Update profileLimitDuration validator ...

- respect notBefore of the provisioner
- fix the wording of the reported error messages
max furman 2020-06-16 12:16:43 -07:00
parent 54be8889cd
commit 7d5cf34ce5
3 changed files with 17 additions and 14 deletions


@ -222,7 +222,7 @@ func (v profileDefaultDuration) Option(so Options) x509util.WithOption {
// period according to an imposed expiration time. // period according to an imposed expiration time.
type profileLimitDuration struct { type profileLimitDuration struct {
def time.Duration def time.Duration
notAfter time.Time notBefore, notAfter time.Time
} }
// Option returns an x509util option that limits the validity period of a // Option returns an x509util option that limits the validity period of a
@ -236,15 +236,17 @@ func (v profileLimitDuration) Option(so Options) x509util.WithOption {
notBefore = n notBefore = n
backdate = -1 * so.Backdate backdate = -1 * so.Backdate
} }
if notBefore.After(v.notAfter) { if notBefore.Before(v.notBefore) {
return errors.Errorf("provisioning credential expiration (%s) is before "+ return errors.Errorf("requested certificate notBefore (%s) is before "+
"requested certificate notBefore (%s)", v.notAfter, notBefore) "the active validity window of the provisioning credential (%s)",
notBefore, v.notBefore)
} }
notAfter := so.NotAfter.RelativeTime(notBefore) notAfter := so.NotAfter.RelativeTime(notBefore)
if notAfter.After(v.notAfter) { if notAfter.After(v.notAfter) {
return errors.Errorf("provisioning credential expiration (%s) is before "+ return errors.Errorf("requested certificate notAfter (%s) is after "+
"requested certificate notAfter (%s)", v.notAfter, notBefore) "the expiration of the provisioning credential (%s)",
notAfter, v.notAfter)
} }
if notAfter.IsZero() { if notAfter.IsZero() {
t := notBefore.Add(v.def) t := notBefore.Add(v.def)


@ -485,7 +485,7 @@ func Test_profileDefaultDuration_Option(t *testing.T) {
cert: new(x509.Certificate), cert: new(x509.Certificate),
valid: func(cert *x509.Certificate) { valid: func(cert *x509.Certificate) {
n := now() n := now()
assert.True(t, n.After(cert.NotBefore), fmt.Sprintf("expected now = %s to be after cert.NotBefore = %s", n, cert.NotBefore)) assert.True(t, n.Add(3*time.Second).After(cert.NotBefore), fmt.Sprintf("expected now = %s to be after cert.NotBefore = %s", n.Add(3*time.Second), cert.NotBefore))
assert.True(t, n.Add(-1*time.Minute).Before(cert.NotBefore)) assert.True(t, n.Add(-1*time.Minute).Before(cert.NotBefore))
assert.Equals(t, cert.NotAfter, na) assert.Equals(t, cert.NotAfter, na)
@ -530,14 +530,14 @@ func Test_profileLimitDuration_Option(t *testing.T) {
err error err error
} }
tests := map[string]func() test{ tests := map[string]func() test{
"fail/notBefore-after-limit": func() test { "fail/notBefore-before-active-window": func() test {
d, err := ParseTimeDuration("8h") d, err := ParseTimeDuration("6h")
assert.FatalError(t, err) assert.FatalError(t, err)
return test{ return test{
pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)}, pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n.Add(8 * time.Hour)},
so: Options{NotBefore: d}, so: Options{NotBefore: d},
cert: new(x509.Certificate), cert: new(x509.Certificate),
err: errors.New("provisioning credential expiration ("), err: errors.New("requested certificate notBefore ("),
} }
}, },
"fail/requested-notAfter-after-limit": func() test { "fail/requested-notAfter-after-limit": func() test {
@ -547,7 +547,7 @@ func Test_profileLimitDuration_Option(t *testing.T) {
pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)}, pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)},
so: Options{NotBefore: NewTimeDuration(n.Add(3 * time.Hour)), NotAfter: d}, so: Options{NotBefore: NewTimeDuration(n.Add(3 * time.Hour)), NotAfter: d},
cert: new(x509.Certificate), cert: new(x509.Certificate),
err: errors.New("provisioning credential expiration ("), err: errors.New("requested certificate notAfter ("),
} }
}, },
"ok/valid-notAfter-requested": func() test { "ok/valid-notAfter-requested": func() test {
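Review bot: The former `fail/notBefore-after-limit` case was rewritten into `fail/notBefore-before-active-window` instead of being kept alongside it, so the table no longer exercises a requested notBefore that falls after the credential's notAfter, which is exactly the branch the validator stopped checking in this commit. Re-add the old case under its original name with `pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)}` and `so: Options{NotBefore: d}` where `d` is the parsed `"8h"`, asserting whatever error the validator reports for that input. Note also that the new fail case leaves `notAfter` zero in the struct literal, which only works because the lower-bound check returns first; setting a realistic `notAfter` would make the case robust to reordering of the checks. The enclosing Test_profileLimitDuration_Option continues outside the hunk.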


@ -199,7 +199,8 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
return []SignOption{ return []SignOption{
// modifiers / withOptions // modifiers / withOptions
newProvisionerExtensionOption(TypeX5C, p.Name, ""), newProvisionerExtensionOption(TypeX5C, p.Name, ""),
profileLimitDuration{p.claimer.DefaultTLSCertDuration(), claims.chains[0][0].NotAfter}, profileLimitDuration{p.claimer.DefaultTLSCertDuration(),
claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter},
// validators // validators
commonNameValidator(claims.Subject), commonNameValidator(claims.Subject),
defaultPublicKeyValidator{}, defaultPublicKeyValidator{},
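Review bot: The positional literal `profileLimitDuration{p.claimer.DefaultTLSCertDuration(), claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter}` now carries two adjacent `time.Time` fields, so swapping notBefore and notAfter would compile silently and invert the enforced window. Use keyed fields: `profileLimitDuration{def: p.claimer.DefaultTLSCertDuration(),` / `notBefore: claims.chains[0][0].NotBefore, notAfter: claims.chains[0][0].NotAfter},`. The `claims.chains[0][0]` indexing presumably relies on chain verification earlier in AuthorizeSign guaranteeing a non-empty chain; that code is outside the hunk, and the function starts before it.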