Skip to content
This repository was archived by the owner on Jul 31, 2025. It is now read-only.

Output warnings for cert within 6 months expiry, check intermediate cert expiry #802

Merged
endophage merged 3 commits into from
Aug 9, 2016
Merged

Output warnings for cert within 6 months expiry, check intermediate cert expiry #802

endophage merged 3 commits into from
Aug 9, 2016

Conversation

@riyazdf
Copy link
Contributor

@riyazdf riyazdf commented Jun 24, 2016
edited
Loading

Addresses #734 for root certificates, and cleans up some of the certificate validation logic. Also ensures we use non-expired and non-SHA1 certificates for intermediate certs. Though there is no way to include specific certs to the root at the moment, we will need this validation.

Last commit closes #860

Signed-off-by: Riyaz Faizullabhoy riyaz.faizullabhoy@docker.com

@riyazdf riyazdf modified the milestone: Notary 0.4 Jun 24, 2016
@riyazdf riyazdf force-pushed the cert-warnings-int-expiry branch 2 times, most recently from 0e019a5 to 7701deb Compare June 24, 2016 22:31
endophage
endophage reviewed Jul 6, 2016
View reviewed changes
trustmanager/x509utils.go Outdated
}
// If this certificate is expiring within 6 months, put out a warning
if (c.NotAfter).Before(time.Now().AddDate(0, 6, 0)) {
logrus.Warn("certificate is expiring within 6 months")
Copy link
Contributor

@endophage endophage Jul 6, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what other info can we include to make it clear which certificate is expiring?

@cyli
Copy link
Contributor

cyli commented Jul 11, 2016

Thanks for checking the intermediate certs too! If it isn't too much trouble, can we add a check for the SHA1 algorithms too for the ValidateCertificate tests? If not, no worries.

Other than that, this LGTM!

@riyazdf
Copy link
Contributor Author

riyazdf commented Jul 11, 2016

@cyli of course, great idea! Done.

@riyazdf riyazdf force-pushed the cert-warnings-int-expiry branch 2 times, most recently from 84b60d2 to e5957a4 Compare July 25, 2016 20:46
@riyazdf riyazdf self-assigned this Jul 25, 2016
riyazdf added 2 commits July 29, 2016 09:14
@riyazdf
Output warnings for cert within 6 months expiry, check int cert expir…
3baf0e4 
…y in root

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
@riyazdf
Unify certificate validation
2952229 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
@riyazdf riyazdf force-pushed the cert-warnings-int-expiry branch from e5957a4 to 2952229 Compare July 29, 2016 16:18
endophage
endophage reviewed Aug 8, 2016
View reviewed changes
tuf/utils/x509.go Outdated
tomorrow := now.AddDate(0, 0, 1)
// Give one day leeway on creation "before" time, check "after" against today
if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
return fmt.Errorf("certificate with CN %s is expired", c.Subject.CommonName)
Copy link
Contributor

@endophage endophage Aug 8, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The whole if checkExpiry block should probably be moved to the end of the function. This return here will cause us to accept delegation certs in tuf/tuf.go line 255 that may have serious flaws but have expired and we returned from this validation prematurely, c.f. comment in tuf/tuf.go line 249 Currently we do not reject expired delegation keys but warn if they might expire soon or have already

Copy link
Contributor Author

@riyazdf riyazdf Aug 8, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch, updated!

@riyazdf riyazdf force-pushed the cert-warnings-int-expiry branch 2 times, most recently from 1c7d922 to e146938 Compare August 9, 2016 00:14
@riyazdf
change ordering of expiry checks and add explicit error type for expired
fb03348 
certs

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
@riyazdf riyazdf force-pushed the cert-warnings-int-expiry branch from e146938 to fb03348 Compare August 9, 2016 00:16
@endophage
Copy link
Contributor

endophage commented Aug 9, 2016

LGTM

@endophage endophage merged commit dba9c36 into master Aug 9, 2016
@riyazdf riyazdf deleted the cert-warnings-int-expiry branch August 9, 2016 23:03
@cyli cyli mentioned this pull request Sep 30, 2016
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

@riyazdf riyazdf

Labels

status/0-triage

Projects

None yet

Milestone

Notary 0.4

Development

Successfully merging this pull request may close these issues.

Warn if a delegation key certificate is expiring

5 participants

@riyazdf @cyli @endophage @GordonTheTurtle