commit 050b3ea18eba6407673adb0748796b18e87ef512
author Tianyuan Yu <tianyuan@cs.ucla.edu> Thu Mar 13 15:20:34 2025 -0700
committer Davide Pesavento <davidepesa@gmail.com> Thu Mar 20 23:21:22 2025 -0400
tree a2c8e0050bf255bced0c00da957866e9d3fc3304
parent ea5b8fc288eedfdd4f0269aa29586db258733e82

ca: relax checks on ValidityPeriod

Change-Id: I517d790f40eb5404dec5f0e1a84af8acbaea8a58

src/ca-module.cpp

diff --git a/src/ca-module.cpp b/src/ca-module.cpp
index 9606e24..3eb349e 100644
--- a/src/ca-module.cpp
+++ b/src/ca-module.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2017-2024, Regents of the University of California.
+ * Copyright (c) 2017-2025, Regents of the University of California.
  *
  * This file is part of ndncert, a certificate management system based on NDN.
  *
@@ -38,7 +38,7 @@
 namespace ndncert::ca {
 
 constexpr time::milliseconds DEFAULT_DATA_FRESHNESS_PERIOD = 1_s;
-constexpr time::seconds REQUEST_VALIDITY_PERIOD_NOT_BEFORE_GRACE_PERIOD = 120_s;
+constexpr time::seconds REQUEST_VALIDITY_PERIOD_GRACE_PERIOD = 120_s;
 
 NDN_LOG_INIT(ndncert.ca);
 
@@ -266,10 +266,12 @@
   if (requestType == RequestType::NEW) {
     // check the validity period
     auto [notBefore, notAfter] = clientCert->getValidityPeriod().getPeriod();
-    auto currentTime = time::system_clock::now();
-    if (notBefore < currentTime - REQUEST_VALIDITY_PERIOD_NOT_BEFORE_GRACE_PERIOD ||
-        notAfter > currentTime + m_config.caProfile.maxValidityPeriod ||
-        notAfter <= notBefore) {
+    auto validFor = notAfter - notBefore;
+    auto now = time::system_clock::now();
+    if (notBefore < now - REQUEST_VALIDITY_PERIOD_GRACE_PERIOD ||
+        notAfter > now + m_config.caProfile.maxValidityPeriod + REQUEST_VALIDITY_PERIOD_GRACE_PERIOD ||
+        validFor > m_config.caProfile.maxValidityPeriod ||
+        validFor < 0_s) {
       NDN_LOG_ERROR("Invalid validity period requested");
       m_face.put(makeErrorPacket(request.getName(), ErrorCode::BAD_VALIDITY_PERIOD,
                                  "Invalid validity period requested."));

tests/unit-tests/ca-module.t.cpp

diff --git a/tests/unit-tests/ca-module.t.cpp b/tests/unit-tests/ca-module.t.cpp
index 9437f6f..2eeb4db 100644
--- a/tests/unit-tests/ca-module.t.cpp
+++ b/tests/unit-tests/ca-module.t.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2017-2024, Regents of the University of California.
+ * Copyright (c) 2017-2025, Regents of the University of California.
  *
  * This file is part of ndncert, a certificate management system based on NDN.
  *
@@ -264,7 +264,7 @@
   BOOST_CHECK_EQUAL(count, 1);
 }
 
-BOOST_AUTO_TEST_CASE(HandleNewWithInvalidValidityPeriod1)
+BOOST_AUTO_TEST_CASE(HandleNewWithInvalidValidityPeriod)
 {
   auto identity = m_keyChain.createIdentity(Name("/ndn"));
   auto key = identity.getDefaultKey();
@@ -272,29 +272,38 @@
 
   ndn::DummyClientFace face(m_io, m_keyChain, {true, true});
   CaModule ca(face, m_keyChain, "tests/unit-tests/config-files/config-ca-1");
-  advanceClocks(time::milliseconds(20), 60);
+  advanceClocks(20_ms, 60);
 
   CaProfile item;
   item.caPrefix = Name("/ndn");
   item.cert = std::make_shared<Certificate>(cert);
   requester::Request state(m_keyChain, item, RequestType::NEW);
   auto client = m_keyChain.createIdentity(Name("/ndn/zhiyi"));
-  auto current_tp = time::system_clock::now();
-  auto interest1 = state.genNewInterest(client.getDefaultKey().getName(), current_tp, current_tp - time::hours(1));
-  auto interest2 = state.genNewInterest(client.getDefaultKey().getName(), current_tp, current_tp + time::days(361));
-  auto interest3 = state.genNewInterest(client.getDefaultKey().getName(),
-                                        current_tp - time::hours(1), current_tp + time::hours(2));
+
+  // max-validity-period is 10 days
+  auto now = time::system_clock::now();
+  auto interest1 = state.genNewInterest(client.getDefaultKey().getName(), now, now - 1_h);
+  auto interest2 = state.genNewInterest(client.getDefaultKey().getName(), now, now + 11_days);
+  auto interest3 = state.genNewInterest(client.getDefaultKey().getName(), now - 3_min, now + 1_day);
+  auto interest4 = state.genNewInterest(client.getDefaultKey().getName(), now + 1_day, now + 10_days + 3_min);
+  auto interest5 = state.genNewInterest(client.getDefaultKey().getName(), now - 1_min, now + 10_days + 1_min);
+
+  int count = 0;
   face.onSendData.connect([&](const Data& response) {
+    ++count;
     auto contentTlv = response.getContent();
     contentTlv.parse();
-    auto errorCode = static_cast<ErrorCode>(readNonNegativeInteger(contentTlv.get(tlv::ErrorCode)));
-    BOOST_CHECK(errorCode != ErrorCode::NO_ERROR);
+    auto err = ndn::readNonNegativeIntegerAs<ErrorCode>(contentTlv.get(tlv::ErrorCode));
+    BOOST_TEST(err == ErrorCode::BAD_VALIDITY_PERIOD);
   });
   face.receive(*interest1);
   face.receive(*interest2);
   face.receive(*interest3);
+  face.receive(*interest4);
+  face.receive(*interest5);
 
-  advanceClocks(time::milliseconds(20), 60);
+  advanceClocks(20_ms, 60);
+  BOOST_TEST(count == 5);
 }
 
 BOOST_AUTO_TEST_CASE(HandleNewWithServerBadValidity)
@@ -302,7 +311,7 @@
   auto identity = m_keyChain.createIdentity(Name("/ndn"));
   auto key = identity.getDefaultKey();
 
-  //build expired cert
+  // build expired cert
   Certificate cert;
   cert.setName(Name(key.getName()).append("self-sign").appendVersion());
   cert.setContentType(ndn::tlv::ContentType_Key);