From 50152391a397461364c909615a6348e8af6fe183 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Mon, 9 Dec 2019 16:54:48 -0800 Subject: [PATCH] Add leeway in identity not before. --- authority/config.go | 3 +-- ca/identity.go | 7 +++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/authority/config.go b/authority/config.go index 462a764b..812a1db4 100644 --- a/authority/config.go +++ b/authority/config.go @@ -7,11 +7,10 @@ import ( "os" "time" - "github.com/smallstep/certificates/templates" - "github.com/pkg/errors" "github.com/smallstep/certificates/authority/provisioner" "github.com/smallstep/certificates/db" + "github.com/smallstep/certificates/templates" "github.com/smallstep/cli/crypto/tlsutil" "github.com/smallstep/cli/crypto/x509util" ) diff --git a/ca/identity.go b/ca/identity.go index a63ae671..d7ad7042 100644 --- a/ca/identity.go +++ b/ca/identity.go @@ -32,6 +32,9 @@ const Disabled IdentityType = "" // MutualTLS represents the identity using mTLS const MutualTLS IdentityType = "mTLS" +// DefaultLeeway is the duration for matching not before claims. +const DefaultLeeway = 1 * time.Minute + // IdentityFile contains the location of the identity file. var IdentityFile = filepath.Join(config.StepPath(), "config", "identity.json") @@ -179,8 +182,8 @@ func (i *Identity) Options() ([]ClientOption, error) { if err != nil { return nil, errors.Wrap(err, "error creating identity certificate") } - now := time.Now() - if now.Before(x509Cert.NotBefore) || now.After(x509Cert.NotAfter) { + now := time.Now().Truncate(time.Second) + if now.Add(DefaultLeeway).Before(x509Cert.NotBefore) || now.After(x509Cert.NotAfter) { return nil, nil } return []ClientOption{WithCertificate(crt)}, nil