expire old SKPI hashes

2026-04-28 02:46:29 +03:00 · 2026-04-16 20:03:46 +02:00
parent 900cb7f7aa
commit 900d88c5eb
4 changed files with 19 additions and 4 deletions
--- a/src/net/tls.rs
+++ b/src/net/tls.rs
@@ -7,6 +7,7 @@ use anyhow::Result;

 use crate::net::session::SessionStream;
 use crate::sql::Sql;
+use crate::tools::time;

 use tokio_rustls::rustls;
 use tokio_rustls::rustls::client::ClientSessionStore;
@@ -164,9 +165,10 @@ pub async fn wrap_rustls<'a>(
        .peer_certificates()
        .and_then(|certs| certs.first())
    {
+        let now = time();
        let parsed_certificate = ParsedCertificate::try_from(end_entity)?;
        let spki = parsed_certificate.subject_public_key_info();
-        spki_hash_store.save_spki(hostname, &spki, sql).await?;
+        spki_hash_store.save_spki(hostname, &spki, sql, now).await?;
    }

    Ok(tls_stream)
--- a/src/net/tls/spki.rs
+++ b/src/net/tls/spki.rs
@@ -77,14 +77,15 @@ impl SpkiHashStore {
        hostname: &str,
        spki: &SubjectPublicKeyInfoDer<'_>,
        sql: &Sql,
+        timestamp: i64,
    ) -> Result<()> {
        let hash = spki_hash(spki);
        self.hash_store
            .write()
            .insert(hostname.to_string(), hash.clone());
        sql.execute(
-            "INSERT OR REPLACE INTO tls_spki (host, spki_hash) VALUES (?, ?)",
-            (hostname, hash),
+            "INSERT OR REPLACE INTO tls_spki (host, spki_hash, timestamp) VALUES (?, ?, ?)",
+            (hostname, hash, timestamp),
        )
        .await?;
        Ok(())
--- a/src/sql.rs
+++ b/src/sql.rs
@@ -874,6 +874,17 @@ pub async fn housekeeping(context: &Context) -> Result<()> {
        .log_err(context)
        .ok();

+    context
+        .sql
+        .execute(
+            "DELETE FROM tls_spki WHERE ? > timestamp + ?",
+            (time(), 30 * 24 * 60 * 60),
+        )
+        .await
+        .context("Failed to prune SPKI store")
+        .log_err(context)
+        .ok();
+
    // Cleanup `imap` and `imap_sync` entries for deleted transports.
    //
    // Transports may be deleted directly or via sync messages,
--- a/src/sql/migrations.rs
+++ b/src/sql/migrations.rs
@@ -2365,7 +2365,8 @@ ALTER TABLE contacts ADD COLUMN name_normalized TEXT;
        sql.execute_migration(
            "CREATE TABLE tls_spki (
               host TEXT NOT NULL UNIQUE,
-               spki_hash TEXT NOT NULL -- base64 of SPKI SHA-256 hash
+               spki_hash TEXT NOT NULL, -- base64 of SPKI SHA-256 hash
+               timestamp INTEGER NOT NULL -- timestamp of the last time we have seen this key
             ) STRICT",
            migration_version,
        )