Re: [Pki-devel] [PATCH] 0123 Do not attempt cert update unless signing key is present
On Tue, Jun 14, 2016 at 07:40:12PM -0500, Endi Sukma Dewata wrote:
On 6/13/2016 9:38 PM, Fraser Tweedale wrote:
> Hi all,
>
> The attached patch fixes https://fedorahosted.org/pki/ticket/2359.
> Please review for inclusion in 10.3.3.
>
> Thanks,
> Fraser
It looks like the initSignUnit() is only called with retrieveKeys=true in
init(). So the code that starts the key retriever thread probably can be
moved out, becoming something like this:
initDefCaAttrs();
try {
initSignUnit();
checkForNewerCert();
} catch (CAMissingCertException | CAMissingKeyException e) {
// start key retriever thread
} catch (EBaseException e) {
...
}
I think it would clarify a little bit how the missing cert/key is handled.
Yes, that will be a nice refactor. I may send a patch for that soon.
So if I understand correctly if the cert/key is missing the LWCA
object will
still be created and registered, but it will be disabled (hasKeys=false)?
When the key retriever thread is complete, will it automatically
reinitialize and enable the LWCA object?
Yes to both question. The bug was that an exception could be thrown
when constructing the LWCA object (thus it was not registered).
Key retrieval had been initiated and successfully retrieved the key,
but there was no LWCA object to reinitialise.
Regardless, feel free to push the patch as is.
Thanks, pushed to master (41aef5254c20301851716ef46b614d185b33a87b)