From ccdef34b161b11d64cc1b085a26a8559860069a3 Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Wed, 15 Dec 2021 15:02:20 +0100
Subject: [PATCH] Implemented key rotation

---
 README.md                                |  4 +++-
 classes/JWKSHandler.php                  |  4 ++++
 classes/datalayer/JWKSDAO.php            |  2 ++
 classes/datalayer/mysql/MySQLJWKSDAO.php | 15 +++++++++++++--
 exec/rotate-keys.php                     | 17 +++++++++++++++++
 5 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 exec/rotate-keys.php

diff --git a/README.md b/README.md
index 974ffd7..a4e3e8a 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,9 @@ Copy the `config-example.yaml` into `config.yaml` and edit it for matching your
 
     php exec/generate-keypair.php
 
-A cron job for key rotation has to be set up.
+Once a day rotate the keys using a cron job that calls:
+
+    php exec/rotate-keys.php
 
 ### Logs directory
 
diff --git a/classes/JWKSHandler.php b/classes/JWKSHandler.php
index b6cd3b0..aa287e9 100644
--- a/classes/JWKSHandler.php
+++ b/classes/JWKSHandler.php
@@ -76,6 +76,10 @@ class JWKSHandler {
         ];
     }
 
+    public function deleteKeyPair(RSAKeyPair $keyPair): void {
+        $this->locator->getJWKSDAO()->deleteKeyPair($keyPair->keyId);
+    }
+
     private function getTagContent(string $publicKeyXML, string $tagname): string {
         $matches = [];
         $pattern = "#<\s*?$tagname\b[^>]*>(.*?)</$tagname\b[^>]*>#s";
diff --git a/classes/datalayer/JWKSDAO.php b/classes/datalayer/JWKSDAO.php
index f3bd067..8c2c215 100644
--- a/classes/datalayer/JWKSDAO.php
+++ b/classes/datalayer/JWKSDAO.php
@@ -17,4 +17,6 @@ interface JWKSDAO {
     public function insertRSAKeyPair(RSAKeyPair $keyPair): RSAKeyPair;
 
     public function getNewestKeyPair(): ?RSAKeyPair;
+
+    public function deleteKeyPair(string $id): void;
 }
diff --git a/classes/datalayer/mysql/MySQLJWKSDAO.php b/classes/datalayer/mysql/MySQLJWKSDAO.php
index 8c5f7d7..a48c20f 100644
--- a/classes/datalayer/mysql/MySQLJWKSDAO.php
+++ b/classes/datalayer/mysql/MySQLJWKSDAO.php
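Review bot: The new deleteKeyPair() in JWKSHandler has no docblock, and nothing near it says that removing a pair also removes the public half that token verifiers rely on, so a caller cannot tell that deleting a pair while tokens signed with it are still in circulation makes those tokens unverifiable. I would add above the method: `/** Permanently removes $keyPair from the key store via the JWKS DAO. Tokens signed with this pair cannot be verified afterwards, so only retire pairs whose tokens have all expired. */`. That the JWKS endpoint is served from the same DAO is inferred from the class name rather than visible in the hunk, so confirm it before wording the comment as a hard guarantee. The enclosing class JWKSHandler starts and ends outside the hunk.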
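Review bot: The new interface method `deleteKeyPair(string $id): void` in JWKSDAO does not state what happens when no pair with that id exists, and the MySQL implementation in this commit simply deletes zero rows, so implementers and callers share no contract for a destructive operation. A single PHPDoc line would settle it: `/** Deletes the key pair with the given id; an unknown id is not an error. */` — or, if callers should notice, document a thrown exception instead. The other methods in the interface are equally bare, so this follows the existing style, but deletion is the one method where the contract matters most.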
@@ -21,7 +21,7 @@ class MySQLJWKSDAO extends BaseMySQLDAO implements JWKSDAO {
         $query = "INSERT INTO rsa_keypairs(id, private_key, public_key, alg, creation_time) VALUES (:id, :private_key, :public_key, :alg, :creation_time)";
 
         $now = time();
-        
+
         $stmt = $dbh->prepare($query);
         $stmt->bindParam(':id', $keyPair->keyId);
         $stmt->bindParam(':private_key', $keyPair->privateKey);
@@ -38,7 +38,7 @@ class MySQLJWKSDAO extends BaseMySQLDAO implements JWKSDAO {
 
         $dbh = $this->getDBHandler();
 
-        $query = "SELECT id, private_key, public_key, alg, creation_time FROM rsa_keypairs";
+        $query = "SELECT id, private_key, public_key, alg, creation_time FROM rsa_keypairs ORDER BY creation_time DESC";
 
         $stmt = $dbh->prepare($query);
         $stmt->execute();
@@ -94,4 +94,15 @@ class MySQLJWKSDAO extends BaseMySQLDAO implements JWKSDAO {
         return $keyPair;
     }
 
+    public function deleteKeyPair(string $id): void {
+
+        $dbh = $this->getDBHandler();
+
+        $query = "DELETE FROM rsa_keypairs WHERE id = :id";
+
+        $stmt = $dbh->prepare($query);
+        $stmt->bindParam(':id', $id);
+        $stmt->execute();
+    }
+
 }
diff --git a/exec/rotate-keys.php b/exec/rotate-keys.php
new file mode 100644
index 0000000..8a98b85
--- /dev/null
+++ b/exec/rotate-keys.php
@@ -0,0 +1,17 @@
+<?php
+
+chdir(dirname(__FILE__));
+
+include '../include/init.php';
+
+$handler = new \RAP\JWKSHandler($locator);
+$handler->generateKeyPair();
+
+$dao = $locator->getJWKSDAO();
+
+$keyPairs = $dao->getRSAKeyPairs();
+
+if (count($keyPairs) > 3) {
+    // delete oldest keypair
+    $handler->deleteKeyPair($keyPairs[count($keyPairs) - 1]);
+}
-- 
GitLab
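Review bot: In the getRSAKeyPairs() hunk of MySQLJWKSDAO, `ORDER BY creation_time DESC` becomes a contract that the new exec/rotate-keys.php depends on (it treats the last element as the oldest pair to delete), yet neither this method nor the JWKSDAO interface documents that order; I would put above the query: `// Newest first: rotate-keys.php relies on this order to find the oldest pair at the end of the list.`. creation_time is filled from time() in the insert hunk above, so two pairs created within the same second have no defined relative order and the "oldest" pick between them is arbitrary; a secondary sort key (a higher-resolution timestamp, for instance) would make it deterministic, though I cannot see the column type from here. In the deleteKeyPair hunk the statement is correctly parameterised, but the affected-row count is never inspected, so deleting an id that no longer exists passes silently — fine if that is the intended contract, worth a comment either way. getRSAKeyPairs() starts and ends outside the hunk.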
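Review bot: The pruning rule `count($keyPairs) > 3` in exec/rotate-keys.php retains pairs by count rather than by age, so the effective retention window is whatever interval the script actually runs at: the README says once a day, but a manual run followed by the scheduled one would retire a pair created the day before while tokens it signed are presumably still valid, and those tokens would then fail verification against the published keys. A time-based guard — delete only pairs whose creation_time is older than the longest token lifetime the service issues — would decouple retention from the schedule; I cannot see how RSAKeyPair exposes its creation time in this hunk, so I leave that code to the author. At minimum the magic number and the ordering assumption should be spelled out: replace the comment with `// getRSAKeyPairs() returns newest first; keep the 3 most recent pairs so tokens signed by a retired key stay verifiable until they expire` and lift 3 into a named variable such as `$retainedKeyPairs = 3;`. Generating the new pair before pruning is the right order, but the script would still prune if generateKeyPair() failed without throwing, and that method's error behaviour is outside this hunk.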