use timesource(synced) to generate/validate server cert time (#4228)
* use timesource(synced) to generate/validate server cert time * add debug log * bump version
This commit is contained in:
parent
ce121710d9
commit
7ad5800a9a
|
@ -11,6 +11,10 @@ import (
|
||||||
"math/big"
|
"math/big"
|
||||||
"net"
|
"net"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/ethereum/go-ethereum/log"
|
||||||
|
|
||||||
|
"github.com/status-im/status-go/timesource"
|
||||||
)
|
)
|
||||||
|
|
||||||
var globalMediaCertificate *tls.Certificate = nil
|
var globalMediaCertificate *tls.Certificate = nil
|
||||||
|
@ -78,10 +82,13 @@ func generateMediaTLSCert() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
notBefore := time.Now()
|
notBefore, err := timesource.GetCurrentTime()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
notAfter := notBefore.Add(365 * 24 * time.Hour)
|
notAfter := notBefore.Add(365 * 24 * time.Hour)
|
||||||
|
log.Debug("generate media cert", "system time", time.Now().String(), "cert notBefore", notBefore.String(), "cert notAfter", notAfter.String())
|
||||||
finalCert, certPem, err := GenerateTLSCert(notBefore, notAfter, []net.IP{}, []string{Localhost})
|
finalCert, certPem, err := GenerateTLSCert(*notBefore, notAfter, []net.IP{}, []string{Localhost})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
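Review bot: The media certificate's notBefore is the exact synced instant returned by timesource.GetCurrentTime() with no backdating, so a peer whose own time source lags by even a few seconds will reject the certificate as not yet valid; makeCert in the pairing code subtracts pairing.CertificateMaxClockDrift for exactly this reason, and the same margin belongs here, e.g. `now, err := timesource.GetCurrentTime()` then `notBefore := now.Add(-mediaCertMaxClockDrift)` with a local constant (pairing imports this package, so its constant cannot be reused without a cycle). GetCurrentTime returns errUpdateOffset until the NTP offset has been applied, so generateMediaTLSCert now fails outright on a device with no NTP reachability where it previously used the system clock; if that is intended, the function's doc comment should say so. The added `log` and `timesource` imports are placed as separate groups rather than in the existing third-party group, which goimports would keep as one sorted block; the same applies to the import hunks `@ -11,7 +11,10`, `@ -8,8 +8,12` and `@ -7,6 +7,8`. generateMediaTLSCert starts and ends outside the hunk.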
@ -19,6 +19,7 @@ import (
|
||||||
"github.com/status-im/status-go/logutils"
|
"github.com/status-im/status-go/logutils"
|
||||||
"github.com/status-im/status-go/server"
|
"github.com/status-im/status-go/server"
|
||||||
"github.com/status-im/status-go/signal"
|
"github.com/status-im/status-go/signal"
|
||||||
|
"github.com/status-im/status-go/timesource"
|
||||||
)
|
)
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -139,6 +140,7 @@ func NewBaseClient(c *ConnectionParams, logger *zap.Logger) (*BaseClient, error)
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
InsecureSkipVerify: false, // MUST BE FALSE
|
InsecureSkipVerify: false, // MUST BE FALSE
|
||||||
RootCAs: rootCAs,
|
RootCAs: rootCAs,
|
||||||
|
Time: timesource.Time,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
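Review bot: `Time: timesource.Time` makes the notBefore/notAfter checks depend on the NTP-synced clock, but timesource.Time falls back to time.Now() and only logs when the sync fails, so validation silently degrades to the local clock in precisely the case this change targets; the line deserves a comment making that explicit, e.g. `Time: timesource.Time, // NTP-synced clock for cert validity checks; falls back to the system clock (with an error log) when sync is unavailable`. The same line is added to makeClient in the `@ -80,6 +87,7` hunk and should carry the same comment. NewBaseClient starts and ends outside the hunk.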
@ -11,7 +11,10 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/ethereum/go-ethereum/log"
|
||||||
|
|
||||||
"github.com/status-im/status-go/server/pairing"
|
"github.com/status-im/status-go/server/pairing"
|
||||||
|
"github.com/status-im/status-go/timesource"
|
||||||
|
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
|
|
||||||
|
@ -36,7 +39,11 @@ func preflightHandler(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeCert(address net.IP) (*tls.Certificate, []byte, error) {
|
func makeCert(address net.IP) (*tls.Certificate, []byte, error) {
|
||||||
now := time.Now()
|
now, err := timesource.GetCurrentTime()
|
||||||
|
if err != nil {
|
||||||
|
return nil, nil, err
|
||||||
|
}
|
||||||
|
log.Debug("makeCert", "system time", time.Now().String(), "timesource time", now.String())
|
||||||
notBefore := now.Add(-pairing.CertificateMaxClockDrift)
|
notBefore := now.Add(-pairing.CertificateMaxClockDrift)
|
||||||
notAfter := now.Add(pairing.CertificateMaxClockDrift)
|
notAfter := now.Add(pairing.CertificateMaxClockDrift)
|
||||||
return server.GenerateTLSCert(notBefore, notAfter, []net.IP{address}, []string{})
|
return server.GenerateTLSCert(notBefore, notAfter, []net.IP{address}, []string{})
|
||||||
|
@ -80,6 +87,7 @@ func makeClient(certPem []byte) (*http.Client, error) {
|
||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
InsecureSkipVerify: false, // MUST BE FALSE
|
InsecureSkipVerify: false, // MUST BE FALSE
|
||||||
RootCAs: rootCAs,
|
RootCAs: rootCAs,
|
||||||
|
Time: timesource.Time,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
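Review bot: makeCert returns the timesource error bare (`return nil, nil, err`), so a caller that logs or surfaces it cannot distinguish a pairing-certificate generation failure from an NTP-sync failure; wrapping it, e.g. `return nil, nil, fmt.Errorf("pairing cert: getting synced time: %w", err)`, gives the context (assuming fmt is imported in this file). The debug line usefully records system clock versus synced clock for spotting drift, but the message `makeCert` is a function name rather than an event; `log.Debug("pairing cert from synced time", ...)` reads better in the log stream. The validity window is ±pairing.CertificateMaxClockDrift around the synced instant, so it is only as tight as the NTP offset is accurate; a one-line comment on the notBefore/notAfter lines stating that the window is centred on synced rather than system time would help the next reader.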
@ -8,8 +8,12 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/ethereum/go-ethereum/log"
|
||||||
|
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
|
|
||||||
|
"github.com/status-im/status-go/timesource"
|
||||||
|
|
||||||
"github.com/status-im/status-go/api"
|
"github.com/status-im/status-go/api"
|
||||||
"github.com/status-im/status-go/logutils"
|
"github.com/status-im/status-go/logutils"
|
||||||
"github.com/status-im/status-go/server"
|
"github.com/status-im/status-go/server"
|
||||||
|
@ -74,7 +78,12 @@ func MakeServerConfig(config *ServerConfig) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsCert, _, err := GenerateCertFromKey(tlsKey, time.Now(), ips, []string{})
|
now, err := timesource.GetCurrentTime()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
log.Debug("pairing server generate cert", "system time", time.Now().String(), "timesource time", now.String())
|
||||||
|
tlsCert, _, err := GenerateCertFromKey(tlsKey, *now, ips, []string{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
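Review bot: MakeServerConfig now returns an error when timesource.GetCurrentTime() cannot supply a synced time, whereas the removed line used time.Now() unconditionally, so a pairing server on a device with no NTP reachability fails to start instead of using the local clock (GetCurrentTime returns errUpdateOffset until the offset has been applied). If that trade-off — consistent validity windows on both devices over an unreliable local clock — is intended, the function's doc comment should state it, e.g. `// MakeServerConfig requires the NTP time source to have synced; it returns an error rather than falling back to the system clock.` The bare `return err` after the call loses that context; `return fmt.Errorf("pairing server cert: getting synced time: %w", err)` would preserve it, assuming fmt is available. MakeServerConfig starts and ends outside the hunk.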
@ -7,6 +7,8 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"go.uber.org/zap"
|
||||||
|
|
||||||
"github.com/beevik/ntp"
|
"github.com/beevik/ntp"
|
||||||
|
|
||||||
"github.com/ethereum/go-ethereum/log"
|
"github.com/ethereum/go-ethereum/log"
|
||||||
|
@ -264,16 +266,33 @@ func (s *NTPTimeSource) Stop() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetCurrentTimeInMillis() (uint64, error) {
|
func GetCurrentTimeInMillis() (uint64, error) {
|
||||||
ts := Default()
|
now, err := GetCurrentTime()
|
||||||
if err := ts.Start(); err != nil {
|
if err != nil {
|
||||||
return 0, err
|
return 0, err
|
||||||
}
|
}
|
||||||
var t uint64
|
return uint64(now.UnixNano() / int64(time.Millisecond)), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func GetCurrentTime() (*time.Time, error) {
|
||||||
|
ts := Default()
|
||||||
|
if err := ts.Start(); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
var t *time.Time
|
||||||
ts.AddCallback(func(now time.Time) {
|
ts.AddCallback(func(now time.Time) {
|
||||||
t = uint64(now.UnixNano() / int64(time.Millisecond))
|
t = &now
|
||||||
}).Wait()
|
}).Wait()
|
||||||
if ts.updatedOffset {
|
if ts.updatedOffset {
|
||||||
return t, nil
|
return t, nil
|
||||||
}
|
}
|
||||||
return 0, errUpdateOffset
|
return nil, errUpdateOffset
|
||||||
|
}
|
||||||
|
|
||||||
|
func Time() time.Time {
|
||||||
|
now, err := GetCurrentTime()
|
||||||
|
if err != nil {
|
||||||
|
log.Error("[timesource] error when getting current time", zap.Error(err))
|
||||||
|
return time.Now()
|
||||||
|
}
|
||||||
|
return *now
|
||||||
}
|
}
|
||||||
|
|
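Review bot: In Time(), `log.Error("[timesource] error when getting current time", zap.Error(err))` passes a zap field to go-ethereum's log package, which takes alternating key/value context arguments; the field is emitted as an odd, unnamed context value instead of a readable error, so the line should be `log.Error("[timesource] error when getting current time", "err", err)` and the new `go.uber.org/zap` import dropped if nothing else in the file needs it. Time() is wired into tls.Config.Time elsewhere in this commit, so it runs on every handshake: each call goes through ts.Start() and a blocking AddCallback(...).Wait() before possibly falling back to time.Now(), and both the fallback and the possible handshake latency when sync is unavailable belong in a doc comment on Time(). GetCurrentTime returning `*time.Time` is unidiomatic — a time.Time value is small and has a usable zero value — and a value return would remove the `*now` dereferences the other hunks introduce.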