
Commit e345671

authored
agent: extend xrcp certificate validity 1 hour in the past, to allow out of sync clocks (#1601)
1 parent 86fb2cd commit e345671


2 files changed

+3
-11
lines changed


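--- a/src/Simplex/Messaging/Transport/Credentials.hs
+++ b/src/Simplex/Messaging/Transport/Credentials.hs
@@ -25,14 +25,6 @@ import qualified Simplex.Messaging.Crypto as C
 import qualified Time.System as Hourglass
 import qualified Time.Types as HT
 
--- | Generate a certificate chain to be used with TLS fingerprint-pinning
---
--- @
--- genTlsCredentials = do
--- ca <- genCredentials Nothing (-25, 365 * 24) "Root" -- long-lived root cert
--- leaf <- genCredentials (Just ca) (0, 1) "Entity" -- session-signing cert
--- pure $ tlsCredentials (leaf :| [ca])
--- @
 tlsCredentials :: NonEmpty Credentials -> (C.KeyHash, TLS.Credential)
 tlsCredentials credentials = (C.KeyHash rootFP, (X509.CertificateChain certs, privateToTls $ snd leafKey))
 where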

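--- a/src/Simplex/RemoteControl/Client.hs
+++ b/src/Simplex/RemoteControl/Client.hs
@@ -85,7 +85,7 @@ encInvitationSize = 900
 
 newRCHostPairing :: TVar ChaChaDRG -> IO RCHostPairing
 newRCHostPairing drg = do
-((_, caKey), caCert) <- genCredentials drg Nothing (-25, 24 * 999999) "ca"
+((_, caKey), caCert) <- genCredentials drg Nothing (25, 24 * 999999) "ca"
 (_, idPrivKey) <- atomically $ C.generateKeyPair drg
 pure RCHostPairing {caKey, caCert, idPrivKey, knownHost = Nothing}
 
@@ -193,7 +193,7 @@ connectRCHost drg pairing@RCHostPairing {caKey, caCert, idPrivKey, knownHost} ct
 genTLSCredentials :: TVar ChaChaDRG -> C.APrivateSignKey -> X.SignedCertificate -> IO TLS.Credential
 genTLSCredentials drg caKey caCert = do
 let caCreds = (C.signatureKeyPair caKey, caCert)
-leaf <- genCredentials drg (Just caCreds) (0, 24 * 999999) "localhost" -- session-signing cert
+leaf <- genCredentials drg (Just caCreds) (1, 24 * 999999) "localhost" -- session-signing cert
 pure . snd $ tlsCredentials (leaf :| [caCreds])
 
 certFingerprint :: X.SignedCertificate -> C.KeyHash
@@ -259,7 +259,7 @@ connectRCCtrl drg (RCVerifiedInvitation inv@RCInvitation {ca, idkey}) pairing_ h
 where
 newCtrlPairing :: IO RCCtrlPairing
 newCtrlPairing = do
-((_, caKey), caCert) <- genCredentials drg Nothing (0, 24 * 999999) "ca"
+((_, caKey), caCert) <- genCredentials drg Nothing (1, 24 * 999999) "ca"
 (_, dhPrivKey) <- atomically $ C.generateKeyPair drg
 pure RCCtrlPairing {caKey, caCert, ctrlFingerprint = ca, idPubKey = idkey, dhPrivKey, prevDhPrivKey = Nothing}
 updateCtrlPairing :: RCCtrlPairing -> ExceptT RCErrorType IO RCCtrlPairing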
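Review bot: The backdating is inconsistent across the three sites: the host CA in `newRCHostPairing` is moved 25 hours into the past while the session leaf in `genTLSCredentials` and the controller CA in `newCtrlPairing` get 1 hour, and since a verifier presumably checks every certificate in the chain against its own clock, the leaf's 1 hour is the effective skew tolerance for a host session regardless of the CA's 25. Naming the value would make the intent explicit and keep the sites in step, e.g. `clockSkewHours = 1 -- certificates are backdated to tolerate out-of-sync clocks between host and controller` used as `(clockSkewHours, 24 * 999999)`; if the 25 for the host CA is deliberate, a comment saying why would help. The sign convention of the first tuple argument is not visible here: the host CA flips from `-25` to `25`, and the only documentation of it, the example in Credentials.hs that used `(-25, 365 * 24)`, is deleted by this commit rather than corrected, so `genCredentials` should state whether that element is hours before the current time. Note that `newCtrlPairing` is a local binding of `connectRCCtrl`, which starts outside the hunk.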
