From: Gunnar Beutner
Date: Wed, 30 Aug 2017 13:48:02 +0000 (+0200)
Subject: Refuse to sign certificate if it already has the correct chain and doesn’t expire...
X-Git-Tag: v2.8.0~87^2~27
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cc43dc734b13b02166ea86cf6c9df7fd86e8ad46;p=icinga2

Refuse to sign certificate if it already has the correct chain and doesn’t expire soon refs #5450
---
diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index 74457065e..8c221ee7f 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@@ -92,7 +92,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
 goto delayed_request;
- if (!origin->FromClient->IsAuthenticated()) {
+ if (!VerifyCertificate(cacert, cert)) {
 String salt = listener->GetTicketSalt();
 String ticket = params->Get("ticket");
@@ -107,8 +107,19 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 result->Set("error", "Invalid ticket.");
 return result;
 }
+ } else {
+ time_t renewalStart;
+ time(&renewalStart);
+ renewalStart += 30 * 24 * 60 * 60;
+
+ if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart)) {
+ result->Set("status_code", 1);
+ result->Set("error", "The certificate cannot be renewed yet.");
+ return result;
+ }
 }
+
 pubkey = X509_get_pubkey(cert.get());
 subject = X509_get_subject_name(cert.get());
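Review bot: In the second hunk, `if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart))` refuses renewal on any non-zero result, but X509_cmp_time returns -1 when notAfter is before the supplied time and 1 when it is after, so a certificate that expires inside the 30-day window also lands in the "cannot be renewed yet" branch, and the only input that reaches the re-signing code below is the error return 0, i.e. a notAfter that could not be parsed. The comparison should be `if (X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1) {`, which lets only certificates expiring within the window through and keeps the error case on the refusing side. The new else branch also dereferences `cert.get()` unconditionally; whether `cert` is guaranteed non-null here is decided earlier in RequestCertificateHandler, outside the hunk. The enclosing function begins before the first hunk and continues past the last visible line.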