Improve the feedback provided by krillta proxy signer show-request

Cargo.toml

@@ -52,7 +52,7 @@ rand            = "0.8"
 regex           = { version = "1.5.5", optional = true, default-features = false, features = [ "std" ] }
 reqwest         = { version = "0.12.5", features = ["json"] }
 rpassword       = { version = "7.3.1", optional = true }
-rpki            = { version = "0.18.4", features = ["ca", "compat", "rrdp"], git = "https://github.com/NLnetLabs/rpki-rs.git" }
+rpki            = { version = "0.18.4", features = ["ca", "compat", "rrdp"], git = "https://github.com/NLnetLabs/rpki-rs.git", rev = "26397568f564836a1ef94ac5449e8e1e462de01f" }
 rustls-pemfile  = "2.1.2"
 scrypt          = { version = "0.11", optional = true, default-features = false }
 secrecy         = { version = "0.8", features = ["serde"] }

src/ta/common.rs

@@ -7,6 +7,7 @@ use std::{
 };
 
 use bytes::Bytes;
+use chrono::TimeDelta;
 use rpki::{
     ca::{
         idexchange::{ChildHandle, RecipientHandle, SenderHandle},
@@ -36,6 +37,8 @@ use crate::{
     },
 };
 
+use super::TaTimingConfig;
+
 //------------ TrustAnchorObjects ------------------------------------------
 
 /// Contains all Trust Anchor objects, including the the TA certificate
@@ -553,6 +556,8 @@ impl fmt::Display for TrustAnchorSignedRequest {
 pub struct TrustAnchorSignerRequest {
     pub nonce: Nonce, // should be matched in response (replay protection)
     pub child_requests: Vec<TrustAnchorChildRequests>,
+    pub timing: TaTimingConfig,
+    pub renew_time: Option<Time>
 }
 
 impl TrustAnchorSignerRequest {
@@ -599,7 +604,17 @@ impl fmt::Display for TrustAnchorSignerRequest {
                 }
             }
             writeln!(f)?;
-        }
+        }   
+        writeln!(f, "Certificates will be reissued {} weeks before expiry.", 
+            self.timing.issued_certificate_reissue_weeks_before)?;
+        if let Some(rt) = self.renew_time { 
+            writeln!(f, "The current certificate expires on {}.", rt.to_rfc3339())?; 
+            if let Some(weeks) = TimeDelta::try_weeks(self.timing.issued_certificate_reissue_weeks_before) {
+                let t = rt - weeks;
+                writeln!(f, "Ergo the certificate is eligible for renewal on {}.", t.to_rfc3339())?; 
+            }
+        }         
+        writeln!(f)?;
         writeln!(f, "NOTE: Use the JSON output for the signer.")?;
 
         Ok(())

src/ta/config.rs

@@ -24,7 +24,7 @@ const DFLT_TA_SIGNED_MESSAGE_VALIDITY_DAYS: i64 = 14;
 //------------------------ TaTimingConfig
 //------------------------ ---------------------------------------
 
-#[derive(Clone, Copy, Debug, Deserialize)]
+#[derive(Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
 pub struct TaTimingConfig {
     #[serde(default = "TaTimingConfig::dflt_ta_certificate_validity_years")]
     pub certificate_validity_years: i32,

src/ta/proxy.rs

@@ -5,13 +5,12 @@
 /// function is handled by the Trust Anchor Signer instead.
 use super::*;
 
-use std::{collections::HashMap, fmt, sync::Arc};
+use std::{cmp, collections::HashMap, fmt, sync::Arc};
 
 use chrono::Duration;
 use rpki::{
     ca::{
-        idexchange::{self, ChildHandle, MyHandle},
-        provisioning::{ResourceClassEntitlements, SigningCert},
+        idcert::IdCert, idexchange::{self, ChildHandle, MyHandle}, provisioning::{ResourceClassEntitlements, SigningCert}
     },
     crypto::KeyIdentifier,
     repository::x509::Time,
@@ -886,6 +885,8 @@ impl TrustAnchorProxy {
     ) -> KrillResult<TrustAnchorSignedRequest> {
         if let Some(nonce) = self.open_signer_request.as_ref().cloned() {
             let mut child_requests = vec![];
+            let mut renew_time  = None;
+
             for (child, details) in &self.child_details {
                 if !details.open_requests.is_empty() {
                     child_requests.push(TrustAnchorChildRequests {
@@ -894,11 +895,22 @@ impl TrustAnchorProxy {
                         requests: details.open_requests.clone(),
                     });
                 }
+
+                if let Ok(cert) = IdCert::try_from(&details.id) {
+                    let v = cert.validity();
+                    if let Some(rt) = renew_time {
+                        renew_time = Some(cmp::min(rt, v.not_after()));
+                    } else {
+                        renew_time = Some(v.not_after());
+                    }
+                }
             }
 
             TrustAnchorSignerRequest {
                 nonce,
                 child_requests,
+                timing,
+                renew_time
             }
             .sign(
                 self.id.public_key().key_identifier(),

src/ta/signer.rs

@@ -465,6 +465,13 @@ impl TrustAnchorSigner {
         // and the 'content' is not tampered with.
         signed_request.validate(&self.proxy_id)?;
 
+        // Check whether the timing configs match
+        if ta_timing_config != signed_request.content().timing {
+            return Err(Error::Custom(format!(
+                "TA timing config between krillta and krill do not match!"
+            )));
+        }
+
         let mut objects = self.objects.clone();
 
         let mut child_responses: HashMap<