commit f62cfeb37962e7037507dfb9f075e0b7bb4ea3d7
author tylerliu <tylersiqi@163.com> Thu Jan 28 11:01:33 2021 -0800
committer tylerliu <tylersiqi@163.com> Thu Jan 28 11:01:33 2021 -0800
tree 0190f42dbaa700fe95653bb4a2360a552390c7a1
parent 4140fe81a9b2610eeef546af160de4a575928128

add validity check on new

Change-Id: I96c10650bd85c2acb305ef8e1512e084a093db08

src/ca-module.cpp

diff --git a/src/ca-module.cpp b/src/ca-module.cpp
index 0593610..2b9fcb8 100644
--- a/src/ca-module.cpp
+++ b/src/ca-module.cpp
@@ -195,6 +195,16 @@
 void
 CaModule::onNewRenewRevoke(const Interest& request, RequestType requestType)
 {
+
+  //verify ca cert validity
+  const auto& caCert = m_keyChain.getPib().getIdentity( m_config.caProfile.caPrefix).getDefaultKey().getDefaultCertificate();
+  if (!caCert.isValid()) {
+    NDN_LOG_ERROR("Server certificate invalid/expired");
+    m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::BAD_VALIDITY_PERIOD,
+                                       "Server certificate invalid/expired"));
+    return;
+  }
+
   // NEW Naming Convention: /<CA-prefix>/CA/NEW/[SignedInterestParameters_Digest]
   // REVOKE Naming Convention: /<CA-prefix>/CA/REVOKE/[SignedInterestParameters_Digest]
   // get ECDH pub key and cert request
@@ -292,8 +302,7 @@
   }
   else if (requestType == RequestType::REVOKE) {
     //verify cert is from this CA
-    const auto& cert = m_keyChain.getPib().getIdentity( m_config.caProfile.caPrefix).getDefaultKey().getDefaultCertificate();
-    if (!security::verifySignature(*clientCert, cert)) {
+    if (!security::verifySignature(*clientCert, caCert)) {
       NDN_LOG_ERROR("Invalid signature in the certificate to revoke.");
       m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::BAD_SIGNATURE,
                                          "Invalid signature in the certificate to revoke."));