Merged
Changes from 2 commits
34 commits
ccb1537
tls: fix spiffe daysUntilFirstCertExpires
daixiang0 Mar 30, 2022
d4a0d5d
return -1 when expired
daixiang0 Mar 30, 2022
aabe78a
modify return type
daixiang0 Apr 7, 2022
68a62bc
fix CI
daixiang0 Apr 7, 2022
2f46bcb
update missing func
daixiang0 Apr 7, 2022
cde5fb3
update mock func
daixiang0 Apr 7, 2022
c98cc33
Merge branch 'main' into spiffe
daixiang0 Apr 8, 2022
92232e2
update value
daixiang0 Apr 8, 2022
8d72e7b
remove useless import
daixiang0 Apr 8, 2022
0f96607
fix null compare
daixiang0 Apr 8, 2022
9f7adeb
fix utility test
daixiang0 Apr 8, 2022
2fce764
feedback
daixiang0 Apr 11, 2022
d85d2f8
revert null
daixiang0 Apr 11, 2022
1ee6211
fix CI
daixiang0 Apr 13, 2022
3a337f4
feedback
daixiang0 Apr 21, 2022
037d89d
update api
daixiang0 Apr 24, 2022
ce79a84
Revert "update api"
daixiang0 Apr 25, 2022
f825b07
use 0
daixiang0 Apr 25, 2022
b72e9c1
feedback
daixiang0 Apr 26, 2022
06b3ae4
update tests
daixiang0 Apr 27, 2022
6bddf0e
fix format
daixiang0 Apr 28, 2022
c3d3df2
use int32_t rather than size_t
daixiang0 Apr 29, 2022
bb9cbd1
update tests
daixiang0 Apr 29, 2022
cf3a164
fix CI
daixiang0 Apr 29, 2022
18491a5
int32_t -> size_t
daixiang0 May 5, 2022
dacecb8
fix CI
daixiang0 May 5, 2022
9f4f684
size_t -> uint32_t
daixiang0 May 6, 2022
8e74e58
1
daixiang0 May 7, 2022
4c66b5d
update Utility::getDaysUntilExpiration
daixiang0 May 7, 2022
b1f5ab4
fix CI
daixiang0 May 9, 2022
4e854e1
fix CI
daixiang0 May 9, 2022
74cd906
add release note
daixiang0 May 11, 2022
1c27f07
Merge branch 'main' into spiffe
daixiang0 May 11, 2022
185afae
update changelog
daixiang0 May 11, 2022
Expand Up @@ -269,8 +269,10 @@ size_t SPIFFEValidator::daysUntilFirstCertExpires() const {
}
size_t ret = SIZE_MAX;
for (auto& cert : ca_certs_) {
size_t tmp = Utility::getDaysUntilExpiration(cert.get(), time_source_);
if (tmp < ret) {
int32_t tmp = Utility::getDaysUntilExpiration(cert.get(), time_source_);
if (tmp == -1) {
return tmp;
} else if (tmp < static_cast<int>(ret)) {
Comment thread
daixiang0 marked this conversation as resolved.
Outdated
ret = tmp;
}
}
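Review bot: The new comparison `tmp < static_cast<int>(ret)` can never be true on the first iteration, because `ret` starts at `SIZE_MAX` and the cast turns that into -1 on common toolchains, so for non-expired CAs `ret` is never lowered and the function appears to return `SIZE_MAX` instead of the smallest day count. The early `return tmp;` has a related problem: the function still returns `size_t` (per the hunk header), so -1 reaches callers as `SIZE_MAX`, and an expired trust-bundle CA reads as the furthest-away expiry to anything that consumes this value for monitoring. Keeping the running minimum in the signed domain, e.g. `int32_t ret = std::numeric_limits<int32_t>::max();` with `else if (tmp < ret)`, and making the return type signed (or an optional) would fix both; the `EXPECT_EQ(-1, ...)` in the new SPIFFE test only passes through the same implicit conversion. The function body starts outside the hunk.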
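--- a/source/extensions/transport_sockets/tls/utility.cc
+++ b/source/extensions/transport_sockets/tls/utility.cc
@@ -260,7 +260,7 @@ int32_t Utility::getDaysUntilExpiration(const X509* cert, TimeSource& time_sourc
 int days, seconds;
 if (ASN1_TIME_diff(&days, &seconds, currentASN1_Time(time_source).get(),
 X509_get0_notAfter(cert))) {
-return days;
+return days < 0 ? -1 : days;
 }
 return 0;
 }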
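Review bot: `days < 0` misses a certificate that expired less than 24 hours ago: ASN1_TIME_diff reports that case as `days == 0` with a negative `seconds`, so the function returns 0 rather than -1. The check should consider both outputs, `return (days < 0 || seconds < 0) ? -1 : days;`. Separately, the fall-through `return 0;` when ASN1_TIME_diff fails is indistinguishable from "expires today"; a comment stating that choice, or returning the expired sentinel, would make the contract explicit. The updated TestDaysUntilExpiration in utility_test.cc only asserts a date far past notAfter, so the sub-day boundary is not covered by the visible tests. The function's opening lines are outside the hunk.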
Expand Up @@ -12,6 +12,7 @@

#include "test/extensions/transport_sockets/tls/cert_validator/test_common.h"
#include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
#include "test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h"
#include "test/test_common/environment.h"
#include "test/test_common/simulated_time_system.h"
#include "test/test_common/test_runtime.h"
Expand Down Expand Up @@ -562,6 +563,26 @@ name: envoy.tls.cert_validator.spiffe
EXPECT_EQ(19221, validator().daysUntilFirstCertExpires());
}

TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpiresExpired) {
Event::SimulatedTimeSystem time_system;
// 2033-05-18 03:33:20 UTC
const time_t known_date_time = 2000000000;
time_system.setSystemTime(std::chrono::system_clock::from_time_t(known_date_time));

initialize(TestEnvironment::substitute(R"EOF(
name: envoy.tls.cert_validator.spiffe
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
trust_domains:
- name: example.com
trust_bundle:
filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
)EOF"),
time_system);

EXPECT_EQ(-1, validator().daysUntilFirstCertExpires());
}

TEST_F(TestSPIFFEValidator, TestAddClientValidationContext) {
Event::TestRealTimeSystem time_system;
initialize(TestEnvironment::substitute(R"EOF(
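Review bot: The added include of `spiffe_san_cert_info.h` is not used by any line of the new test in this hunk, which instead hard-codes `known_date_time = 2000000000` and relies on the fixture certificate expiring before 2033. If that header exposes the certificate's not-after value, deriving the simulated time from it would keep the test correct when the fixture is regenerated; otherwise drop the include. A short comment above the time setup, e.g. `// Simulated clock is later than the notAfter of spiffe_san_cert.pem.`, would also state the test's premise.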
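--- a/test/extensions/transport_sockets/tls/utility_test.cc
+++ b/test/extensions/transport_sockets/tls/utility_test.cc
@@ -122,12 +122,7 @@ TEST(UtilityTest, TestDaysUntilExpiration) {
 Event::SimulatedTimeSystem time_source;
 time_source.setSystemTime(std::chrono::system_clock::from_time_t(known_date_time));
 
-// Get expiration time from the certificate info.
-const absl::Time expiration =
-TestUtility::parseTime(TEST_SAN_DNS_CERT_NOT_AFTER, "%b %e %H:%M:%S %Y GMT");
-
-int days = std::difftime(absl::ToTimeT(expiration), known_date_time) / (60 * 60 * 24);
-EXPECT_EQ(days, Utility::getDaysUntilExpiration(cert.get(), time_source));
+EXPECT_EQ(-1, Utility::getDaysUntilExpiration(cert.get(), time_source));
 }
 
 TEST(UtilityTest, TestDaysUntilExpirationWithNull) {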