Juergen Brauckmann wrote:
Martin Bartosch wrote:How about the following approach: Before each cert issuance do the following: 1 write request file to a unique temp file 2 create an empty unique temp file (index.txt dummy) 3a set a mutex 3b get the next serial number from the *database* 3c create a unique temp file (serial dummy) and write the expected serial number to the file 4 copy the required openssl config file to a temp file and change the 'database' entry to the file created in 2 and the 'serial' entry to the file created in 3. 5 issue the certificate with the temporary config file
5.5 explicit database commit
6 clear the mutex I don't think we can do without the mutex without possibly creating 'holes' in the serial number sequence (if issuance for one certificate fails but succeeds for a second that is processed simultaneously). If we are ready to accept holes in the sequence, we can use a (database) sequence for the serial number instead of the mutex. This is obviously not an issue for CAs that use "concealed" (i. e. random) serial numbers. Ideas, comments?
Who has some time to offer ;)
Anything we can do in this regard for 0.9.2?A quick solution would be to create a big big lock in front of libIssueCertificate and clear it at the end. Perhaps something like this? sub libIssueCertificate { my $keys = [EMAIL PROTECTED]; my $ret; if ( not open ( LOCKFILE, ">> ".getRequired("LockFile")) ) { $errno = 6725; #FIXME: Errno $errval = gettext ("Cannot open lockfile ").getRequired("LockFile); return undef; } flock LOCKFILE, LOCK_EX; $ret = libIssueCertificate($keys); flock LOCKFILE, LOCK_UN; return $ret; } sub libIssueCertificate2() { [...] }
Looks good and really robust (with close). Do you already have a diff?
Problems: flock may not work on network devices.
... is this a real problem? Perhaps it is too late and I should go home :)BTW the HEAD can now issue certificates again. The migration continues slowly because I'm the only one who migrates stuff. If you want to touch OpenCA::Server::Crypto (issue_cert is the new home of libIssueCertificate) then please send a notice to the list to avoid merge conflicts.
Michael -- _______________________________________________________________ Michael Bell Humboldt-Universitaet zu Berlin Tel.: +49 (0)30-2093 2482 ZE Computer- und Medienservice Fax: +49 (0)30-2093 2704 Unter den Linden 6 [EMAIL PROTECTED] D-10099 Berlin _______________________________________________________________
smime.p7s
Description: S/MIME Cryptographic Signature
