timeless hotfix (#275)

types/src/keyless/mod.rs

@@ -141,8 +141,9 @@ impl KeylessSignature {
  }
 
  pub fn verify_expiry(&self, current_time_microseconds: u64) -> anyhow::Result<()> {
- let block_time = UNIX_EPOCH + Duration::from_micros(current_time_microseconds);
- let expiry_time = seconds_from_epoch(self.exp_date_secs);
+ let block_time = UNIX_EPOCH.checked_add(Duration::from_micros(current_time_microseconds))
+ .ok_or_else(|| anyhow::anyhow!("Overflowed on UNIX_EPOCH + current_time_microseconds when checking exp_date_secs"))?;
+ let expiry_time = seconds_from_epoch(self.exp_date_secs)?;
 
  if block_time > expiry_time {
  bail!("Keyless signature is expired");
@@ -417,8 +418,10 @@ fn base64url_decode_as_str(b64: &str) -> anyhow::Result<String> {
  Ok(str)
 }
 
-fn seconds_from_epoch(secs: u64) -> SystemTime {
- UNIX_EPOCH + Duration::from_secs(secs)
+fn seconds_from_epoch(secs: u64) -> anyhow::Result<SystemTime> {
+ Ok(UNIX_EPOCH
+ .checked_add(Duration::from_secs(secs))
+ .ok_or_else(|| anyhow::anyhow!("Overflowed on UNIX_EPOCH + secs in seconds_from_epoch"))?)
 }
 
 #[cfg(test)]

types/src/keyless/openid_sig.rs

@@ -60,9 +60,16 @@ impl OpenIdSig {
  ) -> anyhow::Result<()> {
  let claims: Claims = serde_json::from_str(&self.jwt_payload_json)?;
 
- let max_expiration_date =
- seconds_from_epoch(claims.oidc_claims.iat + config.max_exp_horizon_secs);
- let expiration_date = seconds_from_epoch(exp_timestamp_secs);
+ let max_expiration_date = seconds_from_epoch(
+ claims
+ .oidc_claims
+ .iat
+ .checked_add(config.max_exp_horizon_secs)
+ .ok_or_else(|| {
+ anyhow::anyhow!("Overflow when adding iat and max_exp_horizon_secs")
+ })?,
+ )?;
+ let expiration_date = seconds_from_epoch(exp_timestamp_secs)?;
 
  ensure!(
  expiration_date < max_expiration_date,