Update profileLimitDuration validator ...
- respect notBefore of the provisioner - modify/fix the reported errors
This commit is contained in:
parent
54be8889cd
commit
7d5cf34ce5
3 changed files with 17 additions and 14 deletions
|
@ -221,8 +221,8 @@ func (v profileDefaultDuration) Option(so Options) x509util.WithOption {
|
||||||
// profileLimitDuration is an x509 profile option that modifies an x509 validity
|
// profileLimitDuration is an x509 profile option that modifies an x509 validity
|
||||||
// period according to an imposed expiration time.
|
// period according to an imposed expiration time.
|
||||||
type profileLimitDuration struct {
|
type profileLimitDuration struct {
|
||||||
def time.Duration
|
def time.Duration
|
||||||
notAfter time.Time
|
notBefore, notAfter time.Time
|
||||||
}
|
}
|
||||||
|
|
||||||
// Option returns an x509util option that limits the validity period of a
|
// Option returns an x509util option that limits the validity period of a
|
||||||
|
@ -236,15 +236,17 @@ func (v profileLimitDuration) Option(so Options) x509util.WithOption {
|
||||||
notBefore = n
|
notBefore = n
|
||||||
backdate = -1 * so.Backdate
|
backdate = -1 * so.Backdate
|
||||||
}
|
}
|
||||||
if notBefore.After(v.notAfter) {
|
if notBefore.Before(v.notBefore) {
|
||||||
return errors.Errorf("provisioning credential expiration (%s) is before "+
|
return errors.Errorf("requested certificate notBefore (%s) is before "+
|
||||||
"requested certificate notBefore (%s)", v.notAfter, notBefore)
|
"the active validity window of the provisioning credential (%s)",
|
||||||
|
notBefore, v.notBefore)
|
||||||
}
|
}
|
||||||
|
|
||||||
notAfter := so.NotAfter.RelativeTime(notBefore)
|
notAfter := so.NotAfter.RelativeTime(notBefore)
|
||||||
if notAfter.After(v.notAfter) {
|
if notAfter.After(v.notAfter) {
|
||||||
return errors.Errorf("provisioning credential expiration (%s) is before "+
|
return errors.Errorf("requested certificate notAfter (%s) is after "+
|
||||||
"requested certificate notAfter (%s)", v.notAfter, notBefore)
|
"the expiration of the provisioning credential (%s)",
|
||||||
|
notAfter, v.notAfter)
|
||||||
}
|
}
|
||||||
if notAfter.IsZero() {
|
if notAfter.IsZero() {
|
||||||
t := notBefore.Add(v.def)
|
t := notBefore.Add(v.def)
|
||||||
|
|
|
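Review bot: The new comparison `if notBefore.Before(v.notBefore)` replaces, rather than supplements, the old rejection of a requested notBefore that lies after the credential's notAfter, so that case now fails only indirectly through the later notAfter check. When the requested notAfter is an absolute time inside the credential window, both checks pass and the function continues (its body runs past the hunk) with a notBefore later than v.notAfter, which yields an inverted validity period unless something downstream rejects it. Keeping both bounds is a short addition right after the first check: `if notBefore.After(v.notAfter) { return errors.Errorf("requested certificate notBefore (%s) is after the expiration of the provisioning credential (%s)", notBefore, v.notAfter) }`. Separately, `backdate = -1 * so.Backdate` is computed just before this comparison while notBefore itself is not backdated here, so if the backdate is applied later the effective NotBefore may still precede v.notBefore by so.Backdate; a comment stating which value the credential window is enforced against would settle that. The two new struct fields in the first hunk would also benefit from a comment such as `// notBefore and notAfter bound the issued certificate to the provisioning credential's own validity window.`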
@ -485,7 +485,7 @@ func Test_profileDefaultDuration_Option(t *testing.T) {
|
||||||
cert: new(x509.Certificate),
|
cert: new(x509.Certificate),
|
||||||
valid: func(cert *x509.Certificate) {
|
valid: func(cert *x509.Certificate) {
|
||||||
n := now()
|
n := now()
|
||||||
assert.True(t, n.After(cert.NotBefore), fmt.Sprintf("expected now = %s to be after cert.NotBefore = %s", n, cert.NotBefore))
|
assert.True(t, n.Add(3*time.Second).After(cert.NotBefore), fmt.Sprintf("expected now = %s to be after cert.NotBefore = %s", n.Add(3*time.Second), cert.NotBefore))
|
||||||
assert.True(t, n.Add(-1*time.Minute).Before(cert.NotBefore))
|
assert.True(t, n.Add(-1*time.Minute).Before(cert.NotBefore))
|
||||||
|
|
||||||
assert.Equals(t, cert.NotAfter, na)
|
assert.Equals(t, cert.NotAfter, na)
|
||||||
|
@ -530,14 +530,14 @@ func Test_profileLimitDuration_Option(t *testing.T) {
|
||||||
err error
|
err error
|
||||||
}
|
}
|
||||||
tests := map[string]func() test{
|
tests := map[string]func() test{
|
||||||
"fail/notBefore-after-limit": func() test {
|
"fail/notBefore-before-active-window": func() test {
|
||||||
d, err := ParseTimeDuration("8h")
|
d, err := ParseTimeDuration("6h")
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
return test{
|
return test{
|
||||||
pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)},
|
pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n.Add(8 * time.Hour)},
|
||||||
so: Options{NotBefore: d},
|
so: Options{NotBefore: d},
|
||||||
cert: new(x509.Certificate),
|
cert: new(x509.Certificate),
|
||||||
err: errors.New("provisioning credential expiration ("),
|
err: errors.New("requested certificate notBefore ("),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail/requested-notAfter-after-limit": func() test {
|
"fail/requested-notAfter-after-limit": func() test {
|
||||||
|
@ -547,7 +547,7 @@ func Test_profileLimitDuration_Option(t *testing.T) {
|
||||||
pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)},
|
pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)},
|
||||||
so: Options{NotBefore: NewTimeDuration(n.Add(3 * time.Hour)), NotAfter: d},
|
so: Options{NotBefore: NewTimeDuration(n.Add(3 * time.Hour)), NotAfter: d},
|
||||||
cert: new(x509.Certificate),
|
cert: new(x509.Certificate),
|
||||||
err: errors.New("provisioning credential expiration ("),
|
err: errors.New("requested certificate notAfter ("),
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"ok/valid-notAfter-requested": func() test {
|
"ok/valid-notAfter-requested": func() test {
|
||||||
|
|
|
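Review bot: Renaming `"fail/notBefore-after-limit"` to `"fail/notBefore-before-active-window"` and changing its fixture drops the only case that exercised a requested notBefore later than the credential's notAfter, so that path is now untested rather than additionally tested. I would keep the old case next to the new one — `pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)}` with `so: Options{NotBefore: d}` for a `d` parsed from `"8h"` — asserting whatever error the implementation is meant to return for it. In the first hunk, the assertion loosened to `n.Add(3*time.Second).After(cert.NotBefore)` carries no comment explaining the three-second slack, and the failure message still labels that shifted value as "now"; a one-line comment giving the actual reason for the tolerance would help the next reader.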
@ -199,7 +199,8 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
return []SignOption{
|
return []SignOption{
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeX5C, p.Name, ""),
|
newProvisionerExtensionOption(TypeX5C, p.Name, ""),
|
||||||
profileLimitDuration{p.claimer.DefaultTLSCertDuration(), claims.chains[0][0].NotAfter},
|
profileLimitDuration{p.claimer.DefaultTLSCertDuration(),
|
||||||
|
claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter},
|
||||||
// validators
|
// validators
|
||||||
commonNameValidator(claims.Subject),
|
commonNameValidator(claims.Subject),
|
||||||
defaultPublicKeyValidator{},
|
defaultPublicKeyValidator{},
|
||||||
|
|
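Review bot: The positional literal `profileLimitDuration{p.claimer.DefaultTLSCertDuration(), claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter}` now carries two adjacent `time.Time` fields, so swapping them, or a future reordering of the struct, compiles silently and inverts the enforced window. Prefer keyed fields: `profileLimitDuration{def: p.claimer.DefaultTLSCertDuration(), notBefore: claims.chains[0][0].NotBefore, notAfter: claims.chains[0][0].NotAfter},`. The `claims.chains[0][0]` indexing is presumably guarded earlier in AuthorizeSign, which starts outside the hunk; if it is not, an empty chain would panic here.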