Correctly handle newlines in SerialFileGenerator

enj · enj · commit 8d2e78b1fae8 · 2018-02-01T21:39:42.000-05:00
This change makes it so that SerialFileGenerator correctly reads and
writes serial files that end in a newline.  This allows it to
interoperate with other tools that may interact with the serial file
such as openssl.  Tests were added to assert that the incrementing
logic works and that the serial file always ends with a newline.

Bug 1512825

Signed-off-by: Monis Khan &lt;mkhan@redhat.com&gt;
diff --git a/pkg/cmd/server/crypto/crypto.go b/pkg/cmd/server/crypto/crypto.go
@@ -320,27 +320,13 @@ type SerialFileGenerator struct {
 	Serial int64
 }
 
-func NewSerialFileGenerator(serialFile string, createIfNeeded bool) (*SerialFileGenerator, error) {
-	// read serial file
-	var serial int64
-	serialData, err := ioutil.ReadFile(serialFile)
-	if err == nil {
-		serial, _ = strconv.ParseInt(string(serialData), 16, 64)
-	}
-	if os.IsNotExist(err) && createIfNeeded {
-		if err := ioutil.WriteFile(serialFile, []byte("00"), 0644); err != nil {
-			return nil, err
-		}
-		serial = 1
-
-	} else if err != nil {
+func NewSerialFileGenerator(serialFile string) (*SerialFileGenerator, error) {
+	// read serial file, it must already exist
+	serial, err := fileToSerial(serialFile)
+	if err != nil {
 		return nil, err
 	}
 
-	if serial < 1 {
-		serial = 1
-	}
-
 	return &SerialFileGenerator{
 		Serial:     serial,
 		SerialFile: serialFile,
@@ -351,6 +337,16 @@ func NewSerialFileGenerator(serialFile string, createIfNeeded bool) (*SerialFile
 func (s *SerialFileGenerator) Next(template *x509.Certificate) (int64, error) {
 	s.lock.Lock()
 	defer s.lock.Unlock()
+
+	// do a best effort check to make sure concurrent external writes are not occurring to the underlying serial file
+	serial, err := fileToSerial(s.SerialFile)
+	if err != nil {
+		return 0, err
+	}
+	if serial != s.Serial {
+		return 0, fmt.Errorf("serial file %s out of sync ram=%d disk=%d", s.SerialFile, s.Serial, serial)
+	}
+
 	next := s.Serial + 1
 	s.Serial = next
 
@@ -359,13 +355,34 @@ func (s *SerialFileGenerator) Next(template *x509.Certificate) (int64, error) {
 	if len(serialText)%2 == 1 {
 		serialText = "0" + serialText
 	}
+	// always add a newline at the end to have a valid file
+	serialText += "\n"
 
 	if err := ioutil.WriteFile(s.SerialFile, []byte(serialText), os.FileMode(0640)); err != nil {
 		return 0, err
 	}
 	return next, nil
 }
 
+func fileToSerial(serialFile string) (int64, error) {
+	serialData, err := ioutil.ReadFile(serialFile)
+	if err != nil {
+		return 0, err
+	}
+
+	// read the file as a single hex number after stripping any whitespace
+	serial, err := strconv.ParseInt(string(bytes.TrimSpace(serialData)), 16, 64)
+	if err != nil {
+		return 0, err
+	}
+
+	if serial < 0 {
+		return 0, fmt.Errorf("invalid negative serial %d in serial file %s", serial, serialFile)
+	}
+
+	return serial, nil
+}
+
 // RandomSerialGenerator returns a serial based on time.Now and the subject
 type RandomSerialGenerator struct {
 }
@@ -394,7 +411,7 @@ func GetCA(certFile, keyFile, serialFile string) (*CA, error) {
 
 	var serialGenerator SerialGenerator
 	if len(serialFile) > 0 {
-		serialGenerator, err = NewSerialFileGenerator(serialFile, false)
+		serialGenerator, err = NewSerialFileGenerator(serialFile)
 		if err != nil {
 			return nil, err
 		}
@@ -431,10 +448,11 @@ func MakeCA(certFile, keyFile, serialFile, name string, expireDays int) (*CA, er
 
