
Commit 71e6847

steelingshalier
authored andcommitted
[backport] cherry-pick a016262 to release-v1.2
cert rotation now ignores monotonic clock readings when checking expiration (#5012) Signed-off-by: Sean Teeling <[email protected]> Signed-off-by: Shalier Xia <[email protected]>
1 parent 76db0c6 commit 71e6847

2 files changed

+8
-4
lines changed


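--- a/pkg/certificate/manager.go
+++ b/pkg/certificate/manager.go
@@ -174,10 +174,14 @@ func (m *Manager) shouldRotate(c *Certificate) bool {
 intNoise := rand.Intn(noiseSeconds) // #nosec G404
 secondsNoise := time.Duration(intNoise) * time.Second
 renewBefore := RenewBeforeCertExpires + secondsNoise
-if time.Until(c.GetExpiration()) <= renewBefore {
+// Round is called to truncate monotonic clock to the nearest second. This is done to avoid environments where the
+// CPU clock may stop, resulting in a time measurement that differs significantly from the x509 timestamp.
+// See https://github.com/openservicemesh/osm/issues/5000#issuecomment-1218539412 for more details.
+expiration := c.GetExpiration().Round(0)
+if time.Until(expiration) <= renewBefore {
 log.Info().Msgf("Cert %s should be rotated; expires in %+v; renewBefore is %+v",
 c.GetCommonName(),
-time.Until(c.GetExpiration()),
+time.Until(expiration),
 renewBefore)
 return true
 }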
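Review bot: The added comment above the `Round(0)` call describes it as truncating the monotonic clock to the nearest second, but `Time.Round(0)` only strips the monotonic reading and leaves the wall-clock value untouched; `time.Until(expiration)` then compares against wall time, which is what matches the x509 NotAfter timestamp. Suggest rewording the first comment line to `// Round(0) strips the monotonic clock reading so time.Until compares wall-clock time against the x509 expiration.` The stripping is done at this use site only; if GetExpiration is backed by a value derived from time.Now() at issuance, stripping it once at the source would also cover any other caller that still reads the raw value. shouldRotate's body continues past the hunk.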

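--- a/pkg/debugger/certificate.go
+++ b/pkg/debugger/certificate.go
@@ -29,7 +29,7 @@ func (ds DebugConfig) getCertHandler() http.Handler {
 
 _, _ = fmt.Fprintf(w, "---[ %d ]---\n", idx)
 _, _ = fmt.Fprintf(w, "\t Common Name: %q\n", cert.GetCommonName())
-_, _ = fmt.Fprintf(w, "\t Valid Until: %+v (%+v remaining)\n", cert.GetExpiration(), time.Until(cert.GetExpiration()))
+_, _ = fmt.Fprintf(w, "\t Valid Until: %+v (%+v remaining)\n", cert.GetExpiration(), time.Until(cert.GetExpiration().Round(0)))
 _, _ = fmt.Fprintf(w, "\t Issuing CA (SHA256): %x\n", sha256.Sum256(ca))
 _, _ = fmt.Fprintf(w, "\t Trusted CAs (SHA256): %x\n", sha256.Sum256(trustedCAs))
 _, _ = fmt.Fprintf(w, "\t Cert Chain (SHA256): %x\n", sha256.Sum256(chain))
@@ -38,7 +38,7 @@ func (ds DebugConfig) getCertHandler() http.Handler {
 _, _ = fmt.Fprintf(w, "\t x509.SignatureAlgorithm: %+v\n", x509.SignatureAlgorithm)
 _, _ = fmt.Fprintf(w, "\t x509.PublicKeyAlgorithm: %+v\n", x509.PublicKeyAlgorithm)
 _, _ = fmt.Fprintf(w, "\t x509.Version: %+v\n", x509.Version)
-_, _ = fmt.Fprintf(w, "\t x509.SerialNumber: %x\n", x509.SerialNumber)
+_, _ = fmt.Fprintf(w, "\t x509.SerialNumber: %s\n", x509.SerialNumber)
 _, _ = fmt.Fprintf(w, "\t x509.Issuer: %+v\n", x509.Issuer)
 _, _ = fmt.Fprintf(w, "\t x509.Subject: %+v\n", x509.Subject)
 _, _ = fmt.Fprintf(w, "\t x509.NotBefore (begin): %+v (%+v ago)\n", x509.NotBefore, time.Since(x509.NotBefore))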
