|
@@ -0,0 +1,96 @@
|
|
|
+Subject: Fix generation of new keys when no keys are available
|
|
|
+Origin: v9-1-g5482313 <https://github.com/latchset/tang/commit/v9-1-g5482313>
|
|
|
+Upstream-Author: Sergio Correia <scorreia@redhat.com>
|
|
|
+Date: Fri Apr 30 11:12:06 2021 -0300
|
|
|
+
|
|
|
+ When no keys are available, tang creates a new pair of keys, however
|
|
|
+ currently it checks the total number of keys, including rotated keys,
|
|
|
+ to decide whether to create new keys.
|
|
|
+
|
|
|
+ So not to have issues when all the keys have been rotated, let's check
|
|
|
+ instead the total number of "regular" keys, the ones that will be
|
|
|
+ advertised, and if there are none, then tang can create new keys.
|
|
|
+
|
|
|
+ This fixes an issue when we do have all keys rotated.
|
|
|
+ Tests added as well.
|
|
|
+
|
|
|
+--- a/src/keys.c
|
|
|
++++ b/src/keys.c
|
|
|
+@@ -392,12 +392,15 @@
|
|
|
+ json_t* arr = tki->m_keys;
|
|
|
+ if (d->d_name[0] == '.') {
|
|
|
+ arr = tki->m_rotated_keys;
|
|
|
++ tki->m_rotated_keys_count++;
|
|
|
++ } else {
|
|
|
++ tki->m_keys_count++;
|
|
|
+ }
|
|
|
++
|
|
|
+ if (json_array_append(arr, json) == -1) {
|
|
|
+ fprintf(stderr, "Unable to append JSON (%s) to array; skipping\n", d->d_name);
|
|
|
+ continue;
|
|
|
+ }
|
|
|
+- tki->m_keys_count++;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ closedir(dir);
|
|
|
+--- a/src/keys.h
|
|
|
++++ b/src/keys.h
|
|
|
+@@ -34,8 +34,8 @@
|
|
|
+ json_t* m_sign; /* Set of signing keys made from regular
|
|
|
+ keys. */
|
|
|
+
|
|
|
+- size_t m_keys_count; /* Number of keys (regular + rotated). */
|
|
|
+-
|
|
|
++ size_t m_keys_count; /* Number of regular keys. */
|
|
|
++ size_t m_rotated_keys_count; /* Number of rotated keys. */
|
|
|
+ };
|
|
|
+
|
|
|
+ void cleanup_tang_keys_info(struct tang_keys_info**);
|
|
|
+--- a/tests/adv
|
|
|
++++ b/tests/adv
|
|
|
+@@ -83,3 +83,15 @@
|
|
|
+ -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
|
|
|
+
|
|
|
+ test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"
|
|
|
++
|
|
|
++# Check that new keys will be created if none exist.
|
|
|
++rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
|
|
|
++fetch /adv
|
|
|
++
|
|
|
++# Now let's rotate these keys and check if we still create new keys.
|
|
|
++cd "${TMP}/db"
|
|
|
++for k in *.jwk; do
|
|
|
++ mv -f -- "${k}" ".${k}"
|
|
|
++done
|
|
|
++cd -
|
|
|
++fetch /adv
|
|
|
+--- a/tests/test-keys.c.in
|
|
|
++++ b/tests/test-keys.c.in
|
|
|
+@@ -140,7 +140,7 @@
|
|
|
+ json_auto_t* keys = json_deep_copy(tki->m_keys);
|
|
|
+ ASSERT(keys);
|
|
|
+ ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
|
|
|
+- ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
|
|
|
++ ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
|
|
|
+
|
|
|
+ for (int i = 0; hashes[i]; i++) {
|
|
|
+ json_array_foreach(keys, idx, jwk) {
|
|
|
+@@ -203,7 +203,7 @@
|
|
|
+ json_auto_t* keys = json_deep_copy(tki->m_keys);
|
|
|
+ ASSERT(keys);
|
|
|
+ ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
|
|
|
+- ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
|
|
|
++ ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
|
|
|
+
|
|
|
+ for (int i = 0; hashes[i]; i++) {
|
|
|
+ json_array_foreach(keys, idx, jwk) {
|
|
|
+@@ -230,7 +230,8 @@
|
|
|
+ * - qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
|
|
|
+ * - -bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
|
|
|
+ */
|
|
|
+- ASSERT(tki->m_keys_count == 4);
|
|
|
++ ASSERT(tki->m_keys_count == 2);
|
|
|
++ ASSERT(tki->m_rotated_keys_count == 2);
|
|
|
+ ASSERT(json_array_size(tki->m_keys) == 2);
|
|
|
+ ASSERT(json_array_size(tki->m_rotated_keys) == 2);
|
|
|
+
|