Merge pull request #34 from datachainlab/fix-key-expiration-calculation

Fix to use `output.validity.not_after + 1` as key's `expiredAt` if the client state's key expiration is zero

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>

Author: bluele

contracts/LCPClientZKDCAPBase.sol

@@ -191,15 +191,16 @@ abstract contract LCPClientZKDCAPBase is LCPClientBase {
         }
 
         // calculate the expiration time of the enclave key
+        uint64 maxExpiredAt = output.validityNotAfter + 1;
         uint64 expiredAt;
         if (clientState.key_expiration == 0) {
-            // If the value is 0, the validity period of the EK is `qv_output.validity.not_after`.
-            expiredAt = output.validityNotAfter;
+            // If the value is 0, the validity period of the EK is `output.validity.not_after` + 1.
+            expiredAt = maxExpiredAt;
         } else {
-            // If the value is greater than 0, the validity period of the EK is min(`output.validty.not_before + key_expiration`, `output.validity.not_after`).
+            // If the value is greater than 0, the validity period of the EK is min(`output.validity.not_before + key_expiration`, `output.validity.not_after` + 1).
             expiredAt = output.validityNotBefore + clientState.key_expiration;
-            if (expiredAt > output.validityNotAfter) {
-                expiredAt = output.validityNotAfter;
+            if (expiredAt > maxExpiredAt) {
+                expiredAt = maxExpiredAt;
             }
             if (expiredAt <= block.timestamp) {
                 revert LCPClientEnclaveKeyExpired();

test/LCPClientZKDCAPTest.t.sol

@@ -51,7 +51,7 @@ contract LCPClientZKDCAPTest is BasicTest {
         // warp to the time of `output.validityNotBefore`
         vm.warp(output.validityNotBefore);
         lc.zkDCAPRegisterEnclaveKey(clientId, registerEnclaveKeyMessage(output));
-        assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter);
+        assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter + 1);
 
         // if `validityNotBefore` is in the future, it should fail
         output = ZKDCAPTestHelper.qvOutput();
@@ -72,7 +72,7 @@ contract LCPClientZKDCAPTest is BasicTest {
         output.validityNotAfter = uint64(block.timestamp);
         output.enclaveKey = address(2);
         lc.zkDCAPRegisterEnclaveKey(clientId, registerEnclaveKeyMessage(output));
-        assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter);
+        assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter + 1);
     }
 
     function testRegisterEnclaveKeyNotSetGracePeriod() public {
@@ -300,11 +300,11 @@ contract LCPClientZKDCAPTest is BasicTest {
         DCAPValidator.Output memory output;
 
         // if `key_expiration` is 0 and the current time is within the validity period, it should succeed
-        // and the key expiration should be set to `validityNotAfter`
+        // and the key expiration should be set to `validityNotAfter` + 1
         output = ZKDCAPTestHelper.qvOutput();
         vm.warp(output.validityNotBefore);
         lc.zkDCAPRegisterEnclaveKey(clientId, registerEnclaveKeyMessage(output));
-        assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter);
+        assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter + 1);
     }
 
     function testRegisterEnclaveKeySetKeyExpiration() public {
@@ -356,7 +356,7 @@ contract LCPClientZKDCAPTest is BasicTest {
         output.enclaveKey = address(3);
         output.validityNotAfter = output.validityNotBefore + clientState.key_expiration - 1;
         lc.zkDCAPRegisterEnclaveKey(clientId, registerEnclaveKeyMessage(output));
-        assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter);
+        assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter + 1);
     }
 
     function testRegisterEnclaveKeyInvalidZkvmType() public {