Ta timing config

src/cli/report.rs

@@ -15,13 +15,9 @@ use crate::{
         },
         bgp::{BgpAnalysisAdvice, BgpAnalysisReport, BgpAnalysisSuggestion},
     },
-    daemon::{
-        ca::ResourceTaggedAttestation,
-        ta::{
-            TrustAnchorProxySignerExchanges, TrustAnchorSignedRequest, TrustAnchorSignedResponse, TrustAnchorSignerInfo,
-        },
-    },
+    daemon::ca::ResourceTaggedAttestation,
     pubd::RepoStats,
+    ta::{TrustAnchorProxySignerExchanges, TrustAnchorSignedRequest, TrustAnchorSignedResponse, TrustAnchorSignerInfo},
 };
 
 //------------ ApiResponse ---------------------------------------------------

src/commons/api/ca.rs

@@ -2170,7 +2170,7 @@ mod test {
 
     use rpki::crypto::PublicKeyFormat;
 
-    use crate::{commons::crypto::OpenSslSigner, daemon::ta::TrustAnchorLocator, test};
+    use crate::{commons::crypto::OpenSslSigner, ta::TrustAnchorLocator, test};
 
     use super::*;
 

src/commons/api/import.rs

@@ -12,7 +12,8 @@ use rpki::{
 
 use crate::{
     commons::{api::PublicationServerUris, error::Error, KrillResult},
-    daemon::{config, ta::ta_handle},
+    daemon::config,
+    ta::ta_handle,
 };
 
 use super::RoaConfiguration;

src/commons/crypto/signing/dispatch/krillsigner.rs

@@ -40,10 +40,7 @@ use crate::{
         KrillResult,
     },
     constants::ID_CERTIFICATE_VALIDITY_YEARS,
-    daemon::{
-        config::{SignerConfig, SignerType},
-        ta::TA_SIGNED_MESSAGE_DAYS,
-    },
+    daemon::config::{SignerConfig, SignerType},
 };
 
 #[cfg(feature = "hsm")]
@@ -327,8 +324,13 @@ impl KrillSigner {
         publication::PublicationCms::create(message, signing_key, &self.router).map_err(crypto::Error::signing)
     }
 
-    pub fn create_ta_signed_message(&self, data: Bytes, signing_key: &KeyIdentifier) -> CryptoResult<SignedMessage> {
-        let validity = SignSupport::sign_validity_days(TA_SIGNED_MESSAGE_DAYS);
+    pub fn create_ta_signed_message(
+        &self,
+        data: Bytes,
+        validity_days: i64,
+        signing_key: &KeyIdentifier,
+    ) -> CryptoResult<SignedMessage> {
+        let validity = SignSupport::sign_validity_days(validity_days);
 
         SignedMessage::create(data, validity, signing_key, &self.router).map_err(crypto::Error::signing)
     }

src/commons/error.rs

@@ -23,7 +23,8 @@ use crate::{
         eventsourcing::{AggregateStoreError, KeyValueError},
         util::httpclient,
     },
-    daemon::{ca::RoaPayloadJsonMapKey, http::tls_keys, ta},
+    daemon::{ca::RoaPayloadJsonMapKey, http::tls_keys},
+    ta,
     upgrades::UpgradeError,
 };
 

src/daemon/ca/manager.rs

@@ -48,13 +48,13 @@ use crate::{
         },
         config::Config,
         mq::{now, Task, TaskQueue},
-        ta::{
-            self, ta_handle, TrustAnchorProxy, TrustAnchorProxyCommand, TrustAnchorProxyInitCommand,
-            TrustAnchorSignedRequest, TrustAnchorSignedResponse, TrustAnchorSigner, TrustAnchorSignerCommand,
-            TrustAnchorSignerInfo, TrustAnchorSignerInitCommand, TrustAnchorSignerInitCommandDetails, TA_NAME,
-        },
     },
     pubd::RepositoryManager,
+    ta::{
+        self, ta_handle, TrustAnchorProxy, TrustAnchorProxyCommand, TrustAnchorProxyInitCommand,
+        TrustAnchorSignedRequest, TrustAnchorSignedResponse, TrustAnchorSigner, TrustAnchorSignerCommand,
+        TrustAnchorSignerInfo, TrustAnchorSignerInitCommand, TrustAnchorSignerInitCommandDetails, TA_NAME,
+    },
 };
 
