tyler.durden/icinga2
1
0
Fork 0
mirror of https://github.com/Icinga/icinga2.git synced 2025-07-26 23:24:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

Refuse to sign certificate if it already has the correct chain and doesn’t expire soon

Browse Source 
refs #5450
This commit is contained in:
Gunnar Beutner 2017-08-30 15:48:02 +02:00
parent 440f848c7c
commit cc43dc734b
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/remote/jsonrpcconnection-pki.cpp
View File

@ -92,7 +92,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
if (!Utility::PathExists(GetIcingaCADir() + "/ca.key")) if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
goto delayed_request; goto delayed_request;
if (!origin->FromClient->IsAuthenticated()) { if (!VerifyCertificate(cacert, cert)) {
String salt = listener->GetTicketSalt(); String salt = listener->GetTicketSalt();
String ticket = params->Get("ticket"); String ticket = params->Get("ticket");
@ -107,7 +107,18 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
result->Set("error", "Invalid ticket."); result->Set("error", "Invalid ticket.");
return result; return result;
} }
} else {
time_t renewalStart;
time(&renewalStart);
renewalStart += 30 * 24 * 60 * 60;
if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart)) {
result->Set("status_code", 1);
result->Set("error", "The certificate cannot be renewed yet.");
return result;
} }
}
pubkey = X509_get_pubkey(cert.get()); pubkey = X509_get_pubkey(cert.get());
subject = X509_get_subject_name(cert.get()); subject = X509_get_subject_name(cert.get());