use timesource(synced) to generate/validate server cert time (#4228)

* use timesource(synced) to generate/validate server cert time * add debug log * bump version
2023-11-07 09:51:15 +08:00 · 2023-11-07 09:51:15 +08:00 · 7ad5800a9a
parent ce121710d9
commit 7ad5800a9a
6 changed files with 56 additions and 11 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-0.171.8
+0.171.9
--- a/server/certs.go
+++ b/server/certs.go
@ -11,6 +11,10 @@ import (
 	"math/big"
 	"net"
 	"time"
+
+	"github.com/ethereum/go-ethereum/log"
+
+	"github.com/status-im/status-go/timesource"
 )

 var globalMediaCertificate *tls.Certificate = nil
@ -78,10 +82,13 @@ func generateMediaTLSCert() error {
 		return nil
 	}

-	notBefore := time.Now()
+	notBefore, err := timesource.GetCurrentTime()
+	if err != nil {
+		return err
+	}
 	notAfter := notBefore.Add(365 * 24 * time.Hour)
-
-	finalCert, certPem, err := GenerateTLSCert(notBefore, notAfter, []net.IP{}, []string{Localhost})
+	log.Debug("generate media cert", "system time", time.Now().String(), "cert notBefore", notBefore.String(), "cert notAfter", notAfter.String())
+	finalCert, certPem, err := GenerateTLSCert(*notBefore, notAfter, []net.IP{}, []string{Localhost})
 	if err != nil {
 		return err
 	}
--- a/server/pairing/client.go
+++ b/server/pairing/client.go
@ -19,6 +19,7 @@ import (
 	"github.com/status-im/status-go/logutils"
 	"github.com/status-im/status-go/server"
 	"github.com/status-im/status-go/signal"
+	"github.com/status-im/status-go/timesource"
 )

 /*
@ -139,6 +140,7 @@ func NewBaseClient(c *ConnectionParams, logger *zap.Logger) (*BaseClient, error)
 			MinVersion:         tls.VersionTLS12,
 			InsecureSkipVerify: false, // MUST BE FALSE
 			RootCAs:            rootCAs,
+			Time:               timesource.Time,
 		},
 	}

--- a/server/pairing/preflight/preflight.go
+++ b/server/pairing/preflight/preflight.go
@ -11,7 +11,10 @@ import (
 	"sync"
 	"time"

+	"github.com/ethereum/go-ethereum/log"
+
 	"github.com/status-im/status-go/server/pairing"
+	"github.com/status-im/status-go/timesource"

 	"go.uber.org/zap"

@ -36,7 +39,11 @@ func preflightHandler(w http.ResponseWriter, r *http.Request) {
 }

 func makeCert(address net.IP) (*tls.Certificate, []byte, error) {
-	now := time.Now()
+	now, err := timesource.GetCurrentTime()
+	if err != nil {
+		return nil, nil, err
+	}
+	log.Debug("makeCert", "system time", time.Now().String(), "timesource time", now.String())
 	notBefore := now.Add(-pairing.CertificateMaxClockDrift)
 	notAfter := now.Add(pairing.CertificateMaxClockDrift)
 	return server.GenerateTLSCert(notBefore, notAfter, []net.IP{address}, []string{})
@ -80,6 +87,7 @@ func makeClient(certPem []byte) (*http.Client, error) {
 			MinVersion:         tls.VersionTLS12,
 			InsecureSkipVerify: false, // MUST BE FALSE
 			RootCAs:            rootCAs,
+			Time:               timesource.Time,
 		},
 	}

--- a/server/pairing/server.go
+++ b/server/pairing/server.go
@ -8,8 +8,12 @@ import (
 	"net"
 	"time"

+	"github.com/ethereum/go-ethereum/log"
+
 	"go.uber.org/zap"

+	"github.com/status-im/status-go/timesource"
+
 	"github.com/status-im/status-go/api"
 	"github.com/status-im/status-go/logutils"
 	"github.com/status-im/status-go/server"
@ -74,7 +78,12 @@ func MakeServerConfig(config *ServerConfig) error {
 		return err
 	}

-	tlsCert, _, err := GenerateCertFromKey(tlsKey, time.Now(), ips, []string{})
+	now, err := timesource.GetCurrentTime()
+	if err != nil {
+		return err
+	}
+	log.Debug("pairing server generate cert", "system time", time.Now().String(), "timesource time", now.String())
+	tlsCert, _, err := GenerateCertFromKey(tlsKey, *now, ips, []string{})
 	if err != nil {
 		return err
 	}
--- a/timesource/timesource.go
+++ b/timesource/timesource.go
@ -7,6 +7,8 @@ import (
 	"sync"
 	"time"

+	"go.uber.org/zap"
+
 	"github.com/beevik/ntp"

 	"github.com/ethereum/go-ethereum/log"
@ -264,16 +266,33 @@ func (s *NTPTimeSource) Stop() error {
 }

 func GetCurrentTimeInMillis() (uint64, error) {
-	ts := Default()
-	if err := ts.Start(); err != nil {
+	now, err := GetCurrentTime()
+	if err != nil {
 		return 0, err
 	}
-	var t uint64
+	return uint64(now.UnixNano() / int64(time.Millisecond)), nil
+}
+
+func GetCurrentTime() (*time.Time, error) {
+	ts := Default()
+	if err := ts.Start(); err != nil {
+		return nil, err
+	}
+	var t *time.Time
 	ts.AddCallback(func(now time.Time) {
-		t = uint64(now.UnixNano() / int64(time.Millisecond))
+		t = &now
 	}).Wait()
 	if ts.updatedOffset {
 		return t, nil
 	}
-	return 0, errUpdateOffset
+	return nil, errUpdateOffset
+}
+
+func Time() time.Time {
+	now, err := GetCurrentTime()
+	if err != nil {
+		log.Error("[timesource] error when getting current time", zap.Error(err))
+		return time.Now()
+	}
+	return *now
 }
 @ -1 +1 @@
 .171.8
 .171.9