caddypki: check intermediate lifetime to actual root cert lifetime (#7272)

This commit is contained in:
Y.Horie 2025-09-27 01:24:52 +09:00 committed by GitHub
parent 25be2f26fc
commit 1e82f9652e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -124,8 +124,6 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
} }
if ca.IntermediateLifetime == 0 { if ca.IntermediateLifetime == 0 {
ca.IntermediateLifetime = caddy.Duration(defaultIntermediateLifetime) ca.IntermediateLifetime = caddy.Duration(defaultIntermediateLifetime)
} else if time.Duration(ca.IntermediateLifetime) >= defaultRootLifetime {
return fmt.Errorf("intermediate certificate lifetime must be less than root certificate lifetime (%s)", defaultRootLifetime)
} }
// load the certs and key that will be used for signing // load the certs and key that will be used for signing
@ -144,6 +142,10 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
if err != nil { if err != nil {
return err return err
} }
actualRootLifetime := time.Until(rootCert.NotAfter)
if time.Duration(ca.IntermediateLifetime) >= actualRootLifetime {
return fmt.Errorf("intermediate certificate lifetime must be less than actual root certificate lifetime (%s)", actualRootLifetime)
}
if ca.Intermediate != nil { if ca.Intermediate != nil {
interCert, interKey, err = ca.Intermediate.Load() interCert, interKey, err = ca.Intermediate.Load()
} else { } else {