mirror of
https://github.com/theupdateframework/python-tuf
synced 2026-05-24 10:08:28 +00:00
client: update expiration check to match spec

The specification, as of 1.0.16, describes an update expiration check as:

> The expiration timestamp in the trusted $ROLE metadata file MUST be
> higher than the fixed update expiration time.

Having done some research into how other security providers are comparing
expiration equivalents (i.e. OpenSSL x509 certificate checking code, and
GnuPG expiration checks), and how other TUF implementations are performing
the same check (rust-tuf, go-tuf), we came to a consensus that the correct
way to implement expiration comparisons is:

    expiration <= now

Where:
    expiration: is the metadata's expiration datetime
    now: is the current system time, or the fixed notion of time in the
      detailed client workflow (introduced in 1.0.16 of the spec)

Fixes #1231

Signed-off-by: Joshua Lock <jlock@vmware.com>
parent cdf069a8a9
commit 4bcd703462
1 changed files with 1 additions and 1 deletions
|
|
@ -2266,7 +2266,7 @@ def _ensure_not_expired(self, metadata_object, metadata_rolename):
|
|||
expires_timestamp = tuf.formats.datetime_to_unix_timestamp(expires_datetime)
|
||||
|
||||
current_time = int(time.time())
|
||||
if expires_timestamp < current_time:
|
||||
if expires_timestamp <= current_time:
|
||||
message = 'Metadata '+repr(metadata_rolename)+' expired on ' + \
|
||||
expires_datetime.ctime() + ' (UTC).'
|
||||
raise tuf.exceptions.ExpiredMetadataError(message)
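Review bot: The new comparison at `if expires_timestamp <= current_time:` changes behaviour only for the boundary case where the two values are equal, and this commit touches a single file, so nothing pins that case. Please add a test that sets the clock to exactly the metadata's expiry second and asserts that `tuf.exceptions.ExpiredMetadataError` is raised, plus a short comment above the condition quoting the spec wording from the commit message, so the operator is not flipped back to `<` later. Separately, the context line `current_time = int(time.time())` still samples the clock on every call; the commit message mentions the fixed notion of time from 1.0.16 of the spec, which this hunk does not introduce, so that is worth tracking as a follow-up.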