Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: do not trim notBefore #1366

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: do not trim notBefore #1366

wants to merge 1 commit into from

Conversation

nodece
Copy link

@nodece nodece commented Mar 13, 2024

Fix: #1064

Motivation

Today, I attempted to use cfssl to generate my certificate and key, with a validity period of 5 minutes, and then setup that to my program, I got the following log:

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369) ~[?:?]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
	at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkServerTrusted(EnhancingX509ExtendedTrustManager.java:69) ~[netty-handler-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:235) ~[netty-handler-4.1.105.Final.jar:4.1.105.Final]
	at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:790) ~[netty-handler-4.1.105.Final.jar:4.1.105.Final]

You see this cert has expired, and then I tried to check the cfssl, and I found the notBefore has been trimmed with 5m. I know that trimming the notBefore is a good idea to void the clock issue, but this will cause some accidents. So I suggest that do not trim notBefore.

The following is the reproduced script:

echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - |cfssljson -bare ca -
echo '{"signing":{"default":{"expiry":"5m","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json
echo '{"CN":"broker","hosts":["localhost"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem - | cfssljson -bare broker
echo '{"CN":"localhost","hosts":["localhost"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem - | cfssljson -bare client
openssl pkcs8 -topk8 -inform PEM -outform PEM \
      -in broker-key.pem -out broker-key-pk8.pem -nocrypt
openssl pkcs8 -topk8 -inform PEM -outform PEM \
      -in client-key.pem -out client-key-pk8.pem -nocrypt

echo "now: $(date -u)"
echo "------"
cfssl certinfo -cert client.pem | grep not

And then you can see the not_after is very close to the now.

Alternative

Add backdate to the ca-config.json:

echo '{"signing":{"default":{"backdate": "1s", "expiry":"5m","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cfssl: new CA certificates with an expiry less than or equal to 240s are always expired.
1 participant
@nodece