Merge pull request #680 from smallstep/identity-cert-lifetime
Identity certificate lifetime
commit
c43d0362a4
2 changed files with 31 additions and 5 deletions
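--- a/FILE-1-PATH-NOT-ON-PAGE
+++ b/FILE-1-PATH-NOT-ON-PAGE
@@ -2,6 +2,7 @@ package api
 
 import (
 "net/http"
+"time"
 
 "github.com/pkg/errors"
 "github.com/smallstep/certificates/authority/provisioner"
@@ -72,7 +73,11 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 return
 }
 
-identity, err := h.renewIdentityCertificate(r)
+// Match identity cert with the SSH cert
+notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
+notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
+
+identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 if err != nil {
 WriteError(w, errs.ForbiddenErr(err))
 return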
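Review bot: The conversion at `notAfter := time.Unix(int64(oldCert.ValidBefore), 0)` is unsafe for an SSH certificate whose ValidBefore is `ssh.CertTimeInfinity`: the uint64 maximum wraps to -1 in the int64 conversion, the result is a date in 1969 that is not `IsZero()`, and renewIdentityCertificate would then force the identity certificate to expire in the past. A ValidAfter of 0 likewise yields the Unix epoch rather than the zero time.Time the callee treats as "not set". Map those values back to the zero time before the call, e.g. `if oldCert.ValidBefore == ssh.CertTimeInfinity { notAfter = time.Time{} }` (assuming oldCert is a golang.org/x/crypto/ssh certificate), and confirm that the resulting lifetime is still bounded by the authority's own maximum somewhere on this path. The same two lines appear in the SSHRenew hunk of the second file; SSHRekey's body starts and continues outside this hunk.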
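--- a/FILE-2-PATH-NOT-ON-PAGE
+++ b/FILE-2-PATH-NOT-ON-PAGE
@@ -1,7 +1,9 @@
 package api
 
 import (
+"crypto/x509"
 "net/http"
+"time"
 
 "github.com/pkg/errors"
 "github.com/smallstep/certificates/authority/provisioner"
@@ -62,7 +64,11 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 return
 }
 
-identity, err := h.renewIdentityCertificate(r)
+// Match identity cert with the SSH cert
+notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
+notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
+
+identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 if err != nil {
 WriteError(w, errs.ForbiddenErr(err))
 return
@@ -74,13 +80,28 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 }, http.StatusCreated)
 }
 
-// renewIdentityCertificate request the client TLS certificate if present.
-func (h *caHandler) renewIdentityCertificate(r *http.Request) ([]Certificate, error) {
+// renewIdentityCertificate request the client TLS certificate if present. If notBefore and notAfter are passed the
+func (h *caHandler) renewIdentityCertificate(r *http.Request, notBefore, notAfter time.Time) ([]Certificate, error) {
 if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
 return nil, nil
 }
 
-certChain, err := h.Authority.Renew(r.TLS.PeerCertificates[0])
+// Clone the certificate as we can modify it.
+cert, err := x509.ParseCertificate(r.TLS.PeerCertificates[0].Raw)
+if err != nil {
+return nil, errors.Wrap(err, "error parsing client certificate")
+}
+
+// Enforce the cert to match another certificate, for example an ssh
+// certificate.
+if !notBefore.IsZero() {
+cert.NotBefore = notBefore
+}
+if !notAfter.IsZero() {
+cert.NotAfter = notAfter
+}
+
+certChain, err := h.Authority.Renew(cert)
 if err != nil {
 return nil, err
 }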
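Review bot: The new doc comment on renewIdentityCertificate breaks off mid-sentence (`If notBefore and notAfter are passed the`) and the function now has a contract worth stating: a zero notBefore or notAfter leaves the client certificate's own validity untouched, while non-zero values are written onto a re-parsed copy before `h.Authority.Renew(cert)`. Whether Renew honours NotBefore/NotAfter from the certificate it is handed is not visible in this hunk and should be confirmed, since otherwise the override is silently ignored. Nothing checks that the two times are ordered; adding `if !notBefore.IsZero() && !notAfter.IsZero() && !notAfter.After(notBefore) { return nil, errors.New("invalid identity certificate lifetime") }` before the override would reject an inverted window instead of asking the authority to issue one. renewIdentityCertificate's body continues past the end of this hunk.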