diff --git a/contracts/LCPClientZKDCAPBase.sol b/contracts/LCPClientZKDCAPBase.sol index 04a22f0..20f3cb0 100644 --- a/contracts/LCPClientZKDCAPBase.sol +++ b/contracts/LCPClientZKDCAPBase.sol @@ -191,15 +191,16 @@ abstract contract LCPClientZKDCAPBase is LCPClientBase { } // calculate the expiration time of the enclave key + uint64 maxExpiredAt = output.validityNotAfter + 1; uint64 expiredAt; if (clientState.key_expiration == 0) { - // If the value is 0, the validity period of the EK is `qv_output.validity.not_after`. - expiredAt = output.validityNotAfter; + // If the value is 0, the validity period of the EK is `output.validity.not_after` + 1. + expiredAt = maxExpiredAt; } else { - // If the value is greater than 0, the validity period of the EK is min(`output.validty.not_before + key_expiration`, `output.validity.not_after`). + // If the value is greater than 0, the validity period of the EK is min(`output.validity.not_before + key_expiration`, `output.validity.not_after` + 1). expiredAt = output.validityNotBefore + clientState.key_expiration; - if (expiredAt > output.validityNotAfter) { - expiredAt = output.validityNotAfter; + if (expiredAt > maxExpiredAt) { + expiredAt = maxExpiredAt; } if (expiredAt <= block.timestamp) { revert LCPClientEnclaveKeyExpired(); diff --git a/test/LCPClientZKDCAPTest.t.sol b/test/LCPClientZKDCAPTest.t.sol index 8e18bff..4f88ec7 100644 --- a/test/LCPClientZKDCAPTest.t.sol +++ b/test/LCPClientZKDCAPTest.t.sol @@ -51,7 +51,7 @@ contract LCPClientZKDCAPTest is BasicTest { // warp to the time of `output.validityNotBefore` vm.warp(output.validityNotBefore); lc.zkDCAPRegisterEnclaveKey(clientId, registerEnclaveKeyMessage(output)); - assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter); + assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter + 1); // if `validityNotBefore` is in the future, it should fail output = ZKDCAPTestHelper.qvOutput(); @@ -72,7 +72,7 @@ contract LCPClientZKDCAPTest is BasicTest { output.validityNotAfter = uint64(block.timestamp); output.enclaveKey = address(2); lc.zkDCAPRegisterEnclaveKey(clientId, registerEnclaveKeyMessage(output)); - assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter); + assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter + 1); } function testRegisterEnclaveKeyNotSetGracePeriod() public { @@ -300,11 +300,11 @@ contract LCPClientZKDCAPTest is BasicTest { DCAPValidator.Output memory output; // if `key_expiration` is 0 and the current time is within the validity period, it should succeed - // and the key expiration should be set to `validityNotAfter` + // and the key expiration should be set to `validityNotAfter` + 1 output = ZKDCAPTestHelper.qvOutput(); vm.warp(output.validityNotBefore); lc.zkDCAPRegisterEnclaveKey(clientId, registerEnclaveKeyMessage(output)); - assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter); + assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter + 1); } function testRegisterEnclaveKeySetKeyExpiration() public { @@ -356,7 +356,7 @@ contract LCPClientZKDCAPTest is BasicTest { output.enclaveKey = address(3); output.validityNotAfter = output.validityNotBefore + clientState.key_expiration - 1; lc.zkDCAPRegisterEnclaveKey(clientId, registerEnclaveKeyMessage(output)); - assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter); + assertEq(lc.getEKInfo(clientId, output.enclaveKey).expiredAt, output.validityNotAfter + 1); } function testRegisterEnclaveKeyInvalidZkvmType() public {