Cherry-pick "Fix generation of new keys when no keys are available"

debian/patches/cherry-pick/1619791926.v9-1-g5482313.fix-generation-of-new-keys-when-no-keys-are-available.patch

@@ -0,0 +1,96 @@
+Subject: Fix generation of new keys when no keys are available
+Origin: v9-1-g5482313 <https://github.com/latchset/tang/commit/v9-1-g5482313>
+Upstream-Author: Sergio Correia <scorreia@redhat.com>
+Date: Fri Apr 30 11:12:06 2021 -0300
+
+    When no keys are available, tang creates a new pair of keys, however
+    currently it checks the total number of keys, including rotated keys,
+    to decide whether to create new keys.
+
+    So not to have issues when all the keys have been rotated, let's check
+    instead the total number of "regular" keys, the ones that will be
+    advertised, and if there are none, then tang can create new keys.
+
+    This fixes an issue when we do have all keys rotated.
+    Tests added as well.
+
+--- a/src/keys.c
++++ b/src/keys.c
+@@ -392,12 +392,15 @@
+             json_t* arr = tki->m_keys;
+             if (d->d_name[0] == '.') {
+                 arr = tki->m_rotated_keys;
++                tki->m_rotated_keys_count++;
++            } else {
++                tki->m_keys_count++;
+             }
++
+             if (json_array_append(arr, json) == -1) {
+                 fprintf(stderr, "Unable to append JSON (%s) to array; skipping\n", d->d_name);
+                 continue;
+             }
+-            tki->m_keys_count++;
+         }
+     }
+     closedir(dir);
+--- a/src/keys.h
++++ b/src/keys.h
+@@ -34,8 +34,8 @@
+     json_t* m_sign;               /* Set of signing keys made from regular
+                                      keys. */
+ 
+-    size_t m_keys_count;          /* Number of keys (regular + rotated). */
+-
++    size_t m_keys_count;          /* Number of regular keys. */
++    size_t m_rotated_keys_count;  /* Number of rotated keys. */
+ };
+ 
+ void cleanup_tang_keys_info(struct tang_keys_info**);
+--- a/tests/adv
++++ b/tests/adv
+@@ -83,3 +83,15 @@
+                -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
+ 
+ test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"
++
++# Check that new keys will be created if none exist.
++rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
++fetch /adv
++
++# Now let's rotate these keys and check if we still create new keys.
++cd "${TMP}/db"
++for k in *.jwk; do
++    mv -f -- "${k}" ".${k}"
++done
++cd -
++fetch /adv
+--- a/tests/test-keys.c.in
++++ b/tests/test-keys.c.in
+@@ -140,7 +140,7 @@
+     json_auto_t* keys = json_deep_copy(tki->m_keys);
+     ASSERT(keys);
+     ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
+-    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
++    ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
+ 
+     for (int i = 0; hashes[i]; i++) {
+         json_array_foreach(keys, idx, jwk) {
+@@ -203,7 +203,7 @@
+     json_auto_t* keys = json_deep_copy(tki->m_keys);
+     ASSERT(keys);
+     ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
+-    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
++    ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
+ 
+     for (int i = 0; hashes[i]; i++) {
+         json_array_foreach(keys, idx, jwk) {
+@@ -230,7 +230,8 @@
+      * - qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
+      * - -bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
+      */
+-    ASSERT(tki->m_keys_count == 4);
++    ASSERT(tki->m_keys_count == 2);
++    ASSERT(tki->m_rotated_keys_count == 2);
+     ASSERT(json_array_size(tki->m_keys) == 2);
+     ASSERT(json_array_size(tki->m_rotated_keys) == 2);
+ 

debian/patches/series

@@ -1,5 +1,6 @@
 
 # cherry-picked commits. Keep in upstream's chronological order
+cherry-pick/1619791926.v9-1-g5482313.fix-generation-of-new-keys-when-no-keys-are-available.patch
 
 # patches for upstream
 for-upstream/2018-08-11.use-asciidoctor-to-build-manpages.patch