linux-test-project / ltp

Linux Test Project (mailing list: https://lists.linux.it/listinfo/ltp)
https://linux-test-project.readthedocs.io/
GNU General Public License v2.0

keyctl05: Update expired certificate #897

Closed uudiin closed 2 years ago

uudiin commented 2 years ago

The certificate generated by the openssl command provided by keyctl05 is valid for only one month, and the built-in certificate is also expired, as the command 'openssl x509' shows:

```
Validity
    Not Before: Jul 28 21:41:34 2017 GMT
    Not After : Aug 27 21:41:34 2017 GMT
```

Which will cause the keyctl() system call to return the error value EKEYEXPIRED. This patch updates the certificate data and makes it valid for a long time.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

metan-ucw commented 2 years ago

@ebiggers can you please have a look at this?

ebiggers commented 2 years ago

I thought that the kernel intentionally doesn't check the validity dates of certificates, since it doesn't know whether the system clock is accurate or not. When did this change?

pevik commented 2 years ago

> I thought that the kernel intentionally doesn't check the validity dates of certificates, since it doesn't know whether the system clock is accurate or not. When did this change?

@uudiin ping. I don't see an error with keyctl05 either. How do you reproduce this error?

uudiin commented 2 years ago

@pevik @ebiggers Sorry for the inconvenience caused to you. It was triggered on a custom version of 4.19 internally; as Eric said, it may be caused by the internal verification of the certificate expiration time. I verified the latest master tree and the latest 4.19 stable tree, and neither has a problem. On the other hand, this certificate is indeed expired; is it necessary to update it? Thanks.

ebiggers commented 2 years ago

I don't think there's any point in updating it.