View Issue Details

IDProjectCategoryView StatusLast Update
0001530Main CAcert WebsiteGPG/PGPpublic2021-06-21 18:09
Reporterjandd Assigned Toegal  
PrioritynormalSeverityminorReproducibilityalways
Status needs review & testingResolutionopen 
PlatformMain CAcert WebsiteOSN/AOS Versionstable
Summary0001530: inconsistent retry behaviour for empty/missing/broken gpg signatures
DescriptionThe signer client handles incomplete/missing gpg signatures differently than X.509 certificates. The database table already has a warning column (tinyint) that is initialized with 0. For X.509 certificates this field is incremented for every failed signing attempt. For OpenPGP this is not the case. They are retried without an abort condition.
Steps To ReproduceHave a signer failure or write some garbage in the CSR file on the webdb system. See the failed gpg signing attempt on every signer loop run (in HandleGPG of CommModule/client.pl).
Additional InformationWe have > 100 such failing gpg requests in the production system but none in the test system.
TagsNo tags attached.
Reviewed by
Test Instructions

Activities

jandd

2021-06-20 17:24

administrator   ~0006015

The attached patch implements the OpenPGP variant of the warning threshold and allows consistent configuration of the threshold for X.509 and OpenPGP.
1530_Implement_warning_thresholds_for_OpenPGP.patch (1,991 bytes)   
Index: CommModule/client.pl
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/CommModule/client.pl b/CommModule/client.pl
--- a/CommModule/client.pl	(revision d328ebd6ad641a9caf4c80208a14d3b8f768edc0)
+++ b/CommModule/client.pl	(revision 5815dc8f6520047cf9fd7270cf0d968641b89289)
@@ -40,6 +40,9 @@
 
 my $debug=0;
 
+# number of attempts before giving up
+my $warn_threshold = 3;
+
 #my $serialport="/dev/ttyS0";
 my $serialport="/dev/ttyUSB0";
 
@@ -734,7 +737,9 @@
 
   SysLog "HandleCerts $table\n";
 
-  my $sth = $dbh->prepare("select * from $table where crt_name='' and csr_name!='' and warning<3");
+  my $sth = $dbh->prepare(sprintf(
+    "select * from %s where crt_name='' and csr_name!='' and warning<%d", $table, $warn_threshold
+  ));
   $sth->execute();
   #$rowdata;
   while ( my $rowdata = $sth->fetchrow_hashref() )
@@ -904,7 +909,7 @@
     else
     {
       SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n");
-      $dbh->do("update `$table` set warning=warning+1 where `id`='".$row{'id'}."'");
+      $dbh->do(sprintf("update %s set warning=warning+1 where id=%d", $table, $row{'id'}));
     }
   }
 }
@@ -1078,7 +1083,9 @@
 
 sub HandleGPG()
 {
-  my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
+  my $sth = $dbh->prepare(sprintf(
+    "select * from gpg where crt='' and csr!='' and warning<%d", $warn_threshold
+  ));
   $sth->execute();
   my $rowdata;
   while ( $rowdata = $sth->fetchrow_hashref() )
@@ -1144,7 +1151,7 @@
       sendmail($user{email}, "[CAcert.org] Your GPG/PGP Key", $body, "support\@cacert.org", "", "", "CAcert Support");
     } else {
       SysLog("Could not find the issued gpg key. ".$row{"id"}."\n");
-      #$dbh->do("delete from `gpg` where `id`='".$row{'id'}."'");
+      $dbh->do(sprintf("update gpg set warning=warning+1 where id=%d", $row{'id'}));
     }
   }
 }

bdmc

2021-06-21 18:09

developer   ~0006016

This solution appears reasonable, and should correct the issue.

Issue History

Date Modified Username Field Change
2021-06-20 17:17 jandd New Issue
2021-06-20 17:17 jandd Assigned To => jandd
2021-06-20 17:17 jandd Status new => confirmed
2021-06-20 17:24 jandd Note Added: 0006015
2021-06-20 17:24 jandd File Added: 1530_Implement_warning_thresholds_for_OpenPGP.patch
2021-06-20 17:25 jandd Assigned To jandd => egal
2021-06-20 17:25 jandd Status confirmed => needs review & testing
2021-06-21 18:09 bdmc Note Added: 0006016