Add slack on NotBefore value for generated certs.

This fixes an issue where, due to clock skew, one system can get a cert and try to use it before it thinks it's actually valid. The tolerance of 30 seconds should be high enough for pretty much any set of systems using NTP. Fixes #1035
hashicorp · Feb 7, 2016 · 122773b · 122773b
1 parent 71468c9
commit 122773b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
@@ -299,9 +299,13 @@ func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage certUsage,
 		}
 	}
 
-	if math.Abs(float64(time.Now().Unix()-cert.NotBefore.Unix())) > 10 {
+	// 40 seconds since we add 30 second slack for clock skew
+	if math.Abs(float64(time.Now().Unix()-cert.NotBefore.Unix())) > 40 {
 		return nil, fmt.Errorf("Validity period starts out of range")
 	}
+	if !cert.NotBefore.Before(time.Now().Add(-10 * time.Second)) {
+		return nil, fmt.Errorf("Validity period not far enough in the past")
+	}
 
 	if math.Abs(float64(time.Now().Add(validity).Unix()-cert.NotAfter.Unix())) > 10 {
 		return nil, fmt.Errorf("Validity period of %d too large vs max of 10", cert.NotAfter.Unix())

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
@@ -717,7 +717,7 @@ func createCertificate(creationInfo *creationBundle) (*certutil.ParsedCertBundle
 	certTemplate := &x509.Certificate{
 		SerialNumber:   serialNumber,
 		Subject:        subject,
-		NotBefore:      time.Now(),
+		NotBefore:      time.Now().Add(-30 * time.Second),
 		NotAfter:       time.Now().Add(creationInfo.TTL),
 		IsCA:           false,
 		SubjectKeyId:   subjKeyID,
@@ -873,7 +873,7 @@ func signCertificate(creationInfo *creationBundle,
 	certTemplate := &x509.Certificate{
 		SerialNumber: serialNumber,
 		Subject:      subject,
-		NotBefore:    time.Now(),
+		NotBefore:    time.Now().Add(-30 * time.Second),
 		NotAfter:     time.Now().Add(creationInfo.TTL),
 		SubjectKeyId: subjKeyID[:],
 	}