Clone the certificate in case we need to look at it later.

smallstep · Aug 25, 2021 · 833d28c · 833d28c
1 parent 568fce2
commit 833d28c
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/api/sshRenew.go b/api/sshRenew.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"crypto/x509"
 	"net/http"
 	"time"
 
@@ -85,7 +86,11 @@ func (h *caHandler) renewIdentityCertificate(r *http.Request, notBefore, notAfte
 		return nil, nil
 	}
 
-	cert := r.TLS.PeerCertificates[0]
+	// Clone the certificate as we can modify it.
+	cert, err := x509.ParseCertificate(r.TLS.PeerCertificates[0].Raw)
+	if err != nil {
+		return nil, errors.Wrap(err, "error parsing client certificate")
+	}
 
 	// Enforce the cert to match another certificate, for example an ssh
 	// certificate.