 use super::{CertAuthInitCommand, CertAuthInitCommandDetails};
@@ -315,6 +315,7 @@ impl CaManager {
                 tal_https,
                 tal_rsync,
                 private_key_pem,
+                timing: self.config.ta_timing,
                 signer: self.signer.clone(),
             };
             let cmd = TrustAnchorSignerInitCommand::new(&handle, details, &self.system_actor);
@@ -375,7 +376,7 @@ impl CaManager {
         let cmd = TrustAnchorProxyCommand::make_signer_request(&ta_handle(), actor);
         let proxy = self.send_ta_proxy_command(cmd).await?;
 
-        proxy.get_signer_request(&self.signer)
+        proxy.get_signer_request(self.config.ta_timing, &self.signer)
     }
 
     /// Create a new request for the signer.
@@ -384,7 +385,9 @@ impl CaManager {
     /// - there is no proxy
     /// - the proxy already has a request
     pub async fn ta_proxy_signer_get_request(&self) -> KrillResult<TrustAnchorSignedRequest> {
-        self.get_trust_anchor_proxy().await?.get_signer_request(&self.signer)
+        self.get_trust_anchor_proxy()
+            .await?
+            .get_signer_request(self.config.ta_timing, &self.signer)
     }
 
     /// Process a sign response from the signer.
@@ -1183,13 +1186,14 @@ impl CaManager {
                 proxy = self.send_ta_proxy_command(sign_request_cmd).await?;
 
                 // get sign request for signer
-                let signed_request = proxy.get_signer_request(&self.signer)?;
+                let signed_request = proxy.get_signer_request(self.config.ta_timing, &self.signer)?;
                 let request_nonce = signed_request.content().nonce.clone(); // remember so we can retrieve it
 
                 // let signer process request
                 let signer_process_request_cmd = TrustAnchorSignerCommand::make_process_request_command(
                     &ta_handle,
                     signed_request,
+                    self.config.ta_timing,
                     self.signer.clone(),
                     &self.system_actor,
                 );

src/daemon/ca/rc.rs

@@ -30,8 +30,8 @@ use crate::{
             KeyState, NewKey, OldKey, PendingKey, Roas, Routes,
         },
         config::{Config, IssuanceTimingConfig},
-        ta::ta_handle,
     },
+    ta::ta_handle,
 };
 
 use super::{AspaDefinitions, BgpSecCertificateUpdates, BgpSecCertificates, BgpSecDefinitions, RoaInfo};

src/daemon/config.rs

@@ -35,6 +35,7 @@ use crate::{
         http::tls_keys::{self, HTTPS_SUB_DIR},
         mq::{in_seconds, Priority},
     },
+    ta::TaTimingConfig,
 };
 
 #[cfg(feature = "multi-user")]
@@ -414,7 +415,7 @@ where
     OneOrMany::<IpAddr>::deserialize(deserializer).map(|oom| oom.into())
 }
 
-fn deserialize_storage_uri<'de, D>(deserializer: D) -> Result<Url, D::Error>
+pub fn deserialize_storage_uri<'de, D>(deserializer: D) -> Result<Url, D::Error>
 where
     D: Deserializer<'de>,
 {
@@ -577,6 +578,9 @@ pub struct Config {
     pub testbed: Option<TestBed>,
 
     pub benchmark: Option<Benchmark>,
+
+    #[serde(default)]
+    pub ta_timing: TaTimingConfig,
 }
 
