feat(ra-tls): adjust certificate validity periods for security

dstack-util/src/main.rs

@@ -13,7 +13,7 @@ use k256::schnorr::SigningKey;
 use ra_rpc::Attestation;
 use ra_tls::{
     attestation::QuoteContentType,
-    cert::generate_ra_cert,
+    cert::{generate_ra_cert, server_cert_not_after},
     kdf::{derive_ecdsa_key, derive_ecdsa_key_pair_from_bytes},
     rcgen::KeyPair,
 };
@@ -348,6 +348,7 @@ fn cmd_gen_ca_cert(args: GenCaCertArgs) -> Result<()> {
         .attestation(&attestation)
         .key(&key)
         .ca_level(args.ca_level)
+        .not_after(server_cert_not_after())
         .build();
 
     let cert = req
@@ -419,6 +420,7 @@ fn make_app_keys(
         .attestation(&attestation)
         .key(app_key)
         .ca_level(ca_level)
+        .not_after(server_cert_not_after())
         .build();
     let cert = req
         .self_signed()

gateway/src/main.rs

@@ -110,6 +110,7 @@ async fn maybe_gen_certs(config: &Config, tls_config: &TlsConfig) -> Result<()>
         .subject("dstack-gateway")
         .alt_names(std::slice::from_ref(&config.rpc_domain))
         .usage_server_auth(true)
+        .not_after(ra_tls::cert::server_cert_not_after())
         .build()
         .self_signed()
         .context("Failed to self-sign rpc cert")?;

kms/src/main_service.rs

@@ -17,7 +17,9 @@ use k256::ecdsa::SigningKey;
 use ra_rpc::{CallContext, RpcCall};
 use ra_tls::{
     attestation::VerifiedAttestation,
-    cert::{CaCert, CertRequest, CertSigningRequestV1, CertSigningRequestV2, Csr},
+    cert::{
+        server_cert_not_after, CaCert, CertRequest, CertSigningRequestV1, CertSigningRequestV2, Csr,
+    },
     kdf,
 };
 use scale::Decode;
@@ -224,6 +226,7 @@ impl RpcHandler {
             .ca_level(0)
             .app_id(app_id)
             .special_usage("app:ca")
+            .not_after(server_cert_not_after())
             .build();
         let app_ca = self
             .state

kms/src/onboard_service.rs

@@ -17,7 +17,7 @@ use k256::ecdsa::SigningKey;
 use ra_rpc::{client::RaClient, CallContext, RpcCall};
 use ra_tls::{
     attestation::{QuoteContentType, VersionedAttestation},
-    cert::{CaCert, CertRequest},
+    cert::{client_cert_not_after, server_cert_not_after, CaCert, CertRequest},
     rcgen::{Certificate, KeyPair, PKCS_ECDSA_P256_SHA256},
 };
 use safe_write::safe_write;
@@ -128,6 +128,7 @@ impl Keys {
             .subject("Dstack Client Temp CA")
             .ca_level(0)
             .key(&tmp_ca_key)
+            .not_after(server_cert_not_after())
             .build()
             .self_signed()?;
 
@@ -137,6 +138,7 @@ impl Keys {
             .subject("Dstack KMS CA")
             .ca_level(1)
             .key(&ca_key)
+            .not_after(server_cert_not_after())
             .build()
             .self_signed()?;
         let attestation = if quote_enabled {
@@ -159,6 +161,7 @@ impl Keys {
             .special_usage("kms:rpc")
             .maybe_attestation(attestation.as_ref())
             .key(&rpc_key)
+            .not_after(server_cert_not_after())
             .build()
             .signed_by(&ca_cert, &ca_key)?;
         Ok(Keys {
@@ -341,6 +344,7 @@ async fn gen_ra_cert(ca_cert_pem: String, ca_key_pem: String) -> Result<(String,
         .subject("RA-TLS TEMP Cert")
         .attestation(&attestation)
         .key(&key)
+        .not_after(client_cert_not_after())
         .build();
     let cert = ca.sign(req).context("Failed to sign certificate")?;
     Ok((cert.pem(), key.serialize_pem()))

ra-tls/src/cert.rs

@@ -32,6 +32,18 @@ use crate::traits::CertExt;
 use dstack_attest::attestation::QuoteContentType;
 use dstack_attest::attestation::{Attestation, AttestationQuote, VersionedAttestation};
 
+/// Returns the expiration time for long-lived server certificates (10 years from now).
+pub fn server_cert_not_after() -> SystemTime {
+    let day = Duration::from_secs(86400);
+    SystemTime::now() + day * 365 * 10
+}
+
+/// Returns the expiration time for short-lived client certificates (10 minutes from now).
+pub fn client_cert_not_after() -> SystemTime {
+    let minute = Duration::from_secs(60);
+    SystemTime::now() + minute * 10
+}
+
 /// A CA certificate and private key.
 pub struct CaCert {
     /// The original PEM certificate.
@@ -402,8 +414,8 @@ impl<Key> CertRequest<'_, Key> {
             .not_after
             .unwrap_or_else(|| {
                 let now = SystemTime::now();
-                let day = Duration::from_secs(86400);
-                now + day * 365 * 10
+                let hour = Duration::from_secs(3600);
+                now + hour
             })
             .into();
         Ok(params)
@@ -550,6 +562,7 @@ pub fn generate_ra_cert_with_app_id(
         .subject("RA-TLS TEMP Cert")
         .key(&key)
         .attestation(&attestation)
+        .not_after(client_cert_not_after())
         .build();
     let cert = ca.sign(req).context("Failed to sign certificate")?;
     Ok(CertPair {