Fix some review items

slackhq · Sep 12, 2024 · 2626ff9 · 2626ff9
1 parent c686558
commit 2626ff9
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/cert/ca_pool.go b/cert/ca_pool.go
@@ -238,12 +238,12 @@ func CheckCAConstraints(signer Certificate, sub Certificate) error {
 
 // checkCAConstraints is a very generic function allowing both Certificates and TBSCertificates to be tested.
 func checkCAConstraints(signer Certificate, notBefore, notAfter time.Time, groups []string, networks, unsafeNetworks []netip.Prefix) error {
-	// Make sure this cert wasn't valid before the root
+	// Make sure this cert isn't valid after the root
 	if notAfter.After(signer.NotAfter()) {
 		return fmt.Errorf("certificate expires after signing certificate")
 	}
 
-	// Make sure this cert isn't valid after the root
+	// Make sure this cert wasn't valid before the root
 	if notBefore.Before(signer.NotBefore()) {
 		return fmt.Errorf("certificate is valid before the signing certificate")
 	}

diff --git a/pki.go b/pki.go
@@ -89,8 +89,8 @@ func (p *PKI) reloadCert(c *config.C, initial bool) *util.ContextualError {
 		newIPs := cs.Certificate.Networks()
 		if len(oldIPs) > 0 && len(newIPs) > 0 && oldIPs[0].String() != newIPs[0].String() {
 			return util.NewContextualError(
-				"IP in new cert was different from old",
-				m{"new_ip": newIPs[0], "old_ip": oldIPs[0]},
+				"Networks in new cert was different from old",
+				m{"new_network": newIPs[0], "old_network": oldIPs[0]},
 				nil,
 			)
 		}
@@ -208,7 +208,7 @@ func newCertStateFromConfig(c *config.C) (*CertState, error) {
 	}
 
 	if len(nebulaCert.Networks()) == 0 {
-		return nil, fmt.Errorf("no IPs encoded in certificate")
+		return nil, fmt.Errorf("no networks encoded in certificate")
 	}
 
 	if err = nebulaCert.VerifyPrivateKey(curve, rawKey); err != nil {