feat: configuratle threshold and timeout before certificate expiry

Author: Aryakoste

packages/transport-webrtc/src/index.ts

@@ -280,7 +280,7 @@ export interface TransportCertificate {
    * The hash of the certificate
    */
   certhash: string
-  notAfter: string
+  notAfter: number
 }
 
 export type { WebRTCTransportDirectInit, WebRTCDirectTransportComponents }

packages/transport-webrtc/src/private-to-public/listener.ts

@@ -34,6 +34,7 @@ export interface WebRTCDirectListenerInit {
   rtcConfiguration?: RTCConfiguration | (() => RTCConfiguration | Promise<RTCConfiguration>)
   useLibjuice?: boolean
   certificateDuration?: number
+  certificateExpiryThreshold?: number
 }
 
 export interface WebRTCListenerMetrics {
@@ -86,10 +87,10 @@ export class WebRTCDirectListener extends TypedEventEmitter<ListenerEvents> impl
 
   private isCertificateExpiring (): boolean {
     if (this.certificate == null) return true
-    const expiryDate = new Date(this.certificate.notAfter)
+    const expiryDate = this.certificate.notAfter
     const now = new Date()
-    const timeToExpiry = expiryDate.getTime() - now.getTime()
-    const threshold = 30 * 24 * 60 * 60 * 1000
+    const timeToExpiry = expiryDate - now.getTime()
+    const threshold = this.init.certificateExpiryThreshold ?? 7 * 86400000
     return timeToExpiry < threshold
   }
 
@@ -166,17 +167,7 @@ export class WebRTCDirectListener extends TypedEventEmitter<ListenerEvents> impl
           // ensure we have a certificate
           if (this.certificate == null || this.isCertificateExpiring()) {
             this.log.trace('creating TLS certificate')
-            const keyPair = await crypto.subtle.generateKey({
-              name: 'ECDSA',
-              namedCurve: 'P-256'
-            }, true, ['sign', 'verify'])
-
-            const certificate = await generateTransportCertificate(keyPair, {
-              days: this.init.certificateDuration ?? 365 * 10
-            })
-            this.safeDispatchEvent('listening')
-
-            this.certificate = certificate
+            await this.createAndSetCertificate()
           }
 
           if (port === 0) {
@@ -196,6 +187,37 @@ export class WebRTCDirectListener extends TypedEventEmitter<ListenerEvents> impl
     }
   }
 
+  private async createAndSetCertificate (): Promise<void> {
+    const keyPair = await crypto.subtle.generateKey({
+      name: 'ECDSA',
+      namedCurve: 'P-256'
+    }, true, ['sign', 'verify'])
+
+    const certificate = await generateTransportCertificate(keyPair, {
+      days: this.init.certificateDuration ?? 365 * 10
+    })
+
+    this.certificate = certificate
+    this.setCertificateExpiryTimeout()
+  }
+
+  private setCertificateExpiryTimeout (): void {
+    if (this.certificate == null) {
+      return
+    }
+
+    const expiryDate = new Date(this.certificate.notAfter)
+    const now = new Date()
+    const timeToExpiry = expiryDate.getTime() - now.getTime()
+    const timeoutDuration = timeToExpiry - 7 * 86400000
+
+    setTimeout(async () => {
+      this.log.trace('renewing TLS certificate')
+      await this.createAndSetCertificate()
+      this.safeDispatchEvent('listening')
+    }, timeoutDuration)
+  }
+
   private async incomingConnection (ufrag: string, remoteHost: string, remotePort: number): Promise<void> {
     const key = `${remoteHost}:${remotePort}:${ufrag}`
     let peerConnection = this.connections.get(key)

packages/transport-webrtc/src/private-to-public/utils/generate-certificates.ts

@@ -47,6 +47,6 @@ export async function generateTransportCertificate (keyPair: CryptoKeyPair, opti
     privateKey: privateKeyPem,
     pem: cert.toString('pem'),
     certhash: base64url.encode((await sha256.digest(new Uint8Array(cert.rawData))).bytes),
-    notAfter: notAfter.toISOString()
+    notAfter: notAfter.getTime()
   }
 }

packages/transport-webrtc/test/certificate.spec.ts

@@ -1,10 +1,13 @@
+import { defaultLogger } from '@libp2p/logger'
 import { Crypto } from '@peculiar/webcrypto'
 import { expect } from 'aegir/utils/chai.js'
 import sinon from 'sinon'
+import { stubInterface } from 'sinon-ts'
 import { WebRTCDirectListener, type WebRTCDirectListenerInit } from '../src/private-to-public/listener.js'
 import { type WebRTCDirectTransportComponents } from '../src/private-to-public/transport.js'
 import { generateTransportCertificate } from '../src/private-to-public/utils/generate-certificates.js'
 import type { TransportCertificate } from '../src/index.js'
+import type { TransportManager } from '@libp2p/interface-internal'
 
 const crypto = new Crypto()
 
@@ -17,13 +20,8 @@ describe('WebRTCDirectListener', () => {
     components = {
       peerId: { toB58String: () => 'QmPeerId' } as any,
       privateKey: {} as any,
-      logger: {
-        forComponent: () => ({
-          trace: () => {},
-          error: () => {}
-        })
-      } as any,
-      transportManager: {} as any
+      logger: defaultLogger(),
+      transportManager: stubInterface<TransportManager>()
     }
 
     init = {
@@ -64,13 +62,29 @@ describe('WebRTCDirectListener', () => {
     expect(emitSpy.calledWith('listening')).to.be.true
   })
 
-  it('should generate a new certificate before expiry', async () => {
+  it('should generate a new certificate before expiry with default threshold', async () => {
+    init.certificateExpiryThreshold = undefined
+    listener = new WebRTCDirectListener(components, init)
+    ;(listener as any).certificate = {
+      notAfter: new Date(Date.now() + 5 * 86400000).getTime()
+    }
+
+    const isCertificateExpiringSpy = sinon.spy(listener as any, 'isCertificateExpiring')
+    const generateCertificateSpy = sinon.spy(listener as any, 'createAndSetCertificate')
+
+    await (listener as any).startUDPMuxServer('127.0.0.1', 0)
+
+    expect(isCertificateExpiringSpy.returned(true)).to.be.true
+    expect(generateCertificateSpy.called).to.be.true
+  })
+
+  it('should generate a new certificate before expiry with custom threshold', async () => {
     (listener as any).certificate = {
-      notAfter: new Date(Date.now() + 5 * 86400000).toISOString()
+      notAfter: new Date(Date.now() + 4 * 86400000).getTime()
     }
 
     const isCertificateExpiringSpy = sinon.spy(listener as any, 'isCertificateExpiring')
-    const generateCertificateSpy = sinon.spy(generateTransportCertificate) 
+    const generateCertificateSpy = sinon.spy(listener as any, 'createAndSetCertificate')
 
     await (listener as any).startUDPMuxServer('127.0.0.1', 0)