0.3.0-alpha2: fix edge case where trifid would issue certs that outlive the CA sometimes

This commit is contained in:
core 2024-01-02 20:13:57 -05:00
parent a5fb79288b
commit 6275cb6d3e
Signed by: core
GPG Key ID: FDBF740DADDCEECF
3 changed files with 13 additions and 4 deletions

2
Cargo.lock generated
View File

@ -3083,7 +3083,7 @@ dependencies = [
[[package]]
name = "trifid-api"
version = "0.3.0-alpha1"
version = "0.3.0-alpha2"
dependencies = [
"actix-cors",
"actix-web",

View File

@ -1,6 +1,6 @@
[package]
name = "trifid-api"
version = "0.3.0-alpha1"
version = "0.3.0-alpha2"
authors = ["core <core@e3t.cc>"]
edition = "2021"
description = "An open-source reimplementation of the Defined Networking API server"

View File

@ -4,9 +4,9 @@
// Review carefully what you write here!
use crate::crypt::sign_cert_with_ca;
use crate::models::{Host, HostKey, HostOverride, Network, Role, RoleFirewallRule, SigningCA};
use crate::models::{Host, HostKey, HostOverride, Network, RoleFirewallRule, SigningCA};
use crate::schema::{
host_keys, host_overrides, hosts, networks, role_firewall_rules, roles, signing_cas,
host_keys, host_overrides, hosts, networks, role_firewall_rules, signing_cas,
};
use crate::AppState;
use actix_web::web::Data;
@ -109,6 +109,15 @@ pub async fn generate_config(
signature: vec![],
};
let ca_cert: NebulaCertificate = serde_json::from_value(signing_ca.cert.clone()).unwrap();
if cert.details.not_before < ca_cert.details.not_before {
cert.details.not_before = ca_cert.details.not_before; // prevent issuing invalid certs
}
if cert.details.not_after > ca_cert.details.not_after {
cert.details.not_after = ca_cert.details.not_after; // prevent issuing invalid certs
}
sign_cert_with_ca(signing_ca, &mut cert, &state.config).unwrap();
let all_blocked_hosts = hosts::dsl::hosts