Verified Commit e537013a authored by Vojtech Myslivec's avatar Vojtech Myslivec

ca: Simplify random serial number generation

Something has already gone wrong if a duplicated serial_number is generated; the process will then fail on the UNIQUE db constraint.
parent 1999d027
......@@ -10,7 +10,7 @@ import sn
from .exceptions import CAError, CASetupError
from .crypto import build_aki, build_client_cert, build_subject, cert_from_file, check_cert, key_from_file, key_match, random_serial_number, sign_cert
from .db import get_certs, store_cert, row_with_serial_number
from .db import get_certs, store_cert
logger = logging.getLogger("ca")
......@@ -53,7 +53,7 @@ class CA:
def issue_cert(self, csr, identity, days=CERT_DAYS):
serial_number = self.get_unique_serial_number()
serial_number = random_serial_number()
not_before = datetime.datetime.utcnow()
not_after = not_before + datetime.timedelta(days=days)
# raise a CAError when CA cert will not be valid till not_after
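Review bot: With `serial_number = random_serial_number()` the collision case is no longer surfaced as a CAError; the failure now comes from the UNIQUE constraint on `certs.sn` when the row is stored (presumably a sqlite3.IntegrityError, judging by the `?` placeholders in the db module), so callers that handled the old `Could not get unique certificate s/n` error will see a raw database exception instead. If relying on the constraint is intended, convert it at the boundary where issue_cert calls store_cert, e.g. `except sqlite3.IntegrityError as err: raise CAError("Duplicate certificate serial number") from err`, so the error type issue_cert raises stays stable. A short why-comment above the assignment would also document the decision: `# no retry on collision: uniqueness is enforced by the UNIQUE constraint on certs.sn`. issue_cert's body continues outside the hunk, so the store_cert call site itself is not visible here.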
......@@ -77,16 +77,3 @@ class CA:
def check_cert_valid_at(self, at):
if self.cert.not_valid_after < at:
raise CAError("CA cert will expire sooner than requested")
def get_unique_serial_number(self):
# random_serial_number() gives unique values when everything is ok
# repeated s/n generation and check for accidental generation and/or OS issues
for i in range(42):
serial_number = random_serial_number()
if row_with_serial_number(self.db, serial_number):
logger.warning("random_serial_number() returns duplicated s/n")
return serial_number
raise CAError("Could not get unique certificate s/n")
......@@ -61,9 +61,3 @@ def store_cert(conn, cert):
(str(serial_number), "valid", identity, not_before, not_after, cert_bytes)
def row_with_serial_number(conn, serial_number):
with contextlib.closing(conn.cursor()) as c:
c.execute('SELECT * FROM certs WHERE sn=?', (str(serial_number),))
return c.fetchone()