Switch from "validity_in_years" to flexible "validity_duration" with unit support

Enable different units to be selected (hours, days, months, years) for certificate and CA creation. Both TLS as well as SSL certs are supported.

Author: Emily Ehlert

backend/src/api.rs

@@ -12,7 +12,7 @@ use crate::certs::ssh_cert::{get_ssh_pem, SSHCertificateBuilder};
 use crate::certs::tls_cert::{get_timestamp, get_tls_pem, TLSCertificateBuilder};
 use crate::constants::VAULTLS_VERSION;
 use crate::data::api::{CallbackQuery, ChangePasswordRequest, CreateCARequest, CreateUserCertificateRequest, CreateUserRequest, DownloadResponse, IsSetupResponse, LoginRequest, SetupRequest};
-use crate::data::enums::{CAType, CertificateType, PasswordRule, UserRole};
+use crate::data::enums::{CAType, CertificateType, PasswordRule, TimespanUnit, UserRole};
 use crate::data::error::ApiError;
 use crate::data::objects::{AppState, User};
 use crate::notification::mail::{MailMessage, Mailer};
@@ -81,9 +81,11 @@ pub(crate) async fn setup(
 
     state.db.insert_user(user).await?;
 
+    let cert_validity = setup_req.validity_duration.unwrap_or(5);
+    let cert_validity_unit = setup_req.validity_unit.unwrap_or(TimespanUnit::Year);
     let mut ca = TLSCertificateBuilder::new()?
         .set_name(&setup_req.ca_name)?
-        .set_valid_until(setup_req.ca_validity_in_years)?
+        .set_valid_until(cert_validity, cert_validity_unit)?
         .build_ca()?;
     ca = state.db.insert_ca(ca).await?;
     save_ca(&ca)?;
@@ -287,10 +289,11 @@ pub(crate) async fn create_ca(
 ) -> Result<Json<i64>, ApiError> {
     let mut ca = match payload.ca_type {
         CAType::TLS => {
-            let validity = payload.validity_in_years.unwrap_or(5);
+            let cert_validity = payload.validity_duration.unwrap_or(5);
+            let cert_validity_unit = payload.validity_unit.unwrap_or(TimespanUnit::Year);
             TLSCertificateBuilder::new()?
                 .set_name(&payload.ca_name)?
-                .set_valid_until(validity)?
+                .set_valid_until(cert_validity, cert_validity_unit)?
                 .build_ca()?
         },
         CAType::SSH => {
@@ -320,9 +323,10 @@ pub(crate) async fn create_user_certificate(
 
     let mut ca = get_appropriate_ca(state, &payload).await?;
     ca = ensure_ca_validity(&mut ca, state, &payload).await?;
-    
-    let cert_validity_in_years = payload.validity_in_years.unwrap_or(1);
-    let mut cert = build_certificate(&payload, &ca, &cert_password, cert_validity_in_years, state).await?;
+
+    let cert_validity = payload.validity_duration.unwrap_or(1);
+    let cert_validity_unit = payload.validity_unit.unwrap_or(TimespanUnit::Year);
+    let mut cert = build_certificate(&payload, &ca, &cert_password, cert_validity, cert_validity_unit, state).await?;
 
     cert = state.db.insert_user_cert(cert).await?;
 
@@ -374,8 +378,9 @@ async fn get_appropriate_ca(state: &State<AppState>, payload: &CreateUserCertifi
 }
 
 async fn ensure_ca_validity(ca: &mut CA, state: &State<AppState>, payload: &CreateUserCertificateRequest) -> Result<CA, ApiError> {
-    let cert_validity_in_years = payload.validity_in_years.unwrap_or(1);
-    let cert_validity_timestamp = get_timestamp(cert_validity_in_years)?;
+    let cert_validity = payload.validity_duration.unwrap_or(1);
+    let cert_validity_unit = payload.validity_unit.unwrap_or(TimespanUnit::Year);
+    let cert_validity_timestamp = get_timestamp(cert_validity, cert_validity_unit)?;
 
