feat: Rotate WebRTC Direct certificates

packages/transport-webrtc/src/index.ts

@@ -280,6 +280,7 @@ export interface TransportCertificate {
    * The hash of the certificate
    */
   certhash: string
+  notAfter: string
 }
 
 export type { WebRTCTransportDirectInit, WebRTCDirectTransportComponents }

packages/transport-webrtc/src/private-to-public/listener.ts

@@ -33,6 +33,7 @@ export interface WebRTCDirectListenerInit {
   dataChannel?: DataChannelOptions
   rtcConfiguration?: RTCConfiguration | (() => RTCConfiguration | Promise<RTCConfiguration>)
   useLibjuice?: boolean
+  certificateDuration?: number
 }
 
 export interface WebRTCListenerMetrics {
@@ -83,6 +84,15 @@ export class WebRTCDirectListener extends TypedEventEmitter<ListenerEvents> impl
     }
   }
 
+  private isCertificateExpiring (): boolean {
+    if (this.certificate == null) return true
+    const expiryDate = new Date(this.certificate.notAfter)
+    const now = new Date()
+    const timeToExpiry = expiryDate.getTime() - now.getTime()
+    const threshold = 30 * 24 * 60 * 60 * 1000
+    return timeToExpiry < threshold
+  }
+
   async listen (ma: Multiaddr): Promise<void> {
     const parts = ma.stringTuples()
     const ipVersion = IP4.matches(ma) ? 4 : 6
@@ -154,20 +164,19 @@ export class WebRTCDirectListener extends TypedEventEmitter<ListenerEvents> impl
       server: Promise.resolve()
         .then(async (): Promise<StunServer> => {
           // ensure we have a certificate
-          if (this.certificate == null) {
+          if (this.certificate == null || this.isCertificateExpiring()) {
             this.log.trace('creating TLS certificate')
             const keyPair = await crypto.subtle.generateKey({
               name: 'ECDSA',
               namedCurve: 'P-256'
             }, true, ['sign', 'verify'])
 
             const certificate = await generateTransportCertificate(keyPair, {
-              days: 365 * 10
+              days: this.init.certificateDuration ?? 365 * 10
             })
+            this.safeDispatchEvent('listening')
 
-            if (this.certificate == null) {
-              this.certificate = certificate
-            }
+            this.certificate = certificate
           }
 
           if (port === 0) {

packages/transport-webrtc/src/private-to-public/utils/generate-certificates.ts

@@ -46,6 +46,7 @@ export async function generateTransportCertificate (keyPair: CryptoKeyPair, opti
   return {
     privateKey: privateKeyPem,
     pem: cert.toString('pem'),
-    certhash: base64url.encode((await sha256.digest(new Uint8Array(cert.rawData))).bytes)
+    certhash: base64url.encode((await sha256.digest(new Uint8Array(cert.rawData))).bytes),
+    notAfter: notAfter.toISOString()
   }
 }

packages/transport-webrtc/test/certificate.spec.ts

@@ -0,0 +1,80 @@
+import { Crypto } from '@peculiar/webcrypto'
+import { expect } from 'aegir/utils/chai.js'
+import sinon from 'sinon'
+import { WebRTCDirectListener, type WebRTCDirectListenerInit } from '../src/private-to-public/listener.js'
+import { type WebRTCDirectTransportComponents } from '../src/private-to-public/transport.js'
+import { generateTransportCertificate } from '../src/private-to-public/utils/generate-certificates.js'
+import type { TransportCertificate } from '../src/index.js'
+
+const crypto = new Crypto()
+
+describe('WebRTCDirectListener', () => {
+  let listener: WebRTCDirectListener
+  let components: WebRTCDirectTransportComponents
+  let init: WebRTCDirectListenerInit
+
+  beforeEach(() => {
+    components = {
+      peerId: { toB58String: () => 'QmPeerId' } as any,
+      privateKey: {} as any,
+      logger: {
+        forComponent: () => ({
+          trace: () => {},
+          error: () => {}
+        })
+      } as any,
+      transportManager: {} as any
+    }
+
+    init = {
+      certificateDuration: 10,
+      upgrader: {} as any
+    }
+
+    listener = new WebRTCDirectListener(components, init)
+  })
+
+  afterEach(() => {
+    sinon.restore()
+  })
+
+  it('should generate a certificate with the configured duration', async () => {
+    const keyPair = await crypto.subtle.generateKey({
+      name: 'ECDSA',
+      namedCurve: 'P-256'
+    }, true, ['sign', 'verify'])
+
+    const certificate: TransportCertificate = await generateTransportCertificate(keyPair, {
+      days: init.certificateDuration!
+    })
+
+    expect(new Date(certificate.notAfter).getTime()).to.be.closeTo(
+      new Date().getTime() + init.certificateDuration! * 86400000,
+      1000
+    )
+  })
+
+  it('should re-emit listening event when a new certificate is generated', async () => {
+    const emitSpy = sinon.spy(listener as any, 'safeDispatchEvent')
+    const generateCertificateSpy = sinon.spy(generateTransportCertificate)
+
+    await (listener as any).startUDPMuxServer('127.0.0.1', 0)
+
+    expect(generateCertificateSpy.called).to.be.true
+    expect(emitSpy.calledWith('listening')).to.be.true
+  })
+
+  it('should generate a new certificate before expiry', async () => {
+    (listener as any).certificate = {
+      notAfter: new Date(Date.now() + 5 * 86400000).toISOString()
+    }
+
+    const isCertificateExpiringSpy = sinon.spy(listener as any, 'isCertificateExpiring')
+    const generateCertificateSpy = sinon.spy(generateTransportCertificate) 
+
+    await (listener as any).startUDPMuxServer('127.0.0.1', 0)
+
+    expect(isCertificateExpiringSpy.returned(true)).to.be.true
+    expect(generateCertificateSpy.called).to.be.true
+  })
+})