ndncert: set ValidityPeriod in client cert request

yoursunny · Jan 15, 2021 · bbc4926 · bbc4926
1 parent ddb7bc4
commit bbc4926
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 12 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 /build*
+/*.out
 /.vscode
diff --git a/src/ndnph/app/ndncert/client.hpp b/src/ndnph/app/ndncert/client.hpp
@@ -406,10 +406,13 @@ class Client : public PacketHandler
     }
 
     time_t now = time(nullptr);
-    ValidityPeriod validity(now, now + 3600);
-    // auto validity = ValidityPeriod::getMax(); // TODO set proper ValidityPeriod
-    auto cert = pub.selfSign(m_region, validity, m_pvt);
+    auto validity = certificate::getValidity(m_profile.cert)
+                      .intersect(ValidityPeriod(now, now + m_profile.maxValidityPeriod));
+    if (!validity.includes(now)) {
+      return;
+    }
 
+    auto cert = pub.selfSign(m_region, validity, m_pvt);
     m_newRequest.certRequest = m_region.create<Data>();
     if (!m_newRequest.certRequest || !m_newRequest.certRequest.decodeFrom(cert)) {
       return;

diff --git a/src/ndnph/app/ndncert/server.hpp b/src/ndnph/app/ndncert/server.hpp
@@ -323,6 +323,8 @@ class Session
       return makeError(packetRegion, interest, ErrorCode::BadParameterFormat, m_signer);
     }
 
+    // TODO check ValidityPeriod
+
     mbedtls::Mpi ecdhPvt;
     if (mbedtls_ecdh_gen_public(mbedtls::P256::group(), &ecdhPvt, &m_newResponse.ecdhPub,
                                 mbedtls::rng, nullptr) != 0 ||
@@ -368,7 +370,7 @@ class Session
     m_challengeResponse.params = result.params;
     if (result.success) {
       m_issuedCert = m_region.create<Data>();
-      auto validity = ValidityPeriod::getMax(); // TODO set proper ValidityPeriod
+      auto validity = certificate::getValidity(m_newRequest.certRequest);
       if (m_issuedCert.decodeFrom(m_newRequest.pub.buildCertificate(
             m_region, m_newRequest.pub.getName(), validity, m_signer)) &&
           !!(m_challengeResponse.issuedCertName = m_issuedCert.getFullName(m_region))) {

diff --git a/src/ndnph/keychain/validity-period.hpp b/src/ndnph/keychain/validity-period.hpp
@@ -58,6 +58,12 @@ class ValidityPeriod
     return notBefore <= t && t <= notAfter;
   }
 
+  /** @brief Calculate the intersection of this and @c other ValidityPeriod. */
+  ValidityPeriod intersect(const ValidityPeriod& other) const
+  {
+    return ValidityPeriod(std::max(notBefore, other.notBefore), std::min(notAfter, other.notAfter));
+  }
+
   void encodeTo(Encoder& encoder) const
   {
     encoder.prependTlv(

diff --git a/tests/unit/app/ndncert.t.cpp b/tests/unit/app/ndncert.t.cpp
@@ -18,18 +18,15 @@ class NdncertFixture : public BridgeFixture
 
   void SetUp() override
   {
-    DynamicRegion packetRegion(4096);
-
     sProfile.prefix = Name::parse(sRegion, "/authority");
     ASSERT_TRUE(sProfile.prefix);
     sProfile.maxValidityPeriod = 86400;
-    ASSERT_TRUE(ec::generate(sRegion, sProfile.prefix.getPrefix(-1), sPvt, sPub));
+    ASSERT_TRUE(ec::generate(sRegion, sProfile.prefix, sPvt, sPub));
     sProfile.cert = sRegion.create<Data>();
-    ASSERT_TRUE(
-      sProfile.cert.decodeFrom(sPub.selfSign(packetRegion, ValidityPeriod::getMax(), sPvt)));
+    ASSERT_TRUE(sProfile.cert.decodeFrom(sPub.selfSign(sRegion, ValidityPeriod::getMax(), sPvt)));
 
-    Data profileData = packetRegion.create<Data>();
-    ASSERT_TRUE(profileData.decodeFrom(sProfile.toData(packetRegion, sPvt)));
+    Data profileData = cRegion.create<Data>();
+    ASSERT_TRUE(profileData.decodeFrom(sProfile.toData(cRegion, sPvt)));
     EXPECT_EQ(test::toString(profileData.getName().getPrefix(3)), "/8=authority/8=CA/8=INFO");
     ASSERT_TRUE(cProfile.fromData(cRegion, profileData));
     EXPECT_EQ(test::toString(cProfile.prefix), "/8=authority");
@@ -45,12 +42,20 @@ class NdncertFixture : public BridgeFixture
     if (!!cert) {
       EXPECT_TRUE(ec::isCertificate(cert));
       self->cIssuedCertName = test::toString(cert.getName());
+
+      auto validity = certificate::getValidity(cert);
+      auto now = time(nullptr);
+      EXPECT_TRUE(validity.includes(now));
+      EXPECT_TRUE(validity.includes(now + 23 * 3600));
+      EXPECT_FALSE(validity.includes(now - 1 * 3600));
+      EXPECT_FALSE(validity.includes(now + 25 * 3600));
     } else {
       self->cIssuedCertName = "FAIL";
     }
   }
 
-  void executeWorkflow(server::ChallengeList sChallenges, client::ChallengeList cChallenges)
+  void executeWorkflow(const server::ChallengeList& sChallenges,
+                       const client::ChallengeList& cChallenges)
   {
     server::NopChallenge sNopChallenge;
     Server server(Server::Options{

diff --git a/tests/unit/face/face.t.cpp b/tests/unit/face/face.t.cpp
@@ -289,6 +289,8 @@ TEST_F(FacePendingFixture, MismatchPitToken)
 TEST_F(FacePendingFixture, Expire)
 {
   interest.setName(Name::parse(cRegion, "/A"));
+
+  EXPECT_CALL(transport, doSend).Times(1);
   h.send(interest, 100);
 
   EXPECT_FALSE(h.expired());