From 98f904036c7988f5b53a5880ad7b3cf0b3bb6f0f Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount
Date: Fri, 22 Mar 2019 21:11:37 +0000
Subject: [PATCH] For https://github.com/heimdal/heimdal/issues/392

Modern OpenSSL no longer has the 2038 year restriction. Update the certs to last 500 years rather than 10 years. Modern crypto requirements suggest a stronger key strength than 1024. Update to use a minimum of 4096. Fix executable bit on gen-req.sh
---
 lib/hx509/data/gen-req.sh | 8 ++++----
 lib/hx509/data/mkcert.sh | 3 +--
 2 files changed, 5 insertions(+), 6 deletions(-)
 mode change 100644 => 100755 lib/hx509/data/gen-req.sh

diff --git a/lib/hx509/data/gen-req.sh b/lib/hx509/data/gen-req.sh
old mode 100644
new mode 100755
index 20b5d98d4..09f0dfb0b
--- a/lib/hx509/data/gen-req.sh
+++ b/lib/hx509/data/gen-req.sh
@@ -16,7 +16,7 @@ fi
 gen_cert()
 {
- keytype=${6:-rsa:1024}
+ keytype=${6:-rsa:4096}
 ${openssl} req \
 -new \
 -subj "$1" \
@@ -30,7 +30,7 @@ gen_cert()
 if [ "$3" = "ca" ] ; then
 ${openssl} x509 \
 -req \
- -days 3650 \
+ -days 182500 \
 -in cert.req \
 -extfile ${config} \
 -extensions $4 \
@@ -46,7 +46,7 @@ gen_cert()
 ${openssl} x509 \
 -req \
 -in cert.req \
- -days 3650 \
+ -days 182500 \
 -out cert.crt \
 -CA $2.crt \
 -CAkey $2.key \
@@ -59,7 +59,7 @@ gen_cert()
 ${openssl} ca \
 -name $4 \
- -days 3650 \
+ -days 182500 \
 -cert $2.crt \
 -keyfile $2.key \
 -in cert.req \
diff --git a/lib/hx509/data/mkcert.sh b/lib/hx509/data/mkcert.sh
index 5faa57120..c06528dc8 100755
--- a/lib/hx509/data/mkcert.sh
+++ b/lib/hx509/data/mkcert.sh
@@ -2,8 +2,7 @@
 set -e
-# For now, avoid going past the 2038 32-bit clock rollover
-DAYS=$(( ( 0x7fffffff - $(date +%s) ) / 86400 - 1 ))
+DAYS=182500
 key() {
 local key=$1; shift
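Review bot: The new default `keytype=${6:-rsa:4096}` at the top of gen_cert only applies to callers that omit the sixth argument, so the "minimum of 4096" from the commit message holds only if no caller still passes its own rsa:1024 spec — worth checking the call sites before relying on it. The line also deserves a short comment so the next reader knows what the value is and how to override it, e.g. `# default key spec for openssl req (callers may override via $6)`; the hunk does not show where keytype is consumed, presumably a -newkey further down. Generating 4096-bit RSA keys is markedly slower than 1024-bit, which matters if this script runs on every test invocation rather than once to refresh fixtures. gen_cert continues past the end of this hunk.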
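Review bot: The literal `-days 182500` is now hard-coded in three places inside gen_cert (this x509 hunk and the x509 and ca hunks that follow), so a future change to the fixture lifetime has to be made in every invocation and kept consistent with mkcert.sh by hand. A single assignment next to keytype, `days=182500`, with `-days ${days}` in each of the three openssl calls keeps them in step. That assignment should also carry the rationale the commit message gives, since nothing in the file will otherwise explain a 500-year validity, e.g. `# ~500 years; test fixtures only, relies on an OpenSSL without the 2038 notAfter limit`. The lib/hx509/data path suggests these are test certificates, which is presumably why the long lifetime is acceptable; gen_cert starts before this hunk and continues after it.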
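Review bot: Replacing the computed clamp with the bare `DAYS=182500` removes the only comment explaining why the lifetime is what it is, so the new constant should carry one, e.g. `# ~500 years; requires an OpenSSL that can encode notAfter past 2038 (see heimdal issue 392)`. The value also duplicates the three `-days 182500` literals added to gen-req.sh, so the two scripts can drift silently; if gen-req.sh is run alongside this one, having it default to `${DAYS:-182500}` would leave a single source of truth. The commit does not show how older OpenSSL builds behave with this value, so a note on the minimum supported version would help anyone regenerating the fixtures on a different platform.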