From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001

From: Allison Karlitskaya <allison.karlitskaya@redhat.com>

Date: Tue, 26 Oct 2021 12:32:13 +0200

Subject: [PATCH 2/2] Correct certificate lifetime calculation

sscg allows passing the certificate lifetime, as a number of days, as a

commandline argument.  It converts this value to seconds using the

formula

  days * 24 * 3650

which is incorrect.  The correct value is 3600.

This effectively adds an extra 20 minutes to the lifetime of the

certificate for each day as given on the commandline, and was enough to

cause some new integration tests in cockpit to fail.

Interestingly, 3650 is the old default value for the number of days of

certificate validity (~10 years) so this probably slipped in as a sort

of muscle-memory-assisted typo.

Let's just write `24 * 60 * 60` to make things clear.

---

 src/x509.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/x509.c b/src/x509.c

index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644

--- a/src/x509.c

+++ b/src/x509.c

@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,

       X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));

     }

   /* set time */

   X509_gmtime_adj (X509_get_notBefore (cert), 0);

-  X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);

+  X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);

   /* set subject */

   subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));

   sslret = X509_set_subject_name (cert, subject);

   CHECK_SSL (sslret, X509_set_subject_name);

-- 

2.33.0