Refuse to sign certificate if it already has the correct chain and doesn’t expire soon

refs #5450
Gunnar Beutner 2017-08-30 15:48:02 +02:00
parent 440f848c7c
commit cc43dc734b
1 changed files with 12 additions and 1 deletions


@ -92,7 +92,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
goto delayed_request;
if (!origin->FromClient->IsAuthenticated()) {
if (!VerifyCertificate(cacert, cert)) {
String salt = listener->GetTicketSalt();
String ticket = params->Get("ticket");
@ -107,8 +107,19 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
result->Set("error", "Invalid ticket.");
return result;
}
} else {
time_t renewalStart;
time(&renewalStart);
renewalStart += 30 * 24 * 60 * 60;
if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart)) {
result->Set("status_code", 1);
result->Set("error", "The certificate cannot be renewed yet.");
return result;
}
}
pubkey = X509_get_pubkey(cert.get());
subject = X509_get_subject_name(cert.get());
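Review bot: The renewal guard `if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart))` refuses in both outcomes of a successful comparison, because X509_cmp_time returns -1 when notAfter is earlier than renewalStart (the certificate expires within the 30-day window and should be renewed) and 1 when it is later, with 0 reserved for a malformed time, so as written only the error case reaches the signing code that follows. The intended condition is `if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1) {`, which still refuses on a parse failure, the safe default for a CA-side decision. The literal `30 * 24 * 60 * 60` would read better as a named constant, e.g. `const time_t renewalWindow = 30 * 24 * 60 * 60; // renew only within 30 days of expiry`. RequestCertificateHandler begins before the first hunk and continues past the last line shown, so the surrounding control flow, including which condition the first hunk replaced, is not fully visible here.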