From cc43dc734b13b02166ea86cf6c9df7fd86e8ad46 Mon Sep 17 00:00:00 2001
From: Gunnar Beutner
Date: Wed, 30 Aug 2017 15:48:02 +0200
Subject: [PATCH] =?UTF-8?q?Refuse=20to=20sign=20certificate=20if=20it=20al?= =?UTF-8?q?ready=20has=20the=20correct=20chain=20and=20doesn=E2=80=99t=20e?= =?UTF-8?q?xpire=20soon?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

refs #5450
---
 lib/remote/jsonrpcconnection-pki.cpp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index 74457065e..8c221ee7f 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@@ -92,7 +92,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
  if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
  goto delayed_request;
 
- if (!origin->FromClient->IsAuthenticated()) {
+ if (!VerifyCertificate(cacert, cert)) {
  String salt = listener->GetTicketSalt();
  String ticket = params->Get("ticket");
 
@@ -107,8 +107,19 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
  result->Set("error", "Invalid ticket.");
  return result;
  }
+ } else {
+ time_t renewalStart;
+ time(&renewalStart);
+ renewalStart += 30 * 24 * 60 * 60;
+
+ if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart)) {
+ result->Set("status_code", 1);
+ result->Set("error", "The certificate cannot be renewed yet.");
+ return result;
+ }
  }
 
+ pubkey = X509_get_pubkey(cert.get());
  subject = X509_get_subject_name(cert.get());
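Review bot: The new condition `if (!VerifyCertificate(cacert, cert)) {` in the first hunk drops the `origin->FromClient->IsAuthenticated()` check, so whether ticket validation is skipped now rests solely on the submitted certificate chaining to the CA rather than on how the connection itself was authenticated, and that intent deserves a comment above the line, e.g. `// A cert that already chains to our CA may be renewed without a ticket; anything else must present a valid ticket.` If VerifyCertificate applies OpenSSL's default validity-period check, an already-expired certificate fails here and is routed into the ticket path instead of the renewal path; that should be confirmed against the helper (defined outside this hunk) or, if ticket-less renewal of expired certificates is intended, relaxed with X509_V_FLAG_NO_CHECK_TIME. RequestCertificateHandler begins before this hunk, and its body, including the else branch paired with this if, continues into the next hunk.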