Implemented key rotation

ccdef34b · Sonia Zorba · 5c970e8a · ccdef34b · ccdef34b · ccdef34b
Commit ccdef34b authored 3 years ago by Sonia Zorba
--- a/README.md
+++ b/README.md
@@ -71,7 +71,9 @@ Copy the `config-example.yaml` into `config.yaml` and edit it for matching your

    php exec/generate-keypair.php

-A cron job for key rotation has to be set up.
+Once a day rotate the keys using a cron job that calls:
+
+    php exec/rotate-keys.php

 ### Logs directory


--- a/classes/JWKSHandler.php
+++ b/classes/JWKSHandler.php
@@ -76,6 +76,10 @@ class JWKSHandler {
        ];
    }

+    public function deleteKeyPair(RSAKeyPair $keyPair): void {
+        $this->locator->getJWKSDAO()->deleteKeyPair($keyPair->keyId);
+    }
+
    private function getTagContent(string $publicKeyXML, string $tagname): string {
        $matches = [];
        $pattern = "#<\s*?$tagname\b[^>]*>(.*?)</$tagname\b[^>]*>#s";

--- a/classes/datalayer/JWKSDAO.php
+++ b/classes/datalayer/JWKSDAO.php
@@ -17,4 +17,6 @@ interface JWKSDAO {
    public function insertRSAKeyPair(RSAKeyPair $keyPair): RSAKeyPair;

    public function getNewestKeyPair(): ?RSAKeyPair;
+
+    public function deleteKeyPair(string $id): void;
 }
--- a/classes/datalayer/mysql/MySQLJWKSDAO.php
+++ b/classes/datalayer/mysql/MySQLJWKSDAO.php
@@ -21,7 +21,7 @@ class MySQLJWKSDAO extends BaseMySQLDAO implements JWKSDAO {
        $query = "INSERT INTO rsa_keypairs(id, private_key, public_key, alg, creation_time) VALUES (:id, :private_key, :public_key, :alg, :creation_time)";

        $now = time();
-        
+
        $stmt = $dbh->prepare($query);
        $stmt->bindParam(':id', $keyPair->keyId);
        $stmt->bindParam(':private_key', $keyPair->privateKey);
@@ -38,7 +38,7 @@ class MySQLJWKSDAO extends BaseMySQLDAO implements JWKSDAO {

        $dbh = $this->getDBHandler();

-        $query = "SELECT id, private_key, public_key, alg, creation_time FROM rsa_keypairs";
+        $query = "SELECT id, private_key, public_key, alg, creation_time FROM rsa_keypairs ORDER BY creation_time DESC";

        $stmt = $dbh->prepare($query);
        $stmt->execute();
@@ -94,4 +94,15 @@ class MySQLJWKSDAO extends BaseMySQLDAO implements JWKSDAO {
        return $keyPair;
    }

+    public function deleteKeyPair(string $id): void {
+
+        $dbh = $this->getDBHandler();
+
+        $query = "DELETE FROM rsa_keypairs WHERE id = :id";
+
+        $stmt = $dbh->prepare($query);
+        $stmt->bindParam(':id', $id);
+        $stmt->execute();
+    }
+
 }
--- a/exec/rotate-keys.php
+++ b/exec/rotate-keys.php
+<?php
+
+chdir(dirname(__FILE__));
+
+include '../include/init.php';
+
+$handler = new \RAP\JWKSHandler($locator);
+$handler->generateKeyPair();
+
+$dao = $locator->getJWKSDAO();
+
+$keyPairs = $dao->getRSAKeyPairs();
+
+if (count($keyPairs) > 3) {
+    // delete oldest keypair
+    $handler->deleteKeyPair($keyPairs[count($keyPairs) - 1]);
+}