From 990be687c0fc862e0cd8f2d60cb6201162497b2d Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Fri, 28 Jan 2022 09:24:34 +0100
Subject: [PATCH] fix: handle first key rotation on newly created instance (#3118)
---
internal/api/oidc/key.go | 10 +++++++---
internal/query/key.go | 5 ++++-
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/internal/api/oidc/key.go b/internal/api/oidc/key.go
index 254319612a..1006b5af65 100644
--- a/internal/api/oidc/key.go
+++ b/internal/api/oidc/key.go
@@ -70,7 +70,11 @@ func (o *OPStorage) getSigningKey(ctx context.Context, renewTimer *time.Timer, k
 return
 }
 if len(keys.Keys) == 0 {
- o.refreshSigningKey(ctx, keyCh, o.signingKeyAlgorithm, keys.LatestSequence)
+ var sequence uint64
+ if keys.LatestSequence != nil {
+ sequence = keys.LatestSequence.Sequence
+ }
+ o.refreshSigningKey(ctx, keyCh, o.signingKeyAlgorithm, sequence)
 checkAfter := o.resetTimer(renewTimer, true)
 logging.Log("OIDC-ASDf3").Infof("next signing key check in %s", checkAfter)
 return
@@ -94,12 +98,12 @@ func (o *OPStorage) resetTimer(timer *time.Timer, shortRefresh bool) (nextCheck
 return maxLifetime - o.signingKeyGracefulPeriod - o.signingKeyRotationCheck
 }
 
-func (o *OPStorage) refreshSigningKey(ctx context.Context, keyCh chan<- jose.SigningKey, algorithm string, sequence *query.LatestSequence) {
+func (o *OPStorage) refreshSigningKey(ctx context.Context, keyCh chan<- jose.SigningKey, algorithm string, sequence uint64) {
 if o.currentKey != nil && o.currentKey.Expiry().Before(time.Now().UTC()) {
 logging.Log("OIDC-ADg26").Info("unset current signing key")
 keyCh <- jose.SigningKey{}
 }
- ok, err := o.ensureIsLatestKey(ctx, sequence.Sequence)
+ ok, err := o.ensureIsLatestKey(ctx, sequence)
 if err != nil {
 logging.Log("OIDC-sdz53").WithError(err).Error("could not ensure latest key")
 return
diff --git a/internal/query/key.go b/internal/query/key.go
index ee0555ef16..9ca0b9f6c3 100644
--- a/internal/query/key.go
+++ b/internal/query/key.go
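Review bot: The new fallback in getSigningKey passes sequence 0 to refreshSigningKey whenever keys.LatestSequence is nil, and nothing in the hunk says why that pointer can be nil or what ensureIsLatestKey makes of 0; a short comment on the `var sequence uint64` line would save the next reader a trip through the query package, e.g. `// LatestSequence is nil on a freshly created instance (no key events yet); 0 asks ensureIsLatestKey for the first key`. The "first key" reading follows from the commit subject and should be confirmed against ensureIsLatestKey, which is not in the hunk. The second hunk of this file changes refreshSigningKey's sequence parameter from *query.LatestSequence to uint64; the diffstat lists only these two files, so presumably this is the only caller, but if the query import in this file was used only for that type the build would now fail on an unused import. Both getSigningKey and refreshSigningKey continue outside the hunks.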
@@ -219,7 +219,10 @@ func (q *Queries) ActivePrivateSigningKey(ctx context.Context, t time.Time) (*Pr
 return nil, err
 }
 keys.LatestSequence, err = q.latestSequence(ctx, keyTable)
- return keys, err
+ if !errors.IsNotFound(err) {
+ return keys, err
+ }
+ return keys, nil
 }
 
 func preparePublicKeysQuery() (sq.SelectBuilder, func(*sql.Rows) (*PublicKeys, error)) {
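Review bot: The new condition `if !errors.IsNotFound(err) {` in ActivePrivateSigningKey reaches `return keys, nil` on the success path only because IsNotFound presumably returns false for a nil error; writing it as `if err != nil && !errors.IsNotFound(err) {` makes the success path independent of that helper's nil handling. The swallowed not-found case is also what leaves keys.LatestSequence unset for the caller, which deserves a comment on the branch, e.g. `// no key events yet on a fresh instance: return the keys with LatestSequence unset and let the caller start from sequence 0`. Whether q.latestSequence returns a nil pointer on not-found is not visible in the hunk and should be confirmed, since the oidc caller tests for nil. The function starts outside the hunk.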