diff options
author | Edward Hyunkoo Jee <edjee@google.com> | 2018-06-05 17:01:08 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-06-06 01:16:27 -0700 |
commit | e21e46dfc68596e3495c68cfc49c7442fec2942a (patch) | |
tree | 505faf04871a46f6f128df86e4c57ab1e48d8427 | |
parent | 2cc35b0f31fe1cf69ce6781e7d502f07c64c93c9 (diff) | |
download | vboot-e21e46dfc68596e3495c68cfc49c7442fec2942a.tar.gz |
keygeneration: make the certificates valid for 10 yearsfirmware-nami-10775.Bfirmware-nami-10775.130.Bfirmware-nami-10775.108.B
UEFI firmware implementations are unlikely to validate the "days".
However we'd better specify a reasonable value. We learned that
setting the "days" argument to a large number can cause unexpected
results due to overflow.
GCE team has decided to set this value as 10 years.
BUG=b:62189155
TEST=None
BRANCH=none
Change-Id: If0375251b41e9584708355a6fd32192aa5ad0c1a
Reviewed-on: https://chromium-review.googlesource.com/1088165
Commit-Ready: Edward Jee <edjee@google.com>
Tested-by: Edward Jee <edjee@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
-rw-r--r-- | scripts/keygeneration/uefi/uefi_common.sh | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/scripts/keygeneration/uefi/uefi_common.sh b/scripts/keygeneration/uefi/uefi_common.sh index 87585450..ba5369b6 100644 --- a/scripts/keygeneration/uefi/uefi_common.sh +++ b/scripts/keygeneration/uefi/uefi_common.sh @@ -79,7 +79,7 @@ _make_self_signed_pair() { pushd "${key_name}" >/dev/null || return 1 openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \ -keyout "${key_name}.rsa" -out "${key_name}.pem" \ - -subj "${subj}" -days 73000 + -subj "${subj}" -days 3650 popd >/dev/null } @@ -100,10 +100,10 @@ _make_child_pair() { pushd "${ca_name}/${ca_name}.children" >/dev/null || return 1 openssl req -new -nodes -newkey rsa:2048 -sha256 \ -keyout "${child_key_name}.rsa" -out "${child_key_name}.csr" \ - -subj "${subj}" -days 73000 + -subj "${subj}" openssl x509 -req -sha256 -CA "../${ca_name}.pem" -CAkey "../${ca_name}.rsa" \ -CAcreateserial -in "${child_key_name}.csr" \ - -out "${child_key_name}.pem" -days 73000 + -out "${child_key_name}.pem" -days 3650 popd >/dev/null } |