NLnetLabs / routinator

An RPKI Validator and RTR server written in Rust
https://nlnetlabs.nl/projects/routing/routinator/
BSD 3-Clause "New" or "Revised" License

jsonext does not seem to include EE/crl/manifest expiry time #931

Closed ties closed 8 months ago

ties commented 10 months ago

When looking at the chainValidity in the jsonext output it seems like manifest/crl expiry is not considered. It might be nice to include this information in the result so a user can see how long an object currently really is valid.

Very low priority.

// curl https://rpki-validator.ripe.net/jsonext 2>/dev/null | grep rpki.ripe.net | head -n 10 | tail -n 1 | sed -e's/,$//' | jq '.'
{
  "asn": "AS12479",
  "prefix": "1.178.248.0/21",
  "maxLength": 21,
  "source": [
    {
      "type": "roa",
      "uri": "rsync://rpki.ripe.net/repository/DEFAULT/a7/1a830a-f061-4cdc-bafb-a2fe9f015d71/1/lTI6zlhbGxM_MiAwrBp26vfY0BM.roa",
      "tal": "ripe",
      "validity": {
        "notBefore": "2024-01-23T10:07:11Z",
        "notAfter": "2025-07-01T00:00:00Z"
      },
      "chainValidity": {
        "notBefore": "2024-01-23T14:32:31Z",
        "notAfter": "2024-07-01T00:00:00Z"
      }
    }
  ]
}

partim commented 10 months ago

The chain validity currently doesn’t consider the validity of the manifest’s EE cert.

The time when manifest’s and CRL’s next update time make it go stale should probably be a separate value.
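
Added example, not part of the thread and not Routinator code: a monitoring check over records shaped like the one quoted above, reporting VRPs whose validity window ends soon. It assumes a VRP stays in the output while at least one of its sources is valid; the second sample record is constructed. As the thread notes, manifest and CRL next-update times are not in this data, so the result is only an upper bound.

```python
from datetime import datetime, timedelta, timezone

# First record is the one quoted in the issue (uri omitted); the second is constructed.
SAMPLE = [
    {"asn": "AS12479", "prefix": "1.178.248.0/21", "maxLength": 21, "source": [
        {"type": "roa", "tal": "ripe",
         "validity": {"notBefore": "2024-01-23T10:07:11Z", "notAfter": "2025-07-01T00:00:00Z"},
         "chainValidity": {"notBefore": "2024-01-23T14:32:31Z", "notAfter": "2024-07-01T00:00:00Z"}}]},
    {"asn": "AS64496", "prefix": "192.0.2.0/24", "maxLength": 24, "source": [
        {"type": "roa", "tal": "example",
         "validity": {"notBefore": "2024-01-01T00:00:00Z", "notAfter": "2025-01-01T00:00:00Z"},
         "chainValidity": {"notBefore": "2024-01-01T00:00:00Z", "notAfter": "2024-06-25T00:00:00Z"}},
        {"type": "roa", "tal": "example",
         "validity": {"notBefore": "2024-02-01T00:00:00Z", "notAfter": "2025-02-01T00:00:00Z"},
         "chainValidity": {"notBefore": "2024-02-01T00:00:00Z", "notAfter": "2024-12-01T00:00:00Z"}}]},
]

def parse_ts(text):
    """Parse the UTC timestamp form used in the output, e.g. 2024-07-01T00:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def source_window(source):
    """Intersect validity and chainValidity of one source; None if neither is present."""
    windows = [source[k] for k in ("validity", "chainValidity") if k in source]
    if not windows:
        return None
    return (max(parse_ts(w["notBefore"]) for w in windows),
            min(parse_ts(w["notAfter"]) for w in windows))

def vrp_upper_bound(record):
    """Latest notAfter over all sources (assumes one valid source keeps the VRP)."""
    ends = [w[1] for w in map(source_window, record.get("source", [])) if w]
    return max(ends) if ends else None

def expiring(records, now, within):
    """Return (asn, prefix, maxLength, notAfter) for VRPs ending within `within` of `now`, or already past."""
    hits = []
    for rec in records:
        end = vrp_upper_bound(rec)
        if end is not None and end - now <= within:
            hits.append((rec["asn"], rec["prefix"], rec["maxLength"], end))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    now = datetime(2024, 6, 20, tzinfo=timezone.utc)  # fixed so the output is repeatable
    for asn, prefix, max_len, end in expiring(SAMPLE, now, timedelta(days=14)):
        # Upper bound only: manifest/CRL staleness is not in the data.
        print(f"{asn} {prefix}-{max_len} valid at most until {end.isoformat()}")
```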