Move intermediate lifetime configuration check
In #7272 a check was changed to ensure that generated intermediate certificates would always use a lifetime that falls within the lifetime of the root. However, when a root and intermediate(s) are supplied, the configuration value was being used instead of the actual lifetimes of the certificates. The check was moved to only be performed when an intermediate is generated; not when loaded from disk.
This commit is contained in:
parent
c2a2626f86
commit
80eb3e81e5
2 changed files with 12 additions and 6 deletions
|
|
@ -145,13 +145,15 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
actualRootLifetime := time.Until(rootCert.NotAfter)
|
||||
if time.Duration(ca.IntermediateLifetime) >= actualRootLifetime {
|
||||
return fmt.Errorf("intermediate certificate lifetime must be less than actual root certificate lifetime (%s)", actualRootLifetime)
|
||||
}
|
||||
|
||||
if ca.Intermediate != nil {
|
||||
interCertChain, interKey, err = ca.Intermediate.Load()
|
||||
} else {
|
||||
actualRootLifetime := time.Until(rootCert.NotAfter)
|
||||
if time.Duration(ca.IntermediateLifetime) >= actualRootLifetime {
|
||||
return fmt.Errorf("intermediate certificate lifetime must be less than actual root certificate lifetime (%s)", actualRootLifetime)
|
||||
}
|
||||
|
||||
interCertChain, interKey, err = ca.loadOrGenIntermediate(rootCert, rootKey)
|
||||
}
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
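Review bot: The supplied-intermediate branch (`interCertChain, interKey, err = ca.Intermediate.Load()` just before the `} else {`) now performs no lifetime validation at all, so an intermediate whose NotAfter is later than the root's is accepted silently even though the commit message says the actual certificate lifetimes should govern. A check on the loaded chain would close that gap, e.g. after the `if err != nil` that closes the hunk: `if len(interCertChain) > 0 && interCertChain[0].NotAfter.After(rootCert.NotAfter) { return fmt.Errorf("supplied intermediate certificate expires after root certificate (%s)", rootCert.NotAfter) }`, assuming interCertChain is a slice of *x509.Certificate as the Load call suggests. The name loadOrGenIntermediate also suggests the else branch may return an intermediate loaded from storage rather than a freshly generated one; if so, the moved comparison is still testing the configured IntermediateLifetime instead of that certificate's real expiry and belongs inside the generate path only. Provision begins before and ends after this hunk.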
@ -43,6 +43,8 @@ func TestInternalIssuer_Issue(t *testing.T) {
|
|||
Subject: pkix.Name{CommonName: "test-root"},
|
||||
IsCA: true,
|
||||
MaxPathLen: 3,
|
||||
NotAfter: time.Now().Add(7 * 24 * time.Hour),
|
||||
NotBefore: time.Now().Add(-7 * 24 * time.Hour),
|
||||
}
|
||||
rootBytes, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, rootSigner.Public(), rootSigner)
|
||||
if err != nil {
|
||||
|
|
@ -63,7 +65,8 @@ func TestInternalIssuer_Issue(t *testing.T) {
|
|||
Subject: pkix.Name{CommonName: "test-first-intermediate"},
|
||||
IsCA: true,
|
||||
MaxPathLen: 2,
|
||||
NotAfter: time.Now().Add(time.Hour),
|
||||
NotAfter: time.Now().Add(24 * time.Hour),
|
||||
NotBefore: time.Now().Add(-24 * time.Hour),
|
||||
}, root, firstIntermediateSigner.Public(), rootSigner)
|
||||
if err != nil {
|
||||
t.Fatalf("Creating intermediate certificate failed: %v", err)
|
||||
|
|
@ -83,7 +86,8 @@ func TestInternalIssuer_Issue(t *testing.T) {
|
|||
Subject: pkix.Name{CommonName: "test-second-intermediate"},
|
||||
IsCA: true,
|
||||
MaxPathLen: 2,
|
||||
NotAfter: time.Now().Add(time.Hour),
|
||||
NotAfter: time.Now().Add(24 * time.Hour),
|
||||
NotBefore: time.Now().Add(-24 * time.Hour),
|
||||
}, firstIntermediate, secondIntermediateSigner.Public(), firstIntermediateSigner)
|
||||
if err != nil {
|
||||
t.Fatalf("Creating second intermediate certificate failed: %v", err)
|
||||
|
|
|
|||
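Review bot: The validity windows introduced across the three hunks only work because the intermediates (±24h) nest inside the root (±7d), but nothing visible in the hunks records that dependency, so a later edit to one template can break chain ordering with a confusing failure; a comment on the root template such as `// root window must enclose the intermediate windows (±24h) below` would capture it. Each template also calls `time.Now()` separately for NotBefore and NotAfter; hoisting `now := time.Now()` once at the top of the test and deriving every bound from it keeps the three windows consistent with each other. TestInternalIssuer_Issue begins before the first hunk and continues past the last.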