opensource/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-11-01 22:32:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

caddypki: check intermediate lifetime to actual root cert lifetime (#7272)

Browse Source
This commit is contained in:
Y.Horie
2025-09-27 01:24:52 +09:00
committed by GitHub
parent 25be2f26fc
commit 1e82f9652e
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
modules/caddypki/ca.go
View File

@ -124,8 +124,6 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
} }
if ca.IntermediateLifetime == 0 { if ca.IntermediateLifetime == 0 {
ca.IntermediateLifetime = caddy.Duration(defaultIntermediateLifetime) ca.IntermediateLifetime = caddy.Duration(defaultIntermediateLifetime)
} else if time.Duration(ca.IntermediateLifetime) >= defaultRootLifetime {
return fmt.Errorf("intermediate certificate lifetime must be less than root certificate lifetime (%s)", defaultRootLifetime)
} }
// load the certs and key that will be used for signing // load the certs and key that will be used for signing
@ -144,6 +142,10 @@ func (ca *CA) Provision(ctx caddy.Context, id string, log *zap.Logger) error {
if err != nil { if err != nil {
return err return err
} }
actualRootLifetime := time.Until(rootCert.NotAfter)
if time.Duration(ca.IntermediateLifetime) >= actualRootLifetime {
return fmt.Errorf("intermediate certificate lifetime must be less than actual root certificate lifetime (%s)", actualRootLifetime)
}
if ca.Intermediate != nil { if ca.Intermediate != nil {
interCert, interKey, err = ca.Intermediate.Load() interCert, interKey, err = ca.Intermediate.Load()
} else { } else {