From 104335e174c702294a8f459cfb53f5d9066286cc Mon Sep 17 00:00:00 2001
From: Tim Bruijnzeels
Date: Wed, 11 Oct 2023 14:18:33 +0200
Subject: [PATCH] Use correct timing for issued cert under TA. (related #1097)
---
 src/daemon/ca/manager.rs | 2 +-
 src/ta/config.rs | 9 +++++++++
 src/ta/proxy.rs | 13 ++++++-------
 test-resources/ta/ta.conf | 5 +++++
 4 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/src/daemon/ca/manager.rs b/src/daemon/ca/manager.rs
index 95852e201..f2c390b33 100644
--- a/src/daemon/ca/manager.rs
+++ b/src/daemon/ca/manager.rs
@@ -878,7 +878,7 @@ impl CaManager {
 } else {
 self.get_trust_anchor_proxy()
 .await?
- .entitlements(child, &self.config.issuance_timing)
+ .entitlements(child, &self.config.ta_timing)
 .map(|entitlements| ResourceClassListResponse::new(vec![entitlements]))
 }?;
diff --git a/src/ta/config.rs b/src/ta/config.rs
index 1123ebee7..9fa50b4ca 100644
--- a/src/ta/config.rs
+++ b/src/ta/config.rs
@@ -17,6 +17,7 @@ use crate::{
 // TA timing defaults
 const DFLT_TA_CERTIFICATE_VALIDITY_YEARS: i32 = 100;
 const DFLT_TA_ISSUED_CERTIFICATE_VALIDITY_WEEKS: i64 = 52;
+const DFLT_TA_ISSUED_CERTIFICATE_REISSUE_WEEKS_BEFORE: i64 = 26;
 const DFLT_TA_MFT_NEXT_UPDATE_WEEKS: i64 = 12;
 const DFLT_TA_SIGNED_MESSAGE_VALIDITY_DAYS: i64 = 14;
@@ -30,6 +31,9 @@ pub struct TaTimingConfig {
 #[serde(default = "TaTimingConfig::dflt_ta_issued_certificate_validity_weeks")]
 pub issued_certificate_validity_weeks: i64,
+ #[serde(default = "TaTimingConfig::dflt_ta_issued_certificate_reissue_weeks_before")]
+ pub issued_certificate_reissue_weeks_before: i64,
+
 #[serde(default = "TaTimingConfig::dflt_ta_mft_next_update_weeks")]
 pub mft_next_update_weeks: i64,
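Review bot: `issued_certificate_reissue_weeks_before` is added to `TaTimingConfig` as a plain `i64` with a serde default, and nothing in this diff bounds it or relates it to `issued_certificate_validity_weeks`. Both values are later passed to `Duration::weeks` in `entitlements` (the `src/ta/proxy.rs` hunk at `@@ -758,8 +757,8 @@`), where a negative number puts the date in the past, a very large one panics inside chrono, and a re-issue window that is not smaller than the validity period would presumably make every freshly issued certificate count as due for renewal straight away. Unless this is already validated outside the diff, reject such values when the configuration is loaded, along the lines of `if reissue < 0 || validity <= 0 || reissue >= validity { /* return a config error */ }`. A doc line on the field would also help: `/// Weeks before expiry at which a re-issued certificate is offered; must be smaller than issued_certificate_validity_weeks.` The struct definition continues outside the hunk.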
@@ -42,6 +46,7 @@ impl Default for TaTimingConfig {
 Self {
 certificate_validity_years: DFLT_TA_CERTIFICATE_VALIDITY_YEARS,
 issued_certificate_validity_weeks: DFLT_TA_ISSUED_CERTIFICATE_VALIDITY_WEEKS,
+ issued_certificate_reissue_weeks_before: DFLT_TA_ISSUED_CERTIFICATE_REISSUE_WEEKS_BEFORE,
 mft_next_update_weeks: DFLT_TA_MFT_NEXT_UPDATE_WEEKS,
 signed_message_validity_days: DFLT_TA_SIGNED_MESSAGE_VALIDITY_DAYS,
 }
@@ -57,6 +62,10 @@ impl TaTimingConfig {
 DFLT_TA_ISSUED_CERTIFICATE_VALIDITY_WEEKS
 }
+ fn dflt_ta_issued_certificate_reissue_weeks_before() -> i64 {
+ DFLT_TA_ISSUED_CERTIFICATE_REISSUE_WEEKS_BEFORE
+ }
+
 fn dflt_ta_mft_next_update_weeks() -> i64 {
 DFLT_TA_MFT_NEXT_UPDATE_WEEKS
 }
diff --git a/src/ta/proxy.rs b/src/ta/proxy.rs
index dedd1acc9..828667e34 100644
--- a/src/ta/proxy.rs
+++ b/src/ta/proxy.rs
@@ -7,12 +7,14 @@ use super::*;
 use std::{collections::HashMap, convert::TryFrom, fmt, sync::Arc};
+use chrono::Duration;
 use rpki::{
 ca::{
 idexchange::{self, ChildHandle, MyHandle},
 provisioning::{ResourceClassEntitlements, SigningCert},
 },
 crypto::KeyIdentifier,
+ repository::x509::Time,
 };
 use crate::{
@@ -24,10 +26,7 @@ use crate::{
 eventsourcing::{self, Event, InitCommandDetails, InitEvent, WithStorableDetails},
 KrillResult,
 },
- daemon::{
- ca::{Rfc8183Id, UsedKeyState},
- config::IssuanceTimingConfig,
- },
+ daemon::ca::{Rfc8183Id, UsedKeyState},
 };
 //------------ TrustAnchorProxy --------------------------------------------
@@ -743,7 +742,7 @@ impl TrustAnchorProxy {
 pub fn entitlements(
 &self,
 child_handle: &ChildHandle,
- issuance_timing: &IssuanceTimingConfig,
+ ta_timing: &TaTimingConfig,
 ) -> KrillResult {
 let signer = self.signer.as_ref().ok_or(Error::TaNotInitialized)?;
 let child = self.get_child_details(child_handle)?;
@@ -758,8 +757,8 @@ impl TrustAnchorProxy {
 let mut issued_certs = vec![];
- let mut not_after = issuance_timing.new_child_cert_not_after();
- let threshold = issuance_timing.new_child_cert_issuance_threshold();
+ let mut not_after = Time::now() + Duration::weeks(ta_timing.issued_certificate_validity_weeks);
+ let threshold = Time::now() + Duration::weeks(ta_timing.issued_certificate_reissue_weeks_before);
 for ki in child.used_keys.keys() {
 if let Some(issued) = signer.objects.get_issued(ki) {
 issued_certs.push(issued.to_rfc6492_issued_cert().map_err(|e| {
diff --git a/test-resources/ta/ta.conf b/test-resources/ta/ta.conf
index 3d233eee7..9cd28194e 100644
--- a/test-resources/ta/ta.conf
+++ b/test-resources/ta/ta.conf
@@ -62,6 +62,11 @@ storage_uri = "memory://"
 #
 ### issued_certificate_validity_weeks = 52
+# The threshold in weeks before expiry of a current issued certificate
+# used to determine when a new certificate should be requested.
+#
+### issued_certificate_reissue_weeks_before = 26
+
 # The time before the manifest and CRL expire for objects published by
 # the TA. This determines the minimal re-signing frequency needed.
 #
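Review bot: The two added `let` lines read `Time::now()` twice, so `not_after` and `threshold` are offsets from slightly different instants, and the date arithmetic now lives inline in `entitlements` where the removed code called `new_child_cert_not_after()` and `new_child_cert_issuance_threshold()`. Take the clock once with `let now = Time::now();` and derive both values from `now`, or give `TaTimingConfig` two small methods that return these times so the calculation sits next to the configuration it depends on. The `for` loop that consumes `threshold` continues outside the hunk.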