consider key rotation frequency instead of earliest expiration for Expire header

author: Christian Grothoff <christian@grothoff.org> 2021-12-08 16:11:46 +0100
committer: Christian Grothoff <christian@grothoff.org> 2021-12-08 16:11:52 +0100
commit: ed7379d235b39d71e4cd94f90b52627c32c6d8e7 (patch)
tree: 1003cd5dd60a5cf7151c77ee84e33e4ef37c9254
parent: b64f718037aa318e83424fa6e2e83021908ff1dc (diff)
download: exchange-ed7379d235b39d71e4cd94f90b52627c32c6d8e7.tar.xz
1 files changed, 34 insertions, 22 deletions
diff --git a/src/exchange/taler-exchange-httpd_keys.c b/src/exchange/taler-exchange-httpd_keys.c
index 587e0eed9..fbca5d652 100644
--- a/src/exchange/taler-exchange-httpd_keys.c
+++ b/src/exchange/taler-exchange-httpd_keys.c
@@ -322,9 +322,10 @@ struct TEH_KeyStateHandle
   struct GNUNET_TIME_Absolute reload_time;
 
   /**
-   * When is the next key invalid and we expect to have a different reply?
+   * What is the period at which we rotate keys
+   * (signing or denomination keys)?
    */
-  struct GNUNET_TIME_Absolute next_reload;
+  struct GNUNET_TIME_Relative rekey_frequency;
 
   /**
    * When does our online signing key expire and we
@@ -1370,9 +1371,9 @@ auditor_denom_cb (
 struct SignKeyCtx
 {
   /**
-   * When does the next signing key expire. Updated.
+   * What is the current rotation frequency for signing keys. Updated.
    */
-  struct GNUNET_TIME_Absolute next_sk_expire;
+  struct GNUNET_TIME_Relative min_sk_frequency;
 
   /**
    * JSON array of signing keys (being created).
@@ -1399,10 +1400,14 @@ add_sign_key_cb (void *cls,
   struct SigningKey *sk = value;
 
   (void) pid;
-  ctx->next_sk_expire =
-    GNUNET_TIME_absolute_min (ctx->next_sk_expire,
-                              sk->meta.expire_sign);
-
+  if (GNUNET_TIME_absolute_is_future (sk->meta.expire_sign))
+  {
+    ctx->min_sk_frequency =
+      GNUNET_TIME_relative_min (ctx->min_sk_frequency,
+                                GNUNET_TIME_absolute_get_difference (
+                                  sk->meta.start,
+                                  sk->meta.expire_sign));
+  }
   GNUNET_assert (
     0 ==
     json_array_append_new (
@@ -1438,9 +1443,10 @@ struct DenomKeyCtx
   json_t *recoup;
 
   /**
-   * When does the next denomination key expire. Updated.
+   * What is the minimum key rotation frequency of
+   * valid denomination keys?
    */
-  struct GNUNET_TIME_Absolute next_dk_expire;
+  struct GNUNET_TIME_Relative min_dk_frequency;
 
 };
 
@@ -1475,9 +1481,14 @@ add_denom_key_cb (void *cls,
   }
   else
   {
-    dkc->next_dk_expire =
-      GNUNET_TIME_absolute_min (dkc->next_dk_expire,
-                                dk->meta.expire_withdraw);
+    if (GNUNET_TIME_absolute_is_future (dk->meta.start))
+    {
+      dkc->min_dk_frequency =
+        GNUNET_TIME_relative_min (dkc->min_dk_frequency,
+                                  GNUNET_TIME_absolute_get_difference (
+                                    dk->meta.start,
+                                    dk->meta.expire_withdraw));
+    }
     (void) GNUNET_CONTAINER_heap_insert (dkc->heap,
                                          dk,
                                          dk->meta.start.abs_value_us);
@@ -1562,13 +1573,14 @@ setup_general_response_headers (const struct TEH_KeyStateHandle *ksh,
                 MHD_add_response_header (response,
                                          MHD_HTTP_HEADER_LAST_MODIFIED,
                                          dat));
-  if (0 != ksh->next_reload.abs_value_us)
+  if (! GNUNET_TIME_relative_is_zero (ksh->rekey_frequency))
   {
+    struct GNUNET_TIME_Relative r;
     struct GNUNET_TIME_Absolute m;
 
-    m = GNUNET_TIME_relative_to_absolute (TEH_max_keys_caching);
-    m = GNUNET_TIME_absolute_min (m,
-                                  ksh->next_reload);
+    r = GNUNET_TIME_relative_min (TEH_max_keys_caching,
+                                  ksh->rekey_frequency);
+    m = GNUNET_TIME_relative_to_absolute (r);
     get_date_string (m,
                      dat);
     GNUNET_log (GNUNET_ERROR_TYPE_INFO,
@@ -1759,7 +1771,7 @@ finish_keys_response (struct TEH_KeyStateHandle *ksh)
 
   sctx.signkeys = json_array ();
   GNUNET_assert (NULL != sctx.signkeys);
-  sctx.next_sk_expire = GNUNET_TIME_UNIT_FOREVER_ABS;
+  sctx.min_sk_frequency = GNUNET_TIME_UNIT_FOREVER_REL;
   GNUNET_CONTAINER_multipeermap_iterate (ksh->signkey_map,
                                          &add_sign_key_cb,
                                          &sctx);
@@ -1770,15 +1782,15 @@ finish_keys_response (struct TEH_KeyStateHandle *ksh)
     struct DenomKeyCtx dkc = {
       .recoup = recoup,
       .heap = heap,
-      .next_dk_expire = GNUNET_TIME_UNIT_FOREVER_ABS,
+      .min_dk_frequency = GNUNET_TIME_UNIT_FOREVER_REL,
     };
 
     GNUNET_CONTAINER_multihashmap_iterate (ksh->denomkey_map,
                                            &add_denom_key_cb,
                                            &dkc);
-    ksh->next_reload
-      = GNUNET_TIME_absolute_min (dkc.next_dk_expire,
-                                  sctx.next_sk_expire);
+    ksh->rekey_frequency
+      = GNUNET_TIME_relative_min (dkc.min_dk_frequency,
+                                  sctx.min_sk_frequency);
   }
   denoms = json_array ();
   GNUNET_assert (NULL != denoms);
author	Christian Grothoff <christian@grothoff.org>	2021-12-08 16:11:46 +0100
committer	Christian Grothoff <christian@grothoff.org>	2021-12-08 16:11:52 +0100
commit	ed7379d235b39d71e4cd94f90b52627c32c6d8e7 (patch)
tree	1003cd5dd60a5cf7151c77ee84e33e4ef37c9254
parent	b64f718037aa318e83424fa6e2e83021908ff1dc (diff)
download	exchange-ed7379d235b39d71e4cd94f90b52627c32c6d8e7.tar.xz