Add leeway in identity not before.

This commit is contained in:
Mariano Cano 2019-12-09 16:54:48 -08:00 committed by max furman
parent 0512f6e3e5
commit caa2b8dbb7
2 changed files with 6 additions and 4 deletions

View file

@ -7,11 +7,10 @@ import (
"os"
"time"
"github.com/smallstep/certificates/templates"
"github.com/pkg/errors"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/db"
"github.com/smallstep/certificates/templates"
"github.com/smallstep/cli/crypto/tlsutil"
"github.com/smallstep/cli/crypto/x509util"
)

View file

@ -32,6 +32,9 @@ const Disabled IdentityType = ""
// MutualTLS represents the identity using mTLS
const MutualTLS IdentityType = "mTLS"
// DefaultLeeway is the duration for matching not before claims.
const DefaultLeeway = 1 * time.Minute
// IdentityFile contains the location of the identity file.
var IdentityFile = filepath.Join(config.StepPath(), "config", "identity.json")
@ -179,8 +182,8 @@ func (i *Identity) Options() ([]ClientOption, error) {
if err != nil {
return nil, errors.Wrap(err, "error creating identity certificate")
}
now := time.Now()
if now.Before(x509Cert.NotBefore) || now.After(x509Cert.NotAfter) {
now := time.Now().Truncate(time.Second)
if now.Add(DefaultLeeway).Before(x509Cert.NotBefore) || now.After(x509Cert.NotAfter) {
return nil, nil
}
return []ClientOption{WithCertificate(crt)}, nil