Refuse to sign certificate if it already has the correct chain and doesn’t expire...
authorGunnar Beutner <gunnar.beutner@icinga.com>
Wed, 30 Aug 2017 13:48:02 +0000 (15:48 +0200)
committerGunnar Beutner <gunnar.beutner@icinga.com>
Tue, 12 Sep 2017 10:52:49 +0000 (12:52 +0200)
refs #5450

lib/remote/jsonrpcconnection-pki.cpp

index 74457065e69d59420e9f3aae1303303da928e2b4..8c221ee7fe3cc841fc07f7bfe711e6bf850f4683 100644 (file)
@@ -92,7 +92,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
        if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
                goto delayed_request;
 
-       if (!origin->FromClient->IsAuthenticated()) {
+       if (!VerifyCertificate(cacert, cert)) {
                String salt = listener->GetTicketSalt();
 
                String ticket = params->Get("ticket");
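Review bot: The new gate `if (!VerifyCertificate(cacert, cert))` replaces a property of the connection (`IsAuthenticated()`) with a property of the presented certificate alone, so the renewal branch is reachable by any caller able to supply a CA-signed certificate, and the subject that later gets signed is read from that same certificate (`subject = X509_get_subject_name(cert.get())`). If `cert` is parsed from the request parameters rather than taken from the TLS peer certificate, the handler should additionally confirm it matches the peer's certificate (or keep the `IsAuthenticated()` requirement on the renewal path); a comment above the condition stating where `cert` originates and why the chain check is sufficient would make that decision auditable. The renewal guard in the next hunk, `if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart))`, is also worth a look: X509_cmp_time returns 1 or -1 for either ordering of the two times and 0 only on a parse error, so as written it refuses every well-formed certificate and admits one with an unparseable notAfter; the intended "not yet within 30 days of expiry" test is `if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) > 0)`. RequestCertificateHandler begins before this hunk and continues after it.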
@@ -107,8 +107,19 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
                        result->Set("error", "Invalid ticket.");
                        return result;
                }
+       } else {
+               time_t renewalStart;
+               time(&renewalStart);
+               renewalStart += 30 * 24 * 60 * 60;
+
+               if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart)) {
+                       result->Set("status_code", 1);
+                       result->Set("error", "The certificate cannot be renewed yet.");
+                       return result;
+               }
        }
 
+
        pubkey = X509_get_pubkey(cert.get());
        subject = X509_get_subject_name(cert.get());