Skip to content

Commit

Permalink
change ordering of expiry checks and add explicit error type for expired
Browse files Browse the repository at this point in the history
certs

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
  • Loading branch information
riyazdf committed Aug 8, 2016
1 parent 2952229 commit 1c7d922
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 13 deletions.
9 changes: 9 additions & 0 deletions tuf/data/errors.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,3 +42,12 @@ func (e ErrMismatchedChecksum) Error() string {
return fmt.Sprintf("%s checksum for %s did not match: expected %s", e.alg, e.name,
e.expected)
}

// ErrCertExpired is the error to be returned when a certificate has expired
type ErrCertExpired struct {
CN string
}

func (e ErrCertExpired) Error() string {
return fmt.Sprintf("certificate with CN %s is expired", e.CN)
}
9 changes: 8 additions & 1 deletion tuf/tuf.go
Original file line number Diff line number Diff line change
Expand Up @@ -253,7 +253,14 @@ func (tr *Repo) GetDelegationRole(name string) (data.DelegationRole, error) {
continue
}
if err := utils.ValidateCertificate(certFromKey, true); err != nil {
logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err)
switch err.(type) {
case data.ErrCertExpired:
logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err)
default:
// skip delegation roles for other invalid cert errors
continue
}

}
}
foundRole = &delgRole
Expand Down
24 changes: 12 additions & 12 deletions tuf/utils/x509.go
Original file line number Diff line number Diff line change
Expand Up @@ -264,18 +264,6 @@ func ValidateCertificate(c *x509.Certificate, checkExpiry bool) error {
if (c.NotBefore).After(c.NotAfter) {
return fmt.Errorf("certificate validity window is invalid")
}
if checkExpiry {
now := time.Now()
tomorrow := now.AddDate(0, 0, 1)
// Give one day leeway on creation "before" time, check "after" against today
if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
return fmt.Errorf("certificate with CN %s is expired", c.Subject.CommonName)
}
// If this certificate is expiring within 6 months, put out a warning
if (c.NotAfter).Before(time.Now().AddDate(0, 6, 0)) {
logrus.Warnf("certificate with CN %s is near expiry", c.Subject.CommonName)
}
}
// Can't have SHA1 sig algorithm
if c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.DSAWithSHA1 || c.SignatureAlgorithm == x509.ECDSAWithSHA1 {
return fmt.Errorf("certificate with CN %s uses invalid SHA1 signature algorithm", c.Subject.CommonName)
Expand All @@ -290,6 +278,18 @@ func ValidateCertificate(c *x509.Certificate, checkExpiry bool) error {
return fmt.Errorf("RSA bit length is too short")
}
}
if checkExpiry {
now := time.Now()
tomorrow := now.AddDate(0, 0, 1)
// Give one day leeway on creation "before" time, check "after" against today
if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
return data.ErrCertExpired{CN: c.Subject.CommonName}
}
// If this certificate is expiring within 6 months, put out a warning
if (c.NotAfter).Before(time.Now().AddDate(0, 6, 0)) {
logrus.Warnf("certificate with CN %s is near expiry", c.Subject.CommonName)
}
}
return nil
}

Expand Down

0 comments on commit 1c7d922

Please sign in to comment.