Re: [Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present
On Tue, Jun 14, 2016 at 07:40:12PM -0500, Endi Sukma Dewata wrote:
> On 6/13/2016 9:38 PM, Fraser Tweedale wrote:
> > Hi all,
> >
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2359.
> > Please review for inclusion in 10.3.3.
> >
> > Thanks,
> > Fraser
>
> It looks like the initSignUnit() is only called with retrieveKeys=true in
> init(). So the code that starts the key retriever thread probably can be
> moved out, becoming something like this:
>
> initDefCaAttrs();
>
> try {
> initSignUnit();
> checkForNewerCert();
>
> } catch (CAMissingCertException | CAMissingKeyException e) {
> // start key retriever thread
>
> } catch (EBaseException e) {
> ...
> }
>
> I think it would clarify a little bit how the missing cert/key is handled.
>
Yes, that will be a nice refactor. I may send a patch for that soon.
> So if I understand correctly if the cert/key is missing the LWCA object will
> still be created and registered, but it will be disabled (hasKeys=false)?
>
> When the key retriever thread is complete, will it automatically
> reinitialize and enable the LWCA object?
>
Yes to both question. The bug was that an exception could be thrown
when constructing the LWCA object (thus it was not registered).
Key retrieval had been initiated and successfully retrieved the key,
but there was no LWCA object to reinitialise.
> Regardless, feel free to push the patch as is.
>
Thanks, pushed to master (41aef5254c20301851716ef46b614d185b33a87b)
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present
On 6/13/2016 9:38 PM, Fraser Tweedale wrote:
Hi all,
The attached patch fixes https://fedorahosted.org/pki/ticket/2359.
Please review for inclusion in 10.3.3.
Thanks,
Fraser
It looks like the initSignUnit() is only called with retrieveKeys=true
in init(). So the code that starts the key retriever thread probably can
be moved out, becoming something like this:
initDefCaAttrs();
try {
initSignUnit();
checkForNewerCert();
} catch (CAMissingCertException | CAMissingKeyException e) {
// start key retriever thread
} catch (EBaseException e) {
...
}
I think it would clarify a little bit how the missing cert/key is handled.
So if I understand correctly if the cert/key is missing the LWCA object
will still be created and registered, but it will be disabled
(hasKeys=false)?
When the key retriever thread is complete, will it automatically
reinitialize and enable the LWCA object?
Regardless, feel free to push the patch as is.
--
Endi S. Dewata
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present
Hi all,
The attached patch fixes https://fedorahosted.org/pki/ticket/2359.
Please review for inclusion in 10.3.3.
Thanks,
Fraser
From c9f7d91295f673055201ca528ebdadd9018e4978 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 14 Jun 2016 12:19:25 +1000
Subject: [PATCH] Do not attempt cert update unless signing key is present
If an authority entry is read with the authoritySerial attribute,
and the serial differs from the known serial or the serial was
previously unknown, Dogtag attempts to update the certificate in the
NSSDB. The procedure is carried out during initialisation, and if it
fails an exception is thrown, causing the CA to remain unknown.
If the signing key is not yet in the NSSDB, the update is certain to
fail. This can happen e.g. if CA is created on one clone while
another clone is down. When the other clone comes up, it will
immediately see the authoritySerial and trigger this scenario.
To avoid this scenario, only attempt to update the certificate if
the signing unit initialisation completed successfully, implying the
presence of the signing key.
Fixes: https://fedorahosted.org/pki/ticket/2359
---
base/ca/src/com/netscape/ca/CertificateAuthority.java | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java
b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index
c9de9f9a58ce91a56043e21d47cd63020b20c085..e501380c8dd6d2d6fc400ad9f43677bfae7e258e
100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -517,8 +517,9 @@ public class CertificateAuthority
}
// init signing unit & CA cert.
+boolean initSigUnitSucceeded = false;
try {
-initSigUnit(/* retrieveKeys */ true);
+initSigUnitSucceeded = initSigUnit(/* retrieveKeys */ true);
// init default CA attributes like cert version, validity.
initDefCaAttrs();
@@ -531,7 +532,10 @@ public class CertificateAuthority
}
}
-checkForNewerCert();
+/* Don't try to update the cert unless we already have
+ * the cert and key. */
+if (initSigUnitSucceeded)
+checkForNewerCert();
mUseNonces = mConfig.getBoolean("enableNonces", true);
mMaxNonces = mConfig.getInteger("maxNumberOfNonces", 100);
--
2.5.5
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
