Fix generation of new keys when no keys are available

When no keys are available, tang creates a new pair of keys, however
currently it checks the total number of keys, including rotated keys,
to decide whether to create new keys.

So not to have issues when all the keys have been rotated, let's check
instead the total number of "regular" keys, the ones that will be
advertised, and if there are none, then tang can create new keys.

This fixes an issue when we do have all keys rotated.
Tests added as well.

Author: sergio-correia

src/keys.c

@@ -392,12 +392,15 @@ load_keys(const char* jwkdir)
             json_t* arr = tki->m_keys;
             if (d->d_name[0] == '.') {
                 arr = tki->m_rotated_keys;
+                tki->m_rotated_keys_count++;
+            } else {
+                tki->m_keys_count++;
             }
+
             if (json_array_append(arr, json) == -1) {
                 fprintf(stderr, "Unable to append JSON (%s) to array; skipping\n", d->d_name);
                 continue;
             }
-            tki->m_keys_count++;
         }
     }
     closedir(dir);

src/keys.h

@@ -34,8 +34,8 @@ struct tang_keys_info {
     json_t* m_sign;               /* Set of signing keys made from regular
                                      keys. */
 
-    size_t m_keys_count;          /* Number of keys (regular + rotated). */
-
+    size_t m_keys_count;          /* Number of regular keys. */
+    size_t m_rotated_keys_count;  /* Number of rotated keys. */
 };
 
 void cleanup_tang_keys_info(struct tang_keys_info**);

tests/adv

@@ -84,3 +84,15 @@ fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` \
 
 THP_DEFAULT_HASH=S256     # SHA-256.
 test "$(tang-show-keys $PORT)" == "$(jose jwk thp -a "${THP_DEFAULT_HASH}" -i $TMP/db/sig.jwk)"
+
+# Check that new keys will be created if none exist.
+rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
+fetch /adv
+
+# Now let's rotate these keys and check if we still create new keys.
+cd "${TMP}/db"
+for k in *.jwk; do
+    mv -f -- "${k}" ".${k}"
+done
+cd -
+fetch /adv

tests/test-keys.c.in

@@ -140,7 +140,7 @@ test_find_jws(void)
     json_auto_t* keys = json_deep_copy(tki->m_keys);
     ASSERT(keys);
     ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
-    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
+    ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
 
     for (int i = 0; hashes[i]; i++) {
         json_array_foreach(keys, idx, jwk) {
@@ -203,7 +203,7 @@ test_find_jwk(void)
     json_auto_t* keys = json_deep_copy(tki->m_keys);
     ASSERT(keys);
     ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
-    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
+    ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
 
     for (int i = 0; hashes[i]; i++) {
         json_array_foreach(keys, idx, jwk) {
@@ -230,7 +230,8 @@ test_read_keys(void)
      * - qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
      * - -bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
      */
-    ASSERT(tki->m_keys_count == 4);
+    ASSERT(tki->m_keys_count == 2);
+    ASSERT(tki->m_rotated_keys_count == 2);
     ASSERT(json_array_size(tki->m_keys) == 2);
     ASSERT(json_array_size(tki->m_rotated_keys) == 2);