fix certification match with onlycn and sans

project0 · Jan 1, 2018 · 5a94957 · 5a94957
1 parent d66a0b0
commit 5a94957
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 26 deletions.
diff --git a/certstore/certstore.go b/certstore/certstore.go
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"log"
 	"sync"
-	"time"
 
 	"github.com/docker/libkv/store"
 	"github.com/xenolf/lego/acme"
@@ -130,16 +129,8 @@ func (c *CertStore) GetCertificate(request *CertRequest) (*CertificateResource,
 		return nil, err
 	}
 	if cert != nil {
-		// check if its still valid..
-		certInfo, err := cert.parseCert()
-		if err == nil {
-			validEndDay := time.Now().Add(time.Hour * time.Duration(24*request.ValidDays))
-			if certInfo.NotAfter.After(validEndDay) {
-				return cert, nil
-			}
-			log.Printf("Certificate is valid until %s, start renew", certInfo.NotAfter)
-			// cert is expired
-		}
+		// validation is already checked
+		return cert, nil
 	}
 
 	// continue with creating a new one
@@ -209,6 +200,10 @@ func (c *CertStore) getStoredCertByCN(r *CertRequest) (*CertificateResource, err
 	if err := json.Unmarshal(pair.Value, cert); err != nil {
 		return nil, err
 	}
+	ok, err := r.matchCertificate(cert)
+	if !ok || err != nil {
+		return nil, err
+	}
 	return cert, nil
 }
 
@@ -218,29 +213,19 @@ func (c *CertStore) findStoredCert(r *CertRequest) (*CertificateResource, error)
 		return nil, err
 	}
 
-	domains := r.domains()
 	for _, pair := range list {
-
 		cert := new(CertificateResource)
 		if err := json.Unmarshal(pair.Value, cert); err != nil {
 			log.Printf("Could not decode json from %s", pair.Key)
 			continue
 		}
 
-		certInfo, err := cert.parseCert()
+		ok, err := r.matchCertificate(cert)
 		if err != nil {
-			return nil, err
-		}
-
-		matches := 0
-		for _, host := range domains {
-			if certInfo.VerifyHostname(host) == nil {
-				matches += 1
-			}
+			log.Print(err)
+			continue
 		}
-
-		if len(domains) == matches {
-			// seems to be the perfect cert
+		if ok {
 			return cert, nil
 		}
 

diff --git a/certstore/request.go b/certstore/request.go
@@ -1,6 +1,10 @@
 package certstore
 
-import "strings"
+import (
+	"log"
+	"strings"
+	"time"
+)
 
 // CertRequest contains information about the requested cert
 type CertRequest struct {
@@ -19,6 +23,35 @@ func (r *CertRequest) domains() []string {
 	return removeDuplicates(append([]string{r.Domain}, r.San...))
 }
 
+func (r *CertRequest) matchCertificate(cert *CertificateResource) (bool, error) {
+	// First element in the list will get the common name
+
+	certInfo, err := cert.parseCert()
+	if err != nil {
+		return false, err
+	}
+
+	matches := 0
+	for _, host := range r.domains() {
+		if certInfo.VerifyHostname(host) == nil {
+			matches += 1
+		}
+	}
+
+	if len(r.domains()) == matches {
+		// seems to be the perfect cert
+		validEndDay := time.Now().Add(time.Hour * time.Duration(24*r.ValidDays))
+		if certInfo.NotAfter.After(validEndDay) {
+			return true, nil
+		}
+		// cert is expired
+		log.Printf("certificate is valid until %s but needs to be valid for %i days", certInfo.NotAfter, r.ValidDays)
+		return true, nil
+	}
+
+	return false, nil
+}
+
 func removeDuplicates(elements []string) []string {
 	// Use map to record duplicates as we find them.
 	encountered := map[string]bool{}