From 904f357b8180bbe92dc9880ddb8a0f97922ea32d Mon Sep 17 00:00:00 2001
From: GrĂ©goire DuchĂȘne
Date: Sat, 23 May 2020 10:42:38 +0100
Subject: Check that the certificate lifetime is valid
---
 main.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'main.go')
diff --git a/main.go b/main.go
index 590aff2..affb784 100644
--- a/main.go
+++ b/main.go
@@ -233,11 +233,18 @@ func main() {
 log.Fatalln("error: could not parse the CA certificate:", err)
 }
 }
+ if tmpl.NotBefore.Before(parentCert.NotBefore) {
+ log.Fatalf("error: certificate starts before (%v) its parent (%v)",
+ tmpl.NotBefore, parentCert.NotBefore)
+ }
+ if tmpl.NotAfter.After(parentCert.NotAfter) {
+ log.Fatalf("error: certificate expires after (%v) its parent (%v)",
+ tmpl.NotAfter, parentCert.NotAfter)
+ }
 cert, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
 if err != nil {
 log.Fatalln("error: could not generate the certificate:", err)
 }
-
 keyOut, err := os.OpenFile(out+".key", os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0600)
 if err != nil {
 log.Fatalln("error: could not create the private key:", err)
-- cgit v1.2.3-70-g09d2
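Review bot: The two new comparisons in main() bound the child's validity window by the parent's, but nothing in the hunk checks that the window itself is well-formed, i.e. that `tmpl.NotAfter` is later than `tmpl.NotBefore`. If the self-signed path uses the template as its own parent (not visible here), both comparisons are trivially false and an inverted window would reach `x509.CreateCertificate` unchecked. Consider adding `if !tmpl.NotAfter.After(tmpl.NotBefore) { log.Fatalf("error: certificate expires (%v) before it starts (%v)", tmpl.NotAfter, tmpl.NotBefore) }` next to them, unless this is already enforced where the template is built; main's body starts and ends outside the hunk. A short comment such as `// A chain is only valid while every certificate in it is valid, so the child's lifetime must nest inside the parent's.` would also record why the checks exist.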