From c2f86a8094dee372f314c8aa413f33f86187cf8b Mon Sep 17 00:00:00 2001 From: Jason Volk Date: Sun, 23 Jun 2019 16:08:32 -0700 Subject: [PATCH] ircd::m::keys: Distill out expiration test from verification test. --- include/ircd/m/keys.h | 1 + modules/s_keys.cc | 43 ++++++++++++++++++++++++++++--------------- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/include/ircd/m/keys.h b/include/ircd/m/keys.h index e9e98e47d..94c73fc69 100644 --- a/include/ircd/m/keys.h +++ b/include/ircd/m/keys.h @@ -15,6 +15,7 @@ namespace ircd::m { struct keys; + bool expired(const m::keys &); bool verify(const m::keys &, std::nothrow_t) noexcept; void verify(const m::keys &); } diff --git a/modules/s_keys.cc b/modules/s_keys.cc index cc9820d87..de8897301 100644 --- a/modules/s_keys.cc +++ b/modules/s_keys.cc @@ -39,17 +39,6 @@ void IRCD_MODULE_EXPORT ircd::m::verify(const m::keys &keys) { - const auto &valid_until_ts - { - at<"valid_until_ts"_>(keys) - }; - - if(valid_until_ts < ircd::time()) - throw ircd::error - { - "Key was valid until %s", timestr(valid_until_ts / 1000L) - }; - const json::object &verify_keys { at<"verify_keys"_>(keys) @@ -88,15 +77,18 @@ ircd::m::verify(const m::keys &keys) signatures.at(server_name) }; - const ed25519::sig sig{[&server_signatures, &key_id](auto &sig) + const ed25519::sig sig { - b64decode(sig, unquote(server_signatures.at(key_id))); - }}; + [&server_signatures, &key_id](auto &sig) + { + b64decode(sig, unquote(server_signatures.at(key_id))); + } + }; m::keys copy{keys}; at<"signatures"_>(copy) = string_view{}; - thread_local char buf[4096]; + thread_local char buf[16_KiB]; const const_buffer preimage { json::stringify(mutable_buffer{buf}, copy) 
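Review bot: `thread_local char buf[16_KiB];` enlarges the preimage buffer but leaves it as an unexplained fixed cap on a key object that is presumably supplied by a remote server. How `json::stringify` behaves when `copy` does not fit is not visible in this hunk; if it throws or truncates, an oversized key set would fail verification in a way that is hard to tell apart from a bad signature. Consider a named constant with a comment such as `// upper bound on a serialized m::keys object; larger objects are rejected`, and confirm that the overflow path is reported distinctly. The body of verify() starts and ends outside this hunk.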
@@ -109,6 +101,27 @@ ircd::m::verify(const m::keys &keys) "Failed to verify signature for public key of '%s'", server_name }; + + if(expired(keys)) + log::warning + { + m::log, "key '%s' for '%s' expired on %s.", + key_id, + json::get<"server_name"_>(keys, ""_sv), + timestr(at<"valid_until_ts"_>(keys) / 1000L), + }; +} + +bool +IRCD_MODULE_EXPORT +ircd::m::expired(const m::keys &keys) +{ + const auto &valid_until_ts + { + at<"valid_until_ts"_>(keys) + }; + + return valid_until_ts > ircd::time(); } //
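Review bot: The comparison in the new `ircd::m::expired()` is inverted: `return valid_until_ts > ircd::time();` returns true while the key is still valid and false once it has lapsed, the opposite of the check removed from verify(), which threw when `valid_until_ts < ircd::time()`. Because verify() now only logs on expiry, any caller that gates on expired() would accept lapsed keys and flag fresh ones, and the warning added here would fire for valid keys. The units also look mismatched: `valid_until_ts` is divided by `1000L` before `timestr()`, so it appears to be milliseconds, while `ircd::time()` is presumably seconds (not visible here, please confirm). If so, `return valid_until_ts / 1000L < ircd::time();` would fix both. A short comment on expired() stating the unit, and that verify() no longer enforces expiry, would tell callers the check is now theirs to make.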