fix(Certificate): Cap expiry date at issuer's (#230)

Not only is this semantically correct, but it helps with certificate rotation as subjects can simply check their own expiry dates without looking at the rest of the chain. This is the JVM counterpart to relaycorp/relaynet-core-js#430
relaycorp · Mar 17, 2022 · 9e104e0 · 9e104e0
1 parent a1d6a09
commit 9e104e0
Show file tree

Hide file tree

Showing 2 changed files with 271 additions and 216 deletions.
diff --git a/src/main/kotlin/tech/relaycorp/relaynet/wrappers/x509/Certificate.kt b/src/main/kotlin/tech/relaycorp/relaynet/wrappers/x509/Certificate.kt
@@ -60,7 +60,12 @@ class Certificate constructor(internal val certificateHolder: X509CertificateHol
             pathLenConstraint: Int = 0,
             validityStartDate: ZonedDateTime = ZonedDateTime.now()
         ): Certificate {
-            if (validityStartDate >= validityEndDate) {
+            val expiryDate = if (issuerCertificate != null) minOf(
+                issuerCertificate.expiryDate,
+                validityEndDate
+            ) else validityEndDate
+
+            if (validityStartDate >= expiryDate) {
                 throw CertificateException("The end date must be later than the start date")
             }
             if (issuerCertificate != null && !issuerCertificate.isCA) {
@@ -77,7 +82,7 @@ class Certificate constructor(internal val certificateHolder: X509CertificateHol
                 issuerDistinguishedName,
                 generateRandomBigInteger(),
                 Date.from(validityStartDate.toInstant()),
-                Date.from(validityEndDate.toInstant()),
+                Date.from(expiryDate.toInstant()),
                 subjectDistinguishedName,
                 subjectPublicKeyInfo
             )