123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596 |
- Subject: Fix generation of new keys when no keys are available
- Origin: upstream, v9-1-g5482313 <https://github.com/latchset/tang/commit/v9-1-g5482313>
- Upstream-Author: Sergio Correia <scorreia@redhat.com>
- Date: Fri Apr 30 11:12:06 2021 -0300
- When no keys are available, tang creates a new pair of keys, however
- currently it checks the total number of keys, including rotated keys,
- to decide whether to create new keys.
- So not to have issues when all the keys have been rotated, let's check
- instead the total number of "regular" keys, the ones that will be
- advertised, and if there are none, then tang can create new keys.
- This fixes an issue when we do have all keys rotated.
- Tests added as well.
- --- a/src/keys.c
- +++ b/src/keys.c
- @@ -392,12 +392,15 @@
- json_t* arr = tki->m_keys;
- if (d->d_name[0] == '.') {
- arr = tki->m_rotated_keys;
- + tki->m_rotated_keys_count++;
- + } else {
- + tki->m_keys_count++;
- }
- +
- if (json_array_append(arr, json) == -1) {
- fprintf(stderr, "Unable to append JSON (%s) to array; skipping\n", d->d_name);
- continue;
- }
- - tki->m_keys_count++;
- }
- }
- closedir(dir);
- --- a/src/keys.h
- +++ b/src/keys.h
- @@ -34,8 +34,8 @@
- json_t* m_sign; /* Set of signing keys made from regular
- keys. */
-
- - size_t m_keys_count; /* Number of keys (regular + rotated). */
- -
- + size_t m_keys_count; /* Number of regular keys. */
- + size_t m_rotated_keys_count; /* Number of rotated keys. */
- };
-
- void cleanup_tang_keys_info(struct tang_keys_info**);
- --- a/tests/adv
- +++ b/tests/adv
- @@ -83,3 +83,15 @@
- -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
-
- test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"
- +
- +# Check that new keys will be created if none exist.
- +rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
- +fetch /adv
- +
- +# Now let's rotate these keys and check if we still create new keys.
- +cd "${TMP}/db"
- +for k in *.jwk; do
- + mv -f -- "${k}" ".${k}"
- +done
- +cd -
- +fetch /adv
- --- a/tests/test-keys.c.in
- +++ b/tests/test-keys.c.in
- @@ -140,7 +140,7 @@
- json_auto_t* keys = json_deep_copy(tki->m_keys);
- ASSERT(keys);
- ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
- - ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
- + ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
-
- for (int i = 0; hashes[i]; i++) {
- json_array_foreach(keys, idx, jwk) {
- @@ -203,7 +203,7 @@
- json_auto_t* keys = json_deep_copy(tki->m_keys);
- ASSERT(keys);
- ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
- - ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
- + ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
-
- for (int i = 0; hashes[i]; i++) {
- json_array_foreach(keys, idx, jwk) {
- @@ -230,7 +230,8 @@
- * - qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
- * - -bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
- */
- - ASSERT(tki->m_keys_count == 4);
- + ASSERT(tki->m_keys_count == 2);
- + ASSERT(tki->m_rotated_keys_count == 2);
- ASSERT(json_array_size(tki->m_keys) == 2);
- ASSERT(json_array_size(tki->m_rotated_keys) == 2);
-
|