Add leeway in identity not before.
This commit is contained in:
parent
0512f6e3e5
commit
caa2b8dbb7
2 changed files with 6 additions and 4 deletions
|
@ -7,11 +7,10 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/smallstep/certificates/templates"
|
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/certificates/authority/provisioner"
|
"github.com/smallstep/certificates/authority/provisioner"
|
||||||
"github.com/smallstep/certificates/db"
|
"github.com/smallstep/certificates/db"
|
||||||
|
"github.com/smallstep/certificates/templates"
|
||||||
"github.com/smallstep/cli/crypto/tlsutil"
|
"github.com/smallstep/cli/crypto/tlsutil"
|
||||||
"github.com/smallstep/cli/crypto/x509util"
|
"github.com/smallstep/cli/crypto/x509util"
|
||||||
)
|
)
|
||||||
|
|
|
@ -32,6 +32,9 @@ const Disabled IdentityType = ""
|
||||||
// MutualTLS represents the identity using mTLS
|
// MutualTLS represents the identity using mTLS
|
||||||
const MutualTLS IdentityType = "mTLS"
|
const MutualTLS IdentityType = "mTLS"
|
||||||
|
|
||||||
|
// DefaultLeeway is the duration for matching not before claims.
|
||||||
|
const DefaultLeeway = 1 * time.Minute
|
||||||
|
|
||||||
// IdentityFile contains the location of the identity file.
|
// IdentityFile contains the location of the identity file.
|
||||||
var IdentityFile = filepath.Join(config.StepPath(), "config", "identity.json")
|
var IdentityFile = filepath.Join(config.StepPath(), "config", "identity.json")
|
||||||
|
|
||||||
|
@ -179,8 +182,8 @@ func (i *Identity) Options() ([]ClientOption, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "error creating identity certificate")
|
return nil, errors.Wrap(err, "error creating identity certificate")
|
||||||
}
|
}
|
||||||
now := time.Now()
|
now := time.Now().Truncate(time.Second)
|
||||||
if now.Before(x509Cert.NotBefore) || now.After(x509Cert.NotAfter) {
|
if now.Add(DefaultLeeway).Before(x509Cert.NotBefore) || now.After(x509Cert.NotAfter) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
return []ClientOption{WithCertificate(crt)}, nil
|
return []ClientOption{WithCertificate(crt)}, nil
|
||||||
|
|
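Review bot: The new comparison on the changed line in Options() tolerates a certificate whose NotBefore is up to `DefaultLeeway` in the future, while the NotAfter check on the same line stays strict and `Truncate(time.Second)` shifts `now` earlier, so the two validity bounds are no longer treated symmetrically; if that is deliberate (skew tolerance for a freshly issued certificate, never for an expired one) the constant's comment should say so, since "matching not before claims" reads as JWT wording for what is an X.509 validity check — e.g. `// DefaultLeeway is the clock-skew tolerance applied only to the identity certificate's NotBefore; an expired certificate is never used.` Note too that a certificate outside the window still returns `nil, nil`, so a stale identity silently degrades to "no client certificate" rather than surfacing an error the caller can log; that appears to be pre-existing behaviour, but the leeway now makes the boundary less obvious and worth a why-comment on the `return nil, nil` line. Options() begins outside this hunk.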