Merge pull request #476 from sigstore/validfor-helpers

Add validity helpers
sigstore · Aug 8, 2023 · a4f0cd6 · a4f0cd6
2 parents 8e5c680 + 7d3eabe
commit a4f0cd6
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 12 deletions.
diff --git a/sigstore-java/src/main/java/dev/sigstore/trustroot/CertificateAuthorities.java b/sigstore-java/src/main/java/dev/sigstore/trustroot/CertificateAuthorities.java
@@ -63,7 +63,7 @@ public List<CertificateAuthority> find(Instant time) {
   public CertificateAuthority current() {
     var current =
         getCertificateAuthorities().stream()
-            .filter(ca -> ca.getValidFor().getEnd().isEmpty())
+            .filter(CertificateAuthority::isCurrent)
             .collect(Collectors.toList());
     if (current.size() == 0) {
       throw new IllegalStateException("Trust root contains no current certificate authorities");

diff --git a/sigstore-java/src/main/java/dev/sigstore/trustroot/CertificateAuthority.java b/sigstore-java/src/main/java/dev/sigstore/trustroot/CertificateAuthority.java
@@ -19,20 +19,25 @@
 import java.net.URI;
 import java.security.cert.CertPath;
 import java.security.cert.CertificateException;
+import java.time.Instant;
 import org.immutables.value.Value.Immutable;
 
 @Immutable
-public interface CertificateAuthority {
-  CertPath getCertPath();
+public abstract class CertificateAuthority {
+  public abstract CertPath getCertPath();
 
-  URI getUri();
+  public abstract URI getUri();
 
-  ValidFor getValidFor();
+  public abstract ValidFor getValidFor();
 
-  Subject getSubject();
+  public abstract Subject getSubject();
 
-  static CertificateAuthority from(dev.sigstore.proto.trustroot.v1.CertificateAuthority proto)
-      throws CertificateException {
+  public boolean isCurrent() {
+    return getValidFor().contains(Instant.now());
+  }
+
+  public static CertificateAuthority from(
+      dev.sigstore.proto.trustroot.v1.CertificateAuthority proto) throws CertificateException {
     return ImmutableCertificateAuthority.builder()
         .certPath(ProtoMutators.toCertPath(proto.getCertChain().getCertificatesList()))
         .validFor(ValidFor.from(proto.getValidFor()))

diff --git a/sigstore-java/src/main/java/dev/sigstore/trustroot/ValidFor.java b/sigstore-java/src/main/java/dev/sigstore/trustroot/ValidFor.java
@@ -22,12 +22,22 @@
 import org.immutables.value.Value.Immutable;
 
 @Immutable
-public interface ValidFor {
-  Instant getStart();
+public abstract class ValidFor {
+  public abstract Instant getStart();
 
-  Optional<Instant> getEnd();
+  public abstract Optional<Instant> getEnd();
 
-  static ValidFor from(TimeRange proto) {
+  public boolean contains(Instant instant) {
+    if (!getStart().isBefore(instant)) {
+      return false;
+    }
+    if (getEnd().isEmpty() || getEnd().get().isAfter(instant)) {
+      return true;
+    }
+    return false;
+  }
+
+  public static ValidFor from(TimeRange proto) {
     return ImmutableValidFor.builder()
         .start(ProtoMutators.toInstant(proto.getStart()))
         .end(

diff --git a/sigstore-java/src/test/java/dev/sigstore/trustroot/ValidForTest.java b/sigstore-java/src/test/java/dev/sigstore/trustroot/ValidForTest.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.trustroot;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+class ValidForTest {
+
+  @Test
+  public void contains_withStartAndEnd() {
+    var start = Instant.now().minus(10, ChronoUnit.MINUTES);
+    var end = Instant.now().plus(10, ChronoUnit.MINUTES);
+    var range = ImmutableValidFor.builder().start(start).end(end).build();
+
+    Assertions.assertTrue(range.contains(Instant.now()));
+
+    Assertions.assertTrue(range.contains(start.plus(10, ChronoUnit.SECONDS)));
+    Assertions.assertFalse(range.contains(start));
+    Assertions.assertFalse(range.contains(start.minus(10, ChronoUnit.SECONDS)));
+
+    Assertions.assertTrue(range.contains(end.minus(10, ChronoUnit.SECONDS)));
+    Assertions.assertFalse(range.contains(end));
+    Assertions.assertFalse(range.contains(end.plus(10, ChronoUnit.SECONDS)));
+  }
+
+  public void contains_withNoEnd() {
+    var start = Instant.now().minus(10, ChronoUnit.MINUTES);
+    var range = ImmutableValidFor.builder().start(start).build();
+
+    Assertions.assertTrue(range.contains(Instant.now()));
+    Assertions.assertTrue(range.contains(Instant.now().plus(10, ChronoUnit.SECONDS)));
+
+    Assertions.assertTrue(range.contains(start.plus(10, ChronoUnit.SECONDS)));
+    Assertions.assertFalse(range.contains(start));
+    Assertions.assertFalse(range.contains(start.minus(10, ChronoUnit.SECONDS)));
+  }
+}