consider key rotation frequency instead of earliest expiration for Expire header

Christian Grothoff 2021-12-08 16:11:46 +01:00
parent b64f718037
commit ed7379d235
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC


@ -322,9 +322,10 @@ struct TEH_KeyStateHandle
struct GNUNET_TIME_Absolute reload_time; struct GNUNET_TIME_Absolute reload_time;
/** /**
* When is the next key invalid and we expect to have a different reply? * What is the period at which we rotate keys
* (signing or denomination keys)?
*/ */
struct GNUNET_TIME_Absolute next_reload; struct GNUNET_TIME_Relative rekey_frequency;
/** /**
* When does our online signing key expire and we * When does our online signing key expire and we
@ -1370,9 +1371,9 @@ auditor_denom_cb (
struct SignKeyCtx struct SignKeyCtx
{ {
/** /**
* When does the next signing key expire. Updated. * What is the current rotation frequency for signing keys. Updated.
*/ */
struct GNUNET_TIME_Absolute next_sk_expire; struct GNUNET_TIME_Relative min_sk_frequency;
/** /**
* JSON array of signing keys (being created). * JSON array of signing keys (being created).
@ -1399,10 +1400,14 @@ add_sign_key_cb (void *cls,
struct SigningKey *sk = value; struct SigningKey *sk = value;
(void) pid; (void) pid;
ctx->next_sk_expire = if (GNUNET_TIME_absolute_is_future (sk->meta.expire_sign))
GNUNET_TIME_absolute_min (ctx->next_sk_expire, {
sk->meta.expire_sign); ctx->min_sk_frequency =
GNUNET_TIME_relative_min (ctx->min_sk_frequency,
GNUNET_TIME_absolute_get_difference (
sk->meta.start,
sk->meta.expire_sign));
}
GNUNET_assert ( GNUNET_assert (
0 == 0 ==
json_array_append_new ( json_array_append_new (
@ -1438,9 +1443,10 @@ struct DenomKeyCtx
json_t *recoup; json_t *recoup;
/** /**
* When does the next denomination key expire. Updated. * What is the minimum key rotation frequency of
* valid denomination keys?
*/ */
struct GNUNET_TIME_Absolute next_dk_expire; struct GNUNET_TIME_Relative min_dk_frequency;
}; };
@ -1475,9 +1481,14 @@ add_denom_key_cb (void *cls,
} }
else else
{ {
dkc->next_dk_expire = if (GNUNET_TIME_absolute_is_future (dk->meta.start))
GNUNET_TIME_absolute_min (dkc->next_dk_expire, {
dk->meta.expire_withdraw); dkc->min_dk_frequency =
GNUNET_TIME_relative_min (dkc->min_dk_frequency,
GNUNET_TIME_absolute_get_difference (
dk->meta.start,
dk->meta.expire_withdraw));
}
(void) GNUNET_CONTAINER_heap_insert (dkc->heap, (void) GNUNET_CONTAINER_heap_insert (dkc->heap,
dk, dk,
dk->meta.start.abs_value_us); dk->meta.start.abs_value_us);
@ -1562,13 +1573,14 @@ setup_general_response_headers (const struct TEH_KeyStateHandle *ksh,
MHD_add_response_header (response, MHD_add_response_header (response,
MHD_HTTP_HEADER_LAST_MODIFIED, MHD_HTTP_HEADER_LAST_MODIFIED,
dat)); dat));
if (0 != ksh->next_reload.abs_value_us) if (! GNUNET_TIME_relative_is_zero (ksh->rekey_frequency))
{ {
struct GNUNET_TIME_Relative r;
struct GNUNET_TIME_Absolute m; struct GNUNET_TIME_Absolute m;
m = GNUNET_TIME_relative_to_absolute (TEH_max_keys_caching); r = GNUNET_TIME_relative_min (TEH_max_keys_caching,
m = GNUNET_TIME_absolute_min (m, ksh->rekey_frequency);
ksh->next_reload); m = GNUNET_TIME_relative_to_absolute (r);
get_date_string (m, get_date_string (m,
dat); dat);
GNUNET_log (GNUNET_ERROR_TYPE_INFO, GNUNET_log (GNUNET_ERROR_TYPE_INFO,
@ -1759,7 +1771,7 @@ finish_keys_response (struct TEH_KeyStateHandle *ksh)
sctx.signkeys = json_array (); sctx.signkeys = json_array ();
GNUNET_assert (NULL != sctx.signkeys); GNUNET_assert (NULL != sctx.signkeys);
sctx.next_sk_expire = GNUNET_TIME_UNIT_FOREVER_ABS; sctx.min_sk_frequency = GNUNET_TIME_UNIT_FOREVER_REL;
GNUNET_CONTAINER_multipeermap_iterate (ksh->signkey_map, GNUNET_CONTAINER_multipeermap_iterate (ksh->signkey_map,
&add_sign_key_cb, &add_sign_key_cb,
&sctx); &sctx);
@ -1770,15 +1782,15 @@ finish_keys_response (struct TEH_KeyStateHandle *ksh)
struct DenomKeyCtx dkc = { struct DenomKeyCtx dkc = {
.recoup = recoup, .recoup = recoup,
.heap = heap, .heap = heap,
.next_dk_expire = GNUNET_TIME_UNIT_FOREVER_ABS, .min_dk_frequency = GNUNET_TIME_UNIT_FOREVER_REL,
}; };
GNUNET_CONTAINER_multihashmap_iterate (ksh->denomkey_map, GNUNET_CONTAINER_multihashmap_iterate (ksh->denomkey_map,
&add_denom_key_cb, &add_denom_key_cb,
&dkc); &dkc);
ksh->next_reload ksh->rekey_frequency
= GNUNET_TIME_absolute_min (dkc.next_dk_expire, = GNUNET_TIME_relative_min (dkc.min_dk_frequency,
sctx.next_sk_expire); sctx.min_sk_frequency);
} }
denoms = json_array (); denoms = json_array ();
GNUNET_assert (NULL != denoms); GNUNET_assert (NULL != denoms);
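Review bot: The guard added in add_denom_key_cb tests `GNUNET_TIME_absolute_is_future (dk->meta.start)`, while the parallel guard in add_sign_key_cb tests `sk->meta.expire_sign`, and the new DenomKeyCtx comment speaks of "valid denomination keys". As written, only denominations whose start lies in the future feed `min_dk_frequency`, so currently valid ones are skipped. If that is intended, a comment such as `/* only not-yet-active keys determine the upcoming rotation period */` would say so; otherwise the test probably wants `dk->meta.expire_withdraw`. Separately, the Expires value in setup_general_response_headers is now "now + min (TEH_max_keys_caching, rekey_frequency)" and is no longer bounded by the nearest key expiry, so a cached keys response can outlive a key listed in it. This presumably relies on the successor keys already being in the same response, which the `rekey_frequency` field comment should state. Both callbacks and setup_general_response_headers continue outside the hunks shown.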