[PD1] Fixed checking certificate NotAfter and NotBefore dates
This commit is contained in:
parent
4ea8315aed
commit
91bc887ba5
4 changed files with 38 additions and 6 deletions
|
@ -9,6 +9,7 @@ import (
|
|||
"crypto/x509"
|
||||
"encoding/binary"
|
||||
"errors"
|
||||
"time"
|
||||
|
||||
"log"
|
||||
"os"
|
||||
|
@ -85,6 +86,13 @@ func (k KeyStore) CheckCert(cert *x509.Certificate, uid string) error {
|
|||
return err
|
||||
}
|
||||
|
||||
if cert.NotAfter.Before(time.Now()) {
|
||||
return errors.New("certificate has expired")
|
||||
}
|
||||
if cert.NotBefore.After(time.Now()) {
|
||||
return errors.New("certificate is not valid yet")
|
||||
}
|
||||
|
||||
//Check if the pseudonym field is set to UID
|
||||
oidMap := ExtractAllOIDValues(cert)
|
||||
if oidMap["2.5.4.65"] != uid {
|
||||
|
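Review bot: The two validity checks added here call `time.Now()` twice and are then repeated verbatim in the GetServerTLSConfig and GetClientTLSConfig hunks below, so the three copies will drift apart the next time one is touched; a single helper taking the reference time, with package-level sentinel errors that callers can match with `errors.Is`, would keep one definition. Evaluating the clock once per check (`now := time.Now()`) also removes the tiny window in which the two comparisons run against different instants. Each call site then becomes `if err := checkValidityPeriod(cert, time.Now()); err != nil { return err }`. The enclosing functions start and end outside these hunks, so the sketch below shows only the shared helper and the sentinels.

```go
var (
	ErrCertExpired     = errors.New("certificate has expired")
	ErrCertNotYetValid = errors.New("certificate is not valid yet")
)

// checkValidityPeriod reports whether now lies inside cert's NotBefore/NotAfter
// window; shared by CheckCert and the TLS-config peer verifiers.
func checkValidityPeriod(cert *x509.Certificate, now time.Time) error {
	if cert.NotAfter.Before(now) {
		return ErrCertExpired
	}
	if cert.NotBefore.After(now) {
		return ErrCertNotYetValid
	}
	return nil
}
```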
@ -129,6 +137,14 @@ func (k *KeyStore) GetServerTLSConfig() *tls.Config {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if cert.NotAfter.Before(time.Now()) {
|
||||
return errors.New("certificate has expired")
|
||||
}
|
||||
if cert.NotBefore.After(time.Now()) {
|
||||
return errors.New("certificate is not valid yet")
|
||||
}
|
||||
|
||||
// Check if the certificate is signed by the specified CA
|
||||
_, err = cert.Verify(opts)
|
||||
if err != nil {
|
||||
|
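Review bot: The `cert.Verify(opts)` call that follows the new checks already rejects a certificate outside its NotBefore/NotAfter window, judged against `opts.CurrentTime` (zero value meaning the current time), so the added comparisons duplicate that check with a different clock source; the same applies to the GetClientTLSConfig hunk below. That is harmless today and yields a clearer message than Verify's CertificateInvalidError, but if `opts.CurrentTime` is ever set (for example in tests) the two checks will disagree. Either rely on Verify alone, or feed both from one instant, e.g. `now := time.Now()` before the checks and `opts.CurrentTime = now` before Verify; `opts` is built outside this hunk, so that assignment would go wherever it is constructed. A one-line comment such as `// Explicit window check gives a clearer error than the one Verify returns` would also document why the redundancy is intentional. The enclosing function starts and ends outside the hunk, and the bare `return err` suggests these lines sit inside a verification callback rather than in GetServerTLSConfig itself.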
@ -160,6 +176,13 @@ func (k *KeyStore) GetClientTLSConfig() *tls.Config {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if cert.NotAfter.Before(time.Now()) {
|
||||
return errors.New("certificate has expired")
|
||||
}
|
||||
if cert.NotBefore.After(time.Now()) {
|
||||
return errors.New("certificate is not valid yet")
|
||||
}
|
||||
oidMap := ExtractAllOIDValues(cert)
|
||||
|
||||
// Check if the certificate is signed by the specified CA
|
||||
|
|