From 012c934e08af933b1b4924bea04ccaf75b67f469 Mon Sep 17 00:00:00 2001
From: Taylor Frey
Date: Tue, 25 Oct 2022 14:14:51 -0600
Subject: [PATCH 1/2] Include ssl DS 'version' (not TLS version) when reencrypting DS SSL Key information

---
 traffic_ops/app/db/reencrypt/reencrypt.go | 35 ++++++++++++++---------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/traffic_ops/app/db/reencrypt/reencrypt.go b/traffic_ops/app/db/reencrypt/reencrypt.go
index cd25ac34c1..2453befdee 100644
--- a/traffic_ops/app/db/reencrypt/reencrypt.go
+++ b/traffic_ops/app/db/reencrypt/reencrypt.go
@@ -160,49 +160,56 @@ func readKey(keyLocation string) ([]byte, error) {
 	return key, nil
 }
+type sslInfo struct {
+	xmlId        string
+	version      string
+	previousData []byte
+	newData      []byte
+}
+
 func reEncryptSslKeys(tx *sql.Tx, previousKey []byte, newKey []byte) error {
-	rows, err := tx.Query("SELECT deliveryservice, data FROM sslkey")
+	rows, err := tx.Query("SELECT deliveryservice, version, data FROM sslkey")
 	if err != nil {
 		return fmt.Errorf("querying: %w", err)
 	}
 	defer rows.Close()
-	sslKeyMap := map[string][]byte{}
+	var sslKeyInfos []sslInfo
 	for rows.Next() {
-		xmlid := ""
-		var encryptedSslKeys []byte
-		if err = rows.Scan(&xmlid, &encryptedSslKeys); err != nil {
+		sslKeyInfo := sslInfo{}
+
+		if err = rows.Scan(&sslKeyInfo.xmlId, &sslKeyInfo.version, &sslKeyInfo.previousData); err != nil {
 			return fmt.Errorf("getting SSL Keys: %w", err)
 		}
-		jsonKeys, err := util.AESDecrypt(encryptedSslKeys, previousKey)
+		jsonKeys, err := util.AESDecrypt(sslKeyInfo.previousData, previousKey)
 		if err != nil {
 			return fmt.Errorf("reading SSL Keys: %w", err)
 		}
 		if !bytes.HasPrefix(jsonKeys, []byte("{")) {
-			return fmt.Errorf("decrypted SSL Key did not have prefix '{' for xmlid %s", xmlid)
+			return fmt.Errorf("decrypted SSL Key did not have prefix '{' for xmlid %s", sslKeyInfo.xmlId)
 		}
-		reencryptedKeys, err := util.AESEncrypt(jsonKeys, newKey)
+		sslKeyInfo.newData, err = util.AESEncrypt(jsonKeys, newKey)
 		if err != nil {
 			return fmt.Errorf("encrypting SSL Keys with new key: %w", err)
 		}
-		sslKeyMap[xmlid] = reencryptedKeys
+		sslKeyInfos = append(sslKeyInfos, sslKeyInfo)
 	}
-	for xmlid, reencryptedKeys := range sslKeyMap {
-		res, err := tx.Exec(`UPDATE sslkey SET data = $1 WHERE deliveryservice = $2`, reencryptedKeys, xmlid)
+	for _, sslKeyInfo := range sslKeyInfos {
+		res, err := tx.Exec(`UPDATE sslkey SET data = $1 WHERE deliveryservice = $2 AND version = $3`, sslKeyInfo.newData, sslKeyInfo.xmlId, sslKeyInfo.version)
 		if err != nil {
-			return fmt.Errorf("updating SSL Keys for xmlid %s: 
%w", xmlid, err)
+			return fmt.Errorf("updating SSL Keys for xmlid %s: %w", sslKeyInfo.xmlId, err)
 		}
 		rowsAffected, err := res.RowsAffected()
 		if err != nil {
-			return fmt.Errorf("determining rows affected for reencrypting SSL Keys with xmlid %s: %w", xmlid, err)
+			return fmt.Errorf("determining rows affected for reencrypting SSL Keys with xmlid %s: %w", sslKeyInfo.xmlId, err)
 		}
 		if rowsAffected == 0 {
-			return fmt.Errorf("no rows updated for reencrypting SSL Keys for xmlid %s", xmlid)
+			return fmt.Errorf("no rows updated for reencrypting SSL Keys for xmlid %s", sslKeyInfo.xmlId)
 		}
 	}

From 59c7cebc87ff6a967092fe86e14718aeee2ef8a0 Mon Sep 17 00:00:00 2001
From: Taylor Frey
Date: Tue, 25 Oct 2022 15:09:45 -0600
Subject: [PATCH 2/2] Changelog entry

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2cd55cdaa..a84a14f39a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -38,6 +38,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7048](https://github.com/apache/trafficcontrol/issues/7048) *Traffic Stats* Add configuration value to set the client request timeout for calls to Traffic Ops.
 - Updated Apache Tomcat from 9.0.43 to 9.0.67
 - [#7125](https://github.com/apache/trafficcontrol/issues/7125) *Docs* Reflect implementation and deprecation notice for `letsencrypt/autorenew` endpoint.
+- [#7158](https://github.com/apache/trafficcontrol/issues/7158) *Traffic Vault* Fix the `reencrypt` utility to uniquely reencrypt each version of the SSL Certificates.
 ## [7.0.0] - 2022-07-19
 ### Added
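Review bot: The scan loop in `reEncryptSslKeys` never checks `rows.Err()` once `for rows.Next()` returns false, so a cursor that ends early (for instance on a connection error) silently exits the loop with a partial `sslKeyInfos` slice, and the update loop that follows immediately re-encrypts only those rows while the remaining sslkey rows stay under the old key. Add, between the closing brace of the scan loop and the `for _, sslKeyInfo := range sslKeyInfos` line: `if err := rows.Err(); err != nil { return fmt.Errorf("iterating SSL Keys: %w", err) }`. Whether the caller would then roll the transaction back is not visible here, and the function's tail after the update loop also lies outside this hunk, so I cannot tell whether a later check covers it. As a minor style point, Go's initialism convention would spell the new struct field `xmlID` rather than `xmlId`.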