commit e34e392186f599edc2c97e3816ae0ee2cb1a8c83
Author: Isis Lovecruft <isis@torproject.org>
Date:   Fri Nov 15 08:19:36 2013 +0000
Fix OpenSSL cert timestamp bug in gen_bridge_descriptors.
OpenSSL only strictly takes a non-standardized format for timestamps which set the "Not Valid Before" and "Not Valid After" fields on an x509 certificate. It *doesn't* take timestamps in Seconds Since Epoch (as I previously had believed), but only with the strftime format "%Y%m%d%H%M%SZ" (yes, with a random capital-Z at the end).
OpenSSL *also* doesn't consider the timestamp `0` to be the current time, contrary to its documentation.
* FIXES a bug in gen_bridge_descriptors where all x509 certificates, and the signatures which their corresponding OpenSSL.crypto.PKeys created, were invalid due to crazy timestamps.
---
 scripts/gen_bridge_descriptors | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
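The commit message above describes the timestamp format OpenSSL accepts for notBefore/notAfter: fixed-width UTC fields followed by a literal Z, which is the UTC designator of ASN.1 GeneralizedTime. The following is an added example, not code from the Tor project or from gen_bridge_descriptors, using only the Python standard library. It formats an epoch timestamp the way the fix does, parses such a stamp back (rejecting a bare epoch number or a stamp missing the Z, the two shapes the message says OpenSSL will not take), derives both bounds of a validity window from a single clock read, and applies them to any object exposing pyOpenSSL-style `set_notBefore`/`set_notAfter` methods. All function names, the `set_validity` helper and the sample timestamp (the commit's own date, 2013-11-15 08:19:36 UTC) are assumptions made for the example.

```python
import calendar
import datetime
import re
import time

# ASN.1 GeneralizedTime as OpenSSL expects it for notBefore/notAfter:
# fixed-width UTC fields followed by a literal "Z" (Zulu, i.e. UTC).
GENERALIZED_TIME_FMT = "%Y%m%d%H%M%SZ"
_GENERALIZED_TIME_RE = re.compile(rb"\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")


def generalized_time(epoch_seconds):
    """Format a UTC epoch timestamp as GeneralizedTime bytes, e.g. b"20131115081936Z".

    Returned as bytes because pyOpenSSL's set_notBefore/set_notAfter take bytes.
    """
    return time.strftime(GENERALIZED_TIME_FMT, time.gmtime(epoch_seconds)).encode("ascii")


def parse_generalized_time(value):
    """Parse a strict YYYYMMDDHHMMSSZ stamp back to UTC epoch seconds.

    Anything else, including a bare epoch number such as b"1384503576" or a
    stamp without the trailing Z, raises ValueError rather than being guessed at.
    """
    if isinstance(value, str):
        value = value.encode("ascii")
    match = _GENERALIZED_TIME_RE.match(value)
    if match is None:
        raise ValueError("not a YYYYMMDDHHMMSSZ GeneralizedTime: %r" % (value,))
    fields = [int(part) for part in match.groups()]
    # datetime validates the field ranges (month 13, Feb 30, ...) for us.
    when = datetime.datetime(*fields)
    return calendar.timegm(when.timetuple())


def validity_window(lifetime, now=None):
    """Return (notBefore, notAfter) for a cert valid from `now` for `lifetime` seconds.

    Both bounds are derived from one clock read, so they cannot straddle a
    second boundary and disagree with each other.
    """
    if lifetime <= 0:
        raise ValueError("lifetime must be a positive number of seconds")
    if now is None:
        now = time.time()
    return generalized_time(now), generalized_time(now + lifetime)


def is_valid_at(not_before, not_after, at):
    """True if epoch timestamp `at` lies inside [notBefore, notAfter], bounds inclusive."""
    return parse_generalized_time(not_before) <= at <= parse_generalized_time(not_after)


def set_validity(cert, lifetime, now=None):
    """Hypothetical helper: stamp any object with pyOpenSSL-style setters.

    `cert` only needs set_notBefore(bytes) and set_notAfter(bytes); an
    OpenSSL.crypto.X509 instance qualifies, but so does a test double.
    """
    before, after = validity_window(lifetime, now)
    cert.set_notBefore(before)
    cert.set_notAfter(after)
    return before, after
```

For a real certificate the call is `set_validity(OpenSSL.crypto.X509(), lifetime)` before signing; `parse_generalized_time(cert.get_notAfter())` then gives the epoch expiry for comparison against `time.time()` without relying on OpenSSL's own clock handling.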
diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index 23e87bf..161e310 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -474,8 +474,14 @@ def createTLSCert(lifetime=None): lifetime -= 1
cert = OpenSSL.crypto.X509() - cert.gmtime_adj_notBefore(0) # Not valid before now - cert.gmtime_adj_notAfter(lifetime) + + timeFormat = lambda x: time.strftime("%Y%m%d%H%M%SZ", x) + now = time.time() + before = time.gmtime(now) + after = time.gmtime(now + lifetime) + cert.set_notBefore(timeFormat(before)) + cert.set_notAfter(timeFormat(after)) + return cert
def createTLSLinkCert(lifetime=7200):
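Review bot: the new body of createTLSCert calls `time.strftime`, `time.time` and `time.gmtime`, but no `import time` appears anywhere in this hunk; confirm the module already imports it at the top, otherwise every call now raises NameError. Related, pyOpenSSL's `set_notBefore`/`set_notAfter` take the ASN.1 GENERALIZEDTIME stamp as bytes, and `time.strftime` returns text, so under Python 3 the helper should be `lambda x: time.strftime("%Y%m%d%H%M%SZ", x).encode("ascii")`. Style: `timeFormat = lambda x: ...` reads better as a small `def timeFormat(when):` (PEP 8 discourages assigning lambdas to names), and the extra blank `+` line right after `cert = OpenSSL.crypto.X509()` looks stray. Reading `now = time.time()` once and deriving both `before` and `after` from it is the right call; it keeps the two bounds consistent instead of taking two separate clock reads.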