Implemented minor improvements to error messages and documentation for

key storage.
pendulum-project · Feb 21, 2024 · f67e2a3 · f67e2a3
1 parent 98747f2
commit f67e2a3
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 4 deletions.
diff --git a/docs/guide/nts.md b/docs/guide/nts.md
@@ -129,6 +129,8 @@ key-storage-path="/path/to/store/key/material"
 
 Note that, like with the TLS private key, an attacker having access to the file
 specified under `key-storage-path` can compromise all connections to clients.
+Furthermore, the daemon will not create any parent directories if they don't exist.
+It will create the file if it doesn't exist.
 
 ### Certificates using certbot
 Let's encrypt recommends using certbot for managing certificates on your server.

diff --git a/docs/man/ntp.toml.5.md b/docs/man/ntp.toml.5.md
@@ -203,6 +203,9 @@ relevant configuration in the `[[nts-ke-server]]` section.
 :   If set, stores the internal NTS keys in the file indicated by *path*. This
     allows keys to survive a server reboot. If not set, clients using NTS may
     need to redo a key exchange operation to get new NTS cookies.
+    The daemon will not create any parent directories if they don't exist.
+    It will create the file if it doesn't exist.
+
 
 ## `[[nts-ke-server]]`
 The daemon can be configured to operate as an NTS key exchange server by

diff --git a/docs/precompiled/man/ntp.toml.5 b/docs/precompiled/man/ntp.toml.5
@@ -259,6 +259,9 @@ If set, stores the internal NTS keys in the file indicated by
 This allows keys to survive a server reboot.
 If not set, clients using NTS may need to redo a key exchange operation
 to get new NTS cookies.
+The daemon will not create any parent directories if they don\[cq]t
+exist.
+It will create the file if it doesn\[cq]t exist.
 .SS \f[V][[nts-ke-server]]\f[R]
 .PP
 The daemon can be configured to operate as an NTS key exchange server by

diff --git a/ntp.server.toml b/ntp.server.toml
@@ -28,3 +28,6 @@ single-step-panic-threshold = 1800
 startup-step-panic-threshold = { forward="inf", backward = 1800 }
 #accumulated-threshold = 1800
 #minimum-agreeing-sources = 3
+
+[keyset]
+key-storage-path="/path/to/store/key/material"
diff --git a/ntpd/src/daemon/nts_key_provider.rs b/ntpd/src/daemon/nts_key_provider.rs
@@ -56,9 +56,7 @@ pub async fn spawn(config: KeysetConfig) -> watch::Receiver<Arc<KeySet>> {
     };
     let (tx, rx) = watch::channel(provider.get());
     tokio::task::spawn_blocking(move || loop {
-        std::thread::sleep(next_interval);
-        next_interval = std::time::Duration::from_secs(config.key_rotation_interval as _);
-        provider.rotate();
+        // First save, then sleep. Ensures new sets created at boot are also saved.
         if let Some(path) = &config.key_storage_path {
             if let Err(e) = (|| -> std::io::Result<()> {
                 let mut output = OpenOptions::new()
@@ -69,12 +67,21 @@ pub async fn spawn(config: KeysetConfig) -> watch::Receiver<Arc<KeySet>> {
                     .open(path)?;
                 provider.store(&mut output)
             })() {
-                warn!(error = ?e, "Could not store nts server keys");
+                if e.kind() == std::io::ErrorKind::NotFound
+                    || e.kind() == std::io::ErrorKind::PermissionDenied
+                {
+                    warn!(error = ?e, "Could not store nts server keys, parent directory does not exist or has insufficient permissions");
+                } else {
+                    warn!(error = ?e, "Could not store nts server keys");
+                }
             }
         }
         if tx.send(provider.get()).is_err() {
             break;
         }
+        std::thread::sleep(next_interval);
+        next_interval = std::time::Duration::from_secs(config.key_rotation_interval as _);
+        provider.rotate();
     });
     rx
 }