#110 [i586] max unix date problem
Opened 3 months ago by slev. Modified 3 months ago

I'm testing Certmonger in conjunction with FreeIPA server installation on x86 machine.
'caSigningCert cert-pki-ca' lifetime is 20 years.
As we know max unix date on 32bit machines is 03:14:07 UTC 19 January 2038.
Please, take a look on the logs below.

certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | grep -i 'not after'
Not After : Mon Apr 11 14:01:54 2039

getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | grep expires
expires: 2038-01-19 06:14:07 MSK

getcert resubmit -i 'xxx'

getcert list -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | grep expires
expires: 2038-01-19 06:14:07 MSK                                        

certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' | grep -i 'not after'      
Not After : Mon Apr 11 14:58:51 2039

As I can see getcert shows max unix date (2038Y), but certutil tells the right date (2039Y).
Actually, I don't know is this only display (getcert) problem? Or this date is used for internals.

cat /var/lib/certmonger/requests/20190411140250 | grep 'cert_not_after'
cert_not_after=20380119031407

Internally it is stored as time_t which should be safe. I pulled the Fedora i686 glibc-headers and it defines it as a long int.

Can you see what yours is defined as:

time.c:

#include <time.h>

int main(int argc, char** argv)
{
        time_t test;
        return 0;
}

$ gcc -E time.c | grep time_t |grep typedef
typedef long int __time_t;
typedef __time_t time_t;

Login to comment on this ticket.

Metadata