control: select a signer that covers the segment #4516
When extending a segment we should select a signer that covers the whole validity of the segment. So far we only checked the end date, but with the introduction of enforcing that the AS certificate covers the whole AS entry (scionproto#4492) the verifier checks that the start date of the certificate also covers the whole segment lifetime. However, for signing we so far only used the latest certificate, which might have a later start date than the timestamp of the segment.

This is a problem because between creation of a segment and the signing of an AS entry in a downstream AS there can be quite some time.

This commit now makes sure to select a signer/certificate that covers the start of the segments.
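The selection rule from the description above, as an added example that is not code from this PR or from the SCION code base. The `Signer` type, the function names and the sample times are hypothetical, and preferring the newest certificate among those that cover the segment is an assumption.

```go
package main

import (
	"fmt"
	"time"
)

// Signer is a hypothetical stand-in for a signing key and the validity
// window (NotBefore/NotAfter) of its AS certificate.
type Signer struct {
	Name                string
	NotBefore, NotAfter time.Time
}

// pick returns the accepted signer with the latest NotBefore (the newest certificate).
func pick(signers []Signer, ok func(Signer) bool) (best Signer, found bool) {
	for _, s := range signers {
		if ok(s) && (!found || s.NotBefore.After(best.NotBefore)) {
			best, found = s, true
		}
	}
	return best, found
}

// latestSigner models the behaviour before the change: the newest
// certificate is used and only its end date is checked against the segment.
func latestSigner(signers []Signer, segEnd time.Time) (Signer, bool) {
	return pick(signers, func(s Signer) bool { return !s.NotAfter.Before(segEnd) })
}

// coveringSigner also requires the certificate to start no later than the
// segment timestamp, which is what the verifier checks.
func coveringSigner(signers []Signer, segStart, segEnd time.Time) (Signer, bool) {
	return pick(signers, func(s Signer) bool {
		return !s.NotBefore.After(segStart) && !s.NotAfter.Before(segEnd)
	})
}

func main() {
	// Constructed sample: segment created 10:00, certificate renewed 10:05.
	at := func(h, m int) time.Time { return time.Date(2024, 1, 1, h, m, 0, 0, time.UTC) }
	signers := []Signer{
		{"old-cert", at(0, 0), at(18, 0)},
		{"renewed-cert", at(10, 5), at(23, 0)},
	}
	before, _ := latestSigner(signers, at(16, 0))
	after, ok := coveringSigner(signers, at(10, 0), at(16, 0))
	fmt.Println(before.Name, after.Name, ok)
}
```

With the end-date-only rule the renewed certificate is chosen although it starts five minutes after the segment timestamp, so a verifier that checks the start date rejects the AS entry.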
Reviewed 11 of 18 files at r1, 13 of 13 files at r2, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @lukedirtwalker and @matzf)
control/mgmtapi/api.go
line 698 at r2 (raw file):
```go
		return
	}
	now := time.Now()
```
nit: I think that should use s.now() for consistency
Reviewable status: 22 of 24 files reviewed, all discussions resolved (waiting on @matzf and @oncilla)
control/mgmtapi/api.go
line 698 at r2 (raw file):
Previously, oncilla (Dominik Roos) wrote…
nit: I think that should use s.now() for consistency
Done.
Reviewed 2 of 2 files at r3.
Reviewable status: all files reviewed (commit messages unreviewed), all discussions resolved (waiting on @matzf)
Reviewed all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @matzf)