Re: [PATCH] X.509: Remove certificate date checks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am 14.03.2013 13:48, schrieb David Woodhouse:
On Thu, 2013-03-14 at 12:34 +0000, David Howells wrote:
Remove the certificate date checks that are performed when a certificate is
parsed.  There are two checks: a valid from and a valid to.  The first check is
causing a lot of problems with system clocks that don't keep good time and the
second places an implicit expiry date upon the kernel when used for module
signing, so do we really need them?

While the date check is entirely bogus for the specific case of module
signing, I don't think we necessarily ought to rip it out of our generic
X.509 support entirely.

Some use cases *might* want to check the dates, and should be permitted
to do so. Just don't refuse to even *parse* the key outside its valid
date range... :)

Agreed (thats what my patch did).

I've introduced a new config option because I don't know if something (a use case I don't know) relies on the validity check of the dates in the parser. If there currently isn't such a user, just removing the validity check in the parser might be enough. Offering the parsed dates for later usage is still a good idea.

Regards,

Alexander

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]