Close TLS and QUIC links on certificate expiration

Cargo.toml

@@ -167,6 +167,7 @@ socket2 = { version = "0.5.7", features = ["all"] }
 stop-token = "0.7.0"
 syn = "2.0"
 tide = "0.16.0"
+time = "0.3.36"
 token-cell = { version = "1.5.0", default-features = false }
 tokio = { version = "1.40.0", default-features = false } # Default features are disabled due to some crates' requirements
 tokio-util = "0.7.12"

DEFAULT_CONFIG.json5

@@ -466,6 +466,10 @@
         // This could be dangerous because your CA can have signed a server cert for foo.com, that's later being used to host a server at baz.com. If you wan't your
         // ca to verify that the server at baz.com is actually baz.com, let this be true (default).
         verify_name_on_connect: true,
+        // Whether or not to close links when remote certificates expires.
+        // If set to true, links that require certificates (tls/quic) will automatically disconnect when the time of expiration of the remote certificate chain is reached
+        // note that mTLS (client authentication) is required for a listener to disconnect a client on expiration
+        close_link_on_expiration: false,
       },
     },
     /// Shared memory configuration.

commons/zenoh-config/src/lib.rs

@@ -483,6 +483,7 @@ validated_struct::validator! {
                     connect_private_key: Option<String>,
                     connect_certificate: Option<String>,
                     verify_name_on_connect: Option<bool>,
+                    close_link_on_expiration: Option<bool>,
                     // Skip serializing field because they contain secrets
                     #[serde(skip_serializing)]
                     root_ca_certificate_base64: Option<SecretValue>,

io/zenoh-link-commons/Cargo.toml

@@ -35,6 +35,7 @@ futures = { workspace = true }
 rustls = { workspace = true, optional = true }
 rustls-webpki = { workspace = true, optional = true }
 serde = { workspace = true, features = ["default"] }
+time = { workspace = true }
 tokio = { workspace = true, features = [
   "fs",
   "io-util",

io/zenoh-link-commons/src/tls.rs

@@ -86,3 +86,104 @@ impl WebPkiVerifierAnyServerName {
         Self { roots }
     }
 }
+
+pub mod expiration {
+    use std::{net::SocketAddr, sync::Weak};
+
+    use time::OffsetDateTime;
+    use tokio::task::JoinHandle;
+    use tokio_util::sync::CancellationToken;
+
+    use crate::LinkUnicastTrait;
+
+    #[derive(Debug)]
+    pub struct LinkCertExpirationManager {
+        token: CancellationToken,
+        handle: Option<JoinHandle<()>>,
+    }
+
+    impl LinkCertExpirationManager {
+        pub fn new(
+            link: Weak<dyn LinkUnicastTrait>,
+            src_addr: SocketAddr,
+            dst_addr: SocketAddr,
+            link_type: String,
+            expiration_time: OffsetDateTime,
+        ) -> Self {
+            let token = CancellationToken::new();
+            let handle = zenoh_runtime::ZRuntime::Acceptor.spawn(expiration_task(
+                link,
+                src_addr,
+                dst_addr,
+                link_type,
+                expiration_time,
+                token.clone(),
+            ));
+            Self {
+                token,
+                handle: Some(handle),
+            }
+        }
+    }
+
+    // Cleanup expiration task when manager is dropped
+    impl Drop for LinkCertExpirationManager {
+        fn drop(&mut self) {
+            if let Some(handle) = self.handle.take() {
+                self.token.cancel();
+                zenoh_runtime::ZRuntime::Acceptor.block_in_place(async {
+                    let _ = handle.await;
+                })
+            }
+        }
+    }
+
+    async fn expiration_task(
+        link: Weak<dyn LinkUnicastTrait>,
+        src_addr: SocketAddr,
+        dst_addr: SocketAddr,
+        link_type: String,
+        expiration_time: OffsetDateTime,
+        token: CancellationToken,
+    ) {
+        // NOTE: should expose or tune sleep duration
+        const MAX_EXPIRATION_SLEEP_DURATION: tokio::time::Duration =
+            tokio::time::Duration::from_secs(600);
+
+        loop {
+            let now = OffsetDateTime::now_utc();
+            if expiration_time <= now {
+                // close link
+                if let Some(link) = link.upgrade() {
+                    tracing::warn!(
+                        "Closing {} link {:?} => {:?} : remote certificate chain expired",
+                        link_type.to_uppercase(),
+                        src_addr,
+                        dst_addr,
+                    );
+                    if let Err(e) = link.close().await {
+                        tracing::error!(
+                            "Error closing {} link {:?} => {:?} : {}",
+                            link_type.to_uppercase(),
+                            src_addr,
+                            dst_addr,
+                            e
+                        )
+                    }
+                }
+                break;
+            }
+            // next sleep duration is the minimum between MAX_EXPIRATION_SLEEP_DURATION and the duration till next expiration
+            // this mitigates the unsoundness of using `tokio::time::sleep` with long durations
+            let next_expiration_duration = std::time::Duration::try_from(expiration_time - now)
+                .expect("expiration_time should be greater than now");
+            let sleep_duration =
+                tokio::time::Duration::min(MAX_EXPIRATION_SLEEP_DURATION, next_expiration_duration);
+
+            tokio::select! {
+                _ = token.cancelled() => break,
+                _ = tokio::time::sleep(sleep_duration) => {},
+            }
+        }
+    }
+}

io/zenoh-links/zenoh-link-quic/Cargo.toml

@@ -33,6 +33,7 @@ rustls-pemfile = { workspace = true }
 rustls-pki-types = { workspace = true }
 rustls-webpki = { workspace = true }
 secrecy = { workspace = true }
+time = { workspace = true }
 tokio = { workspace = true, features = [
   "fs",
   "io-util",

io/zenoh-links/zenoh-link-quic/src/lib.rs

@@ -112,4 +112,7 @@ pub mod config {
 
     pub const TLS_VERIFY_NAME_ON_CONNECT: &str = "verify_name_on_connect";
     pub const TLS_VERIFY_NAME_ON_CONNECT_DEFAULT: bool = true;
+
+    pub const TLS_CLOSE_LINK_ON_EXPIRATION: &str = "close_link_on_expiration";
+    pub const TLS_CLOSE_LINK_ON_EXPIRATION_DEFAULT: bool = false;
 }