Check certificate notBefore and notAfter times
This commit is contained in:
parent
5a0f7cf631
commit
5535cff842
19
client.go
19
client.go
@ -10,6 +10,7 @@ import (
|
||||
"net/url"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
// Client errors.
|
||||
@ -218,6 +219,10 @@ func (c *Client) Send(req *Request) (*Response, error) {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// Validate the certificate
|
||||
if !validCertificate(cert) {
|
||||
return ErrInvalidCertificate
|
||||
}
|
||||
// Check that the certificate is valid for the hostname
|
||||
// Use our own implementation of verifyHostname
|
||||
if err := verifyHostname(cert, req.Hostname()); err != nil {
|
||||
@ -258,6 +263,20 @@ func (c *Client) Send(req *Request) (*Response, error) {
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
// validCertificate determines whether cert is a valid certificate
|
||||
func validCertificate(cert *x509.Certificate) bool {
|
||||
// Check notBefore and notAfter
|
||||
now := time.Now()
|
||||
if cert.NotBefore.After(now) {
|
||||
return false
|
||||
}
|
||||
if cert.NotAfter.Before(now) {
|
||||
return false
|
||||
}
|
||||
// No need to check hash algorithms, hopefully tls has checked for us already
|
||||
return true
|
||||
}
|
||||
|
||||
// hostname extracts the host name from a valid host or host:port
|
||||
func hostname(host string) string {
|
||||
i := strings.LastIndexByte(host, ':')
|
||||
|