Check constraints and policy for leaf certificates too

This commit is contained in:
Mariano Cano 2022-09-21 15:54:28 -07:00
parent a6e85cbbf6
commit 4b79405dac


@ -630,6 +630,18 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
certTpl.NotBefore = now.Add(-1 * time.Minute) certTpl.NotBefore = now.Add(-1 * time.Minute)
certTpl.NotAfter = now.Add(24 * time.Hour) certTpl.NotAfter = now.Add(24 * time.Hour)
// Policy and constraints require this fields to be set. At this moment they
// are only present in the extra extension.
certTpl.DNSNames = cr.DNSNames
certTpl.IPAddresses = cr.IPAddresses
certTpl.EmailAddresses = cr.EmailAddresses
certTpl.URIs = cr.URIs
// Fail if name constraints or policy does not allow the server names.
if err := a.isAllowedToSignX509Certificate(certTpl); err != nil {
return fatal(err)
}
resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{ resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{
Template: certTpl, Template: certTpl,
CSR: cr, CSR: cr,