[En-Nut-Discussion] [PATCH 1/2] FIX: accept certificate without expiration date
Krzysztof Sawicki
krzysztof.sawicki at mlabs.pl
Tue Apr 25 09:35:40 CEST 2017
On 24.04.2017 16:34, Uwe Bonnes wrote:
>>>>>> "Krzysztof" == Krzysztof Sawicki <krzysztof.sawicki at mlabs.pl> writes:
>
>
> Krzysztof> RFC5280 4.1.2.5
>
> Krzysztof> "In some situations, devices are given certificates for which
> Krzysztof> no good expiration date can be assigned. For example, a
> Krzysztof> device could be issued a certificate that binds its model and
> Krzysztof> serial number to its public key; such a certificate is
> Krzysztof> intended to be used for the entire lifetime of the device."
>
> Krzysztof,
>
> is the problem really existent? If you emit a certificate and set not_after =
> (time_t) 0x7fffffff, the check (tv.tv_sec > cert->not_after) will never
> trigger with a 32 bit time implementation.
>
> Otherwise the standard talks about a constant of (GeneralizedTime)
> 99991231235959Z as marker.
Uwe,
the problem really exists; I checked this again to be 100% sure. time_t aka
long is signed and both tv.tv_sec and cert->not_after are of type
time_t. So we compare two signed ints. BTW (time_t)(-1)=0xFFFFFFFF not
0x7FFFFFFF, but this makes no difference in the situation.
--
Krzysztof Sawicki
MLabs sp. z o.o.
ul. Kaliska 21
61-131 Poznań
tel. 61 646 84 27
KRS: 0000390306
NIP: 7822533401
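
The signed comparison discussed in this thread, as an added example that is not part of the original message and not Nut/OS code. It assumes a signed 32-bit time_t (modelled as `int32_t`) and assumes the -1 comes from a conversion that cannot represent 99991231235959Z; the struct, the function names and the saturating policy are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t time32_t;   /* assumption: models a signed 32-bit time_t */

/* 99991231235959Z (the RFC 5280 4.1.2.5 marker) as Unix seconds */
#define NO_EXPIRY_SECS INT64_C(253402300799)

struct validity { time32_t not_after; bool no_expiry; };   /* hypothetical */

/* Naive conversion: a value that does not fit becomes -1, the error value
 * mktime() returns for an unrepresentable calendar time. */
struct validity load_naive(int64_t secs) {
    struct validity v = { (time32_t)-1, false };
    if (secs >= INT32_MIN && secs <= INT32_MAX) v.not_after = (time32_t)secs;
    return v;
}

/* Checked conversion: recognise the marker, saturate other out-of-range dates. */
struct validity load_checked(int64_t secs) {
    struct validity v = { 0, secs == NO_EXPIRY_SECS };
    if (secs > INT32_MAX) v.not_after = INT32_MAX;
    else if (secs < INT32_MIN) v.not_after = INT32_MIN;
    else v.not_after = (time32_t)secs;
    return v;
}

/* The comparison quoted in the thread: both operands are signed. */
bool expired_naive(time32_t now, struct validity v) { return now > v.not_after; }

/* A certificate flagged as having no expiration date never expires. */
bool expired_checked(time32_t now, struct validity v) {
    return !v.no_expiry && now > v.not_after;
}

int main(void) {
    const time32_t now = 1493105740;   /* constructed: a time in April 2017 */
    printf("marker, naive:   expired=%d\n", expired_naive(now, load_naive(NO_EXPIRY_SECS)));
    printf("marker, checked: expired=%d\n", expired_checked(now, load_checked(NO_EXPIRY_SECS)));
    printf("0x7fffffff:      expired=%d\n", expired_naive(now, load_naive(INT32_MAX)));
    return 0;
}
```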