[backport] cherry-pick a016262 to release-v1.1

steeling · shalier · commit 45f0452e70b3 · 2022-10-18T12:53:24.000-07:00
Signed-off-by: Shalier Xia <shalierxia@microsoft.com> cert rotation now ignores monotonic clock readings when checking expiration (openservicemesh#5012) Signed-off-by: Sean Teeling <seanteeling@microsoft.com>
diff --git a/pkg/certificate/manager.go b/pkg/certificate/manager.go
@@ -1,6 +1,7 @@
 package certificate
 
 import (
+	"math/rand"
 	"time"
 
 	"github.com/pkg/errors"
@@ -58,7 +59,16 @@ func (m *manager) IssueCertificate(cn CommonName, validityPeriod time.Duration)
 	start := time.Now()
 
 	if cert := m.getFromCache(cn); cert != nil {
-		return cert, nil
+		intNoise := rand.Intn(noiseSeconds) // #nosec G404
+		secondsNoise := time.Duration(intNoise) * time.Second
+		renewBefore := RenewBeforeCertExpires + secondsNoise
+		// Round is called to truncate monotonic clock to the nearest second. This is done to avoid environments where the
+		// CPU clock may stop, resulting in a time measurement that differs significantly from the x509 timestamp.
+		// See https://github.com/openservicemesh/osm/issues/5000#issuecomment-1218539412 for more details.
+		expiration := cert.GetExpiration().Round(0)
+		if time.Until(expiration) > renewBefore {
+			return cert, nil
+		}
 	}
 
 	cert, err := m.client.IssueCertificate(cn, validityPeriod)
diff --git a/pkg/debugger/certificate.go b/pkg/debugger/certificate.go
@@ -28,15 +28,15 @@ func (ds DebugConfig) getCertHandler() http.Handler {
 
 			_, _ = fmt.Fprintf(w, "---[ %d ]---\n", idx)
 			_, _ = fmt.Fprintf(w, "\t Common Name: %q\n", cert.GetCommonName())
-			_, _ = fmt.Fprintf(w, "\t Valid Until: %+v (%+v remaining)\n", cert.GetExpiration(), time.Until(cert.GetExpiration()))
+			_, _ = fmt.Fprintf(w, "\t Valid Until: %+v (%+v remaining)\n", cert.GetExpiration(), time.Until(cert.GetExpiration().Round(0)))
 			_, _ = fmt.Fprintf(w, "\t Issuing CA (SHA256): %x\n", sha256.Sum256(ca))
 			_, _ = fmt.Fprintf(w, "\t Cert Chain (SHA256): %x\n", sha256.Sum256(chain))
 
 			// Show only some x509 fields to keep the output clean
 			_, _ = fmt.Fprintf(w, "\t x509.SignatureAlgorithm: %+v\n", x509.SignatureAlgorithm)
 			_, _ = fmt.Fprintf(w, "\t x509.PublicKeyAlgorithm: %+v\n", x509.PublicKeyAlgorithm)
 			_, _ = fmt.Fprintf(w, "\t x509.Version: %+v\n", x509.Version)
-			_, _ = fmt.Fprintf(w, "\t x509.SerialNumber: %x\n", x509.SerialNumber)
+			_, _ = fmt.Fprintf(w, "\t x509.SerialNumber: %s\n", x509.SerialNumber)
 			_, _ = fmt.Fprintf(w, "\t x509.Issuer: %+v\n", x509.Issuer)
 			_, _ = fmt.Fprintf(w, "\t x509.Subject: %+v\n", x509.Subject)
 			_, _ = fmt.Fprintf(w, "\t x509.NotBefore (begin): %+v (%+v ago)\n", x509.NotBefore, time.Since(x509.NotBefore))
