Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Output warnings for cert within 6 months expiry, check intermediate cert expiry #802

Merged
merged 3 commits into from
Aug 9, 2016
Merged

Output warnings for cert within 6 months expiry, check intermediate cert expiry #802

merged 3 commits into from
Aug 9, 2016

Conversation

riyazdf
Copy link
Contributor

@riyazdf riyazdf commented Jun 24, 2016
edited
Loading

Addresses #734 for root certificates, and cleans up some of the certificate validation logic. Also ensures we use non-expired and non-SHA1 certificates for intermediate certs. Though there is no way to include specific certs to the root at the moment, we will need this validation.

Last commit closes #860

Signed-off-by: Riyaz Faizullabhoy riyaz.faizullabhoy@docker.com

@riyazdf riyazdf modified the milestone: Notary 0.4 Jun 24, 2016
@riyazdf riyazdf force-pushed the cert-warnings-int-expiry branch 2 times, most recently from 0e019a5 to 7701deb Compare June 24, 2016 22:31
endophage
endophage reviewed Jul 6, 2016
View reviewed changes
trustmanager/x509utils.go
@@ -233,6 +233,10 @@ func ValidateCertificate(c *x509.Certificate) error {
if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
return fmt.Errorf("certificate is expired")
}
// If this certificate is expiring within 6 months, put out a warning
if (c.NotAfter).Before(time.Now().AddDate(0, 6, 0)) {
logrus.Warn("certificate is expiring within 6 months")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what other info can we include to make it clear which certificate is expiring?

@cyli
Copy link
Contributor

cyli commented Jul 11, 2016

Thanks for checking the intermediate certs too! If it isn't too much trouble, can we add a check for the SHA1 algorithms too for the ValidateCertificate tests? If not, no worries.

Other than that, this LGTM!

@riyazdf
Copy link
Contributor Author

riyazdf commented Jul 11, 2016

@cyli of course, great idea! Done.

@riyazdf riyazdf force-pushed the cert-warnings-int-expiry branch 2 times, most recently from 84b60d2 to e5957a4 Compare July 25, 2016 20:46
@riyazdf riyazdf self-assigned this Jul 25, 2016
@riyazdf
Output warnings for cert within 6 months expiry, check int cert expir…
3baf0e4 
…y in root

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
@riyazdf
Unify certificate validation
2952229 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
endophage
endophage reviewed Aug 8, 2016
View reviewed changes
tuf/utils/x509.go
tomorrow := now.AddDate(0, 0, 1)
// Give one day leeway on creation "before" time, check "after" against today
if (tomorrow).Before(c.NotBefore) || now.After(c.NotAfter) {
return fmt.Errorf("certificate with CN %s is expired", c.Subject.CommonName)
Copy link
Contributor

@endophage endophage Aug 8, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The whole if checkExpiry block should probably be moved to the end of the function. This return here will cause us to accept delegation certs in tuf/tuf.go line 255 that may have serious flaws but have expired and we returned from this validation prematurely, c.f. comment in tuf/tuf.go line 249 Currently we do not reject expired delegation keys but warn if they might expire soon or have already

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch, updated!

@riyazdf riyazdf force-pushed the cert-warnings-int-expiry branch 2 times, most recently from 1c7d922 to e146938 Compare August 9, 2016 00:14
@riyazdf
change ordering of expiry checks and add explicit error type for expired
fb03348 
certs

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
@endophage
Copy link
Contributor

LGTM

@endophage endophage merged commit dba9c36 into master Aug 9, 2016
@riyazdf riyazdf deleted the cert-warnings-int-expiry branch August 9, 2016 23:03
@cyli cyli mentioned this pull request Sep 30, 2016
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@riyazdf riyazdf

Labels
status/0-triage
Projects
None yet
Milestone
Notary 0.4
Development

Successfully merging this pull request may close these issues.

Warn if a delegation key certificate is expiring
4 participants
@riyazdf @cyli @endophage @GordonTheTurtle