mirror of https://github.com/status-im/consul.git
fix a few leap-year related clock math inaccuracies and failing tests
This commit is contained in:
parent
e64c5c5899
commit
c7067645dd
|
@ -476,7 +476,7 @@ func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string,
|
|||
x509.KeyUsageDigitalSignature,
|
||||
IsCA: true,
|
||||
MaxPathLenZero: true,
|
||||
NotAfter: effectiveNow.Add(365 * 24 * time.Hour),
|
||||
NotAfter: effectiveNow.AddDate(1, 0, 0),
|
||||
NotBefore: effectiveNow,
|
||||
SubjectKeyId: subjectKeyId,
|
||||
}
|
||||
|
@ -545,7 +545,7 @@ func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
|||
// leaf certs are still in use. They expire within 3 days currently so 7 is
|
||||
// safe. TODO(banks): make this be based on leaf expiry time when that is
|
||||
// configurable.
|
||||
template.NotAfter = effectiveNow.Add(7 * 24 * time.Hour)
|
||||
template.NotAfter = effectiveNow.AddDate(0, 0, 7)
|
||||
|
||||
bs, err := x509.CreateCertificate(
|
||||
rand.Reader, &template, rootCA, cert.PublicKey, privKey)
|
||||
|
@ -632,7 +632,7 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
|
|||
x509.KeyUsageCRLSign |
|
||||
x509.KeyUsageDigitalSignature,
|
||||
IsCA: true,
|
||||
NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
|
||||
NotAfter: time.Now().AddDate(10, 0, 0),
|
||||
NotBefore: time.Now(),
|
||||
AuthorityKeyId: keyId,
|
||||
SubjectKeyId: keyId,
|
||||
|
|
|
@ -62,7 +62,7 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
|
|||
x509.KeyUsageCRLSign |
|
||||
x509.KeyUsageDigitalSignature,
|
||||
IsCA: true,
|
||||
NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
|
||||
NotAfter: time.Now().AddDate(10, 0, 0),
|
||||
NotBefore: time.Now(),
|
||||
AuthorityKeyId: testKeyID(t, signer.Public()),
|
||||
SubjectKeyId: testKeyID(t, signer.Public()),
|
||||
|
@ -179,7 +179,7 @@ func TestLeaf(t testing.T, service string, root *structs.CARoot) (string, string
|
|||
x509.ExtKeyUsageClientAuth,
|
||||
x509.ExtKeyUsageServerAuth,
|
||||
},
|
||||
NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
|
||||
NotAfter: time.Now().AddDate(10, 0, 0),
|
||||
NotBefore: time.Now(),
|
||||
AuthorityKeyId: testKeyID(t, caSigner.Public()),
|
||||
SubjectKeyId: testKeyID(t, pkSigner.Public()),
|
||||
|
|
|
@ -28,6 +28,7 @@ type cmd struct {
|
|||
|
||||
func (c *cmd) init() {
|
||||
c.flags = flag.NewFlagSet("", flag.ContinueOnError)
|
||||
// TODO: perhaps add a -years arg to better capture user intent given that leap years are a thing
|
||||
c.flags.IntVar(&c.days, "days", 1825, "Provide number of days the CA is valid for from now on. Defaults to 5 years.")
|
||||
c.flags.BoolVar(&c.constraint, "name-constraint", false, "Add name constraints for the CA. Results in rejecting "+
|
||||
"certificates for other DNS than specified. If turned on localhost and -domain will be added to the allowed "+
|
||||
|
|
|
@ -93,7 +93,7 @@ func TestGenerateCA(t *testing.T) {
|
|||
|
||||
// format so that we don't take anything smaller than second into account.
|
||||
require.Equal(t, cert.NotBefore.Format(time.ANSIC), time.Now().UTC().Format(time.ANSIC))
|
||||
require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(1, 0, 0).UTC().Format(time.ANSIC))
|
||||
require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(0, 0, 365).UTC().Format(time.ANSIC))
|
||||
|
||||
require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
|
||||
}
|
||||
|
@ -135,7 +135,7 @@ func TestGenerateCert(t *testing.T) {
|
|||
|
||||
// format so that we don't take anything smaller than second into account.
|
||||
require.Equal(t, cert.NotBefore.Format(time.ANSIC), time.Now().UTC().Format(time.ANSIC))
|
||||
require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(1, 0, 0).UTC().Format(time.ANSIC))
|
||||
require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(0, 0, 365).UTC().Format(time.ANSIC))
|
||||
|
||||
require.Equal(t, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, cert.KeyUsage)
|
||||
require.Equal(t, extKeyUsage, cert.ExtKeyUsage)
|
||||
|
|
Loading…
Reference in New Issue