validate time before sign the identity certificate (#329)

jkralik · jkralik · commit 440fb9af2574 · 2023-01-09T14:27:50.000+01:00
diff --git a/client/client_test.go b/client/client_test.go
@@ -71,6 +71,8 @@ func NewTestSecureClient() (*client.Client, error) {
 func NewTestSecureClientWithGeneratedCertificate() (*client.Client, error) {
 	var cfgCA generateCertificate.Configuration
 	cfgCA.Subject.CommonName = "anotherClient"
+	cfgCA.ValidFrom = "now"
+	cfgCA.ValidFor = time.Hour
 
 	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
diff --git a/pkg/security/signer/signer.go b/pkg/security/signer/signer.go
@@ -43,6 +43,27 @@ func NewOCFIdentityCertificate(caCert []*x509.Certificate, caKey crypto.PrivateK
 }
 
 func (s *OCFIdentityCertificate) Sign(ctx context.Context, csr []byte) (signedCsr []byte, err error) {
+	now := time.Now()
+	notBefore := s.validNotBefore
+	notAfter := s.validNotAfter
+	for _, c := range s.caCert {
+		if notBefore.Before(c.NotBefore) {
+			notBefore = c.NotBefore
+		}
+		if notAfter.After(c.NotAfter) {
+			notAfter = c.NotAfter
+		}
+	}
+	if notBefore.After(notAfter) {
+		return nil, fmt.Errorf("invalid time range: not before %v limit is greater than not after limit %v", notBefore.Format(time.RFC3339), notAfter.Format(time.RFC3339))
+	}
+	if now.Before(notBefore) {
+		return nil, fmt.Errorf("not valid yet: current time %v is out of time range: %v <-> %v", now, notBefore.Format(time.RFC3339), notAfter.Format(time.RFC3339))
+	}
+	if now.After(notAfter) {
+		return nil, fmt.Errorf("expired: current time %v is out of time range: %v <-> %v", now, notBefore.Format(time.RFC3339), notAfter.Format(time.RFC3339))
+	}
+
 	csrBlock, _ := pem.Decode(csr)
 	if csrBlock == nil {
 		err = fmt.Errorf("pem not found")
@@ -59,8 +80,6 @@ func (s *OCFIdentityCertificate) Sign(ctx context.Context, csr []byte) (signedCs
 		return
 	}
 
-	notBefore := s.validNotBefore
-	notAfter := s.validNotAfter
 	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {
diff --git a/pkg/security/signer/signer_test.go b/pkg/security/signer/signer_test.go
@@ -0,0 +1,133 @@
+package signer
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/plgd-dev/kit/v2/security"
+	"github.com/plgd-dev/kit/v2/security/generateCertificate"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOCFIdentityCertificate_Sign(t *testing.T) {
+	type fields struct {
+		caCert         []*x509.Certificate
+		caKey          crypto.PrivateKey
+		validNotBefore time.Time
+		validNotAfter  time.Time
+	}
+	type args struct {
+		ctx context.Context
+		csr []byte
+	}
+	caCert, err := security.LoadX509(os.Getenv("ROOT_CA_CRT"))
+	require.NoError(t, err)
+	caKey, err := security.LoadX509PrivateKey(os.Getenv("ROOT_CA_KEY"))
+	require.NoError(t, err)
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+	id := uuid.NewString()
+	csr, err := generateCertificate.GenerateIdentityCSR(generateCertificate.Configuration{}, id, priv)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "valid",
+			fields: fields{
+				caCert:         caCert,
+				caKey:          caKey,
+				validNotBefore: time.Now().Add(-time.Second),
+				validNotAfter:  time.Now().Add(time.Hour),
+			},
+			args: args{
+				ctx: context.Background(),
+				csr: csr,
+			},
+		},
+		{
+			name: "valid - bigger time range than ca signer chain supported",
+			fields: fields{
+				caCert:         caCert,
+				caKey:          caKey,
+				validNotBefore: time.Now().Add(-time.Hour * 8760 * 10),
+				validNotAfter:  time.Now().Add(time.Hour * 8760 * 10),
+			},
+			args: args{
+				ctx: context.Background(),
+				csr: csr,
+			},
+		},
+		{
+			name: "invalid time range",
+			fields: fields{
+				caCert:         caCert,
+				caKey:          caKey,
+				validNotBefore: time.Now().Add(time.Hour),
+				validNotAfter:  time.Now().Add(-time.Second),
+			},
+			args: args{
+				ctx: context.Background(),
+				csr: csr,
+			},
+			wantErr: true,
+		},
+		{
+			name: "invalid time range - now before not before",
+			fields: fields{
+				caCert:         caCert,
+				caKey:          caKey,
+				validNotBefore: time.Now().Add(time.Hour),
+				validNotAfter:  time.Now().Add(time.Hour * 2),
+			},
+			args: args{
+				ctx: context.Background(),
+				csr: csr,
+			},
+			wantErr: true,
+		},
+		{
+			name: "invalid time range - now after not after",
+			fields: fields{
+				caCert:         caCert,
+				caKey:          caKey,
+				validNotBefore: time.Now(),
+				validNotAfter:  time.Now().Add(time.Nanosecond),
+			},
+			args: args{
+				ctx: context.Background(),
+				csr: csr,
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := &OCFIdentityCertificate{
+				caCert:         tt.fields.caCert,
+				caKey:          tt.fields.caKey,
+				validNotBefore: tt.fields.validNotBefore,
+				validNotAfter:  tt.fields.validNotAfter,
+			}
+			gotSignedCsr, err := s.Sign(tt.args.ctx, tt.args.csr)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			require.NotEmpty(t, gotSignedCsr)
+		})
+	}
+}
