Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve the feedback provided by krillta proxy signer show-request #1243

Open
wants to merge 5 commits into
base: improve-ta
Choose a base branch
from
Open

Improve the feedback provided by krillta proxy signer show-request #1243

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c51c506
Improve the feedback provided by `krillta proxy signer show-request`
Koenvh1 Dec 10, 2024
b03f178
Drop the word "ergo"
Koenvh1 Dec 12, 2024
6502762
Switch to main branch rpki-rs.
partim Dec 12, 2024
6f2dd38
Make TA timing config optional
Koenvh1 Dec 16, 2024
c3696aa
Make Clippy happy
Koenvh1 Dec 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

24 changes: 23 additions & 1 deletion src/ta/common.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ use std::{
};

use bytes::Bytes;
use chrono::TimeDelta;
use rpki::{
ca::{
idexchange::{ChildHandle, RecipientHandle, SenderHandle},
Expand Down Expand Up @@ -36,6 +37,8 @@ use crate::{
},
};

use super::TaTimingConfig;

//------------ TrustAnchorObjects ------------------------------------------

/// Contains all Trust Anchor objects, including the the TA certificate
Expand Down Expand Up @@ -553,6 +556,8 @@ impl fmt::Display for TrustAnchorSignedRequest {
pub struct TrustAnchorSignerRequest {
pub nonce: Nonce, // should be matched in response (replay protection)
pub child_requests: Vec<TrustAnchorChildRequests>,
pub timing: Option<TaTimingConfig>,
pub renew_time: Option<Time>
}

impl TrustAnchorSignerRequest {
Expand Down Expand Up @@ -599,7 +604,24 @@ impl fmt::Display for TrustAnchorSignerRequest {
}
}
writeln!(f)?;
}
}
if let Some(ta_timing) = self.timing {
if let Some(rt) = self.renew_time {
writeln!(f, "Certificates will be reissued {} weeks before expiry.",
ta_timing.issued_certificate_reissue_weeks_before)?;

writeln!(f, "The current certificate expires on {}.",
rt.to_rfc3339())?;
if let Some(weeks) = TimeDelta::try_weeks(
ta_timing.issued_certificate_reissue_weeks_before
) {
let t = rt - weeks;
writeln!(f, "The certificate is eligible for renewal on {}."
, t.to_rfc3339())?;
}
}
}
writeln!(f)?;
writeln!(f, "NOTE: Use the JSON output for the signer.")?;

Ok(())
Expand Down
2 changes: 1 addition & 1 deletion src/ta/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ const DFLT_TA_SIGNED_MESSAGE_VALIDITY_DAYS: i64 = 14;
//------------------------ TaTimingConfig
//------------------------ ---------------------------------------

#[derive(Clone, Copy, Debug, Deserialize)]
#[derive(Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct TaTimingConfig {
#[serde(default = "TaTimingConfig::dflt_ta_certificate_validity_years")]
pub certificate_validity_years: i32,
Expand Down
18 changes: 15 additions & 3 deletions src/ta/proxy.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,12 @@
/// function is handled by the Trust Anchor Signer instead.
use super::*;

use std::{collections::HashMap, fmt, sync::Arc};
use std::{cmp, collections::HashMap, fmt, sync::Arc};

use chrono::Duration;
use rpki::{
ca::{
idexchange::{self, ChildHandle, MyHandle},
provisioning::{ResourceClassEntitlements, SigningCert},
idcert::IdCert, idexchange::{self, ChildHandle, MyHandle}, provisioning::{ResourceClassEntitlements, SigningCert}
},
crypto::KeyIdentifier,
repository::x509::Time,
Expand Down Expand Up @@ -886,6 +885,8 @@ impl TrustAnchorProxy {
) -> KrillResult<TrustAnchorSignedRequest> {
if let Some(nonce) = self.open_signer_request.as_ref().cloned() {
let mut child_requests = vec![];
let mut renew_time = None;

for (child, details) in &self.child_details {
if !details.open_requests.is_empty() {
child_requests.push(TrustAnchorChildRequests {
Expand All @@ -894,11 +895,22 @@ impl TrustAnchorProxy {
requests: details.open_requests.clone(),
});
}

if let Ok(cert) = IdCert::try_from(&details.id) {
let v = cert.validity();
if let Some(rt) = renew_time {
renew_time = Some(cmp::min(rt, v.not_after()));
} else {
renew_time = Some(v.not_after());
}
}
}

TrustAnchorSignerRequest {
nonce,
child_requests,
timing: Some(timing),
renew_time
}
.sign(
self.id.public_key().key_identifier(),
Expand Down
10 changes: 10 additions & 0 deletions src/ta/signer.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -465,6 +465,16 @@ impl TrustAnchorSigner {
// and the 'content' is not tampered with.
signed_request.validate(&self.proxy_id)?;

// Check whether the timing configs match
if let Some(ta_timing) = signed_request.content().timing {
if ta_timing_config != ta_timing {
return Err(Error::Custom(
"TA timing config between krillta and krill do not match!"
.to_string()
));
}
}

let mut objects = self.objects.clone();

let mut child_responses: HashMap<
Expand Down
Loading