Merge pull request #680 from smallstep/identity-cert-lifetime

Identity certificate lifetime
smallstep · Aug 26, 2021 · c43d036 · c43d036
2 parents 9e57e4d + 833d28c
commit c43d036
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 5 deletions.
diff --git a/api/sshRekey.go b/api/sshRekey.go
@@ -2,6 +2,7 @@ package api
 
 import (
 	"net/http"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
@@ -72,7 +73,11 @@ func (h *caHandler) SSHRekey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	identity, err := h.renewIdentityCertificate(r)
+	// Match identity cert with the SSH cert
+	notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
+	notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
+
+	identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
 		WriteError(w, errs.ForbiddenErr(err))
 		return

diff --git a/api/sshRenew.go b/api/sshRenew.go
@@ -1,7 +1,9 @@
 package api
 
 import (
+	"crypto/x509"
 	"net/http"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
@@ -62,7 +64,11 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	identity, err := h.renewIdentityCertificate(r)
+	// Match identity cert with the SSH cert
+	notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
+	notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
+
+	identity, err := h.renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {
 		WriteError(w, errs.ForbiddenErr(err))
 		return
@@ -74,13 +80,28 @@ func (h *caHandler) SSHRenew(w http.ResponseWriter, r *http.Request) {
 	}, http.StatusCreated)
 }
 
-// renewIdentityCertificate request the client TLS certificate if present.
-func (h *caHandler) renewIdentityCertificate(r *http.Request) ([]Certificate, error) {
+// renewIdentityCertificate request the client TLS certificate if present. If notBefore and notAfter are passed the
+func (h *caHandler) renewIdentityCertificate(r *http.Request, notBefore, notAfter time.Time) ([]Certificate, error) {
 	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
 		return nil, nil
 	}
 
-	certChain, err := h.Authority.Renew(r.TLS.PeerCertificates[0])
+	// Clone the certificate as we can modify it.
+	cert, err := x509.ParseCertificate(r.TLS.PeerCertificates[0].Raw)
+	if err != nil {
+		return nil, errors.Wrap(err, "error parsing client certificate")
+	}
+
+	// Enforce the cert to match another certificate, for example an ssh
+	// certificate.
+	if !notBefore.IsZero() {
+		cert.NotBefore = notBefore
+	}
+	if !notAfter.IsZero() {
+		cert.NotAfter = notAfter
+	}
+
+	certChain, err := h.Authority.Renew(cert)
 	if err != nil {
 		return nil, err
 	}