[tor-commits] [bridgedb/master] Fix OpenSSL cert timestamp bug in gen_bridge_descriptors.

isis at torproject.org
Sun Jan 12 06:06:31 UTC 2014


commit e34e392186f599edc2c97e3816ae0ee2cb1a8c83
Author: Isis Lovecruft <isis at torproject.org>
Date:   Fri Nov 15 08:19:36 2013 +0000

    Fix OpenSSL cert timestamp bug in gen_bridge_descriptors.
    
    OpenSSL only strictly takes a non-standardized format for timestamps which set
    the "Not Valid Before" and "Not Valid After" fields on an x509 certificate. It
    *doesn't* take timestamps in Seconds Since Epoch (as I previously had
    believed), but only with the strftime format "%Y%m%d%H%M%SZ" (yes, with a
    random capital-Z at the end).
    
    OpenSSL *also* doesn't consider the timestamp `0` to be the current time,
    contrary to its documentation.
    
     * FIXES a bug in gen_bridge_descriptors where all x509 certificates, and the
       signatures which their corresponding OpenSSL.crypto.PKeys created, were
       invalid due to crazy timestamps.
---
 scripts/gen_bridge_descriptors |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors
index 23e87bf..161e310 100644
--- a/scripts/gen_bridge_descriptors
+++ b/scripts/gen_bridge_descriptors
@@ -474,8 +474,14 @@ def createTLSCert(lifetime=None):
             lifetime -= 1
 
     cert = OpenSSL.crypto.X509()
-    cert.gmtime_adj_notBefore(0)        # Not valid before now
-    cert.gmtime_adj_notAfter(lifetime)
+
+    timeFormat = lambda x: time.strftime("%Y%m%d%H%M%SZ", x)
+    now = time.time()
+    before = time.gmtime(now)
+    after = time.gmtime(now + lifetime)
+    cert.set_notBefore(timeFormat(before))
+    cert.set_notAfter(timeFormat(after))
+
     return cert
 
 def createTLSLinkCert(lifetime=7200):
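Review bot: `now + lifetime` on the `after = ...` line assumes `lifetime` is already a number of seconds, but the function signature defaults it to `None` and the hunk only shows `lifetime -= 1` in an earlier branch; if any path can reach this point with `None` the addition raises `TypeError`, so either guard it or state the unit and requirement in the docstring. Also confirm `time` is imported at the top of the script (the hunk does not show it). The `timeFormat` lambda bound to a name hides the function name in tracebacks; a two-line `def`, or inlining `time.strftime("%Y%m%d%H%M%SZ", time.gmtime(...))` in the two `set_*` calls, reads better. The format string is the ASN.1 GeneralizedTime shape (YYYYMMDDHHMMSSZ); note that on Python 3 pyOpenSSL's `set_notBefore`/`set_notAfter` take `bytes`, so the `str` returned by `strftime` would need `.encode("ascii")` there.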
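The commit message above describes the timestamp format pyOpenSSL's `set_notBefore()`/`set_notAfter()` accept. The following is an added example, not BridgeDB's own code and not part of the original commit: it builds those strings from a seconds-since-epoch value the way the patch does, parses them back (as one would for the value `get_notBefore()` returns), and checks whether a given instant falls inside the window. The function names (`asn1_time`, `parse_asn1_time`, `validity_window`, `is_valid_at`) and the fixed `now` used for a reproducible result are this example's assumptions; it uses only the standard library so it runs without pyOpenSSL installed.

```python
# Added example (not BridgeDB code): build and check the UTC GeneralizedTime
# strings ("%Y%m%d%H%M%SZ") that pyOpenSSL's X509.set_notBefore()/set_notAfter()
# expect, mirroring the patch's now/now+lifetime logic and guarding the
# lifetime=None case that the patched function's signature allows.
import calendar
import time

ASN1_TIME_FORMAT = "%Y%m%d%H%M%SZ"   # e.g. 20131115081936Z (always UTC, hence the Z)


def asn1_time(epoch_seconds):
    """Format seconds since the epoch as the UTC timestamp string OpenSSL wants."""
    return time.strftime(ASN1_TIME_FORMAT, time.gmtime(epoch_seconds))


def parse_asn1_time(value):
    """Parse a YYYYMMDDHHMMSSZ string (str or bytes) back to seconds since the epoch.

    Rejects anything that is not exactly 14 digits followed by a literal 'Z',
    which is the only shape this format allows.
    """
    if isinstance(value, bytes):
        value = value.decode("ascii")
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError("expected YYYYMMDDHHMMSSZ, got %r" % (value,))
    # strptime yields a struct_time in UTC; calendar.timegm converts it
    # without applying the local timezone (time.mktime would).
    return calendar.timegm(time.strptime(value, ASN1_TIME_FORMAT))


def validity_window(lifetime, now=None):
    """Return (notBefore, notAfter) strings for a cert valid from `now`
    for `lifetime` seconds, as the patched createTLSCert computes them.

    `now` is an optional fixed epoch value (assumption of this example, used
    to make results reproducible); `lifetime` must be a positive number of
    seconds, so a None default is caught here instead of failing in `now + lifetime`.
    """
    if lifetime is None or lifetime <= 0:
        raise ValueError("lifetime must be a positive number of seconds")
    if now is None:
        now = time.time()
    return asn1_time(now), asn1_time(now + lifetime)


def as_openssl_arg(value):
    """pyOpenSSL on Python 3 takes bytes for set_notBefore/set_notAfter."""
    return value.encode("ascii")


def is_valid_at(not_before, not_after, when):
    """True if epoch instant `when` lies within [notBefore, notAfter]."""
    return parse_asn1_time(not_before) <= when <= parse_asn1_time(not_after)


if __name__ == "__main__":
    # Constructed input: the commit's own date, 2013-11-15 08:19:36 UTC.
    fixed_now = 1384503576
    before, after = validity_window(7200, now=fixed_now)
    print(before, after, as_openssl_arg(before))
    print(is_valid_at(before, after, fixed_now + 3600))
    print(is_valid_at(before, after, fixed_now + 7201))
```

Using a fixed `now` shows the two strings differ only in the hour field for a 7200-second lifetime, and the round trip through `parse_asn1_time` confirms the string carries full second precision, so the "Not Valid Before"/"Not Valid After" window is exactly the lifetime requested.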