crl-updater: UpdatePeriod safety check (#8131)
The current requirement is that CRLs must be published within 24 hours after revoking a certificate. Fixes #8110
parent
967d722cf4
commit
c95ab5c75f
|
@ -57,10 +57,9 @@ type Config struct {
|
||||||
LookbackPeriod config.Duration `validate:"-"`
|
LookbackPeriod config.Duration `validate:"-"`
|
||||||
|
|
||||||
// UpdatePeriod controls how frequently the crl-updater runs and publishes
|
// UpdatePeriod controls how frequently the crl-updater runs and publishes
|
||||||
// new versions of every CRL shard. The Baseline Requirements, Section 4.9.7
|
// new versions of every CRL shard. The Baseline Requirements, Section 4.9.7:
|
||||||
// state that this MUST NOT be more than 7 days. We believe that future
|
// "MUST update and publish a new CRL within twenty‐four (24) hours after
|
||||||
// updates may require that this not be more than 24 hours, and currently
|
// recording a Certificate as revoked."
|
||||||
// recommend an UpdatePeriod of 6 hours.
|
|
||||||
UpdatePeriod config.Duration
|
UpdatePeriod config.Duration
|
||||||
|
|
||||||
// UpdateTimeout controls how long a single CRL shard is allowed to attempt
|
// UpdateTimeout controls how long a single CRL shard is allowed to attempt
|
||||||
|
|
|
@ -80,8 +80,8 @@ func NewUpdater(
|
||||||
return nil, fmt.Errorf("must have positive number of shards, got: %d", numShards)
|
return nil, fmt.Errorf("must have positive number of shards, got: %d", numShards)
|
||||||
}
|
}
|
||||||
|
|
||||||
if updatePeriod >= 7*24*time.Hour {
|
if updatePeriod >= 24*time.Hour {
|
||||||
return nil, fmt.Errorf("must update CRLs at least every 7 days, got: %s", updatePeriod)
|
return nil, fmt.Errorf("must update CRLs at least every 24 hours, got: %s", updatePeriod)
|
||||||
}
|
}
|
||||||
|
|
||||||
if updateTimeout >= updatePeriod {
|
if updateTimeout >= updatePeriod {
|
||||||
|
|
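Review bot: The new bound `if updatePeriod >= 24*time.Hour {` in NewUpdater limits only the interval between runs, not the time from recording a revocation to publishing the CRL that lists it. A revocation recorded just after a run has gathered its data waits a full period plus the duration of the next run, so a value just under 24 hours passes this check and can still miss the deadline quoted in the Config comment. If updateTimeout is a fair upper bound on how long a shard takes to publish (it is described as per-shard, so this is an approximation), checking the sum would be closer to the requirement: `if updatePeriod+updateTimeout >= 24*time.Hour {`. The rewritten UpdatePeriod comment also drops the earlier operational guidance (6 hours was recommended); I would keep a line such as `// Choose a value well below 24h so that run time and publishing delays still fit within the deadline.` NewUpdater's body starts and ends outside the hunk, so any margin applied elsewhere is not visible here.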