From 2eba5326db6d427cd9c0bc7338a0a21a0309df94 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Thu, 22 Sep 2022 12:17:16 -0700
Subject: [PATCH] Remove policy validation on renew

---
 authority/tls.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/authority/tls.go b/authority/tls.go
index 32b85e11..29053ddf 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -348,9 +348,12 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
 newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext)
 }
 
- // Check if the certificate is allowed to be renewed, policies or
- // constraints might change over time.
- if err := a.isAllowedToSignX509Certificate(newCert); err != nil {
+ // Check if the certificate is allowed to be renewed, name constraints might
+ // change over time.
+ //
+ // TODO(hslatman,maraino): consider adding policies too and consider if
+ // RenewSSH should check policies.
+ if err := a.constraintsEngine.ValidateCertificate(newCert); err != nil {
 var ee *errs.Error
 if errors.As(err, &ee) {
 return nil, errs.ApplyOptions(ee, opts...)
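Review bot: With the policy check dropped at the `a.constraintsEngine.ValidateCertificate(newCert)` call, a renewal is now accepted for a certificate whose names the current X.509 policy would reject, so tightening a policy no longer takes effect for already-issued leaf certificates until they expire or are revoked; the TODO records the intent but not this consequence. I would state it in the comment so operators do not rely on policy to stop renewals: `// NOTE: policies are intentionally not re-evaluated on renewal; a certificate whose names are no longer permitted by policy can still be renewed until it expires or is revoked.` If `a.constraintsEngine` can be nil when no constraints are configured, the direct method call needs a nil guard or a nil-safe ValidateCertificate; I cannot tell from this hunk whether the replaced helper handled that case. The enclosing function starts before and ends after the hunk.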