diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp index e022621e4..5cc266a54 100644 --- a/lib/base/tlsutility.cpp +++ b/lib/base/tlsutility.cpp @@ -752,18 +752,31 @@ std::shared_ptr CreateCertIcingaCA(const std::shared_ptr& cert) return CreateCertIcingaCA(pkey.get(), X509_get_subject_name(cert.get())); } +static inline +bool CertExpiresWithin(X509* cert, int seconds) +{ + time_t renewalStart = time(nullptr) + seconds; + + return X509_cmp_time(X509_get_notAfter(cert), &renewalStart) < 0; +} + bool IsCertUptodate(const std::shared_ptr& cert) { - time_t now; - time(&now); + if (CertExpiresWithin(cert.get(), RENEW_THRESHOLD)) { + return false; + } /* auto-renew all certificates which were created before 2017 to force an update of the CA, * because Icinga versions older than 2.4 sometimes create certificates with an invalid * serial number. */ time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */ - time_t renewalStart = now + RENEW_THRESHOLD; - return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1; + return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) >= 0; +} + +bool IsCaUptodate(X509* cert) +{ + return !CertExpiresWithin(cert, LEAF_VALID_FOR); } String CertificateToString(const std::shared_ptr& cert) diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp index 3b8a89c5e..1e46f1e31 100644 --- a/lib/base/tlsutility.hpp +++ b/lib/base/tlsutility.hpp @@ -61,6 +61,7 @@ std::shared_ptr StringToCertificate(const String& cert); std::shared_ptr CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject); std::shared_ptr CreateCertIcingaCA(const std::shared_ptr& cert); bool IsCertUptodate(const std::shared_ptr& cert); +bool IsCaUptodate(X509* cert); String PBKDF2_SHA1(const String& password, const String& salt, int iterations); String PBKDF2_SHA256(const String& password, const String& salt, int iterations);