0.3.0-alpha2: fix edge case where trifid would issue certs that outlive the CA sometimes
parent
a5fb79288b
commit
6275cb6d3e
|
@ -3083,7 +3083,7 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "trifid-api"
|
||||
version = "0.3.0-alpha1"
|
||||
version = "0.3.0-alpha2"
|
||||
dependencies = [
|
||||
"actix-cors",
|
||||
"actix-web",
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
[package]
|
||||
name = "trifid-api"
|
||||
version = "0.3.0-alpha1"
|
||||
version = "0.3.0-alpha2"
|
||||
authors = ["core <core@e3t.cc>"]
|
||||
edition = "2021"
|
||||
description = "An open-source reimplementation of the Defined Networking API server"
|
||||
|
|
|
@ -4,9 +4,9 @@
|
|||
// Review carefully what you write here!
|
||||
|
||||
use crate::crypt::sign_cert_with_ca;
|
||||
use crate::models::{Host, HostKey, HostOverride, Network, Role, RoleFirewallRule, SigningCA};
|
||||
use crate::models::{Host, HostKey, HostOverride, Network, RoleFirewallRule, SigningCA};
|
||||
use crate::schema::{
|
||||
host_keys, host_overrides, hosts, networks, role_firewall_rules, roles, signing_cas,
|
||||
host_keys, host_overrides, hosts, networks, role_firewall_rules, signing_cas,
|
||||
};
|
||||
use crate::AppState;
|
||||
use actix_web::web::Data;
|
||||
|
@ -109,6 +109,15 @@ pub async fn generate_config(
|
|||
signature: vec![],
|
||||
};
|
||||
|
||||
let ca_cert: NebulaCertificate = serde_json::from_value(signing_ca.cert.clone()).unwrap();
|
||||
|
||||
if cert.details.not_before < ca_cert.details.not_before {
|
||||
cert.details.not_before = ca_cert.details.not_before; // prevent issuing invalid certs
|
||||
}
|
||||
if cert.details.not_after > ca_cert.details.not_after {
|
||||
cert.details.not_after = ca_cert.details.not_after; // prevent issuing invalid certs
|
||||
}
|
||||
|
||||
sign_cert_with_ca(signing_ca, &mut cert, &state.config).unwrap();
|
||||
|
||||
let all_blocked_hosts = hosts::dsl::hosts
|
||||
|
|
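Review bot: The two clamps added before `sign_cert_with_ca` in `generate_config` can leave an empty or inverted validity window, and the certificate is signed anyway. If the signing CA's `not_after` is already earlier than the certificate's `not_before` (an expired CA record, for instance), `cert.details.not_after` is pulled back while `not_before` keeps its original value, so the "prevent issuing invalid certs" comment does not hold in that case. A guard after the clamps would make this an explicit failure, for example `if cert.details.not_before >= cert.details.not_after { /* reject: CA validity does not cover the requested window */ }`. Separately, `serde_json::from_value(signing_ca.cert.clone()).unwrap()` panics the handler if the stored CA record does not deserialize. Propagating an error would be safer if the return type allows it, which cannot be confirmed here because `generate_config` starts and ends outside the hunk.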