     if ca.valid_until == -1 || cert_validity_timestamp.0 <= ca.valid_until {
         return Ok(ca.clone());
@@ -400,31 +405,33 @@ async fn build_certificate(
     payload: &CreateUserCertificateRequest,
     ca: &CA,
     cert_password: &str,
-    cert_validity_in_years: u64,
+    validity_duration: u64,
+    validity_unit: TimespanUnit,
     state: &State<AppState>
 ) -> Result<Certificate, ApiError> {
     let cert_type = payload.cert_type.ok_or_else(|| {
         ApiError::BadRequest("Certificate type is required".to_string())
     })?;
 
     match cert_type {
-        CertificateType::SSHClient => build_ssh_cert(payload, ca, cert_password, cert_validity_in_years, true),
-        CertificateType::SSHServer => build_ssh_cert(payload, ca, cert_password, cert_validity_in_years, false),
-        CertificateType::TLSClient => build_tls_cert(payload, ca, cert_password, cert_validity_in_years, state, true).await,
-        CertificateType::TLSServer => build_tls_cert(payload, ca, cert_password, cert_validity_in_years, state, false).await,
+        CertificateType::SSHClient => build_ssh_cert(payload, ca, cert_password, validity_duration, validity_unit, true),
+        CertificateType::SSHServer => build_ssh_cert(payload, ca, cert_password, validity_duration, validity_unit, false),
+        CertificateType::TLSClient => build_tls_cert(payload, ca, cert_password, validity_duration, validity_unit, state, true).await,
+        CertificateType::TLSServer => build_tls_cert(payload, ca, cert_password, validity_duration, validity_unit, state, false).await,
     }
 }
 
 fn build_ssh_cert(
     payload: &CreateUserCertificateRequest,
     ca: &CA,
     cert_password: &str,
-    cert_validity_in_years: u64,
+    validity_duration: u64,
+    validity_unit: TimespanUnit,
     is_client: bool,
 ) -> Result<Certificate, ApiError> {
     let mut cert_builder = SSHCertificateBuilder::new()?
         .set_name(&payload.cert_name)?
-        .set_valid_until(cert_validity_in_years)?
+        .set_valid_until(validity_duration, validity_unit)?
         .set_renew_method(payload.renew_method.unwrap_or_default())?
         .set_ca(ca)?
         .set_user_id(payload.user_id)?;
@@ -448,13 +455,14 @@ async fn build_tls_cert(
     payload: &CreateUserCertificateRequest,
     ca: &CA,
     pkcs12_password: &str,
-    cert_validity_in_years: u64,
+    validity_duration: u64,
+    validity_unit: TimespanUnit,
     state: &State<AppState>,
     is_client: bool,
 ) -> Result<Certificate, ApiError> {
     let mut cert_builder = TLSCertificateBuilder::new()?
         .set_name(&payload.cert_name)?
-        .set_valid_until(cert_validity_in_years)?
+        .set_valid_until(validity_duration, validity_unit)?
         .set_renew_method(payload.renew_method.unwrap_or_default())?
         .set_password(pkcs12_password)?
         .set_ca(ca)?

backend/src/certs/ssh_cert.rs

@@ -1,5 +1,5 @@
 use crate::certs::common::{Certificate, CA};
-use crate::data::enums::{CertificateRenewMethod, CertificateType};
+use crate::data::enums::{CertificateRenewMethod, CertificateType, TimespanUnit};
 use anyhow::anyhow;
 use anyhow::Result;
 use rand::prelude::*;
@@ -46,8 +46,15 @@ impl SSHCertificateBuilder {
         Ok(self)
     }
 
-    pub fn set_valid_until(mut self, years: u64) -> Result<Self> {
-        let valid_until = self.created_on + (365 * 86400 * 1000) * years as i64;
+    pub fn set_valid_until(mut self, duration: u64, unit: TimespanUnit) -> Result<Self> {
+        let duration_per_unit_h = match unit {
+            TimespanUnit::Year => 365*24,
+            TimespanUnit::Month => 30*24,
+            TimespanUnit::Day => 24,
+            TimespanUnit::Hour => 1,
+        };
+        let duration_s = 60 * 60 * duration as i64 * duration_per_unit_h;
+        let valid_until = self.created_on + (duration_s * 1000);
         self.valid_until = Some(valid_until);
         Ok(self)
     }

