From 4bcd703462ce747ab010525f6ff0a4ada35ed946 Mon Sep 17 00:00:00 2001
From: Joshua Lock
Date: Tue, 8 Dec 2020 13:32:48 +0000
Subject: [PATCH] client: update expiration check to match spec

The specification, as of 1.0.16, describes an update expiration check as:

> The expiration timestamp in the trusted $ROLE metadata file MUST be higher than the fixed update expiration time.

Having done some research into how other security providers are comparing expiration equivalents (i.e. OpenSSL x509 certificate checking code, and GnuPG expiration checks), and how other TUF implementations are performing the same check (rust-tuf, go-tuf), we came to a consensus that the correct way to implement expiration comparisons is:

expiration <= now

Where:
expiration: is the metadata's expiration datetime
now: is the current system time, or the fixed notion of time in the detailed client workflow (introduced in 1.0.16 of the spec)

Fixes #1231

Signed-off-by: Joshua Lock
---
 tuf/client/updater.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tuf/client/updater.py b/tuf/client/updater.py
index d9ffb1f0..9ada0974 100755
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@@ -2266,7 +2266,7 @@ def _ensure_not_expired(self, metadata_object, metadata_rolename):
     expires_timestamp = tuf.formats.datetime_to_unix_timestamp(expires_datetime)
     current_time = int(time.time())
-    if expires_timestamp < current_time:
+    if expires_timestamp <= current_time:
       message = 'Metadata '+repr(metadata_rolename)+' expired on ' + \
         expires_datetime.ctime() + ' (UTC).'
       raise tuf.exceptions.ExpiredMetadataError(message)
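Review bot: The change from `<` to `<=` on the `if expires_timestamp` line alters the boundary case with nothing at the comparison site recording why, so a later reader is likely to take it for an off-by-one and revert it; add a comment directly above the check, e.g. `# TUF spec (1.0.16): the expiration MUST be strictly later than the reference time, so an equal timestamp is already expired.`, and pin the equal-timestamp case in a unit test. A further, inferred point: `current_time = int(time.time())` is read afresh on every call, whereas the spec text quoted in the commit message refers to a fixed update expiration time taken once per update cycle, so a role checked late in a long refresh can fail where an earlier role passed against the same metadata set; unless the caller already supplies a fixed reference time, capturing it once at the start of the workflow and passing it in would match the spec more closely. `_ensure_not_expired` begins outside the hunk (only its signature appears in the hunk header), so whether such a reference-time parameter already exists cannot be confirmed from here.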