From 875723a3f91102d2b78e742faea1e1bcb47ac791 Mon Sep 17 00:00:00 2001
From: Andrey Meshkov <am@adguard.com>
Date: Mon, 17 Dec 2018 11:21:45 +0300
Subject: [PATCH] added certinfo fields: notbefore, notafter

---
 dnscrypt.go      | 28 +++++++++++-----------------
 dnscrypt_test.go |  2 +-
 2 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/dnscrypt.go b/dnscrypt.go
index 48cf284..1c3bcb4 100644
--- a/dnscrypt.go
+++ b/dnscrypt.go
@@ -61,12 +61,13 @@ type Client struct {
 
 // CertInfo contains DnsCrypt server certificate data retrieved from the server
 type CertInfo struct {
-	Serial             uint32
-	ServerPk           [32]byte
-	SharedKey          [32]byte
+	Serial             uint32   // Cert serial number (the cert can be superseded by another one with a higher serial number)
+	ServerPk           [32]byte // Server public key
+	SharedKey          [32]byte // Shared key
 	MagicQuery         [clientMagicLen]byte
-	CryptoConstruction CryptoConstruction
-	ForwardSecurity    bool
+	CryptoConstruction CryptoConstruction // Encryption algorithm
+	NotBefore          uint32             // Cert is valid starting from this date (epoch time)
+	NotAfter           uint32             // Cert is valid until this date (epoch time)
 }
 
 // ServerInfo contains DNSCrypt server information necessary for decryption/encryption
@@ -405,22 +406,15 @@ func txtToCertInfo(answerRr dns.RR, serverInfo *ServerInfo) (CertInfo, error) {
 	certInfo.Serial = binary.BigEndian.Uint32(binCert[112:116])
 
 	// Validate the certificate date
-	tsBegin := binary.BigEndian.Uint32(binCert[116:120])
-	tsEnd := binary.BigEndian.Uint32(binCert[120:124])
-	if tsBegin >= tsEnd {
-		return certInfo, fmt.Errorf("certificate ends before it starts (%v >= %v)", tsBegin, tsEnd)
+	certInfo.NotBefore = binary.BigEndian.Uint32(binCert[116:120])
+	certInfo.NotAfter = binary.BigEndian.Uint32(binCert[120:124])
+	if certInfo.NotBefore >= certInfo.NotAfter {
+		return certInfo, fmt.Errorf("certificate ends before it starts (%v >= %v)", certInfo.NotBefore, certInfo.NotAfter)
 	}
-	if now > tsEnd || now < tsBegin {
+	if now > certInfo.NotAfter || now < certInfo.NotBefore {
 		return certInfo, errors.New("certificate not valid at the current date")
 	}
 
-	ttl := tsEnd - tsBegin
-	if ttl > 86400*7 {
-		certInfo.ForwardSecurity = false
-	} else {
-		certInfo.ForwardSecurity = true
-	}
-
 	var serverPk [32]byte
 	copy(serverPk[:], binCert[72:104])
 	certInfo.SharedKey = computeSharedKey(certInfo.CryptoConstruction, &serverInfo.SecretKey, &serverPk, &serverInfo.ProviderName)
diff --git a/dnscrypt_test.go b/dnscrypt_test.go
index 2931e46..9db6926 100644
--- a/dnscrypt_test.go
+++ b/dnscrypt_test.go
@@ -102,7 +102,7 @@ func checkDnsCryptServer(t *testing.T, stampStr string, proto string) {
 		t.Fatalf("Could not establish connection with %s", stampStr)
 	}
 
-	log.Printf("Established a connection with %s, rtt=%v, proto=%s", serverInfo.ProviderName, rtt, proto)
+	log.Printf("Established a connection with %s, ttl=%v, rtt=%v, proto=%s", serverInfo.ProviderName, time.Unix(int64(serverInfo.ServerCert.NotAfter), 0), rtt, proto)
 	req := dns.Msg{}
 	req.Id = dns.Id()
 	req.RecursionDesired = true