backend/src/certs/tls_cert.rs

@@ -16,7 +16,7 @@ use openssl::x509::extension::{AuthorityKeyIdentifier, BasicConstraints, Extende
 use openssl::x509::X509Builder;
 use tracing::info;
 use crate::constants::{CA_DIR_PATH, CA_FILE_PATTERN, CA_TLS_FILE_PATH};
-use crate::data::enums::{CAType, CertificateRenewMethod, CertificateType};
+use crate::data::enums::{CAType, CertificateRenewMethod, CertificateType, TimespanUnit};
 use crate::data::enums::CertificateType::{TLSClient, TLSServer};
 #[cfg(not(feature = "test-mode"))]
 use crate::ApiError;
@@ -38,7 +38,7 @@ impl TLSCertificateBuilder {
     pub fn new() -> Result<Self> {
         let private_key = generate_private_key()?;
         let asn1_serial = generate_serial_number()?;
-        let (created_on_unix, created_on_openssl) = get_timestamp(0)?;
+        let (created_on_unix, created_on_openssl) = get_timestamp(0, TimespanUnit::Hour)?;
 
         let mut x509 = X509Builder::new()?;
         x509.set_version(2)?;
@@ -67,11 +67,11 @@ impl TLSCertificateBuilder {
     ///     - Renew Method\
     ///     - User ID\
     pub fn try_from(old_cert: &Certificate) -> Result<Self> {
-        let validity_in_years = ((old_cert.valid_until - old_cert.created_on) / 1000 / 60 / 60 / 24 / 365).max(1);
+        let validity_d = ((old_cert.valid_until - old_cert.created_on) / 1000 / 60 / 60 / 24).max(14);
 
         Self::new()?
             .set_name(&old_cert.name)?
-            .set_valid_until(validity_in_years as u64)?
+            .set_valid_until(validity_d as u64, TimespanUnit::Day)?
             .set_password(&old_cert.password)?
             .set_renew_method(old_cert.renew_method)?
             .set_user_id(old_cert.user_id)
@@ -81,11 +81,11 @@ impl TLSCertificateBuilder {
         if old_ca.ca_type != TLS {
             return Err(anyhow!("CA is not of type SSH"));
         }
-        let validity_in_years = ((old_ca.valid_until - old_ca.created_on) / 1000 / 60 / 60 / 24 / 365).max(1);
+        let validity_h = ((old_ca.valid_until - old_ca.created_on) / 1000 / 60 / 60 / 24).max(14);
 
         Self::new()?
             .set_name(&old_ca.name)?
-            .set_valid_until(validity_in_years as u64)?
+            .set_valid_until(validity_h as u64, TimespanUnit::Day)?
             .build_ca()
 
     }
@@ -97,9 +97,9 @@ impl TLSCertificateBuilder {
         Ok(self)
     }
 
-    pub fn set_valid_until(mut self, years: u64) -> Result<Self, anyhow::Error> {
-        let (valid_until_unix, valid_until_openssl) = if years != 0 {
-            get_timestamp(years)?
+    pub fn set_valid_until(mut self, duration: u64, unit: TimespanUnit) -> Result<Self, anyhow::Error> {
+        let (valid_until_unix, valid_until_openssl) = if duration != 0 {
+            get_timestamp(duration, unit)?
         } else {
             get_short_lifetime()?
         };
@@ -314,12 +314,19 @@ fn generate_serial_number() -> Result<Asn1Integer, ErrorStack> {
 }
 
 /// Returns the current UNIX timestamp in milliseconds and an OpenSSL Asn1Time object.
-pub(crate) fn get_timestamp(from_now_in_years: u64) -> Result<(i64, Asn1Time), ErrorStack> {
-    let time = SystemTime::now() + std::time::Duration::from_secs(60 * 60 * 24 * 365 * from_now_in_years);
-    let time_unix = time.duration_since(UNIX_EPOCH).unwrap().as_millis() as i64;
-    let time_openssl = Asn1Time::days_from_now(365 * from_now_in_years as u32)?;
-
-    Ok((time_unix, time_openssl))
+pub(crate) fn get_timestamp(duration: u64, unit: TimespanUnit) -> Result<(i64, Asn1Time), ErrorStack> {
+    let duration_per_unit_h = match unit {
+        TimespanUnit::Year => 365*24,
+        TimespanUnit::Month => 30*24,
+        TimespanUnit::Day => 24,
+        TimespanUnit::Hour => 1,
+    };
+    let duration_s = 60 * 60 * duration * duration_per_unit_h;
+    let time = SystemTime::now() + std::time::Duration::from_secs(duration_s);
+    let time_unix_ms = time.duration_since(UNIX_EPOCH).unwrap().as_millis() as i64;
+    let time_openssl = Asn1Time::from_unix(time_unix_ms / 1000)?;
+
+    Ok((time_unix_ms, time_openssl))
 }
 
