Update profileLimitDuration validator ...

- respect notBefore of the provisioner
- modify/fix the reported errors
This commit is contained in:
max furman 2020-06-16 12:16:43 -07:00
parent 54be8889cd
commit 7d5cf34ce5
3 changed files with 17 additions and 14 deletions


@ -221,8 +221,8 @@ func (v profileDefaultDuration) Option(so Options) x509util.WithOption {
// profileLimitDuration is an x509 profile option that modifies an x509 validity
// period according to an imposed expiration time.
type profileLimitDuration struct {
def time.Duration
notAfter time.Time
def time.Duration
notBefore, notAfter time.Time
}
// Option returns an x509util option that limits the validity period of a
@ -236,15 +236,17 @@ func (v profileLimitDuration) Option(so Options) x509util.WithOption {
notBefore = n
backdate = -1 * so.Backdate
}
if notBefore.After(v.notAfter) {
return errors.Errorf("provisioning credential expiration (%s) is before "+
"requested certificate notBefore (%s)", v.notAfter, notBefore)
if notBefore.Before(v.notBefore) {
return errors.Errorf("requested certificate notBefore (%s) is before "+
"the active validity window of the provisioning credential (%s)",
notBefore, v.notBefore)
}
notAfter := so.NotAfter.RelativeTime(notBefore)
if notAfter.After(v.notAfter) {
return errors.Errorf("provisioning credential expiration (%s) is before "+
"requested certificate notAfter (%s)", v.notAfter, notBefore)
return errors.Errorf("requested certificate notAfter (%s) is after "+
"the expiration of the provisioning credential (%s)",
notAfter, v.notAfter)
}
if notAfter.IsZero() {
t := notBefore.Add(v.def)
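Review bot: Replacing the `notBefore.After(v.notAfter)` guard with `notBefore.Before(v.notBefore)` drops the upper bound on the requested notBefore: a notBefore later than the provisioning credential's expiration now passes the first check, and the later `notAfter.After(v.notAfter)` check only catches it when a NotAfter was actually requested, since the unrequested case falls through to the `notAfter.IsZero()` default branch. What that branch does after `t := notBefore.Add(v.def)` is outside the hunk; if it clamps to `v.notAfter` the result is a certificate whose notBefore is after its notAfter, and if it errors, the message would blame notAfter rather than the out-of-window notBefore. Keep both bounds on notBefore, e.g. right after the new check add `if notBefore.After(v.notAfter) { return errors.Errorf("requested certificate notBefore (%s) is after the expiration of the provisioning credential (%s)", notBefore, v.notAfter) }`. The enclosing Option method starts before and ends after this hunk.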


@ -485,7 +485,7 @@ func Test_profileDefaultDuration_Option(t *testing.T) {
cert: new(x509.Certificate),
valid: func(cert *x509.Certificate) {
n := now()
assert.True(t, n.After(cert.NotBefore), fmt.Sprintf("expected now = %s to be after cert.NotBefore = %s", n, cert.NotBefore))
assert.True(t, n.Add(3*time.Second).After(cert.NotBefore), fmt.Sprintf("expected now = %s to be after cert.NotBefore = %s", n.Add(3*time.Second), cert.NotBefore))
assert.True(t, n.Add(-1*time.Minute).Before(cert.NotBefore))
assert.Equals(t, cert.NotAfter, na)
@ -530,14 +530,14 @@ func Test_profileLimitDuration_Option(t *testing.T) {
err error
}
tests := map[string]func() test{
"fail/notBefore-after-limit": func() test {
d, err := ParseTimeDuration("8h")
"fail/notBefore-before-active-window": func() test {
d, err := ParseTimeDuration("6h")
assert.FatalError(t, err)
return test{
pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)},
pld: profileLimitDuration{def: 4 * time.Hour, notBefore: n.Add(8 * time.Hour)},
so: Options{NotBefore: d},
cert: new(x509.Certificate),
err: errors.New("provisioning credential expiration ("),
err: errors.New("requested certificate notBefore ("),
}
},
"fail/requested-notAfter-after-limit": func() test {
@ -547,7 +547,7 @@ func Test_profileLimitDuration_Option(t *testing.T) {
pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)},
so: Options{NotBefore: NewTimeDuration(n.Add(3 * time.Hour)), NotAfter: d},
cert: new(x509.Certificate),
err: errors.New("provisioning credential expiration ("),
err: errors.New("requested certificate notAfter ("),
}
},
"ok/valid-notAfter-requested": func() test {
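Review bot: Renaming "fail/notBefore-after-limit" to "fail/notBefore-before-active-window" replaces the only case exercising a requested notBefore past the credential's notAfter instead of adding to it, so that boundary is now untested (the "fail/requested-notAfter-after-limit" case only covers a requested notAfter). Keep the old case alongside the new one, e.g. `pld: profileLimitDuration{def: 4 * time.Hour, notAfter: n.Add(6 * time.Hour)}` with `so: Options{NotBefore: d}` and d parsed from "8h", asserting whichever error the validator is meant to return for that input. The new case also leaves `pld.notAfter` zero, so the table no longer has a case with both bounds set and a requested notBefore inside the window; one such "ok" case would pin the intended semantics of the two-sided check. The tests map continues outside the hunk.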


@ -199,7 +199,8 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
return []SignOption{
// modifiers / withOptions
newProvisionerExtensionOption(TypeX5C, p.Name, ""),
profileLimitDuration{p.claimer.DefaultTLSCertDuration(), claims.chains[0][0].NotAfter},
profileLimitDuration{p.claimer.DefaultTLSCertDuration(),
claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter},
// validators
commonNameValidator(claims.Subject),
defaultPublicKeyValidator{},
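Review bot: The positional literal `profileLimitDuration{p.claimer.DefaultTLSCertDuration(), claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter}` relies on struct field order, and the two time fields share a type, so a future reorder of the struct would silently swap the window bounds and still compile; use keyed fields, `profileLimitDuration{def: p.claimer.DefaultTLSCertDuration(), notBefore: claims.chains[0][0].NotBefore, notAfter: claims.chains[0][0].NotAfter},`. The `claims.chains[0][0]` indexing presumably depends on a non-empty verified chain established earlier in AuthorizeSign, which is outside this hunk; a short comment such as `// chains[0][0] is the verified leaf; its validity window bounds the issued cert` would make that dependency visible to the next reader. AuthorizeSign starts before and ends after this hunk.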