1619791926.v9-1-g5482313.fix-generation-of-new-keys-when-no-keys-are-available.patch 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596
  1. Subject: Fix generation of new keys when no keys are available
  2. Origin: upstream, v9-1-g5482313 <https://github.com/latchset/tang/commit/v9-1-g5482313>
  3. Upstream-Author: Sergio Correia <scorreia@redhat.com>
  4. Date: Fri Apr 30 11:12:06 2021 -0300
  5. When no keys are available, tang creates a new pair of keys, however
  6. currently it checks the total number of keys, including rotated keys,
  7. to decide whether to create new keys.
  8. So not to have issues when all the keys have been rotated, let's check
  9. instead the total number of "regular" keys, the ones that will be
  10. advertised, and if there are none, then tang can create new keys.
  11. This fixes an issue when we do have all keys rotated.
  12. Tests added as well.
  13. --- a/src/keys.c
  14. +++ b/src/keys.c
  15. @@ -392,12 +392,15 @@
  16. json_t* arr = tki->m_keys;
  17. if (d->d_name[0] == '.') {
  18. arr = tki->m_rotated_keys;
  19. + tki->m_rotated_keys_count++;
  20. + } else {
  21. + tki->m_keys_count++;
  22. }
  23. +
  24. if (json_array_append(arr, json) == -1) {
  25. fprintf(stderr, "Unable to append JSON (%s) to array; skipping\n", d->d_name);
  26. continue;
  27. }
  28. - tki->m_keys_count++;
  29. }
  30. }
  31. closedir(dir);
  32. --- a/src/keys.h
  33. +++ b/src/keys.h
  34. @@ -34,8 +34,8 @@
  35. json_t* m_sign; /* Set of signing keys made from regular
  36. keys. */
  37. - size_t m_keys_count; /* Number of keys (regular + rotated). */
  38. -
  39. + size_t m_keys_count; /* Number of regular keys. */
  40. + size_t m_rotated_keys_count; /* Number of rotated keys. */
  41. };
  42. void cleanup_tang_keys_info(struct tang_keys_info**);
  43. --- a/tests/adv
  44. +++ b/tests/adv
  45. @@ -83,3 +83,15 @@
  46. -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
  47. test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"
  48. +
  49. +# Check that new keys will be created if none exist.
  50. +rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
  51. +fetch /adv
  52. +
  53. +# Now let's rotate these keys and check if we still create new keys.
  54. +cd "${TMP}/db"
  55. +for k in *.jwk; do
  56. + mv -f -- "${k}" ".${k}"
  57. +done
  58. +cd -
  59. +fetch /adv
  60. --- a/tests/test-keys.c.in
  61. +++ b/tests/test-keys.c.in
  62. @@ -140,7 +140,7 @@
  63. json_auto_t* keys = json_deep_copy(tki->m_keys);
  64. ASSERT(keys);
  65. ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
  66. - ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
  67. + ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
  68. for (int i = 0; hashes[i]; i++) {
  69. json_array_foreach(keys, idx, jwk) {
  70. @@ -203,7 +203,7 @@
  71. json_auto_t* keys = json_deep_copy(tki->m_keys);
  72. ASSERT(keys);
  73. ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
  74. - ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
  75. + ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
  76. for (int i = 0; hashes[i]; i++) {
  77. json_array_foreach(keys, idx, jwk) {
  78. @@ -230,7 +230,8 @@
  79. * - qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
  80. * - -bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
  81. */
  82. - ASSERT(tki->m_keys_count == 4);
  83. + ASSERT(tki->m_keys_count == 2);
  84. + ASSERT(tki->m_rotated_keys_count == 2);
  85. ASSERT(json_array_size(tki->m_keys) == 2);
  86. ASSERT(json_array_size(tki->m_rotated_keys) == 2);