Martin Bartosch wrote:
> How about the following approach:
>
> Before each cert issuance do the following:
> 1  write request file to a unique temp file
> 2  create an empty unique temp file (index.txt dummy)
> 3a set a mutex
> 3b get the next serial number from the *database*
> 3c create a unique temp file (serial dummy) and write the expected
>    serial number to the file
> 4  copy the required openssl config file to a temp file and change
>    the 'database' entry to the file created in 2 and the 'serial'
>    entry to the file created in 3.
> 5  issue the certificate with the temporary config file
> 6  clear the mutex
>
> I don't think we can do without the mutex without possibly creating
> 'holes' in the serial number sequence (if issuance for one certificate
> fails but succeeds for a second that is processed simultaneously).
> If we are ready to accept holes in the sequence, we can use a (database)
> sequence for the serial number instead of the mutex. This is obviously
> not an issue for CAs that use "concealed" (i. e. random) serial numbers.
>
> Ideas, comments?
Yes, this is the way to go.

> Anything we can do in this regard for 0.9.2?

A quick solution would be to create a big big lock in front of
libIssueCertificate and clear it at the end. Perhaps something like this?

    use Fcntl qw(:flock);    # LOCK_EX / LOCK_UN constants

    sub libIssueCertificate {
        my $keys = [ @_ ];   # "@_" was masked by the list archive; reconstructed
        my $ret;

        # the lock file is opened for append so it is created on first use
        if ( not open ( LOCKFILE, ">> ".getRequired("LockFile") ) ) {
            $errno  = 6725;  # FIXME: Errno
            $errval = gettext ("Cannot open lockfile ").getRequired("LockFile");
            return undef;
        }
        flock LOCKFILE, LOCK_EX;            # block until we own the lock
        $ret = libIssueCertificate2($keys); # the real issuance, renamed below
        flock LOCKFILE, LOCK_UN;
        close LOCKFILE;
        return $ret;
    }

    sub libIssueCertificate2 {
        # [...]  (original body of libIssueCertificate)
    }

Problems: flock may not work on network devices.

Regards, Juergen
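The lock-around-issuance idea from the thread, carried through with Martin's temp-file steps 2 to 4, as an added Perl example that is not OpenCA code. It assumes nothing about OpenCA's internals: the lock file path, the openssl.cnf fragment and the serial value are constructed for the demo, the database query that yields the next serial is left to the caller, and the openssl call itself is omitted so the script runs offline.

```perl
#!/usr/bin/perl
# Added example, not OpenCA code: serialise certificate issuance with an
# exclusive flock that is released on every exit path, then build the
# per-issuance temporary openssl config with 'database' and 'serial'
# rewritten to fresh temp files. Paths and values below are constructed.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempfile);

# Hold an exclusive advisory lock on $lockfile while $code runs. The lock is
# released even if $code dies (the error is re-thrown), so a failed issuance
# cannot wedge the CA, and no second issuance can interleave with this one.
sub with_issuance_lock {
    my ($lockfile, $code) = @_;
    open(my $lock, '>>', $lockfile) or die "Cannot open lockfile $lockfile: $!";
    flock($lock, LOCK_EX) or die "Cannot lock $lockfile: $!";
    my $result = eval { $code->() };
    my $err = $@;
    flock($lock, LOCK_UN);
    close($lock);
    die $err if $err;
    return $result;
}

# Copy $config_path to a temp file, pointing 'database' at an empty
# index.txt dummy and 'serial' at a dummy holding $serial_hex (the next
# serial as read from the CA database; that query is assumed to be done by
# the caller, under the same lock). Returns the three temp paths.
sub prepare_temp_config {
    my ($config_path, $serial_hex) = @_;

    my ($index_fh, $index_file) = tempfile(UNLINK => 0);
    close($index_fh);                        # empty index.txt dummy

    my ($serial_fh, $serial_file) = tempfile(UNLINK => 0);
    print {$serial_fh} "$serial_hex\n";      # openssl reads the serial as hex
    close($serial_fh);

    open(my $in, '<', $config_path) or die "Cannot read $config_path: $!";
    my ($out, $tmp_config) = tempfile(UNLINK => 0);
    while (my $line = <$in>) {
        $line =~ s/^(\s*database\s*=\s*).*/$1$index_file/;
        $line =~ s/^(\s*serial\s*=\s*).*/$1$serial_file/;
        print {$out} $line;
    }
    close($in);
    close($out);
    return { config => $tmp_config, index => $index_file, serial => $serial_file };
}

# Demo with a constructed openssl.cnf fragment.
my ($cnf_fh, $cnf) = tempfile(UNLINK => 1);
print {$cnf_fh} "[ ca ]\ndefault_ca = CA_default\n\n[ CA_default ]\n",
                "dir      = /var/openca\n",
                "database = \$dir/index.txt\n",
                "serial   = \$dir/serial\n";
close($cnf_fh);

# Everything from "read next serial" to "issue" happens under the lock, so
# two concurrent issuances cannot both claim the same serial.
my $files = with_issuance_lock("$cnf.lock", sub {
    my $next_serial = '1A2B';                # constructed; would come from the DB
    return prepare_temp_config($cnf, $next_serial);
});

open(my $fh, '<', $files->{config}) or die $!;
print while <$fh>;
close($fh);
unlink @{$files}{qw(config index serial)}, "$cnf.lock";
```

Two design points follow from the thread. Because the serial lookup, the issuance and any commit of the new serial all run inside the locked block, a failure simply propagates out of `with_issuance_lock` before anything is committed, which is what keeps the sequence free of holes. And since `flock` is an advisory lock that Juergen notes may not work on network devices, the lock file should live on a local filesystem that every issuing process shares.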