From fa7af2fd8505a675f1fa0c1f42c956613e006245 Mon Sep 17 00:00:00 2001 From: Ties de Kock Date: Thu, 14 Dec 2023 12:00:26 +0100 Subject: [PATCH 1/2] Test manifest and crl invariants --- .../ta/integration/MainIntegrationTest.java | 50 ++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/src/test/java/net/ripe/rpki/ta/integration/MainIntegrationTest.java b/src/test/java/net/ripe/rpki/ta/integration/MainIntegrationTest.java index 92f47f4..3a39bf6 100644 --- a/src/test/java/net/ripe/rpki/ta/integration/MainIntegrationTest.java +++ b/src/test/java/net/ripe/rpki/ta/integration/MainIntegrationTest.java @@ -10,11 +10,14 @@ import net.ripe.rpki.ta.KeyStore; import net.ripe.rpki.ta.Main; import net.ripe.rpki.ta.TA; +import net.ripe.rpki.ta.config.Config; +import net.ripe.rpki.ta.config.Env; import net.ripe.rpki.ta.config.EnvStub; import net.ripe.rpki.ta.domain.TAState; import net.ripe.rpki.ta.serializers.legacy.SignedManifest; import net.ripe.rpki.ta.serializers.legacy.SignedObjectTracker; import net.ripe.rpki.ta.serializers.legacy.SignedResourceCertificate; +import org.joda.time.*; import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -148,6 +151,49 @@ public void test_process_request_revokes_manifest_ee_certificates() throws Excep assertThat(manifestEE).allMatch(secondCrl::isRevoked); } + /** + * Check the manifest and CRL invariants that should hold. + * * manifest and CRL validity period match + * * no CRL entries are after thisUpdate + * @param state + */ + private void validateManifestAndCrlInvariants(TAState state) { + // sanity check on config + assertThat(state.getConfig().getMinimumValidityPeriod().toDurationFrom(Instant.now()).toDuration()).isGreaterThan(Duration.standardDays(1)); + + var crl = state.getCrl(); + if (crl != null) { + // Check CRL lifetime is at least the minimum period + assertThat(crl.getThisUpdateTime().plus(state.getConfig().getMinimumValidityPeriod())).isLessThanOrEqualTo(crl.getNextUpdateTime()); + // check that CRL does not contain entries in the future + crl.getRevokedCertificates().forEach(revokedEntry -> { + assertThat(revokedEntry.getRevocationDateTime()).isLessThanOrEqualTo(crl.getThisUpdateTime()); + }); + } + + /** + * Check the manifest(s) against CRL validity. There are two parts here: + * * Manifest thisUpdate/nextUpdate + * * EE cert validity + */ + + // check manifest against CRL validity + state.getSignedManifests().forEach(manifestWrapper -> { + var manifest = manifestWrapper.getManifest(); + assertThat(manifestWrapper.getNotValidAfter()).isEqualTo(manifest.getNotValidAfter()); + + // thisUpdate/nextUpdate + assertThat(manifest.getThisUpdateTime()).isEqualTo(crl.getThisUpdateTime()); + assertThat(manifest.getNextUpdateTime()).isEqualTo(crl.getNextUpdateTime()); + + // EE validity + var eeValidityPeriod = manifest.getValidityPeriod(); + + assertThat(eeValidityPeriod.getNotValidBefore()).isEqualTo(crl.getThisUpdateTime()); + assertThat(eeValidityPeriod.getNotValidAfter()).isEqualTo(crl.getNextUpdateTime()); + }); + } + @Test public void test_process_request_reissue_revokes_old_cert() throws Exception { assertThat(run("--initialise --env=test").exitCode).isZero(); @@ -360,6 +406,8 @@ private X509ResourceCertificate getTaCertificate(TAState taState) throws Excepti } private TAState reloadTaState() throws Exception { - return TA.load(EnvStub.test()).getState(); + var state = TA.load(EnvStub.test()).getState(); + validateManifestAndCrlInvariants(state); + return state; } } From 0c52a2b81c3cd6c604a12681f34bb37a1e527028 Mon Sep 17 00:00:00 2001 From: Ties de Kock Date: Thu, 14 Dec 2023 12:02:28 +0100 Subject: [PATCH 2/2] Fix bug in manifest thisUpdate/nextUpdate calculation --- README.md | 1 + src/main/java/net/ripe/rpki/ta/TA.java | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 141f222..fa7a5d7 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ Changelog --------- ### main: + * **hotfix** fix bug in manifest this/nextUpdate calculation * Use the same timestamp for signing all the objects (TA certificate, MFT, CRL) * Publish docker image to GHCR insetead of dockerhub * Updated github actions diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java index fb9e49e..9452a0c 100644 --- a/src/main/java/net/ripe/rpki/ta/TA.java +++ b/src/main/java/net/ripe/rpki/ta/TA.java @@ -548,8 +548,8 @@ private ManifestCmsBuilder createBasicManifestBuilder(X509ResourceCertificate ee ValidityPeriod validityPeriod = validityPeriods.manifest(); return new ManifestCmsBuilder(). withCertificate(eeCertificate) - .withNextUpdateTime(validityPeriod.getNotValidBefore()) - .withThisUpdateTime(validityPeriod.getNotValidAfter()) + .withThisUpdateTime(validityPeriod.getNotValidBefore()) + .withNextUpdateTime(validityPeriod.getNotValidAfter()) .withManifestNumber(nextManifestNumber(signCtx.taState)) .withSignatureProvider(getSignatureProvider()); }