 #[derive(Clone, Debug, Deserialize)]
@@ -1121,6 +1125,7 @@ impl Config {
             metrics,
             testbed,
             benchmark: None,
+            ta_timing: TaTimingConfig::default(),
         }
     }
 

src/daemon/http/server.rs

@@ -60,8 +60,8 @@ use crate::{
         },
         krillserver::KrillServer,
         properties::PropertiesManager,
-        ta::{self, TA_NAME},
     },
+    ta::{self, TA_NAME},
     upgrades::{finalise_data_migration, post_start_upgrade, prepare_upgrade_data_migrations, UpgradeMode},
 };
 

src/daemon/http/testbed.rs

@@ -13,8 +13,8 @@ use crate::{
             },
             HttpResponse, Request, RequestPath, RoutingResult,
         },
-        ta::ta_handle,
     },
+    ta::ta_handle,
 };
 
 //------------ Support acting as a testbed -------------------------------------

src/daemon/krillserver.rs

@@ -35,14 +35,19 @@ use crate::{
     constants::*,
     daemon::{
         auth::{providers::AdminTokenAuthProvider, Authorizer, LoggedInUser},
-        ca::{self, testbed_ca_handle, CaStatus, ResourceTaggedAttestation, RtaContentRequest, RtaPrepareRequest},
+        ca::{
+            self, testbed_ca_handle, CaManager, CaStatus, ResourceTaggedAttestation, RtaContentRequest,
+            RtaPrepareRequest,
+        },
         config::{AuthType, Config},
         http::HttpResponse,
         mq::{now, Task, TaskQueue},
         scheduler::Scheduler,
-        ta::{ta_handle, TaCertDetails, TA_NAME},
     },
     pubd::{RepoStats, RepositoryManager},
+    ta::{
+        ta_handle, TaCertDetails, TrustAnchorSignedRequest, TrustAnchorSignedResponse, TrustAnchorSignerInfo, TA_NAME,
+    },
 };
 
 #[cfg(feature = "multi-user")]
@@ -51,11 +56,6 @@ use crate::daemon::auth::{
     providers::{ConfigFileAuthProvider, OpenIDConnectAuthProvider},
 };
 
-use super::{
-    ca::CaManager,
-    ta::{TrustAnchorSignedRequest, TrustAnchorSignedResponse, TrustAnchorSignerInfo},
-};
-
 //------------ KrillServer ---------------------------------------------------
 
 /// This is the Krill server that is doing all the orchestration for all components.

src/daemon/mod.rs

@@ -6,4 +6,3 @@ pub mod krillserver;
 pub mod mq;
 pub mod properties;
 pub mod scheduler;
-pub mod ta;

src/daemon/mq.rs

@@ -25,10 +25,8 @@ use crate::{
     commons::eventsourcing,
     commons::{eventsourcing::Aggregate, Error, KrillResult},
     constants::TASK_QUEUE_NS,
-    daemon::{
-        ca::{CertAuth, CertAuthEvent},
-        ta::{ta_handle, TrustAnchorProxy, TrustAnchorProxyEvent},
-    },
+    daemon::ca::{CertAuth, CertAuthEvent},
+    ta::{ta_handle, TrustAnchorProxy, TrustAnchorProxyEvent},
 };
 
 //------------ Task ---------------------------------------------------------

src/lib.rs

@@ -29,5 +29,6 @@ pub mod commons;
 pub mod constants;
 pub mod daemon;
 pub mod pubd;
+pub mod ta;
 pub mod test;
 pub mod upgrades;

src/pubd/repository.rs

@@ -46,12 +46,12 @@ use crate::{
     daemon::{
         ca::Rfc8183Id,
         config::{Config, RrdpUpdatesConfig},
-        ta::TA_NAME,
     },
     pubd::{
         publishers::Publisher, RepositoryAccessCommand, RepositoryAccessCommandDetails, RepositoryAccessEvent,
         RepositoryAccessInitEvent,
     },
+    ta::TA_NAME,
 };
 
 use super::commands::{RepositoryAccessInitCommand, RepositoryAccessInitCommandDetails};

src/daemon/ta/common.rs → src/ta/common.rs

@@ -32,13 +32,6 @@ use crate::{
     },
 };
 