 /// For E2E testing generate a short lifetime certificate.

backend/src/data/api.rs

@@ -8,7 +8,7 @@ use rocket_okapi::okapi::schemars;
 use rocket_okapi::{okapi, JsonSchema, OpenApiError};
 use rocket_okapi::okapi::openapi3::{Responses, Response as OAResponse, MediaType, RefOr};
 use rocket_okapi::response::OpenApiResponderInner;
-use crate::data::enums::{CAType, CertificateRenewMethod, CertificateType, UserRole};
+use crate::data::enums::{CAType, CertificateRenewMethod, CertificateType, TimespanUnit, UserRole};
 
 #[derive(Serialize, Deserialize, JsonSchema)]
 pub struct IsSetupResponse {
@@ -22,7 +22,8 @@ pub struct SetupRequest {
     pub name: String,
     pub email: String,
     pub ca_name: String,
-    pub ca_validity_in_years: u64,
+    pub validity_duration: Option<u64>,
+    pub validity_unit: Option<TimespanUnit>,
     pub password: Option<String>,
 }
 
@@ -48,13 +49,15 @@ pub struct CallbackQuery {
 pub struct CreateCARequest {
     pub ca_name: String,
     pub ca_type: CAType,
-    pub validity_in_years: Option<u64>
+    pub validity_duration: Option<u64>,
+    pub validity_unit: Option<TimespanUnit>,
 }
 
 #[derive(Serialize, Deserialize, JsonSchema, Debug)]
 pub struct CreateUserCertificateRequest {
     pub cert_name: String,
-    pub validity_in_years: Option<u64>,
+    pub validity_duration: Option<u64>,
+    pub validity_unit: Option<TimespanUnit>,
     pub user_id: i64,
     pub notify_user: Option<bool>,
     pub system_generated_password: bool,

backend/src/data/enums.rs

@@ -118,4 +118,14 @@ impl FromSql for CertificateRenewMethod {
             _ => Err(FromSqlError::InvalidType),
         }
     }
+}
+
+#[derive(Serialize_repr, Deserialize_repr, JsonSchema, TryFromPrimitive, Clone, Debug, Copy, PartialEq, Eq, Default)]
+#[repr(u8)]
+pub enum TimespanUnit {
+    #[default]
+    Year = 0,
+    Month = 1,
+    Day = 2,
+    Hour = 3
 }

backend/tests/api/api_test_functionality.rs

@@ -19,7 +19,7 @@ use ssh_key::certificate::CertType;
 use tokio::io::{duplex, AsyncReadExt, AsyncWriteExt};
 use tokio::time::sleep;
 use tokio_rustls::{TlsAcceptor, TlsConnector};
-use vaultls::data::enums::{CAType, CertificateRenewMethod, CertificateType, UserRole};
+use vaultls::data::enums::{CAType, CertificateRenewMethod, CertificateType, TimespanUnit, UserRole};
 use vaultls::data::objects::User;
 use x509_parser::asn1_rs::FromDer;
 use x509_parser::prelude::X509Certificate;
@@ -107,7 +107,8 @@ async fn test_setup_hash() -> Result<()> {
         name: TEST_USER_NAME.to_string(),
         email: TEST_USER_EMAIL.to_string(),
         ca_name: TEST_CA_NAME.to_string(),
-        ca_validity_in_years: 1,
+        validity_duration: Some(1),
+        validity_unit: Some(TimespanUnit::Year),
         password: Some(password_hash.to_string()),
     };
 
