// ensureCompatible ensures that a CSR object is compatible with an original CSR.
//
// "Compatible" here means all of the following hold: both CSRs parse, they
// carry the same Subject, the new CSR's signature verifies against the public
// half of privateKey (so it was produced with the key we still hold), and, when
// the new CSR already has an issued certificate in its Status, none of those
// certificates has passed its NotAfter time. Any violated condition is reported
// as a non-nil error; privateKey must implement crypto.Signer.
func ensureCompatible(new, orig *certificates.CertificateSigningRequest, privateKey interface{}) error {
	parsedNew, err := parseCSR(new)
	if err != nil {
		return fmt.Errorf("unable to parse new csr: %v", err)
	}
	parsedOrig, err := parseCSR(orig)
	if err != nil {
		return fmt.Errorf("unable to parse original csr: %v", err)
	}

	// Both requests must be for the same identity.
	if !reflect.DeepEqual(parsedNew.Subject, parsedOrig.Subject) {
		return fmt.Errorf("csr subjects differ: new: %#v, orig: %#v", parsedNew.Subject, parsedOrig.Subject)
	}

	// Bind the new request to the key we hold: substitute our public key and
	// re-check the CSR's signature against it. A request signed by any other
	// key fails this check.
	signer, isSigner := privateKey.(crypto.Signer)
	if !isSigner {
		return fmt.Errorf("privateKey is not a signer")
	}
	parsedNew.PublicKey = signer.Public()
	if sigErr := parsedNew.CheckSignature(); sigErr != nil {
		return fmt.Errorf("error validating signature new CSR against old key: %v", sigErr)
	}

	// Nothing has been issued yet, so there is no certificate to validate.
	if len(new.Status.Certificate) == 0 {
		return nil
	}

	// An issued certificate must still be within its validity period
	// (only NotAfter is checked here; NotBefore is not).
	issued, err := certutil.ParseCertsPEM(new.Status.Certificate)
	if err != nil {
		return fmt.Errorf("error parsing signed certificate for CSR: %v", err)
	}
	now := time.Now()
	for _, c := range issued {
		if now.After(c.NotAfter) {
			return fmt.Errorf("one of the certificates for the CSR has expired: %s", c.NotAfter)
		}
	}
	return nil
}
| 171 | // formatError preserves the type of an API message but alters the message. Expects |
| 172 | // a single argument format string, and returns the wrapped error. |