From 35eae1d67d7e8aa8dd8176093cbc190a3cc8e00e Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Fri, 18 Nov 2011 10:14:17 -0700
Subject: [PATCH] add 'domain_key_creation_date' to session_context wsapi -
 issue #599

---
 lib/browserid/views.js        |  2 +-
 lib/keysigner/ca.js           |  4 ++--
 lib/secrets.js                | 28 +++++++++++++++++++++++++---
 lib/verifier/certassertion.js |  2 +-
 lib/wsapi/session_context.js  | 10 ++++++++--
 5 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/lib/browserid/views.js b/lib/browserid/views.js
index 93de723d3..d4dbd13e8 100644
--- a/lib/browserid/views.js
+++ b/lib/browserid/views.js
@@ -104,7 +104,7 @@ exports.setup = function(app) {
   }
 
   try {
-    const publicKey = secrets.loadPublicKey('root', config.get('var_path'));
+    const publicKey = secrets.loadPublicKey();
   } catch(e){
     logger.error("can't read public key, exiting: " + e);
     setTimeout(function() { process.exit(1); }, 0);
diff --git a/lib/keysigner/ca.js b/lib/keysigner/ca.js
index 6ef88224f..5ae54a7db 100644
--- a/lib/keysigner/ca.js
+++ b/lib/keysigner/ca.js
@@ -50,8 +50,8 @@ logger.info("Certs will be issued from: " + HOSTNAME);
 
 
 try {
-  const secret_key = secrets.loadSecretKey('root', config.get('var_path'));
-  const public_key = secrets.loadPublicKey('root', config.get('var_path'));
+  const secret_key = secrets.loadSecretKey();
+  const public_key = secrets.loadPublicKey();
 } catch(e){
   logger.error("can't read keys, exiting: " + e);
   setTimeout(function() { process.exit(1); }, 0);
diff --git a/lib/secrets.js b/lib/secrets.js
index b3ca9ad06..1dffcad9f 100644
--- a/lib/secrets.js
+++ b/lib/secrets.js
@@ -47,9 +47,21 @@ exports.generate = function(chars) {
   return str;
 }
 
+// functions to set defaults
+
+// default key name is 'root'
+function checkName(name) {
+  return name ? name : 'root';
+}
+
+// default directory is the var dir.
+function checkDir(dir) {
+  return dir ? dir :  require('./configuration').get('var_path');
+}
+
 exports.hydrateSecret = function(name, dir) {
+  dir = checkDir(dir);
   var p = path.join(dir, name + ".sekret");
-  var fileExists = false;
   var secret = undefined;
 
   try{ secret = fs.readFileSync(p).toString(); } catch(e) {};
@@ -64,8 +76,9 @@ exports.hydrateSecret = function(name, dir) {
 };
 
 exports.loadSecretKey = function(name, dir) {
+  name = checkName(name);
+  dir = checkDir(dir);
   var p = path.join(dir, name + ".secretkey");
-  var fileExists = false;
   var secret = undefined;
 
   // may throw
@@ -79,9 +92,18 @@ exports.loadSecretKey = function(name, dir) {
   return jwk.SecretKey.deserialize(secret);
 }
 
+exports.publicKeyCreationDate = function(name, dir) {
+  name = checkName(name);
+  dir = checkDir(dir);
+  var p = path.join(dir, name + ".publickey");
+  var stats = fs.statSync(p);
+  return stats.ctime;
+};
+
 exports.loadPublicKey = function(name, dir) {
+  name = checkName(name);
+  dir = checkDir(dir);
   var p = path.join(dir, name + ".publickey");
-  var fileExists = false;
   var secret = undefined;
 
   // may throw
diff --git a/lib/verifier/certassertion.js b/lib/verifier/certassertion.js
index 23d3dc9bb..e7beb9c8f 100644
--- a/lib/verifier/certassertion.js
+++ b/lib/verifier/certassertion.js
@@ -54,7 +54,7 @@ const HOSTMETA_URL = "/.well-known/host-meta";
 var publicKeys = {};
 
 try {
-  const publicKey = secrets.loadPublicKey('root', config.get('var_path'));
+  const publicKey = secrets.loadPublicKey();
 } catch(e){
   logger.error("can't read public key, exiting: " + e);
   setTimeout(function() { process.exit(1); }, 0);
diff --git a/lib/wsapi/session_context.js b/lib/wsapi/session_context.js
index 3a73014ef..f941f0025 100644
--- a/lib/wsapi/session_context.js
+++ b/lib/wsapi/session_context.js
@@ -2,7 +2,8 @@ const
 db = require('../db.js'),
 logger = require('../logging.js').logger,
 crypto = require('crypto'),
-wsapi = require('../wsapi.js');
+wsapi = require('../wsapi.js'),
+secrets = require('../secrets.js');
 
 // return the CSRF token, authentication status, and current server time (for assertion signing)
 // IMPORTANT: this is safe because it's only readable by same-origin code
@@ -11,6 +12,10 @@ exports.method = 'get';
 exports.writes_db = false;
 exports.authed = false;
 
+// determine the domain key creation date - issue #599
+const domainKeyCreationDate = secrets.publicKeyCreationDate();
+logger.debug("domain key was created at " + domainKeyCreationDate + " (certs issued prior to this are bogus)");
+
 exports.process = function(req, res) {
   if (typeof req.session == 'undefined') {
     req.session = {};
@@ -29,7 +34,8 @@ exports.process = function(req, res) {
     res.json({
       csrf_token: req.session.csrf,
       server_time: (new Date()).getTime(),
-      authenticated: auth_status
+      authenticated: auth_status,
+      domain_key_creation_date: domainKeyCreationDate.getTime()
     });
   };
 
-- 
GitLab