opensmtpd-filter-dkimout/src/key.rs

use crate::config::Config;
use crate::Algorithm;
use sqlx::types::time::OffsetDateTime;
use sqlx::SqlitePool;
use tokio::time::Duration;
use uuid::Uuid;

pub async fn key_rotation(db: &SqlitePool, cnf: &Config) -> Duration {
	let mut durations = Vec::with_capacity(cnf.domains().len());
	let expiration = cnf
		.expiration()
		.map(Duration::from_secs)
		.unwrap_or_else(|| Duration::from_secs(cnf.cryptoperiod().get() / 10));
	for domain in cnf.domains() {
		if let Ok(d) = renew_key_if_expired(db, cnf, domain, cnf.algorithm(), expiration).await {
			durations.push(d);
		}
	}
	durations.push(Duration::from_secs(crate::KEY_CHECK_MIN_DELAY));
	durations.sort();
	durations[durations.len() - 1]
}

async fn renew_key_if_expired(
	db: &SqlitePool,
	cnf: &Config,
	domain: &str,
	algorithm: Algorithm,
	expiration: Duration,
) -> Result<Duration, ()> {
	let res: Option<(i64,)> = sqlx::query_as(crate::db::SELECT_LATEST_KEY)
		.bind(domain)
		.bind(algorithm.to_string())
		.fetch_optional(db)
		.await
		.map_err(|_| ())?;
	match res {
		Some((not_after,)) => {
			let not_after = OffsetDateTime::from_unix_timestamp(not_after).map_err(|_| ())?;
			log::debug!("{domain}: key is valid until {not_after}");
			if not_after - expiration <= OffsetDateTime::now_utc() {
				generate_key(db, cnf, domain, algorithm).await?;
			}
		}
		None => {
			log::debug!("no key found for domain {domain}");
			generate_key(db, cnf, domain, algorithm).await?;
		}
	};
	Ok(Duration::from_secs(10))
}

async fn generate_key(
	db: &SqlitePool,
	cnf: &Config,
	domain: &str,
	algorithm: Algorithm,
) -> Result<(), ()> {
	let selector = format!("dkim-{}", Uuid::new_v4().simple());
	let now = OffsetDateTime::now_utc();
	let not_after = now + Duration::from_secs(cnf.cryptoperiod().get());
	let revocation = not_after + Duration::from_secs(cnf.revocation());
	let (priv_key, pub_key) = algorithm.gen_keys();
	sqlx::query(crate::db::INSERT_KEY)
		.bind(selector)
		.bind(domain)
		.bind(algorithm.to_string())
		.bind(now.unix_timestamp())
		.bind(not_after.unix_timestamp())
		.bind(revocation.unix_timestamp())
		.bind(priv_key)
		.bind(pub_key)
		.execute(db)
		.await
		.map_err(|_| ())?;
	// TODO: dns_update_cmd
	log::debug!("{domain}: new {} key generated", algorithm.to_string());
	Ok(())
}
Connect to the key database 2023-04-09 17:21:17 +02:00			`use crate::config::Config;`
Generate keys 2023-04-09 23:31:16 +02:00			`use crate::Algorithm;`
			`use sqlx::types::time::OffsetDateTime;`
Connect to the key database 2023-04-09 17:21:17 +02:00			`use sqlx::SqlitePool;`
Generate keys 2023-04-09 23:31:16 +02:00			`use tokio::time::Duration;`
			`use uuid::Uuid;`
Connect to the key database 2023-04-09 17:21:17 +02:00
Generate keys 2023-04-09 23:31:16 +02:00			`pub async fn key_rotation(db: &SqlitePool, cnf: &Config) -> Duration {`
			`let mut durations = Vec::with_capacity(cnf.domains().len());`
			`let expiration = cnf`
			`.expiration()`
			`.map(Duration::from_secs)`
			`.unwrap_or_else(\|\| Duration::from_secs(cnf.cryptoperiod().get() / 10));`
			`for domain in cnf.domains() {`
			`if let Ok(d) = renew_key_if_expired(db, cnf, domain, cnf.algorithm(), expiration).await {`
			`durations.push(d);`
			`}`
			`}`
Check keys at least every 3 hours Doing so will permit to regularly populate the revocation file with the new entries. 2023-04-10 11:18:11 +02:00			`durations.push(Duration::from_secs(crate::KEY_CHECK_MIN_DELAY));`
Generate keys 2023-04-09 23:31:16 +02:00			`durations.sort();`
Check keys at least every 3 hours Doing so will permit to regularly populate the revocation file with the new entries. 2023-04-10 11:18:11 +02:00			`durations[durations.len() - 1]`
Generate keys 2023-04-09 23:31:16 +02:00			`}`

			`async fn renew_key_if_expired(`
			`db: &SqlitePool,`
			`cnf: &Config,`
			`domain: &str,`
			`algorithm: Algorithm,`
			`expiration: Duration,`
			`) -> Result<Duration, ()> {`
Move SQL queries to the db module 2023-04-10 11:21:53 +02:00			`let res: Option<(i64,)> = sqlx::query_as(crate::db::SELECT_LATEST_KEY)`
Generate keys 2023-04-09 23:31:16 +02:00			`.bind(domain)`
			`.bind(algorithm.to_string())`
			`.fetch_optional(db)`
			`.await`
			`.map_err(\|_\| ())?;`
			`match res {`
			`Some((not_after,)) => {`
Store the dates using unix timestamps 2023-04-10 00:30:31 +02:00			`let not_after = OffsetDateTime::from_unix_timestamp(not_after).map_err(\|_\| ())?;`
Generate keys 2023-04-09 23:31:16 +02:00			`log::debug!("{domain}: key is valid until {not_after}");`
			`if not_after - expiration <= OffsetDateTime::now_utc() {`
			`generate_key(db, cnf, domain, algorithm).await?;`
			`}`
			`}`
			`None => {`
			`log::debug!("no key found for domain {domain}");`
			`generate_key(db, cnf, domain, algorithm).await?;`
			`}`
			`};`
			`Ok(Duration::from_secs(10))`
			`}`

			`async fn generate_key(`
			`db: &SqlitePool,`
			`cnf: &Config,`
			`domain: &str,`
			`algorithm: Algorithm,`
			`) -> Result<(), ()> {`
			`let selector = format!("dkim-{}", Uuid::new_v4().simple());`
			`let now = OffsetDateTime::now_utc();`
			`let not_after = now + Duration::from_secs(cnf.cryptoperiod().get());`
			`let revocation = not_after + Duration::from_secs(cnf.revocation());`
			`let (priv_key, pub_key) = algorithm.gen_keys();`
Move SQL queries to the db module 2023-04-10 11:21:53 +02:00			`sqlx::query(crate::db::INSERT_KEY)`
Generate keys 2023-04-09 23:31:16 +02:00			`.bind(selector)`
			`.bind(domain)`
			`.bind(algorithm.to_string())`
Store the dates using unix timestamps 2023-04-10 00:30:31 +02:00			`.bind(now.unix_timestamp())`
			`.bind(not_after.unix_timestamp())`
			`.bind(revocation.unix_timestamp())`
Generate keys 2023-04-09 23:31:16 +02:00			`.bind(priv_key)`
			`.bind(pub_key)`
			`.execute(db)`
			`.await`
			`.map_err(\|_\| ())?;`
			`// TODO: dns_update_cmd`
			`log::debug!("{domain}: new {} key generated", algorithm.to_string());`
			`Ok(())`
Connect to the key database 2023-04-09 17:21:17 +02:00			`}`