Certificate expiry

[julienmalard]

Summary

As self-signed WebRTC certificates expire after 30 days, the rust peer should generate a new certificate once the old one has expired.

Expected behavior

The rust peer should, when loading an expired certificate, automatically detect that it is no longer valid and instead generate and advertise (and locally save) a new certificate.

Actual behavior

The peer seems to keep using and advertising the expired certificate in the peer address, which leads to unsuccessful connection attempts by other peers that rely on WebRTC.

Relevant log output

No response

Possible Solution

I was unable to find a programmatic way of detecting the certificate's expiry date in rust-libp2p. If this could be done, then regenerating and saving a new certificate should be trivial.

Version

No response

Would you like to work on fixing this bug ?

Yes

[dariusc93]

Hey! Thanks for the report. Depending on the use-case, it might be more ideal to set a fix expiration date that is far into the future. Ie, 50 years or more from the time of creation. Right now though, the certificate in webrtc is generate at random unless you provide your own you wont be able to change the expiration date without modifying the code

rust-libp2p/transports/webrtc/src/tokio/certificate.rs

Lines 36 to 47 in 3837e33

	pub fn generate<R>(_rng: &mut R) -> Result<Self, Error>
	where
	R: CryptoRng + Rng,
	{
	let mut params = rcgen::CertificateParams::new(vec![
	rand::distributions::Alphanumeric.sample_string(&mut rand::thread_rng(), 16)
	]);
	params.alg = &rcgen::PKCS_ECDSA_P256_SHA256;
	Ok(Self {
	inner: RTCCertificate::from_params(params).expect("default params to work"),
	})
	}

[julienmalard]

Hello,

Would browsers accept such a far-away expiration date? In any case, is there a way of reading the actual expiry date from the certificate in rust? If this is possible, then even a short certificate validity would work, since we could regenerate the certificate when it expires.

[dariusc93]

Hello,

Would browsers accept such a far-away expiration date?

I would not see why they wouldnt given webrtc certificates are self-signed.

In any case, is there a way of reading the actual expiry date from the certificate in rust? If this is possible, then even a short certificate validity would work, since we could regenerate the certificate when it expires.

It is possible by parsing the PEM and extract it manually. The other way is to use rcgen to parse the PEM and use the struct it returns to access the expiration date.

Maybe in the future, if applicable, we could have some type of checks or maybe an event emitted from the transport to alert about the expiration of the certificate and could attempt to regenerate it with a new expiration date. Of course the connections would need to be reestablished unless webrtc has a way to share the new certificate without dropping and reestablishing the connection.