From 28b87063e3ff5a2d51a18f5fdead673479ccb43c Mon Sep 17 00:00:00 2001
From: "R.B. Boyer"
Date: Fri, 1 Mar 2019 10:25:37 -0600
Subject: [PATCH] fix a few leap-year related clock math inaccuracies and failing tests

---
 agent/connect/ca/provider_consul.go | 6 +++---
 agent/connect/testing_ca.go | 4 ++--
 command/tls/ca/create/tls_ca_create.go | 1 +
 command/tls/generate_test.go | 4 ++--
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/agent/connect/ca/provider_consul.go b/agent/connect/ca/provider_consul.go
index a61686ca6..6d2999348 100644
--- a/agent/connect/ca/provider_consul.go
+++ b/agent/connect/ca/provider_consul.go
@@ -476,7 +476,7 @@ func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string,
 x509.KeyUsageDigitalSignature,
 IsCA: true,
 MaxPathLenZero: true,
- NotAfter: effectiveNow.Add(365 * 24 * time.Hour),
+ NotAfter: effectiveNow.AddDate(1, 0, 0),
 NotBefore: effectiveNow,
 SubjectKeyId: subjectKeyId,
 }
@@ -545,7 +545,7 @@ func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
 // leaf certs are still in use. They expire within 3 days currently so 7 is
 // safe. TODO(banks): make this be based on leaf expiry time when that is
 // configurable.
- template.NotAfter = effectiveNow.Add(7 * 24 * time.Hour)
+ template.NotAfter = effectiveNow.AddDate(0, 0, 7)
 
 bs, err := x509.CreateCertificate(
 rand.Reader, &template, rootCA, cert.PublicKey, privKey)
@@ -632,7 +632,7 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
 x509.KeyUsageCRLSign |
 x509.KeyUsageDigitalSignature,
 IsCA: true,
- NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
+ NotAfter: time.Now().AddDate(10, 0, 0),
 NotBefore: time.Now(),
 AuthorityKeyId: keyId,
 SubjectKeyId: keyId,
diff --git a/agent/connect/testing_ca.go b/agent/connect/testing_ca.go
index 02f360594..817ae93f6 100644
--- a/agent/connect/testing_ca.go
+++ b/agent/connect/testing_ca.go
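Review bot: `NotAfter: effectiveNow.AddDate(1, 0, 0)` is calendar arithmetic, so the intermediate's lifetime is 365 or 366 days depending on whether a Feb 29 falls inside the window, and when effectiveNow itself is a Feb 29 AddDate normalizes the overflowed date to Mar 1 of the following year; that is presumably the intent of the commit but nothing near the field says so. A one-line comment such as `// One calendar year; AddDate normalizes Feb 29 to Mar 1 in non-leap years.` would keep the next reader from "fixing" it back to a fixed day count. The same reading applies to the AddDate(10, 0, 0) calls in the generateCA hunk below and in agent/connect/testing_ca.go. SignIntermediate's body starts and ends outside the hunk.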
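Review bot: `NotAfter: time.Now().AddDate(10, 0, 0)` and the `NotBefore: time.Now()` on the next line are two separate clock reads, so the root's validity window is derived from two different instants; capture the time once with `now := time.Now()` and use `now` for both fields. The SignIntermediate and CrossSignCA hunks above build their windows from a single `effectiveNow`, and if that value is a skew-adjusted timestamp as its name suggests (its definition is outside the hunk) the root generated here gets no such allowance, so a freshly generated root could be rejected as not-yet-valid by a peer whose clock is slightly behind — worth confirming. The same two-read pattern appears in the TestCA and TestLeaf hunks in agent/connect/testing_ca.go. generateCA's body continues outside the hunk.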
@@ -62,7 +62,7 @@ func TestCA(t testing.T, xc *structs.CARoot) *structs.CARoot {
 x509.KeyUsageCRLSign |
 x509.KeyUsageDigitalSignature,
 IsCA: true,
- NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
+ NotAfter: time.Now().AddDate(10, 0, 0),
 NotBefore: time.Now(),
 AuthorityKeyId: testKeyID(t, signer.Public()),
 SubjectKeyId: testKeyID(t, signer.Public()),
@@ -179,7 +179,7 @@ func TestLeaf(t testing.T, service string, root *structs.CARoot) (string, string
 x509.ExtKeyUsageClientAuth,
 x509.ExtKeyUsageServerAuth,
 },
- NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
+ NotAfter: time.Now().AddDate(10, 0, 0),
 NotBefore: time.Now(),
 AuthorityKeyId: testKeyID(t, caSigner.Public()),
 SubjectKeyId: testKeyID(t, pkSigner.Public()),
diff --git a/command/tls/ca/create/tls_ca_create.go b/command/tls/ca/create/tls_ca_create.go
index bbe54a89a..25975865b 100644
--- a/command/tls/ca/create/tls_ca_create.go
+++ b/command/tls/ca/create/tls_ca_create.go
@@ -28,6 +28,7 @@ type cmd struct {
 
 func (c *cmd) init() {
 c.flags = flag.NewFlagSet("", flag.ContinueOnError)
+ // TODO: perhaps add a -years arg to better capture user intent given that leap years are a thing
 c.flags.IntVar(&c.days, "days", 1825, "Provide number of days the CA is valid for from now on. Defaults to 5 years.")
 c.flags.BoolVar(&c.constraint, "name-constraint", false, "Add name constraints for the CA. Results in rejecting "+
 "certificates for other DNS than specified. If turned on localhost and -domain will be added to the allowed "+
diff --git a/command/tls/generate_test.go b/command/tls/generate_test.go
index 2e37e4803..19822e80f 100644
--- a/command/tls/generate_test.go
+++ b/command/tls/generate_test.go
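Review bot: The help text on the `-days` flag in the tls_ca_create.go hunk still says `Defaults to 5 years.`, but 1825 is 5 × 365 and a five-year span starting today almost always contains at least one Feb 29, so the CA expires a day or two short of its fifth anniversary; the new TODO comment acknowledges the leap-year issue without correcting what the user is told. Change the string to `"Provide number of days the CA is valid for from now on. Defaults to 1825 days (roughly 5 years)."` so the documented default matches the behavior. The code that consumes c.days is outside the hunk, so I cannot tell whether a zero or negative value is rejected before it produces a CA whose NotAfter precedes NotBefore; if it is not, that check belongs next to this flag.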
@@ -93,7 +93,7 @@ func TestGenerateCA(t *testing.T) {
 // format so that we don't take anything smaller than second into account.
 require.Equal(t, cert.NotBefore.Format(time.ANSIC), time.Now().UTC().Format(time.ANSIC))
- require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(1, 0, 0).UTC().Format(time.ANSIC))
+ require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(0, 0, 365).UTC().Format(time.ANSIC))
 require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
 }
@@ -135,7 +135,7 @@ func TestGenerateCert(t *testing.T) {
 // format so that we don't take anything smaller than second into account.
 require.Equal(t, cert.NotBefore.Format(time.ANSIC), time.Now().UTC().Format(time.ANSIC))
- require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(1, 0, 0).UTC().Format(time.ANSIC))
+ require.Equal(t, cert.NotAfter.Format(time.ANSIC), time.Now().AddDate(0, 0, 365).UTC().Format(time.ANSIC))
 require.Equal(t, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, cert.KeyUsage)
 require.Equal(t, extKeyUsage, cert.ExtKeyUsage)
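Review bot: `time.Now().AddDate(0, 0, 365)` in the new assertion is a second clock read taken after the certificate was generated, so when the two reads straddle a second boundary the ANSIC-formatted strings differ and the test fails spuriously; the comment above describes the formatting as protection against sub-second noise, but it does not cover that boundary. A tolerance-based check keeps the intent without the race: `require.WithinDuration(t, time.Now().AddDate(0, 0, 365), cert.NotAfter, 2*time.Second)`, and the same shape for the NotBefore line above it. The literal 365 also silently mirrors whatever default the generating command applies (outside this file); a short comment naming that coupling, or a shared constant, would keep the two from drifting apart. The same applies to the TestGenerateCert hunk below.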