Merge f82c9fb into 2b7173b

Symantec · Jan 27, 2019 · 5ec9765 · 5ec9765
2 parents 2b7173b + f82c9fb
commit 5ec9765
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/cmd/show-cert/main.go b/cmd/show-cert/main.go
@@ -7,7 +7,9 @@ import (
 	"io/ioutil"
 	"os"
 	"sort"
+	"time"
 
+	"github.com/Symantec/Dominator/lib/format"
 	"github.com/Symantec/Dominator/lib/x509util"
 )
 
@@ -37,6 +39,14 @@ func showCert(filename string) {
 		fmt.Fprintf(os.Stderr, "Unable to parse certificate: %s\n", err)
 		return
 	}
+	now := time.Now()
+	if notYet := cert.NotBefore.Sub(now); notYet > 0 {
+		fmt.Fprintf(os.Stderr, "  Will not be valid for %s\n",
+			format.Duration(notYet))
+	}
+	if expired := now.Sub(cert.NotAfter); expired > 0 {
+		fmt.Fprintf(os.Stderr, "  Expired %s ago\n", format.Duration(expired))
+	}
 	username, err := x509util.GetUsername(cert)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Unable to get username: %s\n", err)

diff --git a/lib/srpc/load.go b/lib/srpc/load.go
@@ -6,10 +6,12 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"sort"
 	"strings"
 	"time"
 
 	"github.com/Symantec/Dominator/lib/format"
+	"github.com/Symantec/Dominator/lib/x509util"
 )
 
 func loadCertificates(directory string) ([]tls.Certificate, error) {
@@ -47,10 +49,18 @@ func loadCertificates(directory string) ([]tls.Certificate, error) {
 			return nil, fmt.Errorf("%s expired %s ago",
 				certName, format.Duration(expired))
 		}
+		cert.Leaf = x509Cert
 		certs = append(certs, cert)
 	}
 	if len(certs) < 1 {
 		return nil, nil
 	}
+	// Sort list so that certificates with the most permitted methods are listed
+	// first and in turn should be tried first when doing the TLS handshake.
+	sort.Slice(certs, func(leftIndex, rightIndex int) bool {
+		leftMethods, _ := x509util.GetPermittedMethods(certs[leftIndex].Leaf)
+		rightMethods, _ := x509util.GetPermittedMethods(certs[rightIndex].Leaf)
+		return len(leftMethods) > len(rightMethods)
+	})
 	return certs, nil
 }
diff --git a/scripts/make-cert b/scripts/make-cert
@@ -21,6 +21,8 @@ fi
 readonly signing_key="$1"
 readonly newkey="$2"
 
+KEY_LIFETIME=${KEY_LIFETIME:-1096}
+
 if [ "$3" = "AUTO" ]; then
     if [ -r .serial ]; then
 	old_serial=$(< .serial)
@@ -76,9 +78,10 @@ fi
 # Now generate the signed certificate.
 openssl genpkey -algorithm RSA -out "$newkey.key.pem" \
 		-pkeyopt rsa_keygen_bits:2048
-openssl req -new -key "$newkey.key.pem" -days 1096 -extensions v3_ca \
+openssl req -new -key "$newkey.key.pem" -days "$KEY_LIFETIME" \
+	    -extensions v3_ca \
 	    -batch -out "$newkey.csr" -utf8 -subj "/CN=$username"
-openssl x509 -req -sha256 -days 1096 -in "$newkey.csr" \
+openssl x509 -req -sha256 -days "$KEY_LIFETIME" -in "$newkey.csr" \
 	     -extfile "$tmpfile" $methods_args \
 	     -CAkey "$signing_key.key.pem" -CA "$signing_key.pem" \
 	     -set_serial "$serial" \