Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Renew expiring endpoint certificates #223

Merged
merged 1 commit into from
Apr 21, 2022
Merged

feat: Renew expiring endpoint certificates #223

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion lib/src/main/java/tech/relaycorp/awaladroid/Awala.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,9 @@ import tech.relaycorp.awala.keystores.file.FileKeystoreRoot
import tech.relaycorp.awala.keystores.file.FileSessionPublicKeystore
import tech.relaycorp.awaladroid.background.ServiceInteractor
import tech.relaycorp.awaladroid.endpoint.ChannelManager
import tech.relaycorp.awaladroid.endpoint.FirstPartyEndpoint
import tech.relaycorp.awaladroid.endpoint.HandleGatewayCertificateChange
import tech.relaycorp.awaladroid.endpoint.RenewExpiringCertificates
import tech.relaycorp.awaladroid.storage.StorageImpl
import tech.relaycorp.awaladroid.storage.persistence.DiskPersistence
import tech.relaycorp.relaynet.nodes.EndpointManager
Expand Down Expand Up @@ -53,7 +55,10 @@ public object Awala {
)

coroutineScope {
launch { fileCertificateStore.deleteExpired() }
launch {
RenewExpiringCertificates(androidPrivateKeyStore, FirstPartyEndpoint::load)()
fileCertificateStore.deleteExpired()
}
}
}

Expand Down
31 changes: 31 additions & 0 deletions lib/src/main/java/tech/relaycorp/awaladroid/endpoint/RenewExpiringCertificates.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
package tech.relaycorp.awaladroid.endpoint

import java.time.ZonedDateTime
import kotlin.time.Duration
import kotlin.time.days
import tech.relaycorp.relaynet.keystores.PrivateKeyStore
import tech.relaycorp.relaynet.wrappers.privateAddress
import tech.relaycorp.relaynet.wrappers.x509.Certificate

internal class RenewExpiringCertificates(
private val privateKeyStore: PrivateKeyStore,
private val firstPartyEndpointLoader: suspend (String) -> FirstPartyEndpoint?
) {

suspend operator fun invoke() {
privateKeyStore.retrieveAllIdentityKeys()
.mapNotNull { firstPartyEndpointLoader(it.privateAddress) }
.forEach {
if (it.identityCertificate.isExpiring) {
it.reRegister()
}
}
}

private val Certificate.isExpiring get() =
expiryDate <= ZonedDateTime.now().plusSeconds(EXPIRATION_THRESHOLD.inWholeSeconds)

companion object {
internal val EXPIRATION_THRESHOLD = Duration.days(60)
}
}
55 changes: 55 additions & 0 deletions lib/src/test/java/tech/relaycorp/awaladroid/endpoint/RenewExpiringCertificatesTest.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
package tech.relaycorp.awaladroid.endpoint

import com.nhaarman.mockitokotlin2.mock
import com.nhaarman.mockitokotlin2.never
import com.nhaarman.mockitokotlin2.verify
import com.nhaarman.mockitokotlin2.whenever
import java.time.ZonedDateTime
import kotlinx.coroutines.test.runBlockingTest
import org.junit.Before
import org.junit.Test
import tech.relaycorp.relaynet.issueEndpointCertificate
import tech.relaycorp.relaynet.keystores.PrivateKeyStore
import tech.relaycorp.relaynet.testing.pki.KeyPairSet

internal class RenewExpiringCertificatesTest() {

private val privateKeyStore = mock<PrivateKeyStore>()

@Before
fun setUp() = runBlockingTest {
whenever(privateKeyStore.retrieveAllIdentityKeys())
.thenReturn(listOf(KeyPairSet.PRIVATE_ENDPOINT.private))
}

@Test
fun `renews expiring certificates`() = runBlockingTest {
val expiringEndpoint = buildFirstPartyEndpoint(ZonedDateTime.now().plusDays(50))
val subject = RenewExpiringCertificates(privateKeyStore) { expiringEndpoint }

subject()

verify(expiringEndpoint).reRegister()
}

@Test
fun `does not renew not expiring certificates`() = runBlockingTest {
val notExpiringEndpoint = buildFirstPartyEndpoint(ZonedDateTime.now().plusDays(70))
val subject = RenewExpiringCertificates(privateKeyStore) { notExpiringEndpoint }

subject()

verify(notExpiringEndpoint, never()).reRegister()
}

private fun buildFirstPartyEndpoint(certExpiryDate: ZonedDateTime): FirstPartyEndpoint {
val firstPartyEndpoint = mock<FirstPartyEndpoint>()
val expiringCert = issueEndpointCertificate(
KeyPairSet.PRIVATE_ENDPOINT.public,
KeyPairSet.PRIVATE_GW.private,
certExpiryDate
)
whenever(firstPartyEndpoint.identityCertificate).thenReturn(expiringCert)
return firstPartyEndpoint
}
}