1 files changed, 24 insertions, 10 deletions

diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index ab12b90445..2482f59421 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -306,9 +306,6 @@ load_ed_keys(const or_options_t *options, time_t now)
 
   /* XXXX support encrypted identity keys fully */
 
-  /* XXXX use options. */
-  (void) options;
-
   /* First try to get the signing key to see how it is. */
   if (master_signing_key) {
     check_signing_cert = signing_key_cert;
@@ -329,7 +326,7 @@ load_ed_keys(const or_options_t *options, time_t now)
     EXPIRES_SOON(check_signing_cert, 0);
   const int want_new_signing_key =
     need_new_signing_key ||
-    EXPIRES_SOON(check_signing_cert, 86400/*???*/);
+    EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);
 
   {
     uint32_t flags =
@@ -365,7 +362,7 @@ load_ed_keys(const or_options_t *options, time_t now)
                options_get_datadir_fname2(options, "keys", "ed25519_signing"),
                                  flags, LOG_WARN,
                                  sign_signing_key_with_id, now,
-                                 30*86400/*XXX option*/,
+                                 options->SigningKeyLifetime,
                                  CERT_TYPE_ID_SIGNING, &sign_cert);
     if (!sign)
       FAIL("Missing signing key");
@@ -383,18 +380,22 @@ load_ed_keys(const or_options_t *options, time_t now)
    * it, if we loaded it in the first place. */
   memwipe(id->seckey.seckey, 0, sizeof(id->seckey));
 
-  if (!current_link_key || EXPIRES_SOON(link_key_cert, 7200/*???*/)) {
+  if (!current_link_key ||
+      EXPIRES_SOON(link_key_cert, options->TestingLinkKeySlop)) {
     link = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
-                      now, 2*86400/*XXX option??*/,
+                      now,
+                      options->TestingLinkKeyLifetime,
                       CERT_TYPE_SIGNING_LINK, &link_cert);
 
     if (!link)
       FAIL("Can't create link key");
   }
 
-  if (!current_auth_key || EXPIRES_SOON(auth_key_cert, 7200)/*???*/) {
+  if (!current_auth_key ||
+      EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
     auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
-                      now, 2*86400/*XXX option??*/,
+                      now,
+                      options->TestingAuthKeyLifetime,
                       CERT_TYPE_SIGNING_AUTH, &auth_cert);
 
     if (!auth)
@@ -434,9 +435,22 @@ load_ed_keys(const or_options_t *options, time_t now)
 #undef FAIL
 #undef SET_KEY
 #undef SET_CERT
-#undef EXPIRES_SOON
 }
 
+int
+should_make_new_ed_keys(const or_options_t *options, const time_t now)
+{
+  return (!master_identity_key ||
+          !master_signing_key ||
+          !current_link_key ||
+          !current_auth_key ||
+          EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop) ||
+          EXPIRES_SOON(link_key_cert, options->TestingLinkKeySlop) ||
+          EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop));
+}
+
+#undef EXPIRES_SOON
+
 const ed25519_public_key_t *
 get_master_identity_key(void)
 {