-// Some timing constants used by the Trust Anchor code. We may need to support
-// configuring these things instead..
-pub const TA_CERTIFICATE_VALIDITY_YEARS: i32 = 100;
-pub const TA_ISSUED_CERTIFICATE_VALIDITY_WEEKS: i64 = 52;
-pub const TA_MFT_NEXT_UPDATE_WEEKS: i64 = 12;
-pub const TA_SIGNED_MESSAGE_DAYS: i64 = 14;
-
 //------------ TrustAnchorObjects ------------------------------------------
 
 /// Contains all Trust Anchor objects, including the the TA certificate
@@ -77,8 +70,8 @@ pub struct TrustAnchorObjects {
 
 impl TrustAnchorObjects {
     /// Creates a new TrustAnchorObjects for the signing certificate.
-    pub fn create(signing_cert: &ReceivedCert, signer: &KrillSigner) -> KrillResult<Self> {
-        let revision = ObjectSetRevision::new(1, Self::this_update(), Self::next_update());
+    pub fn create(signing_cert: &ReceivedCert, next_update_weeks: i64, signer: &KrillSigner) -> KrillResult<Self> {
+        let revision = ObjectSetRevision::new(1, Self::this_update(), Self::next_update(next_update_weeks));
         let key_identifier = signing_cert.key_identifier();
         let base_uri = signing_cert.ca_repository().clone();
         let revocations = Revocations::default();
@@ -107,8 +100,13 @@ impl TrustAnchorObjects {
     /// Publish next revision of the published objects.
     /// - Update CRL (times and revocations)
     /// - Update Manifest (times and listed objects)
-    pub fn republish(&mut self, signing_cert: &ReceivedCert, signer: &KrillSigner) -> KrillResult<()> {
-        self.revision.next(Self::next_update());
+    pub fn republish(
+        &mut self,
+        signing_cert: &ReceivedCert,
+        next_update_weeks: i64,
+        signer: &KrillSigner,
+    ) -> KrillResult<()> {
+        self.revision.next(Self::next_update(next_update_weeks));
 
         let signing_key = signing_cert.key_identifier();
 
@@ -178,8 +176,8 @@ impl TrustAnchorObjects {
         Time::five_minutes_ago()
     }
 
-    pub fn next_update() -> Time {
-        Time::now() + chrono::Duration::weeks(TA_MFT_NEXT_UPDATE_WEEKS)
+    pub fn next_update(weeks: i64) -> Time {
+        Time::now() + chrono::Duration::weeks(weeks)
     }
 
     // Adds a new issued certificate, replaces and revokes the previous if present.
@@ -481,12 +479,17 @@ pub struct TrustAnchorSignerRequest {
 }
 
 impl TrustAnchorSignerRequest {
-    pub fn sign(&self, signing_key: KeyIdentifier, signer: &KrillSigner) -> Result<TrustAnchorSignedRequest, Error> {
+    pub fn sign(
+        &self,
+        signing_key: KeyIdentifier,
+        validity_days: i64,
+        signer: &KrillSigner,
+    ) -> Result<TrustAnchorSignedRequest, Error> {
         let data = serde_json::to_string_pretty(&self).unwrap();
         let data = Bytes::from(data);
 
         signer
-            .create_ta_signed_message(data, &signing_key)
+            .create_ta_signed_message(data, validity_days, &signing_key)
             .map(|msg| TrustAnchorSignedRequest {
                 request: self.clone(),
                 signed: msg.into(),
@@ -591,12 +594,17 @@ pub struct TrustAnchorSignerResponse {
 }
 
 impl TrustAnchorSignerResponse {
-    pub fn sign(&self, signing_key: KeyIdentifier, signer: &KrillSigner) -> Result<TrustAnchorSignedResponse, Error> {
+    pub fn sign(
+        &self,
+        validity_days: i64,
+        signing_key: KeyIdentifier,
+        signer: &KrillSigner,
+    ) -> Result<TrustAnchorSignedResponse, Error> {
         let data = serde_json::to_string_pretty(&self).unwrap();
         let data = Bytes::from(data);
 
         signer
-            .create_ta_signed_message(data, &signing_key)
+            .create_ta_signed_message(data, validity_days, &signing_key)
             .map(|msg| TrustAnchorSignedResponse {
                 response: self.clone(),
                 signed: msg.into(),