direktil/local-server
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

check leaf certificates against their CA

Browse Source
This commit is contained in:
Mikaël Cluseau 2025-01-26 18:39:31 +01:00
parent 82f7cbcc92
commit b12ce7299f
1 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
cmd/dkl-local-server/tls-ca.go
View File

@ -2,6 +2,8 @@ package main
import ( import (
"crypto" "crypto"
"crypto/x509"
"encoding/pem"
"errors" "errors"
"fmt" "fmt"
"log" "log"
@ -129,7 +131,26 @@ func getUsableKeyCert(cluster, caName, name, profile, label string, req *csr.Cer
if found { if found {
if rh == kc.ReqHash { if rh == kc.ReqHash {
err = func() (err error) {
err = checkCertUsable(kc.Cert) err = checkCertUsable(kc.Cert)
if err != nil {
return
}
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(ca.Cert) {
panic("unexpected invalid CA certificate at this point")
}
certBlock, _ := pem.Decode(kc.Cert)
cert, err := x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return
}
_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
return
}()
if err == nil { if err == nil {
return // all good, no need to create or renew return // all good, no need to create or renew
} }