[GitHub] [mina-sshd] alex-sherwin commented on a change in pull request #198: SSHD-1166 - Support creating signed OpenSSH Certificates

Fri, 28 May 2021 08:14:51 -0700 


alex-sherwin commented on a change in pull request #198:
URL: https://github.com/apache/mina-sshd/pull/198#discussion_r641627958



##########
File path: 
sshd-common/src/main/java/org/apache/sshd/common/config/keys/OpenSshCertificate.java
##########
@@ -52,26 +57,34 @@
     Collection<String> getPrincipals();
 
     /**
-     * Retrieves the time in number of seconds since the {@link 
java.time.Instant#EPOCH} at which this certificate
-     * becomes or became valid.
-     *
-     * @return the number of seconds since the Instant.EPOCH <em>as an 
unsigned 64bit value</em>
-     * @see    {{@link #isValidNow(OpenSshCertificate)}
+     * When null, implies forever
      */
-    long getValidAfter();
+    Instant getValidAfter();
+
+    default long getValidAfterEpochSeconds() {
+        if (getValidAfter() == null) {
+            return VALID_AFTER_FOREVER_EPOCH;
+        }
+        return getValidAfter().getEpochSecond();

Review comment:
       My observation was that for the `validAfter` field, a certificate has a 
uint64 encoded as `0` in the case of a "forever" certificate, so my intention 
was to treat this as a special case in two ways:
   
   1. during decoding (in `OpenSSHCertPublicKeyParser`), when it decodes the 
bytes as a uint64 `0`, leave the `Instant` as null (to signify forever)
   2. On `OpenSshCertificate.getValidAfterEpochSeconds` (simply a helper), 
apply this same logic in reverse, if the value is null, return the magic 
"forever" epoch that should be encoded
   
   The intention would be that the business code a developer writes only needs 
to interact with the `Instant` (null for forever, otherwise set a value), and 
`OpenSshCertificate.getValidAfterEpochSeconds` and 
`OpenSshCertificate.getValidBeforeEpochSeconds` are simply used when encoding 
the bytes of the certificate into a `Buffer`
   
   




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to