[tor-commits] [bridgedb/master] Fix OpenSSL cert timestamp bug in gen_bridge_descriptors.
isis at torproject.org
Sun Jan 12 06:06:31 UTC 2014
commit e34e392186f599edc2c97e3816ae0ee2cb1a8c83
Author: Isis Lovecruft <isis at torproject.org>
Date: Fri Nov 15 08:19:36 2013 +0000
Fix OpenSSL cert timestamp bug in gen_bridge_descriptors.
OpenSSL only strictly takes a non-standardized format for timestamps which set
the "Not Valid Before" and "Not Valid After" fields on an x509 certificate. It
*doesn't* take timestamps in Seconds Since Epoch (as I previously had
believed), but only with the strftime format "%Y%m%d%H%M%SZ" (yes, with a
random capital-Z at the end).
OpenSSL *also* doesn't consider the timestamp `0` to be the current time,
contrary to its documentation.
* FIXES a bug in gen_bridge_descriptors where all x509 certificates, and the
signatures which their corresponding OpenSSL.crypto.PKeys created, were
invalid due to crazy timestamps.
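Added illustration (not part of this commit or of BridgeDB): stdlib-only helpers that produce the "%Y%m%d%H%M%SZ" (ASN.1 GeneralizedTime, UTC) strings described above, reject bare epoch values such as "0", and check whether a point in time falls inside a certificate's notBefore/notAfter window. The epoch value 1384503576 used in the comments is this commit's own date and is a constructed input.

```python
import calendar
import re
import time

# ASN.1 GeneralizedTime as pyOpenSSL's set_notBefore/set_notAfter expect it:
# 14 digits YYYYMMDDhhmmss followed by a literal "Z" (the UTC designator).
ASN1_TIME = "%Y%m%d%H%M%SZ"
_ASN1_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def asn1_time(epoch):
    """Format seconds-since-epoch as a UTC GeneralizedTime string.

    gmtime (not localtime) is mandatory: the trailing "Z" asserts UTC."""
    return time.strftime(ASN1_TIME, time.gmtime(epoch))


def parse_asn1_time(value):
    """Parse a GeneralizedTime string back to seconds since epoch.

    Raises ValueError for anything else, e.g. a bare epoch number such as
    "0" or "1384503576" (the kind of value the unfixed script fed OpenSSL).
    """
    m = _ASN1_RE.match(value)
    if not m:
        raise ValueError("not ASN.1 GeneralizedTime (YYYYMMDDhhmmssZ): %r" % (value,))
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    if not (1 <= mo <= 12 and 1 <= d <= 31 and h < 24 and mi < 60 and s < 60):
        raise ValueError("field out of range: %r" % (value,))
    return calendar.timegm((y, mo, d, h, mi, s, 0, 0, 0))


def is_asn1_time(value):
    """True if `value` is a well-formed GeneralizedTime string."""
    try:
        parse_asn1_time(value)
    except ValueError:
        return False
    return True


def validity_window(now, lifetime):
    """(notBefore, notAfter) for a cert valid `lifetime` seconds from `now`."""
    if lifetime <= 0:
        raise ValueError("lifetime must be positive")
    return asn1_time(now), asn1_time(now + lifetime)


def is_valid_at(not_before, not_after, when):
    """True if epoch `when` lies inside the [notBefore, notAfter] window."""
    return parse_asn1_time(not_before) <= when <= parse_asn1_time(not_after)
```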
---
scripts/gen_bridge_descriptors | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors
index 23e87bf..161e310 100644
--- a/scripts/gen_bridge_descriptors
+++ b/scripts/gen_bridge_descriptors
@@ -474,8 +474,14 @@ def createTLSCert(lifetime=None):
lifetime -= 1
cert = OpenSSL.crypto.X509()
- cert.gmtime_adj_notBefore(0) # Not valid before now
- cert.gmtime_adj_notAfter(lifetime)
+
+ timeFormat = lambda x: time.strftime("%Y%m%d%H%M%SZ", x)
+ now = time.time()
+ before = time.gmtime(now)
+ after = time.gmtime(now + lifetime)
+ cert.set_notBefore(timeFormat(before))
+ cert.set_notAfter(timeFormat(after))
+
return cert
def createTLSLinkCert(lifetime=7200):
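Review bot: the `timeFormat` lambda is bound to a name with no comment explaining the format; a short `def` (or a module-level constant for `"%Y%m%d%H%M%SZ"`) with a comment that this is ASN.1 GeneralizedTime and that the trailing `Z` means UTC would record why `time.gmtime` rather than `time.localtime` is required on the `before`/`after` lines, since a local-time struct formatted with a literal `Z` would shift the validity window by the host's UTC offset. Please also confirm `time` is imported at the top of `scripts/gen_bridge_descriptors`, as this hunk introduces the only uses of `time.*` visible in `createTLSCert`, and note that pyOpenSSL's `set_notBefore`/`set_notAfter` take bytes, so `timeFormat` would need an `.encode("ascii")` if the script is ever run under Python 3 (under Python 2 `str` is already bytes).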