ResiLien/nebula
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Root constraint usage and support in nebula-cert

Browse Source
This commit is contained in:
Nate Brown
2019-12-17 17:59:21 -08:00
parent 0dc9aafa14
commit 328db6bb82
5 changed files with 71 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
cmd/nebula-cert/sign.go
View File

@ -103,10 +103,6 @@ func signCert(args []string, out io.Writer, errOut io.Writer) error {
*sf.duration = time.Until(caCert.Details.NotAfter) - time.Second*1
}
if caCert.Details.NotAfter.Before(time.Now().Add(*sf.duration)) {
return fmt.Errorf("refusing to generate certificate with duration beyond root expiration: %s", caCert.Details.NotAfter)
}
ip, ipNet, err := net.ParseCIDR(*sf.ip)
if err != nil {
return newHelpErrorf("invalid ip definition: %s", err)
@ -165,6 +161,10 @@ func signCert(args []string, out io.Writer, errOut io.Writer) error {
},
}
if err := nc.CheckRootConstrains(caCert); err != nil {
return fmt.Errorf("refusing to sign, root certificate constraints violated: %s", err)
}
if *sf.outKeyPath == "" {
*sf.outKeyPath = *sf.name + ".key"
}