From 74f52c6fcd7f8fb7a56ed49cad96d3e6138a26e8 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Tue, 12 Dec 2023 17:07:42 +0100
Subject: [PATCH] Introduce IsCaUptodate() by splitting IsCertUptodate()

---
 lib/base/tlsutility.cpp | 21 +++++++++++++++++----
 lib/base/tlsutility.hpp | 1 +
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index 5577bd2dd..eaefccc10 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -760,18 +760,31 @@ std::shared_ptr CreateCertIcingaCA(const std::shared_ptr& cert)
 return CreateCertIcingaCA(pkey.get(), X509_get_subject_name(cert.get()));
 }
 
+static inline
+bool CertExpiresWithin(X509* cert, int seconds)
+{
+ time_t renewalStart = time(nullptr) + seconds;
+
+ return X509_cmp_time(X509_get_notAfter(cert), &renewalStart) < 0;
+}
+
 bool IsCertUptodate(const std::shared_ptr& cert)
 {
- time_t now;
- time(&now);
+ if (CertExpiresWithin(cert.get(), RENEW_THRESHOLD)) {
+ return false;
+ }
 
 /* auto-renew all certificates which were created before 2017 to force an update of the CA,
 * because Icinga versions older than 2.4 sometimes create certificates with an invalid
 * serial number. */
 time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
- time_t renewalStart = now + RENEW_THRESHOLD;
 
- return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1;
+ return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) >= 0;
+}
+
+bool IsCaUptodate(X509* cert)
+{
+ return !CertExpiresWithin(cert, LEAF_VALID_FOR);
 }
 
 String CertificateToString(const std::shared_ptr& cert)
diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp
index 968e55a19..523b30d5d 100644
--- a/lib/base/tlsutility.hpp
+++ b/lib/base/tlsutility.hpp
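Review bot: CertExpiresWithin treats an unparseable notAfter as "not expiring", because X509_cmp_time() returns 0 on error and the new test is `< 0`, so a certificate — or, through IsCaUptodate, the CA itself — whose validity dates cannot be parsed is reported as up to date; the `>= 0` notBefore check in IsCertUptodate has the same gap (as did the old `!= -1` comparisons, so this is pre-existing rather than introduced here). Failing closed would be `return X509_cmp_time(X509_get_notAfter(cert), &renewalStart) != 1;` and `return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) == 1;`, which forces renewal of a certificate with malformed dates instead of silently keeping it. IsCaUptodate also deserves a comment on why it checks against LEAF_VALID_FOR rather than RENEW_THRESHOLD; the constant's name suggests the intent is that the CA stay valid at least as long as a freshly issued leaf would, e.g. `/* A CA that expires before a newly issued leaf would is treated as outdated, hence the leaf lifetime rather than the renewal threshold. */`. Since it takes a raw X509* while its siblings take a shared_ptr, the comment should also state that the caller must pass a non-null certificate, as X509_get_notAfter is called on it unchecked.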
@@ -64,6 +64,7 @@ std::shared_ptr StringToCertificate(const String& cert);
 std::shared_ptr CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject);
 std::shared_ptr CreateCertIcingaCA(const std::shared_ptr& cert);
 bool IsCertUptodate(const std::shared_ptr& cert);
+bool IsCaUptodate(X509* cert);
 
 String PBKDF2_SHA1(const String& password, const String& salt, int iterations);
 String PBKDF2_SHA256(const String& password, const String& salt, int iterations);