new collateral issuance date must be strictly higher than the issuance date of existing collaterals

Author: preston4896

src/bases/FmspcTcbDao.sol

@@ -185,7 +185,7 @@ abstract contract FmspcTcbDao is DaoBase, SigVerifyBase {
             /// I don't think there can be a scenario where an existing tcbinfo with a higher evaluation data number
             /// to be issued BEFORE a new tcbinfo with a lower evaluation data number
             bool outOfDate = tcbInfo.evaluationDataNumber < existingEvaluationDataNumber ||
-                tcbInfo.issueDate < existingIssueDate;
+                tcbInfo.issueDate <= existingIssueDate;
             if (outOfDate) {
                 revert TCB_Out_Of_Date();
             }

src/bases/PckDao.sol

@@ -294,7 +294,7 @@ abstract contract PckDao is DaoBase, SigVerifyBase {
         bytes memory existingData = _fetchDataFromResolver(key, false);
         if (existingData.length > 0) {
             (uint256 existingCertNotValidBefore, ) = pckLib.getCertValidity(existingData);
-            bool outOfDate = existingCertNotValidBefore > pck.validityNotBefore;
+            bool outOfDate = existingCertNotValidBefore >= pck.validityNotBefore;
             if (outOfDate) {
                 revert Pck_Out_Of_Date();
             }

src/bases/PcsDao.sol

@@ -143,8 +143,6 @@ abstract contract PcsDao is DaoBase, SigVerifyBase {
     function _upsertPcsCrl(CA ca, bytes calldata crl) private returns (bytes32 attestationId) {
         (bytes32 hash, bytes32 key) = _validatePcsCrl(ca, crl);
 
-        _checkCollateralDuplicate(key, hash);
-
         attestationId = _attestPcs(crl, hash, key);
 
         emit UpsertedPCSCollateral(ca, true);
@@ -173,7 +171,7 @@ abstract contract PcsDao is DaoBase, SigVerifyBase {
         bytes memory existingData = _fetchDataFromResolver(key, false);
         if (existingData.length > 0) {
             (uint256 existingCertNotValidBefore, ) = x509Lib.getCertValidity(existingData);
-            bool outOfDate = existingCertNotValidBefore > currentCert.validityNotBefore;
+            bool outOfDate = existingCertNotValidBefore >= currentCert.validityNotBefore;
             if (outOfDate) {
                 revert Certificate_Out_Of_Date();
             }
@@ -234,6 +232,11 @@ abstract contract PcsDao is DaoBase, SigVerifyBase {
 
     function _validatePcsCrl(CA ca, bytes calldata crl) private view returns (bytes32 hash, bytes32 key) {
         X509CRLObj memory currentCrl = crlLib.parseCRLDER(crl);
+
+        key = PCS_KEY(ca, true);
+        hash = keccak256(currentCrl.tbs);
+
+        _checkCollateralDuplicate(key, hash);
 
         // Step 1: Check whether CRL has expired
         bool validTimestamp = 
@@ -245,11 +248,10 @@ abstract contract PcsDao is DaoBase, SigVerifyBase {
 
         // Step 2: Rollback prevention: new CRL should not have an issued date
         // that is older than the existing CRL
-        key = PCS_KEY(ca, true);
         bytes memory existingData = _fetchDataFromResolver(key, false);
         if (existingData.length > 0) {
             (uint256 existingCrlNotValidBefore, ) = crlLib.getCrlValidity(existingData);
-            bool outOfDate = existingCrlNotValidBefore > currentCrl.validityNotBefore;
+            bool outOfDate = existingCrlNotValidBefore >= currentCrl.validityNotBefore;
             if (outOfDate) {
                 revert Certificate_Out_Of_Date();
             }
@@ -272,8 +274,6 @@ abstract contract PcsDao is DaoBase, SigVerifyBase {
         if (!sigVerified) {
             revert Invalid_Signature();
         }
-
-        hash = keccak256(currentCrl.tbs);
     }
 
     function _getIssuer(CA ca) private view returns (bytes memory issuerCert) {