Merge branch 'feature/manifest-crl-validity-invariant-checks' into 'm…

…ain' Test manifest and crl invariants See merge request rpki/rpki-ta-0!129
RIPE-NCC · Dec 14, 2023 · 115c95a · 115c95a
2 parents f8b8d63 + 0c52a2b
commit 115c95a
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ Changelog
 ---------
 
 ### main:
+  * **hotfix** fix bug in manifest this/nextUpdate calculation
   * Use the same timestamp for signing all the objects (TA certificate, MFT, CRL)
   * Publish docker image to GHCR insetead of dockerhub
   * Updated github actions

diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java
@@ -548,8 +548,8 @@ private ManifestCmsBuilder createBasicManifestBuilder(X509ResourceCertificate ee
         ValidityPeriod validityPeriod = validityPeriods.manifest();
         return new ManifestCmsBuilder().
                 withCertificate(eeCertificate)
-                .withNextUpdateTime(validityPeriod.getNotValidBefore())
-                .withThisUpdateTime(validityPeriod.getNotValidAfter())
+                .withThisUpdateTime(validityPeriod.getNotValidBefore())
+                .withNextUpdateTime(validityPeriod.getNotValidAfter())
                 .withManifestNumber(nextManifestNumber(signCtx.taState))
                 .withSignatureProvider(getSignatureProvider());
     }

diff --git a/src/test/java/net/ripe/rpki/ta/integration/MainIntegrationTest.java b/src/test/java/net/ripe/rpki/ta/integration/MainIntegrationTest.java
@@ -10,11 +10,14 @@
 import net.ripe.rpki.ta.KeyStore;
 import net.ripe.rpki.ta.Main;
 import net.ripe.rpki.ta.TA;
+import net.ripe.rpki.ta.config.Config;
+import net.ripe.rpki.ta.config.Env;
 import net.ripe.rpki.ta.config.EnvStub;
 import net.ripe.rpki.ta.domain.TAState;
 import net.ripe.rpki.ta.serializers.legacy.SignedManifest;
 import net.ripe.rpki.ta.serializers.legacy.SignedObjectTracker;
 import net.ripe.rpki.ta.serializers.legacy.SignedResourceCertificate;
+import org.joda.time.*;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -148,6 +151,49 @@ public void test_process_request_revokes_manifest_ee_certificates() throws Excep
         assertThat(manifestEE).allMatch(secondCrl::isRevoked);
     }
 
+    /**
+     * Check the manifest and CRL invariants that should hold.
+     *   * manifest and CRL validity period match
+     *   * no CRL entries are after thisUpdate
+     * @param state
+     */
+    private void validateManifestAndCrlInvariants(TAState state) {
+        // sanity check on config
+        assertThat(state.getConfig().getMinimumValidityPeriod().toDurationFrom(Instant.now()).toDuration()).isGreaterThan(Duration.standardDays(1));
+
+        var crl = state.getCrl();
+        if (crl != null) {
+            // Check CRL lifetime is at least the minimum period
+            assertThat(crl.getThisUpdateTime().plus(state.getConfig().getMinimumValidityPeriod())).isLessThanOrEqualTo(crl.getNextUpdateTime());
+            // check that CRL does not contain entries in the future
+            crl.getRevokedCertificates().forEach(revokedEntry -> {
+                assertThat(revokedEntry.getRevocationDateTime()).isLessThanOrEqualTo(crl.getThisUpdateTime());
+            });
+        }
+
+        /**
+         * Check the manifest(s) against CRL validity. There are two parts here:
+         *   * Manifest thisUpdate/nextUpdate
+         *   * EE cert validity
+         */
+
+        // check manifest against CRL validity
+        state.getSignedManifests().forEach(manifestWrapper -> {
+            var manifest = manifestWrapper.getManifest();
+            assertThat(manifestWrapper.getNotValidAfter()).isEqualTo(manifest.getNotValidAfter());
+
+            // thisUpdate/nextUpdate
+            assertThat(manifest.getThisUpdateTime()).isEqualTo(crl.getThisUpdateTime());
+            assertThat(manifest.getNextUpdateTime()).isEqualTo(crl.getNextUpdateTime());
+
+            // EE validity
+            var eeValidityPeriod = manifest.getValidityPeriod();
+
+            assertThat(eeValidityPeriod.getNotValidBefore()).isEqualTo(crl.getThisUpdateTime());
+            assertThat(eeValidityPeriod.getNotValidAfter()).isEqualTo(crl.getNextUpdateTime());
+        });
+    }
+
     @Test
     public void test_process_request_reissue_revokes_old_cert() throws Exception {
         assertThat(run("--initialise --env=test").exitCode).isZero();
@@ -360,6 +406,8 @@ private X509ResourceCertificate getTaCertificate(TAState taState) throws Excepti
     }
 
     private TAState reloadTaState() throws Exception {
-        return TA.load(EnvStub.test()).getState();
+        var state = TA.load(EnvStub.test()).getState();
+        validateManifestAndCrlInvariants(state);
+        return state;
     }
 }