feat: Rotate WebRTC Direct certificates #2997

Aryakoste · 2025-02-23T18:56:09Z

Title

Rotating web RTC certificate when expiring

Description

Fixes #2989

Notes & open questions

I know this PR is not be perfect. Please provide me suggestions or changes that needed to be done.

Change checklist

I have performed a self-review of my own code
I have made corresponding changes to the documentation if necessary (this includes comments as well)
I have added tests that prove my fix is effective or that my feature works

achingbrain

Thanks for opening this, comments inline.

achingbrain · 2025-03-05T16:02:47Z

packages/transport-webrtc/src/private-to-public/listener.ts

@@ -154,20 +164,19 @@ export class WebRTCDirectListener extends TypedEventEmitter<ListenerEvents> impl
      server: Promise.resolve()
        .then(async (): Promise<StunServer> => {
          // ensure we have a certificate
-          if (this.certificate == null) {
+          if (this.certificate == null || this.isCertificateExpiring()) {


This check will only run when the node is started.

If the certificate expires while the node is running it will continue using it and connections will start to fail.

Instead a timeout should be set that fires a short(ish) time before the certificate expiry that creates a new certificate, restarts the server with the new cert and emits the "listening" event.

achingbrain · 2025-03-05T16:05:16Z

packages/transport-webrtc/src/index.ts

@@ -280,6 +280,7 @@ export interface TransportCertificate {
   * The hash of the certificate
   */
  certhash: string
+  notAfter: string


This would be better as a number so we don't have to convert the string back to a date in order to see if the cert is about to expire, instead it can just be compared to Date.now() - threshold .

achingbrain · 2025-03-05T16:05:26Z

packages/transport-webrtc/src/private-to-public/listener.ts

+    const expiryDate = new Date(this.certificate.notAfter)
+    const now = new Date()
+    const timeToExpiry = expiryDate.getTime() - now.getTime()
+    const threshold = 30 * 24 * 60 * 60 * 1000


threshold should be configurable.

achingbrain · 2025-03-05T16:06:13Z

packages/transport-webrtc/test/certificate.spec.ts

+      peerId: { toB58String: () => 'QmPeerId' } as any,
+      privateKey: {} as any,
+      logger: {
+        forComponent: () => ({
+          trace: () => {},
+          error: () => {}
+        })
+      } as any,


These fields can be filled using actual values, see other tests here for an example.

achingbrain · 2025-03-05T16:06:38Z

packages/transport-webrtc/test/certificate.spec.ts

+          error: () => {}
+        })
+      } as any,
+      transportManager: {} as any


You can use stubInterface<TransportManager>() from sinon-ts here to avoid casting to any.

feat: Rotate WebRTC Direct certificates

4666793

Aryakoste requested a review from a team as a code owner February 23, 2025 18:56

changes to the test file

2c545d8

achingbrain requested changes Mar 5, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Rotate WebRTC Direct certificates #2997

feat: Rotate WebRTC Direct certificates #2997

Aryakoste commented Feb 23, 2025

achingbrain left a comment

achingbrain Mar 5, 2025

achingbrain Mar 5, 2025

achingbrain Mar 5, 2025

achingbrain Mar 5, 2025

achingbrain Mar 5, 2025

feat: Rotate WebRTC Direct certificates #2997

Are you sure you want to change the base?

feat: Rotate WebRTC Direct certificates #2997

Conversation

Aryakoste commented Feb 23, 2025

Title

Description

Notes & open questions

Change checklist

achingbrain left a comment

Choose a reason for hiding this comment

achingbrain Mar 5, 2025

Choose a reason for hiding this comment

achingbrain Mar 5, 2025

Choose a reason for hiding this comment

achingbrain Mar 5, 2025

Choose a reason for hiding this comment

achingbrain Mar 5, 2025

Choose a reason for hiding this comment

achingbrain Mar 5, 2025

Choose a reason for hiding this comment