certificate.go
package certificate
import (
"math/rand"
time "time"
"github.com/openservicemesh/osm/pkg/certificate/pem"
)
// RenewBeforeCertExpires is how far ahead of its expiration a certificate
// is considered due for renewal, before any jitter is added.
const RenewBeforeCertExpires = time.Second * 30

// noiseSeconds bounds the random jitter, in whole seconds, that ShouldRotate
// adds to the early-renewal window (it draws rand.Intn(noiseSeconds), i.e.
// 0..noiseSeconds-1) so that certificates issued at the same moment are not
// all renewed in the same tick.
const noiseSeconds = 5
// GetCommonName reports the Common Name recorded on this certificate.
func (c *Certificate) GetCommonName() CommonName {
	name := c.CommonName
	return name
}
// GetSerialNumber reports the serial number recorded on this certificate.
func (c *Certificate) GetSerialNumber() SerialNumber {
	serial := c.SerialNumber
	return serial
}
// GetExpiration reports the instant at which this certificate expires.
// The value is returned as stored; callers that compare it against the
// current time should be aware it may or may not carry a monotonic reading.
func (c *Certificate) GetExpiration() time.Time {
	expiry := c.Expiration
	return expiry
}
// GetCertificateChain reports the PEM-encoded certificate chain held for
// this certificate.
func (c *Certificate) GetCertificateChain() pem.Certificate {
	chain := c.CertChain
	return chain
}
// GetPrivateKey reports the PEM-encoded private key held for this
// certificate. The return value is secret key material and should be
// treated as sensitive (not logged, not copied beyond the caller's need).
func (c *Certificate) GetPrivateKey() pem.PrivateKey {
	key := c.PrivateKey
	return key
}
// GetIssuingCA reports the PEM-encoded certificate of the CA that issued
// this certificate.
func (c *Certificate) GetIssuingCA() pem.RootCertificate {
	issuer := c.IssuingCA
	return issuer
}
// ShouldRotate reports whether the certificate is close enough to its
// expiration that it should be renewed now: true once the remaining
// wall-clock lifetime is at most RenewBeforeCertExpires plus a small
// random jitter.
func (c *Certificate) ShouldRotate() bool {
	// Renew RenewBeforeCertExpires ahead of expiry, plus up to
	// noiseSeconds-1 seconds of jitter so certificates issued at the same
	// instant do not all come up for renewal in the same tick. The jitter
	// only spreads renewals in time and is not a security-sensitive random
	// value, which is why math/rand is acceptable here.
	jitter := time.Duration(rand.Intn(noiseSeconds)) * time.Second // #nosec G404
	threshold := RenewBeforeCertExpires + jitter

	// Round(0) strips the monotonic clock reading (it does not round to a
	// whole second), so the remaining lifetime below is measured on the wall
	// clock. This avoids environments where a stalled CPU clock makes the
	// monotonic reading disagree badly with the x509 timestamp.
	// See https://github.com/openservicemesh/osm/issues/5000#issuecomment-1218539412
	wallExpiry := c.Expiration.Round(0)
	remaining := time.Until(wallExpiry)

	return remaining <= threshold
}