From 7ad5800a9a6667f2b65b24507bb34d284431eb55 Mon Sep 17 00:00:00 2001
From: frank
Date: Tue, 7 Nov 2023 09:51:15 +0800
Subject: [PATCH] use timesource(synced) to generate/validate server cert time (#4228)
* use timesource(synced) to generate/validate server cert time
* add debug log
* bump version
---
 VERSION | 2 +-
 server/certs.go | 13 +++++++++---
 server/pairing/client.go | 2 ++
 server/pairing/preflight/preflight.go | 10 ++++++++-
 server/pairing/server.go | 11 +++++++++-
 timesource/timesource.go | 29 ++++++++++++++++++++++-----
 6 files changed, 56 insertions(+), 11 deletions(-)
diff --git a/VERSION b/VERSION
index 858241479..c75633450 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.171.8
+0.171.9
diff --git a/server/certs.go b/server/certs.go
index 0e1ce7321..4dcb5a912 100644
--- a/server/certs.go
+++ b/server/certs.go
@@ -11,6 +11,10 @@ import (
 "math/big"
 "net"
 "time"
+
+ "github.com/ethereum/go-ethereum/log"
+
+ "github.com/status-im/status-go/timesource"
 )
 var globalMediaCertificate *tls.Certificate = nil
@@ -78,10 +82,13 @@ func generateMediaTLSCert() error {
 return nil
 }
- notBefore := time.Now()
+ notBefore, err := timesource.GetCurrentTime()
+ if err != nil {
+ return err
+ }
 notAfter := notBefore.Add(365 * 24 * time.Hour)
-
- finalCert, certPem, err := GenerateTLSCert(notBefore, notAfter, []net.IP{}, []string{Localhost})
+ log.Debug("generate media cert", "system time", time.Now().String(), "cert notBefore", notBefore.String(), "cert notAfter", notAfter.String())
+ finalCert, certPem, err := GenerateTLSCert(*notBefore, notAfter, []net.IP{}, []string{Localhost})
 if err != nil {
 return err
 }
diff --git a/server/pairing/client.go b/server/pairing/client.go
index 03bc60127..34f76a9fa 100644
--- a/server/pairing/client.go
+++ b/server/pairing/client.go
@@ -19,6 +19,7 @@ import (
 "github.com/status-im/status-go/logutils"
 "github.com/status-im/status-go/server"
 "github.com/status-im/status-go/signal"
+ "github.com/status-im/status-go/timesource"
 )
 /*
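Review bot: `timesource.GetCurrentTime()` in generateMediaTLSCert starts the default NTP time source and, per the timesource hunk later in this patch, returns `errUpdateOffset` when the offset was never updated, so media certificate generation now fails outright on a device without NTP reachability where `time.Now()` previously always succeeded; the same hard failure is introduced in makeCert (preflight.go) and MakeServerConfig (server.go). If that is the intended trade-off, a comment such as `// cert validity must be anchored to synced time: a skewed system clock would produce a cert the peer rejects` would document it at each call site; otherwise the fallback behaviour that `timesource.Time` gives the verifying side may be appropriate here too. The `*time.Time` return also forces the `*notBefore` dereference on the GenerateTLSCert call, where a value return would read more naturally since the error already signals absence. generateMediaTLSCert's body starts before and ends after this hunk.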
@@ -139,6 +140,7 @@ func NewBaseClient(c *ConnectionParams, logger *zap.Logger) (*BaseClient, error)
 MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: false, // MUST BE FALSE
 RootCAs: rootCAs,
+ Time: timesource.Time,
 },
 }
diff --git a/server/pairing/preflight/preflight.go b/server/pairing/preflight/preflight.go
index 383005cff..1d464a727 100644
--- a/server/pairing/preflight/preflight.go
+++ b/server/pairing/preflight/preflight.go
@@ -11,7 +11,10 @@ import (
 "sync"
 "time"
+ "github.com/ethereum/go-ethereum/log"
+
 "github.com/status-im/status-go/server/pairing"
+ "github.com/status-im/status-go/timesource"
 "go.uber.org/zap"
@@ -36,7 +39,11 @@ func preflightHandler(w http.ResponseWriter, r *http.Request) {
 }
 func makeCert(address net.IP) (*tls.Certificate, []byte, error) {
- now := time.Now()
+ now, err := timesource.GetCurrentTime()
+ if err != nil {
+ return nil, nil, err
+ }
+ log.Debug("makeCert", "system time", time.Now().String(), "timesource time", now.String())
 notBefore := now.Add(-pairing.CertificateMaxClockDrift)
 notAfter := now.Add(pairing.CertificateMaxClockDrift)
 return server.GenerateTLSCert(notBefore, notAfter, []net.IP{address}, []string{})
@@ -80,6 +87,7 @@ func makeClient(certPem []byte) (*http.Client, error) {
 MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: false, // MUST BE FALSE
 RootCAs: rootCAs,
+ Time: timesource.Time,
 },
 }
diff --git a/server/pairing/server.go b/server/pairing/server.go
index 7e8c8bd27..4c8069cd3 100644
--- a/server/pairing/server.go
+++ b/server/pairing/server.go
@@ -8,8 +8,12 @@ import (
 "net"
 "time"
+ "github.com/ethereum/go-ethereum/log"
+
 "go.uber.org/zap"
+
+ "github.com/status-im/status-go/timesource"
+
 "github.com/status-im/status-go/api"
 "github.com/status-im/status-go/logutils"
 "github.com/status-im/status-go/server"
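Review bot: `Time: timesource.Time` makes the certificate validity check use the synced clock, but `timesource.Time` (see the timesource hunk) silently falls back to `time.Now()` when synchronization fails, so on that path verification quietly reverts to the system clock this change is meant to avoid; the same applies to the identical line in makeClient (preflight.go). The fallback is only logged inside the timesource package, so nothing in the TLS config hints at it; a comment on the line, `// Time: synced clock for cert validity; falls back to system time if NTP sync fails (see timesource.Time)`, would make the trade-off visible to the next reader. NewBaseClient's body starts before and ends after this hunk.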
@@ -74,7 +78,12 @@ func MakeServerConfig(config *ServerConfig) error {
 return err
 }
- tlsCert, _, err := GenerateCertFromKey(tlsKey, time.Now(), ips, []string{})
+ now, err := timesource.GetCurrentTime()
+ if err != nil {
+ return err
+ }
+ log.Debug("pairing server generate cert", "system time", time.Now().String(), "timesource time", now.String())
+ tlsCert, _, err := GenerateCertFromKey(tlsKey, *now, ips, []string{})
 if err != nil {
 return err
 }
diff --git a/timesource/timesource.go b/timesource/timesource.go
index fd010fbc6..741dbca84 100644
--- a/timesource/timesource.go
+++ b/timesource/timesource.go
@@ -7,6 +7,8 @@ import (
 "sync"
 "time"
+ "go.uber.org/zap"
+
 "github.com/beevik/ntp"
 "github.com/ethereum/go-ethereum/log"
@@ -264,16 +266,33 @@ func (s *NTPTimeSource) Stop() error {
 }
 func GetCurrentTimeInMillis() (uint64, error) {
- ts := Default()
- if err := ts.Start(); err != nil {
+ now, err := GetCurrentTime()
+ if err != nil {
 return 0, err
 }
- var t uint64
+ return uint64(now.UnixNano() / int64(time.Millisecond)), nil
+}
+
+func GetCurrentTime() (*time.Time, error) {
+ ts := Default()
+ if err := ts.Start(); err != nil {
+ return nil, err
+ }
+ var t *time.Time
 ts.AddCallback(func(now time.Time) {
- t = uint64(now.UnixNano() / int64(time.Millisecond))
+ t = &now
 }).Wait()
 if ts.updatedOffset {
 return t, nil
 }
- return 0, errUpdateOffset
+ return nil, errUpdateOffset
+}
+
+func Time() time.Time {
+ now, err := GetCurrentTime()
+ if err != nil {
+ log.Error("[timesource] error when getting current time", zap.Error(err))
+ return time.Now()
+ }
+ return *now
 }
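Review bot: In `Time`, `log.Error("[timesource] error when getting current time", zap.Error(err))` hands a zap field to the go-ethereum `log` package this file already imports, which takes key/value context pairs, so the error is likely emitted as a stray odd argument rather than under a key; every other new log call in this commit uses the key/value form. Suggest `log.Error("[timesource] error when getting current time", "err", err)` and dropping the `go.uber.org/zap` import added in the import hunk above, which exists only for this call. `GetCurrentTime` and `Time` are exported without doc comments; something like `// GetCurrentTime starts the default time source and returns the offset-adjusted time, or errUpdateOffset if the offset was never updated.` and `// Time returns the synced time, falling back to time.Now() when synchronization fails; intended for tls.Config.Time.` would state the fallback callers rely on. Returning `*time.Time` from `GetCurrentTime` is unusual for a value type and forces a dereference at every call site in this patch; since the error already covers the failure case, a plain `time.Time` return would be cleaner unless the pointer is deliberately distinguishing "unset" from the zero time.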