search

cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License
8.68k stars 1.1k forks source link

fix: do not trim notBefore #1366

Open nodece opened 6 months ago

nodece commented 6 months ago

Fix: https://github.com/cloudflare/cfssl/issues/1064

Motivation

Today, I attempted to use cfssl to generate my certificate and key, with a validity period of 5 minutes, and then setup that to my program, I got the following log:

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
    at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkServerTrusted(EnhancingX509ExtendedTrustManager.java:69) ~[netty-handler-4.1.105.Final.jar:4.1.105.Final]
    at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:235) ~[netty-handler-4.1.105.Final.jar:4.1.105.Final]
    at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:790) ~[netty-handler-4.1.105.Final.jar:4.1.105.Final]

You see this cert has expired, and then I tried to check the cfssl, and I found the notBefore has been trimmed with 5m. I know that trimming the notBefore is a good idea to void the clock issue, but this will cause some accidents. So I suggest that do not trim notBefore.

The following is the reproduced script:

echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - |cfssljson -bare ca -
echo '{"signing":{"default":{"expiry":"5m","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json
echo '{"CN":"broker","hosts":["localhost"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem - | cfssljson -bare broker
echo '{"CN":"localhost","hosts":["localhost"],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem - | cfssljson -bare client
openssl pkcs8 -topk8 -inform PEM -outform PEM \
      -in broker-key.pem -out broker-key-pk8.pem -nocrypt
openssl pkcs8 -topk8 -inform PEM -outform PEM \
      -in client-key.pem -out client-key-pk8.pem -nocrypt

echo "now: $(date -u)"
echo "------"
cfssl certinfo -cert client.pem | grep not

And then you can see the not_after is very close to the now.

Alternative

Add backdate to the ca-config.json:

echo '{"signing":{"default":{"backdate": "1s", "expiry":"5m","usages":["signing","key encipherment","server auth","client auth"]}}}' > ca-config.json