Merge pull request #4258 from oasisprotocol/kostko/feature/sentry-reg…

…en-tls-cert go/common/identity: Refresh sentry TLS certificates
oasisprotocol · Sep 14, 2021 · 425f2a4 · 425f2a4
2 parents a4ad6be + 671b4a0
commit 425f2a4
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/.changelog/4239.bugfix.md b/.changelog/4239.bugfix.md
@@ -0,0 +1,4 @@
+go/common/identity: Refresh sentry TLS certificates
+
+Since we are using public keys for TLS authentication, we make sure that
+sentry TLS certificates are refreshed to avoid them expiring.
diff --git a/go/common/identity/identity.go b/go/common/identity/identity.go
@@ -322,8 +322,11 @@ func doLoadOrGenerate(dataDir string, signerFactory signature.SignerFactory, sho
 
 	// Load or generate the sentry client certificate for this node.
 	tlsSentryClientCertPath, tlsSentryClientKeyPath := TLSSentryClientCertPaths(dataDir)
-	sentryClientCert, err := tlsCert.Load(tlsSentryClientCertPath, tlsSentryClientKeyPath)
+	sentryClientCert, err := tlsCert.LoadFromKey(tlsSentryClientKeyPath, CommonName)
 	if err != nil {
+		if !os.IsNotExist(err) {
+			return nil, fmt.Errorf("identity: unable to read sentry client key from file: %w", err)
+		}
 		// Load failed, generate fresh sentry client cert.
 		sentryClientCert, err = tlsCert.Generate(CommonName)
 		if err != nil {

diff --git a/go/common/identity/identity_test.go b/go/common/identity/identity_test.go
@@ -4,6 +4,7 @@ import (
 	"io/ioutil"
 	"os"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 
@@ -24,6 +25,9 @@ func TestLoadOrGenerate(t *testing.T) {
 	require.NoError(t, err, "LoadOrGenerate")
 	require.EqualValues(t, []signature.PublicKey{identity.GetTLSSigner().Public()}, identity.GetTLSPubKeys())
 
+	// Sleep to make sure that any regenerated TLS certificates will have different expiration.
+	time.Sleep(2 * time.Second)
+
 	// Load an existing identity.
 	identity2, err := LoadOrGenerate(dataDir, factory, false)
 	require.NoError(t, err, "LoadOrGenerate (2)")
@@ -33,6 +37,8 @@ func TestLoadOrGenerate(t *testing.T) {
 	require.EqualValues(t, identity.GetTLSSigner(), identity2.GetTLSSigner())
 	require.EqualValues(t, identity.GetTLSCertificate(), identity2.GetTLSCertificate())
 	require.EqualValues(t, identity.GetTLSPubKeys(), identity2.GetTLSPubKeys())
+	require.NotEqual(t, identity.TLSSentryClientCertificate, identity2.TLSSentryClientCertificate)
+	require.EqualValues(t, identity.TLSSentryClientCertificate.PrivateKey, identity2.TLSSentryClientCertificate.PrivateKey)
 
 	dataDir2, err := ioutil.TempDir("", "oasis-identity-test2_")
 	require.NoError(t, err, "create data dir (2)")
@@ -46,6 +52,9 @@ func TestLoadOrGenerate(t *testing.T) {
 		identity3.GetNextTLSSigner().Public(),
 	}, identity3.GetTLSPubKeys())
 
+	// Sleep to make sure that any regenerated TLS certificates will have different expiration.
+	time.Sleep(2 * time.Second)
+
 	// Load it back.
 	identity4, err := LoadOrGenerate(dataDir2, factory, false)
 	require.NoError(t, err, "LoadOrGenerate (4)")
@@ -60,4 +69,6 @@ func TestLoadOrGenerate(t *testing.T) {
 	// Private key for identity4 must be the same, but the certificate might be regenerated
 	// and different if the wall clock minute changed.
 	require.Equal(t, identity3.GetTLSCertificate().PrivateKey, identity4.GetTLSCertificate().PrivateKey)
+	require.NotEqual(t, identity3.TLSSentryClientCertificate, identity4.TLSSentryClientCertificate)
+	require.EqualValues(t, identity4.TLSSentryClientCertificate.PrivateKey, identity4.TLSSentryClientCertificate.PrivateKey)
 }