Use correct timing for issued cert under TA. (related #1097)

NLnetLabs · Oct 11, 2023 · 104335e · 104335e
1 parent 13ca167
commit 104335e
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 8 deletions.
diff --git a/src/daemon/ca/manager.rs b/src/daemon/ca/manager.rs
@@ -878,7 +878,7 @@ impl CaManager {
         } else {
             self.get_trust_anchor_proxy()
                 .await?
-                .entitlements(child, &self.config.issuance_timing)
+                .entitlements(child, &self.config.ta_timing)
                 .map(|entitlements| ResourceClassListResponse::new(vec![entitlements]))
         }?;
 

diff --git a/src/ta/config.rs b/src/ta/config.rs
@@ -17,6 +17,7 @@ use crate::{
 // TA timing defaults
 const DFLT_TA_CERTIFICATE_VALIDITY_YEARS: i32 = 100;
 const DFLT_TA_ISSUED_CERTIFICATE_VALIDITY_WEEKS: i64 = 52;
+const DFLT_TA_ISSUED_CERTIFICATE_REISSUE_WEEKS_BEFORE: i64 = 26;
 const DFLT_TA_MFT_NEXT_UPDATE_WEEKS: i64 = 12;
 const DFLT_TA_SIGNED_MESSAGE_VALIDITY_DAYS: i64 = 14;
 
@@ -30,6 +31,9 @@ pub struct TaTimingConfig {
     #[serde(default = "TaTimingConfig::dflt_ta_issued_certificate_validity_weeks")]
     pub issued_certificate_validity_weeks: i64,
 
+    #[serde(default = "TaTimingConfig::dflt_ta_issued_certificate_reissue_weeks_before")]
+    pub issued_certificate_reissue_weeks_before: i64,
+
     #[serde(default = "TaTimingConfig::dflt_ta_mft_next_update_weeks")]
     pub mft_next_update_weeks: i64,
 
@@ -42,6 +46,7 @@ impl Default for TaTimingConfig {
         Self {
             certificate_validity_years: DFLT_TA_CERTIFICATE_VALIDITY_YEARS,
             issued_certificate_validity_weeks: DFLT_TA_ISSUED_CERTIFICATE_VALIDITY_WEEKS,
+            issued_certificate_reissue_weeks_before: DFLT_TA_ISSUED_CERTIFICATE_REISSUE_WEEKS_BEFORE,
             mft_next_update_weeks: DFLT_TA_MFT_NEXT_UPDATE_WEEKS,
             signed_message_validity_days: DFLT_TA_SIGNED_MESSAGE_VALIDITY_DAYS,
         }
@@ -57,6 +62,10 @@ impl TaTimingConfig {
         DFLT_TA_ISSUED_CERTIFICATE_VALIDITY_WEEKS
     }
 
+    fn dflt_ta_issued_certificate_reissue_weeks_before() -> i64 {
+        DFLT_TA_ISSUED_CERTIFICATE_REISSUE_WEEKS_BEFORE
+    }
+
     fn dflt_ta_mft_next_update_weeks() -> i64 {
         DFLT_TA_MFT_NEXT_UPDATE_WEEKS
     }

diff --git a/src/ta/proxy.rs b/src/ta/proxy.rs
@@ -7,12 +7,14 @@ use super::*;
 
 use std::{collections::HashMap, convert::TryFrom, fmt, sync::Arc};
 
+use chrono::Duration;
 use rpki::{
     ca::{
         idexchange::{self, ChildHandle, MyHandle},
         provisioning::{ResourceClassEntitlements, SigningCert},
     },
     crypto::KeyIdentifier,
+    repository::x509::Time,
 };
 
 use crate::{
@@ -24,10 +26,7 @@ use crate::{
         eventsourcing::{self, Event, InitCommandDetails, InitEvent, WithStorableDetails},
         KrillResult,
     },
-    daemon::{
-        ca::{Rfc8183Id, UsedKeyState},
-        config::IssuanceTimingConfig,
-    },
+    daemon::ca::{Rfc8183Id, UsedKeyState},
 };
 
 //------------ TrustAnchorProxy --------------------------------------------
@@ -743,7 +742,7 @@ impl TrustAnchorProxy {
     pub fn entitlements(
         &self,
         child_handle: &ChildHandle,
-        issuance_timing: &IssuanceTimingConfig,
+        ta_timing: &TaTimingConfig,
     ) -> KrillResult<ResourceClassEntitlements> {
         let signer = self.signer.as_ref().ok_or(Error::TaNotInitialized)?;
         let child = self.get_child_details(child_handle)?;
@@ -758,8 +757,8 @@ impl TrustAnchorProxy {
 
         let mut issued_certs = vec![];
 
-        let mut not_after = issuance_timing.new_child_cert_not_after();
-        let threshold = issuance_timing.new_child_cert_issuance_threshold();
+        let mut not_after = Time::now() + Duration::weeks(ta_timing.issued_certificate_validity_weeks);
+        let threshold = Time::now() + Duration::weeks(ta_timing.issued_certificate_reissue_weeks_before);
         for ki in child.used_keys.keys() {
             if let Some(issued) = signer.objects.get_issued(ki) {
                 issued_certs.push(issued.to_rfc6492_issued_cert().map_err(|e| {

diff --git a/test-resources/ta/ta.conf b/test-resources/ta/ta.conf
@@ -62,6 +62,11 @@ storage_uri = "memory://"
 #
 ### issued_certificate_validity_weeks = 52
 
+# The threshold in weeks before expiry of a current issued certificate
+# used to determine when a new certificate should be requested.
+#
+### issued_certificate_reissue_weeks_before = 26
+
 # The time before the manifest and CRL expire for objects published by
 # the TA. This determines the minimal re-signing frequency needed.
 #