chore: improve /cose/renew_kek API

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/BurntSushi/toml v1.3.2
 	github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible
 	github.com/fxamacker/cbor/v2 v2.5.0
-	github.com/go-playground/validator/v10 v10.16.0
+	github.com/go-playground/validator/v10 v10.17.0
 	github.com/google/uuid v1.5.0
 	github.com/klauspost/compress v1.17.4
 	github.com/ldclabs/cose v1.2.0
@@ -15,7 +15,7 @@ require (
 	github.com/stretchr/testify v1.8.4
 	github.com/teambition/gear v1.27.3
 	go.uber.org/dig v1.17.1
-	golang.org/x/oauth2 v0.15.0
+	golang.org/x/oauth2 v0.16.0
 )
 
 require (
@@ -30,8 +30,8 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/teambition/trie-mux v1.5.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/crypto v0.18.0 // indirect
+	golang.org/x/net v0.20.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect

go.sum

@@ -1,5 +1,6 @@
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/aliyun/aliyun-oss-go-sdk v2.0.0/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible h1:8psS8a+wKfiLt1iVDX79F7Y6wUM49Lcha2FMXt4UM8g=
 github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -22,6 +23,8 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.16.0 h1:x+plE831WK4vaKHO/jpgUGsvLKIqRRkz6M78GuJAfGE=
 github.com/go-playground/validator/v10 v10.16.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
+github.com/go-playground/validator/v10 v10.17.0 h1:SmVVlfAOtlZncTxRuinDPomC2DkXJ4E5T9gDA0AIH74=
+github.com/go-playground/validator/v10 v10.17.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
@@ -66,14 +69,20 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ=
 golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
+golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
+golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

src/api/cose.go

@@ -18,6 +18,7 @@ const DEFAULT_PATH = "m/123456789'/0'/0'/1/0"
 type RenewKEKInput struct {
 	State *util.Bytes `json:"state" cbor:"state"`
 	Sig   *util.Bytes `json:"sig" cbor:"sig"`
+	Renew bool        `json:"renew" cbor:"renew"`
 }
 
 func (i *RenewKEKInput) Validate() error {
@@ -32,7 +33,7 @@ func (i *RenewKEKInput) Validate() error {
 type RenewKEKOutput struct {
 	Key       key.Key     `json:"key" cbor:"key"` // private key
 	State     util.Bytes  `json:"state" cbor:"state"`
-	KeyStale  bool        `json:"key_stale" cbor:"key_stale"`
+	IssAt     int64       `json:"iss_at" cbor:"iss_at"`
 	NextKey   *key.Key    `json:"next_key" cbor:"next_key"` // private key
 	NextState *util.Bytes `json:"next_state" cbor:"next_state"`
 }
@@ -56,8 +57,7 @@ func (a *AuthN) COSERenewKEK(ctx *gear.Context) error {
 			return gear.ErrBadRequest.From(err)
 		}
 
-		output.KeyStale = time.Now().Unix()-issAt > 3600*24*3
-
+		output.IssAt = issAt
 		res, err := a.blls.Session.DeriveUserKey(ctx, *sess.UID, path)
 		if err != nil {
 			return gear.ErrInternalServerError.From(err)
@@ -75,7 +75,7 @@ func (a *AuthN) COSERenewKEK(ctx *gear.Context) error {
 			return gear.ErrBadRequest.From(err)
 		}
 
-		if output.KeyStale {
+		if input.Renew {
 			path, err = util.NextDerivePath(path)
 			if err != nil {
 				return gear.ErrBadRequest.From(err)
@@ -91,7 +91,7 @@ func (a *AuthN) COSERenewKEK(ctx *gear.Context) error {
 				return gear.ErrInternalServerError.From(err)
 			}
 
-			nextState, err := a.createKEKState(*sess.UID, path)
+			nextState, err := a.createKEKState(*sess.UID, path, time.Now().Unix())
 			if err != nil {
 				return gear.ErrInternalServerError.From(err)
 			}
@@ -109,20 +109,22 @@ func (a *AuthN) COSERenewKEK(ctx *gear.Context) error {
 			return gear.ErrInternalServerError.From(err)
 		}
 
-		output.State, err = a.createKEKState(*sess.UID, DEFAULT_PATH)
+		output.IssAt = time.Now().Unix()
+		output.State, err = a.createKEKState(*sess.UID, DEFAULT_PATH, output.IssAt)
 		if err != nil {
 			return gear.ErrInternalServerError.From(err)
 		}
+
 	}
 
 	return ctx.OkSend(output)
 }
 
-func (a *AuthN) createKEKState(uid util.ID, path string) (util.Bytes, error) {
+func (a *AuthN) createKEKState(uid util.ID, path string, issAt int64) (util.Bytes, error) {
 	obj := &cose.Mac0Message[key.IntMap]{
 		Unprotected: cose.Headers{},
 		Payload: key.IntMap{
-			0: time.Now().Unix(),
+			0: issAt,
 			1: uid,
 			2: path,
 		},