mbiryukova/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

Remove policy validation on renew

Browse source
This commit is contained in:
Mariano Cano 2022-09-22 12:17:16 -07:00
parent ccd93684c3
commit 2eba5326db
1 changed files with 6 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
authority/tls.go
View file

@ -348,9 +348,12 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext) newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext)
} }
// Check if the certificate is allowed to be renewed, policies or // Check if the certificate is allowed to be renewed, name constraints might
// constraints might change over time. // change over time.
if err := a.isAllowedToSignX509Certificate(newCert); err != nil { //
// TODO(hslatman,maraino): consider adding policies too and consider if
// RenewSSH should check policies.
if err := a.constraintsEngine.ValidateCertificate(newCert); err != nil {
var ee *errs.Error var ee *errs.Error
if errors.As(err, &ee) { if errors.As(err, &ee) {
return nil, errs.ApplyOptions(ee, opts...) return nil, errs.ApplyOptions(ee, opts...)