From 4010890a3940433927f34f71417719167ad58275 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Wed, 20 Jun 2012 12:15:42 +0100
Subject: [crypto] Allow an error margin on X.509 certificate validity periods

iPXE has no concept of the local time zone, mainly because there is no viable way to obtain time zone information in the absence of local state. This causes potential problems with newly-issued certificates and certificates that are about to expire.

Avoid such problems by allowing an error margin of around 12 hours on certificate validity periods, similar to the error margin already allowed for OCSP response timestamps.

Signed-off-by: Michael Brown
---
 src/include/ipxe/ocsp.h | 8 --------
 src/include/ipxe/x509.h | 8 ++++++++
 2 files changed, 8 insertions(+), 8 deletions(-)
(limited to 'src/include')

diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index 2521681c0..fe825fd06 100644
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -28,14 +28,6 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #define OCSP_STATUS_SIG_REQUIRED 0x05
 #define OCSP_STATUS_UNAUTHORIZED 0x06
 
-/** Margin of error allowed in OCSP response times
- *
- * We allow a generous margin of error: 12 hours to allow for the
- * local time zone being non-GMT, plus 30 minutes to allow for general
- * clock drift.
- */
-#define OCSP_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
-
 /** An OCSP request */
 struct ocsp_request {
 	/** Request builder */
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index a5626c8a8..a47942a75 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -42,6 +42,14 @@ struct x509_validity {
 	struct x509_time not_after;
 };
 
+/** Margin of error allowed in X.509 response times
+ *
+ * We allow a generous margin of error: 12 hours to allow for the
+ * local time zone being non-GMT, plus 30 minutes to allow for general
+ * clock drift.
+ */
+#define X509_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
+
 /** An X.509 certificate public key */
 struct x509_public_key {
 	/** Raw public key information */
-- cgit v1.2.3-55-g7522
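Review bot: The doc comment added to x509.h still reads "X.509 response times", a leftover from the OCSP definition it replaces; certificates have validity periods, not response times, so the first line should be `/** Margin of error allowed in X.509 certificate validity times`. Per the commit message this single constant now governs both OCSP response timestamps and certificate validity, so it is worth stating that explicitly in the comment, e.g. `* This margin is applied to both OCSP response times and X.509 certificate validity periods, so a certificate may be accepted up to this long before its not-before or after its not-after time.` so that anyone tuning the value understands it also widens the certificate acceptance window. This diff is limited to src/include, so the ocsp.c side that presumably switches from the removed OCSP_ERROR_MARGIN_TIME to X509_ERROR_MARGIN_TIME is not visible here; ocsp.h no longer defines the old name, so any remaining reference would fail to compile.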