[v1.9.x] do not panic when loading a V2 CA certificate (#1282)

Co-authored-by: Jack Doan <jackdoan@rivian.com>
Nate Brown
2024-12-03 09:49:54 -06:00
committed by GitHub
parent 9bfdfbafc1
commit 2e85d138cd
5 changed files with 64 additions and 39 deletions

21
pki.go

@@ -223,22 +223,13 @@ func loadCAPoolFromConfig(l *logrus.Logger, c *config.C) (*cert.NebulaCAPool, er
}
}
caPool, err := cert.NewCAPoolFromBytes(rawCA)
if errors.Is(err, cert.ErrExpired) {
var expired int
for _, crt := range caPool.CAs {
if crt.Expired(time.Now()) {
expired++
l.WithField("cert", crt).Warn("expired certificate present in CA pool")
}
}
caPool, warnings, err := cert.NewCAPoolFromBytes(rawCA)
for _, w := range warnings {
l.WithError(w).Warn("parsing a CA certificate failed")
}
if expired >= len(caPool.CAs) {
return nil, errors.New("no valid CA certificates present")
}
} else if err != nil {
return nil, fmt.Errorf("error while adding CA certificate to CA trust store: %s", err)
if err != nil {
return nil, fmt.Errorf("could not create CA certificate pool: %s", err)
}
for _, fp := range c.GetStringSlice("pki.blocklist", []string{}) {