View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001530 | Main CAcert Website | GPG/PGP | public | 2021-06-20 17:17 | 2021-06-21 18:09 |
| Reporter | jandd | Assigned To | egal | | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | needs review & testing | Resolution | open | | |
| Platform | Main CAcert Website | OS | N/A | OS Version | stable |
| Summary | 0001530: inconsistent retry behaviour for empty/missing/broken gpg signatures | | | | |
| Description | The signer client handles incomplete/missing gpg signatures differently than X.509 certificates. The database table already has a warning column (tinyint) that is initialized with 0. For X.509 certificates this field is incremented for every failed signing attempt. For OpenPGP this is not the case. They are retried without an abort condition. | | | | |
| Steps To Reproduce | Have a signer failure or write some garbage in the CSR file on the webdb system. See the failed gpg signing attempt on every signer loop run (in HandleGPG of CommModule/client.pl). | | | | |
| Additional Information | We have > 100 such failing gpg requests in the production system but none in the test system. | | | | |
| Tags | No tags attached. | | | | |
| Reviewed by | | | | | |
| Test Instructions | | | | | |

The attached patch implements the OpenPGP variant of the warning threshold and allows consistent configuration of the threshold for X.509 and OpenPGP.

1530_Implement_warning_thresholds_for_OpenPGP.patch (1,991 bytes)
Index: CommModule/client.pl
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/CommModule/client.pl b/CommModule/client.pl
--- a/CommModule/client.pl (revision d328ebd6ad641a9caf4c80208a14d3b8f768edc0)
+++ b/CommModule/client.pl (revision 5815dc8f6520047cf9fd7270cf0d968641b89289)
@@ -40,6 +40,9 @@
my $debug=0;
+# number of attempts before giving up
+my $warn_threshold = 3;
+
#my $serialport="/dev/ttyS0";
my $serialport="/dev/ttyUSB0";
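Review bot: the comment on `$warn_threshold` does not say what is counted or what "giving up" means. It should state that the value is compared against the `warning` column in both HandleCerts and HandleGPG, and that a row at the threshold is no longer selected for signing. Since the accompanying note presents the threshold as configurable, it would also help to say whether operators are expected to edit this line directly.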
@@ -734,7 +737,9 @@
SysLog "HandleCerts $table\n";
- my $sth = $dbh->prepare("select * from $table where crt_name='' and csr_name!='' and warning<3");
+ my $sth = $dbh->prepare(sprintf(
+ "select * from %s where crt_name='' and csr_name!='' and warning<%d", $table, $warn_threshold
+ ));
$sth->execute();
#$rowdata;
while ( my $rowdata = $sth->fetchrow_hashref() )
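Review bot: in the HandleCerts select the threshold is formatted into the SQL text with `sprintf`, although DBI can bind it. The table name has to stay interpolated, but the value can go through a placeholder: `warning<?` in the `prepare` call and `$sth->execute($warn_threshold)`. That keeps the statement text constant per table and avoids building SQL from variables where it is not required.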
@@ -904,7 +909,7 @@
else
{
SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n");
- $dbh->do("update `$table` set warning=warning+1 where `id`='".$row{'id'}."'");
+ $dbh->do(sprintf("update %s set warning=warning+1 where id=%d", $table, $row{'id'}));
}
}
}
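Review bot: the rewritten update drops the backtick quoting around the table name and `id` that the removed line had. Keeping the backticks preserves the old behaviour for any table name that needs identifier quoting. The `%d` conversion does force `$row{'id'}` to an integer, but a bind parameter states the intent more directly: ``$dbh->do("update `$table` set warning=warning+1 where `id`=?", undef, $row{'id'})``.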
@@ -1078,7 +1083,9 @@
sub HandleGPG()
{
- my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
+ my $sth = $dbh->prepare(sprintf(
+ "select * from gpg where crt='' and csr!='' and warning<%d", $warn_threshold
+ ));
$sth->execute();
my $rowdata;
while ( $rowdata = $sth->fetchrow_hashref() )
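Review bot: with `warning<%d` added to the HandleGPG select, a request that has failed three times is never picked up again, and nothing in this patch resets `warning`. A transient signer failure would therefore strand an otherwise valid request after three loop runs. Please document how such rows are meant to be reset or cleaned up (the issue mentions more than 100 failing requests in production), or add a reset path.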
@@ -1144,7 +1151,7 @@
sendmail($user{email}, "[CAcert.org] Your GPG/PGP Key", $body, "support\@cacert.org", "", "", "CAcert Support");
} else {
SysLog("Could not find the issued gpg key. ".$row{"id"}."\n");
- #$dbh->do("delete from `gpg` where `id`='".$row{'id'}."'");
+ $dbh->do(sprintf("update gpg set warning=warning+1 where id=%d", $row{'id'}));
}
}
}
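Review bot: the else branch in HandleGPG writes the same "Could not find the issued gpg key" line on every failure, so the log does not show when a request reaches the threshold and is abandoned. Consider a distinct SysLog message when the incremented `warning` reaches `$warn_threshold`, since the only mail visible in this hunk is sent on the success path and the requester hears nothing about a request that is dropped.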

This solution appears reasonable, and should correct the issue.

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2021-06-20 17:17 | jandd | New Issue | |
| 2021-06-20 17:17 | jandd | Assigned To | => jandd |
| 2021-06-20 17:17 | jandd | Status | new => confirmed |
| 2021-06-20 17:24 | jandd | Note Added: 0006015 | |
| 2021-06-20 17:24 | jandd | File Added: 1530_Implement_warning_thresholds_for_OpenPGP.patch | |
| 2021-06-20 17:25 | jandd | Assigned To | jandd => egal |
| 2021-06-20 17:25 | jandd | Status | confirmed => needs review & testing |
| 2021-06-21 18:09 | bdmc | Note Added: 0006016 | |