View Issue Details

IDProjectCategoryView StatusLast Update
0001360Main CAcert WebsiteGPG/PGPpublic2015-10-20 20:14
ReporterwytzeAssigned ToEva 
PrioritynormalSeveritymajorReproducibilityalways
Status needs reviewResolutionopen 
Product Version2015 Q1 
Target Version2015 Q1Fixed in Version 
Summary0001360: signing of gpg keys stalls due to missing directory, and also causes delays for X.509 certificate signing and revocation
DescriptionThe signing of gpg keys by the CAcert application may stall due to a missing directory for storing the signed keys.

The current code allocates a new subdirectory for every 1000 signed keys, but the code to create this new subdirectory is missing for the gpg case (it is present though for the X.509 case). The CommModule client.pl code attempts to write the signed gpg key to a file in this non-existing directory and fails, which leads eventually to an error message: "Could not find the issued gpg key.". However, the same request will be retried over and over without limit, causing delays for all signing requests, including X.509 certificates.
Steps To ReproduceRemove empty subdirectories under /home/cacert/www/crt/gpg.
Then issue more than 1000 gpg signing requests, so somewhere along the line a new subdirectory is needed.
Additional InformationAs a work-around, a number of subdirectories have been pre-created on the production server, so this failure will not occur again anytime soon, even without a code fix.

The problem is in this code fragment from CommModule/client.pl:

sub HandleGPG()
{
  my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
  $sth->execute();
  my $rowdata;
  while ( $rowdata = $sth->fetchrow_hashref() )
  {
    my %row=%{$rowdata};

    my $prefix="gpg";
    my $short=int($row{'id'}/1000);
    my $csrname = "../csr/$prefix-".$row{'id'}.".csr";
    $csrname = "../csr/$prefix/$short/$prefix-".$row{'id'}.".csr" if($newlayout);
    SysLog("New Layout: "."../csr/$prefix/$short/$prefix-".$row{'id'}.".csr\n");

    #my $crtname = "../crt/$prefix-".$row{'id'}.".crt";
    my $crtname=$csrname; $crtname=~s/^\.\.\/csr/..\/crt/; $crtname=~s/\.csr$/.crt/;
    SysLog("New Layout: $crtname\n");

The following code should be inserted before the last line:

    my $dirname=$crtname; $dirname=~s/\/[^\/]*\.crt//;
    mkdir $dirname,0755;

TagsNo tags attached.
Reviewed byBenBE
Test InstructionsSee Steps to Reproduce

Activities

wytze

2015-01-16 12:28

developer   ~0005242

See https://lists.cacert.org/wws/arc/cacert-systemlog/2015-01/msg00015.html

BenBE

2015-01-16 17:57

updater   ~0005244

The change was performed slightly different than suggested to remove a minor code duplication in the process and also ensure all paths are built based on the directory name.

felixd

2015-01-20 23:02

updater   ~0005254

Test:

I issued enough pgp signatures for the pgp-signer daemon to require a new directory (around 200).
I was told that the signer created that new directory.

Test is therefore PASSED.

INOPIAE

2015-01-21 20:39

updater   ~0005256

I create certs for client and org server certificates.
For both certs the new directory was created.

=> ok

Issue History

Date Modified Username Field Change
2015-01-16 12:25 wytze New Issue
2015-01-16 12:28 wytze Note Added: 0005242
2015-01-16 12:28 wytze Assigned To => BenBE
2015-01-16 12:28 wytze Status new => confirmed
2015-01-16 17:57 BenBE Note Added: 0005244
2015-01-16 17:57 BenBE Assigned To BenBE => dastrath
2015-01-16 17:57 BenBE Status confirmed => needs review & testing
2015-01-20 23:02 felixd Note Added: 0005254
2015-01-21 20:39 INOPIAE Note Added: 0005256
2015-01-21 21:57 BenBE Reviewed by => BenBE
2015-01-21 21:57 BenBE Status needs review & testing => needs review
2015-01-21 21:57 BenBE Product Version => 2015 Q1
2015-01-21 21:57 BenBE Target Version => 2015 Q1
2015-10-20 20:14 BenBE Assigned To dastrath => Eva