wbond / certvalidator

Python library for validating X.509 certificates and paths
MIT License

OCSP timestamp validation fails due to different date precisions #15

Open zaddach opened 5 years ago

zaddach commented 5 years ago

On my system, checking moment against cert_response['this_update'].native when treating an OCSP response fails here. The reason for this is that moment is a datetime object with nanoseconds (on my Linux system), and cert_response['this_update'].native is a datetime object with seconds precision. I've fixed this for myself by subtracting a timedelta(seconds = 1) from moment in the comparison (and adding one second to moment in the next comparison here), which is fine for my purposes, but might not be a good solution in general.

pjsg commented 4 years ago

I suspect that a bigger 'slop' is required to deal with some (small) time skew between client and OCSP server. I'd default it to 10 seconds, but allow an arbitrary value to be used.
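The strict comparison described in the issue next to a check widened by a configurable allowance, as an added example that is not certvalidator's own code. It assumes the response times are timezone-aware UTC datetimes with whole-second precision, and the 10-second default and function names are assumptions taken from the suggestion above.

```python
from datetime import datetime, timedelta, timezone

# Allowance for clock skew between client and OCSP responder. The 10-second
# default follows the suggestion in the thread; the name is an assumption.
DEFAULT_SKEW = timedelta(seconds=10)


def strict_window_ok(moment, this_update, next_update=None):
    """The comparison as described in the issue: no tolerance at all."""
    if moment < this_update:
        return False
    if next_update is not None and moment > next_update:
        return False
    return True


def skewed_window_ok(moment, this_update, next_update=None, skew=DEFAULT_SKEW):
    """Same check, widened by `skew` on both ends of the validity window.

    `this_update` / `next_update` are whole-second values decoded from the
    response, while `moment` normally carries sub-second precision, so a
    response signed a fraction of a second after `moment` was captured can
    have `this_update` ahead of `moment` even with synchronised clocks.
    A bounded tolerance accepts that while still rejecting responses that
    are genuinely not yet valid or already past `next_update`.
    """
    if skew < timedelta(0):
        raise ValueError("skew must be non-negative")
    if moment < this_update - skew:
        return False
    if next_update is not None and moment > next_update + skew:
        return False
    return True


# Constructed sample: the validation moment was taken at .900 s, the responder
# signed the response during the following second and encoded only seconds.
MOMENT = datetime(2020, 1, 1, 12, 0, 0, 900000, tzinfo=timezone.utc)
THIS_UPDATE = datetime(2020, 1, 1, 12, 0, 1, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(days=7)

if __name__ == "__main__":
    print("strict:", strict_window_ok(MOMENT, THIS_UPDATE, NEXT_UPDATE))  # False
    print("skewed:", skewed_window_ok(MOMENT, THIS_UPDATE, NEXT_UPDATE))  # True
```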