search

google / exposure-notifications-server

Exposure Notification Reference Server | Covid-19 Exposure Notifications
https://www.google.com/covid19/exposurenotifications/
Apache License 2.0
2.44k stars 311 forks source link

Server time synchronization tolerance #1511

Closed ethanmdavidson closed 3 years ago

ethanmdavidson commented 3 years ago

Question

How much clock drift is accepted between Verification Server and Key Server?

e2e-runner is intermittently failing with error messages like "token is not valid yet" and "token used before issued". This seems to indicate a clock sync issue between MVS and NKS. How much tolerance is built into these checks?

Full errors here in case I'm misinterpreting them: error uploading teks: POST https://prod.exposurenotification.health/v1/publish - 401: error response from API: unable to validate diagnosis verification: token is not valid yet, err: %!w(<nil>), body: {"error":"unable to validate diagnosis verification: token is not valid yet","code":"health_authority_verification_certificate_invalid"

error uploading teks: POST https://prod.exposurenotification.health/v1/publish - 401: error response from API: unable to validate diagnosis verification: Token used before issued, err: %!w(<nil>), body: {"error":"unable to validate diagnosis verification: Token used before issued","code":"health_authority_verification_certificate_invalid"

mikehelmick commented 3 years ago

The clock skew allowance is currently 1 second

https://github.com/google/exposure-notifications-verification-server/blob/32253afb64ce876cd8e354a355695eda34a0ed3b/pkg/controller/certapi/certificate.go#L125

ethanmdavidson commented 3 years ago

thanks