From fbba6a83482ed380a4d09655cdc43d2e2a95b712 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Apr 07 2011 17:17:43 +0000 Subject: - add a read-keyinfo cycle after key generation, so that we have proper records (we'll need them later) --- diff --git a/doc/design.txt b/doc/design.txt index 176b359..9b35aff 100644 --- a/doc/design.txt +++ b/doc/design.txt @@ -14,6 +14,9 @@ Now with some arbitrarily-named states for our per-certificate state machine: * Generating a key pair. States: NEED_KEY_PAIR, GENERATING_KEY_PAIR [*], NEED_KEY_GEN_PIN, HAVE_KEY_PAIR + * Reading info about key pair. + NEED_KEYINFO, READING_KEYINFO [*], + NEED_KEYINFO_READ_PIN, HAVE_KEYINFO * Generating a CSR containing public key. States: NEED_CSR, GENERATING_CSR [*], NEED_CSR_GEN_PIN, HAVE_CSR * Submitting CSR to a CA. @@ -83,13 +86,46 @@ State logic: break HAVE_KEY_PAIR: + state_next = NEED_KEYINFO + state_transition = now + break + + NEED_KEYINFO: + start-reading-key-information + state_next = READING_KEYINFO + state_transition = now + break + + READING_KEYINFO: + if starting-up + state_next = NEED_KEYINFO + state_transition = now + else + if finished-reading-key-information + state_next = HAVE_KEYINFO + state_transition = now + elseif key-store-needs-pin + state_next = NEED_KEYINFO_READ_PIN + state_transition = now + else + state_next = NEED_KEY_PAIR + state_transition = now + break + + NEED_KEYINFO_READ_PIN: + if starting-up + state_next = NEED_KEYINFO + state_transition = soon + break + + HAVE_KEYINFO: state_next = NEED_CSR state_transition = now break NEED_CSR: if starting-up - state_next = HAVE_KEY_PAIR + state_next = HAVE_KEYINFO state_transition = now else if don't-have-a-full-template @@ -101,7 +137,7 @@ State logic: GENERATING_CSR: if starting-up - state_next = HAVE_KEY_PAIR + state_next = HAVE_KEYINFO state_transition = now else if csrgen-finished 
@@ -121,7 +157,7 @@ State logic: NEED_CSR_GEN_PIN: if starting-up - state_next = HAVE_KEY_PAIR + state_next = HAVE_KEYINFO state_transition = now break diff --git a/src/getcert.c b/src/getcert.c index 4f05a49..c0d7a21 100644 --- a/src/getcert.c +++ b/src/getcert.c @@ -1790,6 +1790,10 @@ list(const char *argv0, int argc, char **argv) case CM_NEED_KEY_GEN_PIN: case CM_GENERATING_KEY_PAIR: case CM_HAVE_KEY_PAIR: + case CM_NEED_KEYINFO: + case CM_READING_KEYINFO: + case CM_NEED_KEYINFO_READ_PIN: + case CM_HAVE_KEYINFO: case CM_NEED_CSR: case CM_NEED_CSR_GEN_PIN: case CM_GENERATING_CSR: diff --git a/src/iterate.c b/src/iterate.c index 0fb6672..1b8a7d9 100644 --- a/src/iterate.c +++ b/src/iterate.c @@ -66,14 +66,24 @@ cm_entry_reset_state(struct cm_store_entry *entry) break; case CM_HAVE_KEY_PAIR: break; + case CM_NEED_KEYINFO: + break; + case CM_READING_KEYINFO: + entry->cm_state = CM_NEED_KEYINFO; + break; + case CM_NEED_KEYINFO_READ_PIN: + entry->cm_state = CM_NEED_KEYINFO; + break; + case CM_HAVE_KEYINFO: + break; case CM_NEED_CSR: - entry->cm_state = CM_HAVE_KEY_PAIR; + entry->cm_state = CM_HAVE_KEYINFO; break; case CM_NEED_CSR_GEN_PIN: - entry->cm_state = CM_HAVE_KEY_PAIR; + entry->cm_state = CM_HAVE_KEYINFO; break; case CM_GENERATING_CSR: - entry->cm_state = CM_HAVE_KEY_PAIR; + entry->cm_state = CM_HAVE_KEYINFO; break; case CM_HAVE_CSR: break; 
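Review bot: In cm_entry_reset_state() the `CM_NEED_CSR`, `CM_NEED_CSR_GEN_PIN` and `CM_GENERATING_CSR` cases now reset to `CM_HAVE_KEYINFO`, so an entry that an earlier build saved in one of those states is treated after a restart as if its key information had been read, although that build had no read step. If the records this commit introduces are needed later, resetting those three cases with `entry->cm_state = CM_NEED_KEYINFO;` would force one read-back after a restart (tests/010-iterate/expected.out would need the matching update). Otherwise a comment such as `/* Entries saved before the keyinfo states existed arrive here without a keyinfo read. */` would at least record the gap. Whether any later state depends on the read having happened is not visible here, and the function starts and ends outside the hunk.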
@@ -338,6 +348,70 @@ cm_iterate(struct cm_store_entry *entry, struct cm_store_ca *ca, break; case CM_HAVE_KEY_PAIR: + entry->cm_state = CM_NEED_KEYINFO; + *when = cm_time_now; + break; + + case CM_NEED_KEYINFO: + /* Try to read information about the key. */ + state->cm_keyiread_state = cm_keyiread_start(entry); + if (state->cm_keyiread_state != NULL) { + entry->cm_state = CM_READING_KEYINFO; + /* Note that we're reading information about + * the key. */ + *readfd = cm_keyiread_get_fd(entry, + state->cm_keyiread_state); + if (*readfd == -1) { + *when = cm_time_soon; + } else { + *when = cm_time_no_time; + } + } else { + /* Failed to start reading info about the key; + * try again soon. */ + *when = cm_time_soonish; + } + break; + + case CM_READING_KEYINFO: + /* If we finished reading info about the key, move on to + * generating a CSR. */ + if (cm_keyiread_ready(entry, state->cm_keyiread_state) == 0) { + if (cm_keyiread_finished_reading(entry, + state->cm_keyiread_state) == 0) { + entry->cm_state = CM_HAVE_KEYINFO; + *when = cm_time_now; + } else + if (cm_keyiread_need_pin(entry, + state->cm_keyiread_state) == 0) { + /* If we need the PIN, just hang on. */ + entry->cm_state = CM_NEED_KEYINFO_READ_PIN; + *when = cm_time_now; + } else { + /* Otherwise try to generate a new key pair. */ + entry->cm_state = CM_NEED_KEY_PAIR; + *when = cm_time_soonish; + } + cm_keyiread_done(entry, state->cm_keyiread_state); + state->cm_keyiread_state = NULL; + } else { + /* Wait for status update, or poll. */ + *readfd = cm_keyiread_get_fd(entry, + state->cm_keyiread_state); + if (*readfd == -1) { + *when = cm_time_soon; + } else { + *when = cm_time_no_time; + } + } + break; + + case CM_NEED_KEYINFO_READ_PIN: + /* Revisit this later. */ + *when = cm_time_no_time; + break; + + case CM_HAVE_KEYINFO: entry->cm_state = CM_NEED_CSR; *when = cm_time_now; break; diff --git a/src/store-gen.c b/src/store-gen.c index 2dd5214..05ebe9c 100644 --- a/src/store-gen.c +++ b/src/store-gen.c 
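Review bot: In the `CM_READING_KEYINFO` case, any outcome that is neither a finished read nor a PIN request sends the entry back to `CM_NEED_KEY_PAIR`, so a transient failure of the read helper is handled the same way as a missing key and leads to a new key pair being generated. Because `CM_HAVE_KEY_PAIR` now always proceeds to `CM_NEED_KEYINFO`, a read that keeps failing would cycle generate, read, generate at `cm_time_soonish` intervals with nothing recorded about the cause. I would document the fallback where it happens, e.g. `/* Read failed for a reason other than a missing PIN; we assume the key is unusable and generate a new one. */`, and consider retrying the read (`entry->cm_state = CM_NEED_KEYINFO;`) a bounded number of times before regenerating. What happens to the existing key when generation restarts is not visible in this hunk, and cm_iterate() begins and ends outside it.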
@@ -36,8 +36,11 @@ static struct { {"NEED_KEY_PAIR", CM_NEED_KEY_PAIR}, {"NEED_KEY_GEN_PIN", CM_NEED_KEY_GEN_PIN}, {"GENERATING_KEY_PAIR", CM_GENERATING_KEY_PAIR}, - {"NEED_KEY_GEN_PIN", CM_NEED_KEY_GEN_PIN}, {"HAVE_KEY_PAIR", CM_HAVE_KEY_PAIR}, + {"NEED_KEYINFO", CM_NEED_KEYINFO}, + {"READING_KEYINFO", CM_READING_KEYINFO}, + {"NEED_KEYINFO_READ_PIN", CM_NEED_KEYINFO_READ_PIN}, + {"HAVE_KEYINFO", CM_HAVE_KEYINFO}, {"NEED_CSR", CM_NEED_CSR}, {"NEED_CSR_GEN_PIN", CM_NEED_CSR_GEN_PIN}, {"GENERATING_CSR", CM_GENERATING_CSR}, diff --git a/src/store-int.h b/src/store-int.h index de926e0..4f49a2b 100644 --- a/src/store-int.h +++ b/src/store-int.h @@ -94,6 +94,8 @@ struct cm_store_entry { CM_INVALID, CM_NEED_KEY_PAIR, CM_GENERATING_KEY_PAIR, CM_NEED_KEY_GEN_PIN, CM_HAVE_KEY_PAIR, + CM_NEED_KEYINFO, CM_READING_KEYINFO, + CM_NEED_KEYINFO_READ_PIN, CM_HAVE_KEYINFO, CM_NEED_CSR, CM_GENERATING_CSR, CM_NEED_CSR_GEN_PIN, CM_HAVE_CSR, CM_NEED_TO_SUBMIT, CM_SUBMITTING, CM_NEED_CA, CM_CA_UNREACHABLE, CM_CA_UNCONFIGURED, diff --git a/src/tdbush.c b/src/tdbush.c index 60f335e..01c5c91 100644 --- a/src/tdbush.c +++ b/src/tdbush.c @@ -1829,6 +1829,9 @@ request_get_status(DBusConnection *conn, DBusMessage *msg, case CM_NEED_KEY_PAIR: case CM_GENERATING_KEY_PAIR: case CM_HAVE_KEY_PAIR: + case CM_NEED_KEYINFO: + case CM_READING_KEYINFO: + case CM_HAVE_KEYINFO: case CM_NEED_CSR: case CM_GENERATING_CSR: case CM_HAVE_CSR: @@ -1851,6 +1854,7 @@ request_get_status(DBusConnection *conn, DBusMessage *msg, case CM_NEWLY_ADDED_DECIDING: stuck = FALSE; break; + case CM_NEED_KEYINFO_READ_PIN: case CM_NEED_KEY_GEN_PIN: case CM_NEED_CSR_GEN_PIN: case CM_NEWLY_ADDED_NEED_KEYINFO_READ_PIN: diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out index b5f3652..e639a45 100644 --- a/tests/010-iterate/expected.out +++ b/tests/010-iterate/expected.out 
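Review bot: In src/store-int.h the four new states are inserted in the middle of the state enum in `struct cm_store_entry`, which renumbers every constant from `CM_NEED_CSR` onward. The name table in src/store-gen.c suggests states are stored by name, which keeps this safe, but nothing at the enum says so. A comment above the list such as `/* Numeric values change between versions; store and exchange states by name only. */` would keep a later change from persisting or sending the raw integer. The enum starts and ends outside the hunk.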
@@ -3,11 +3,19 @@ NEED_KEY_PAIR -START- GENERATING_KEY_PAIR HAVE_KEY_PAIR +NEED_KEYINFO +-STOP- + +[Reading back key info.] +NEED_KEYINFO +-START- +READING_KEYINFO +HAVE_KEYINFO NEED_CSR -STOP- [Generating CSR.] -HAVE_KEY_PAIR +HAVE_KEYINFO -START- NEED_CSR GENERATING_CSR @@ -70,6 +78,13 @@ MONITORING [Retroactive issuing.] HAVE_KEY_PAIR -START- +NEED_KEYINFO +READING_KEYINFO +HAVE_KEYINFO +NEED_CSR +-STOP- +HAVE_KEYINFO +-START- NEED_CSR GENERATING_CSR HAVE_CSR @@ -116,6 +131,13 @@ NEED_CSR [Enroll until we notice we have no specified CA.] HAVE_KEY_PAIR -START- +NEED_KEYINFO +READING_KEYINFO +HAVE_KEYINFO +NEED_CSR +-STOP- +HAVE_KEYINFO +-START- NEED_CSR GENERATING_CSR HAVE_CSR @@ -129,6 +151,13 @@ NEED_CA [Enroll until the CA tells us to come back later.] HAVE_KEY_PAIR -START- +NEED_KEYINFO +READING_KEYINFO +HAVE_KEYINFO +NEED_CSR +-STOP- +HAVE_KEYINFO +-START- NEED_CSR GENERATING_CSR HAVE_CSR @@ -147,6 +176,13 @@ NEED_TO_SUBMIT [Enroll until the CA rejects us.] HAVE_KEY_PAIR -START- +NEED_KEYINFO +READING_KEYINFO +HAVE_KEYINFO +NEED_CSR +-STOP- +HAVE_KEYINFO +-START- NEED_CSR GENERATING_CSR HAVE_CSR @@ -165,6 +201,13 @@ CA_REJECTED [Enroll until the CA turns out to be unreachable.] HAVE_KEY_PAIR -START- +NEED_KEYINFO +READING_KEYINFO +HAVE_KEYINFO +NEED_CSR +-STOP- +HAVE_KEYINFO +-START- NEED_CSR GENERATING_CSR HAVE_CSR @@ -183,6 +226,13 @@ NEED_TO_SUBMIT [Enroll until the CA client turns out to be unconfigured.] HAVE_KEY_PAIR -START- +NEED_KEYINFO +READING_KEYINFO +HAVE_KEYINFO +NEED_CSR +-STOP- +HAVE_KEYINFO +-START- NEED_CSR GENERATING_CSR HAVE_CSR diff --git a/tests/010-iterate/run.sh b/tests/010-iterate/run.sh index bb131cd..97026ec 100755 --- a/tests/010-iterate/run.sh +++ b/tests/010-iterate/run.sh 
@@ -47,15 +47,24 @@ EOF # to be tried again, so that we don't hit infinite loops. echo '[Generating key pair.]' $toolsdir/iterate ca entry GENERATING_KEY_PAIR,HAVE_KEY_PAIR +if test "`grep ^state entry`" != state=NEED_KEYINFO ; then + echo Key generation failed or did not move to key info reading. + grep ^state entry + exit 1 +fi + +echo +echo '[Reading back key info.]' +$toolsdir/iterate ca entry NEED_KEYINFO,START_READING_KEYINFO,READING_KEYINFO,HAVE_KEYINFO if test "`grep ^state entry`" != state=NEED_CSR ; then - echo Key generation failed or did not move to CSR generation. + echo Key info read failed or did not move to CSR generation. grep ^state entry exit 1 fi echo echo '[Generating CSR.]' -$toolsdir/iterate ca entry NEED_CSR,GENERATING_CSR +$toolsdir/iterate ca entry HAVE_KEYINFO,NEED_CSR,GENERATING_CSR if test "`grep ^state entry`" != state=HAVE_CSR ; then echo CSR generation failed or did not move to submission. grep ^state entry @@ -152,6 +161,7 @@ id=SelfSign ca_type=INTERNAL:SELF ca_internal_issue_time=0 EOF +$toolsdir/iterate ca2 entry2 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca2 entry2 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca2 entry2 NEED_TO_SUBMIT,SUBMITTING $toolsdir/iterate ca2 entry2 SAVING_CERT,NEED_TO_READ_CERT,READING_CERT,SAVED_CERT @@ -189,6 +199,7 @@ id=Meanie ca_type=EXTERNAL ca_external_helper=$tmpdir/ca-reject EOF +$toolsdir/iterate ca3 entry3 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca3 entry3 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca3 entry3 NEED_TO_SUBMIT,SUBMITTING echo @@ -205,6 +216,7 @@ id=Busy ca_type=EXTERNAL ca_external_helper=$tmpdir/ca-ask-again EOF +$toolsdir/iterate ca3 entry3 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca3 entry3 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca3 entry3 NEED_TO_SUBMIT,SUBMITTING $toolsdir/iterate ca3 entry3 "" 
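Review bot: The new '[Reading back key info.]' step passes `NEED_KEYINFO,START_READING_KEYINFO,READING_KEYINFO,HAVE_KEYINFO` to the iterate tool, but `START_READING_KEYINFO` is not among the state names this commit adds to src/store-gen.c or to the enum in src/store-int.h. The other invocations added in this file use `NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO`. It looks like a leftover from an earlier naming, and how the tool treats an unknown name is not visible here. I would change the line to `$toolsdir/iterate ca entry NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO` so the test names only states that exist.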
@@ -222,6 +234,7 @@ id=Meanie ca_type=EXTERNAL ca_external_helper=$tmpdir/ca-reject EOF +$toolsdir/iterate ca3 entry3 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca3 entry3 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca3 entry3 NEED_TO_SUBMIT,SUBMITTING $toolsdir/iterate ca3 entry3 "" @@ -239,6 +252,7 @@ id=Lostie ca_type=EXTERNAL ca_external_helper=$tmpdir/ca-unreachable EOF +$toolsdir/iterate ca3 entry3 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca3 entry3 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca3 entry3 NEED_TO_SUBMIT,SUBMITTING $toolsdir/iterate ca3 entry3 "" @@ -256,6 +270,7 @@ id=Lostie ca_type=EXTERNAL ca_external_helper=$tmpdir/ca-unconfigured EOF +$toolsdir/iterate ca3 entry3 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca3 entry3 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca3 entry3 NEED_TO_SUBMIT,SUBMITTING $toolsdir/iterate ca3 entry3 ""