@@ -365,8 +366,8 @@ async fn test_create_new_ca() -> Result<()> {
     assert_eq!(new_cas.len(), 2);
     assert_eq!(new_cas[1].name, TEST_SECOND_CA_NAME.to_string());
     assert_eq!(new_cas[1].id, 2);
-    assert!(now > new_cas[1].created_on && new_cas[1].created_on > now - 10000 /* 10 seconds */);
-    assert!(valid_until > new_cas[1].valid_until && new_cas[1].valid_until > valid_until - 10000 /* 10 seconds */);
+    assert!(now >= new_cas[1].created_on && new_cas[1].created_on > now - 10000 /* 10 seconds */);
+    assert!(valid_until >= new_cas[1].valid_until && new_cas[1].valid_until > valid_until - 10000 /* 10 seconds */);
 
     let ca_by_id_pem = client.download_tls_ca_by_id(2).await?;
     let ca_pem = client.download_current_tls_ca().await?;
@@ -404,7 +405,8 @@ async fn test_create_certificate_with_short_lived_ca() -> Result<()> {
 
     let cert_req = CreateUserCertificateRequest {
         cert_name: TEST_CLIENT_CERT_NAME.to_string(),
-        validity_in_years: Some(2),
+        validity_duration: Some(2),
+        validity_unit: Some(TimespanUnit::Year),
         user_id: 1,
         notify_user: None,
         system_generated_password: false,

backend/tests/common/test_client.rs

@@ -7,7 +7,7 @@ use std::ops::{Deref, DerefMut};
 use serde_json::Value;
 use vaultls::create_test_rocket;
 use vaultls::data::api::{CreateCARequest, CreateUserCertificateRequest, CreateUserRequest, LoginRequest, SetupRequest};
-use vaultls::data::enums::{CAType, CertificateRenewMethod, CertificateType, UserRole};
+use vaultls::data::enums::{CAType, CertificateRenewMethod, CertificateType, TimespanUnit, UserRole};
 use x509_parser::pem::Pem;
 use vaultls::certs::common::{Certificate, CA};
 use vaultls::data::enums::CertificateType::{SSHClient, TLSClient};
@@ -46,7 +46,8 @@ impl VaulTLSClient {
             name: TEST_USER_NAME.to_string(),
             email: TEST_USER_EMAIL.to_string(),
             ca_name: TEST_CA_NAME.to_string(),
-            ca_validity_in_years: 2,
+            validity_duration: Some(2),
+            validity_unit: Some(TimespanUnit::Year),
             password: Some(TEST_PASSWORD.to_string()),
         };
 
@@ -83,7 +84,8 @@ impl VaulTLSClient {
     pub(crate) async fn create_client_cert(&self, user_id: Option<i64>, password: Option<String>, ca_id: Option<i64>) -> Result<Certificate> {
         let cert_req = CreateUserCertificateRequest {
             cert_name: TEST_CLIENT_CERT_NAME.to_string(),
-            validity_in_years: Some(1),
+            validity_duration: Some(1),
+            validity_unit: Some(TimespanUnit::Year),
             user_id: user_id.unwrap_or(1),
             notify_user: None,
             system_generated_password: false,
@@ -108,7 +110,8 @@ impl VaulTLSClient {
     pub(crate) async fn create_ssh_client_cert(&self) -> Result<Certificate> {
         let cert_req = CreateUserCertificateRequest {
             cert_name: TEST_SSH_CLIENT_CERT_NAME.to_string(),
-            validity_in_years: Some(1),
+            validity_duration: Some(1),
+            validity_unit: Some(TimespanUnit::Year),
             user_id: 1,
             notify_user: None,
             system_generated_password: false,
@@ -133,7 +136,8 @@ impl VaulTLSClient {
     pub(crate) async fn create_server_cert(&self) -> Result<()> {
         let cert_req = CreateUserCertificateRequest {
             cert_name: TEST_SERVER_CERT_NAME.to_string(),
-            validity_in_years: Some(1),
+            validity_duration: Some(1),
+            validity_unit: Some(TimespanUnit::Year),
             user_id: 1,
             notify_user: None,
             system_generated_password: false,
@@ -294,7 +298,8 @@ impl VaulTLSClient {
         let data = CreateCARequest {
             ca_name: TEST_SECOND_CA_NAME.to_string(),
             ca_type: CAType::TLS,
-            validity_in_years: Some(15)
+            validity_duration: Some(15),
+            validity_unit: Some(TimespanUnit::Year),
         };
 
         let request = self
@@ -311,7 +316,8 @@ impl VaulTLSClient {
         let data = CreateCARequest {
             ca_name: TEST_SSH_CA_NAME.to_string(),
             ca_type: CAType::SSH,
-            validity_in_years: None
+            validity_duration: None,
+            validity_unit: None,
         };
 
         let request = self