Subject: Fix generation of new keys when no keys are available
Origin: v9-1-g5482313 <https://github.com/latchset/tang/commit/v9-1-g5482313>
Upstream-Author: Sergio Correia <scorreia@redhat.com>
Date: Fri Apr 30 11:12:06 2021 -0300

    When no keys are available, tang creates a new pair of keys, however
    currently it checks the total number of keys, including rotated keys,
    to decide whether to create new keys.

    So not to have issues when all the keys have been rotated, let's check
    instead the total number of "regular" keys, the ones that will be
    advertised, and if there are none, then tang can create new keys.

    This fixes an issue when we do have all keys rotated.
    Tests added as well.

--- a/src/keys.c
+++ b/src/keys.c
@@ -392,12 +392,15 @@
             json_t* arr = tki->m_keys;
             if (d->d_name[0] == '.') {
                 arr = tki->m_rotated_keys;
+                tki->m_rotated_keys_count++;
+            } else {
+                tki->m_keys_count++;
             }
+
             if (json_array_append(arr, json) == -1) {
                 fprintf(stderr, "Unable to append JSON (%s) to array; skipping\n", d->d_name);
                 continue;
             }
-            tki->m_keys_count++;
         }
     }
     closedir(dir);
--- a/src/keys.h
+++ b/src/keys.h
@@ -34,8 +34,8 @@
     json_t* m_sign;               /* Set of signing keys made from regular
                                      keys. */
 
-    size_t m_keys_count;          /* Number of keys (regular + rotated). */
-
+    size_t m_keys_count;          /* Number of regular keys. */
+    size_t m_rotated_keys_count;  /* Number of rotated keys. */
 };
 
 void cleanup_tang_keys_info(struct tang_keys_info**);
--- a/tests/adv
+++ b/tests/adv
@@ -83,3 +83,15 @@
                -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
 
 test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"
+
+# Check that new keys will be created if none exist.
+rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
+fetch /adv
+
+# Now let's rotate these keys and check if we still create new keys.
+cd "${TMP}/db"
+for k in *.jwk; do
+    mv -f -- "${k}" ".${k}"
+done
+cd -
+fetch /adv
--- a/tests/test-keys.c.in
+++ b/tests/test-keys.c.in
@@ -140,7 +140,7 @@
     json_auto_t* keys = json_deep_copy(tki->m_keys);
     ASSERT(keys);
     ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
-    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
+    ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
 
     for (int i = 0; hashes[i]; i++) {
         json_array_foreach(keys, idx, jwk) {
@@ -203,7 +203,7 @@
     json_auto_t* keys = json_deep_copy(tki->m_keys);
     ASSERT(keys);
     ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
-    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
+    ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
 
     for (int i = 0; hashes[i]; i++) {
         json_array_foreach(keys, idx, jwk) {
@@ -230,7 +230,8 @@
      * - qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
      * - -bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
      */
-    ASSERT(tki->m_keys_count == 4);
+    ASSERT(tki->m_keys_count == 2);
+    ASSERT(tki->m_rotated_keys_count == 2);
     ASSERT(json_array_size(tki->m_keys) == 2);
     ASSERT(json_array_size(tki->m_rotated_keys) == 2);