 	var serialGenerator SerialGenerator
 	if len(serialFile) > 0 {
-		if err := ioutil.WriteFile(serialFile, []byte("00"), 0644); err != nil {
+		// create / overwrite the serial file with a zero padded hex value (ending in a newline to have a valid file)
+		if err := ioutil.WriteFile(serialFile, []byte("00\n"), 0644); err != nil {
 			return nil, err
 		}
-		serialGenerator, err = NewSerialFileGenerator(serialFile, false)
+		serialGenerator, err = NewSerialFileGenerator(serialFile)
 		if err != nil {
 			return nil, err
 		}
diff --git a/test/cmd/certs.sh b/test/cmd/certs.sh
@@ -18,12 +18,29 @@ os::cmd::expect_success_and_not_text \
                                 --overwrite=true" \
     'WARNING: .* is greater than 5 years'
 
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '00'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 expected_year="$(TZ=GMT date -d "+$((365*5)) days" +'%Y')"
 
 os::cmd::expect_success_and_text \
     "openssl x509 -in '${CERT_DIR}/ca.crt' -enddate -noout | awk '{print \$4}'" \
     "${expected_year}"
 
+# Make a cert with the CA to see the counter increment
+# We can then check to see if it gets reset due to overwrite
+os::cmd::expect_success \
+    "oc adm create-api-client-config \
+            --client-dir='${CERT_DIR}' \
+            --user=some-user \
+            --certificate-authority='${CERT_DIR}/ca.crt' \
+            --signer-cert='${CERT_DIR}/ca.crt' \
+            --signer-key='${CERT_DIR}/ca.key' \
+            --signer-serial='${CERT_DIR}/ca.serial.txt'"
+
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '01'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 # oc adm ca create-signer-cert should generate certificate with specified number of days and show warning
 os::cmd::expect_success_and_text \
     "oc adm ca create-signer-cert --cert='${CERT_DIR}/ca.crt' \
@@ -33,6 +50,9 @@ os::cmd::expect_success_and_text \
                                 --expire-days=$((365*6))" \
     'WARNING: .* is greater than 5 years'
 
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '00'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 expected_year="$(TZ=GMT date -d "+$((365*6)) days" +'%Y')"
 
 os::cmd::expect_success_and_text \
@@ -58,6 +78,9 @@ os::cmd::expect_success_and_not_text \
             --signer-serial='${CERT_DIR}/ca.serial.txt'" \
     'WARNING: .* is greater than 2 years'
 
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '02'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 expected_year="$(TZ=GMT date -d "+$((365*2)) days" +'%Y')"
 for CERT_FILE in master-client.crt server.crt; do
     os::cmd::expect_success_and_text \
@@ -84,6 +107,9 @@ os::cmd::expect_success_and_text \
             --expire-days=$((365*3))" \
     'WARNING: .* is greater than 2 years'
 
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '04'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 expected_year="$(TZ=GMT date -d "+$((365*3)) days" +'%Y')"
 
 for CERT_FILE in master-client.crt server.crt; do
@@ -106,6 +132,10 @@ os::cmd::expect_success_and_not_text \
             --signer-serial='${CERT_DIR}/ca.serial.txt'" \
     'WARNING: .* is greater than 2 years'
 
+
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '05'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 expected_year="$(TZ=GMT date -d "+$((365*2)) days" +'%Y')"
 os::cmd::expect_success_and_text \
     "openssl x509 -in '${CERT_DIR}/test-user.crt' -enddate -noout | awk '{print \$4}'" \
@@ -125,6 +155,9 @@ os::cmd::expect_success_and_text \
             --expire-days=$((365*3))" \
     'WARNING: .* is greater than 2 years'
 
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '06'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 expected_year="$(TZ=GMT date -d "+$((365*3)) days" +'%Y')"
 os::cmd::expect_success_and_text \
     "openssl x509 -in '${CERT_DIR}/test-user.crt' -enddate -noout | awk '{print \$4}'" \
@@ -143,6 +176,9 @@ os::cmd::expect_success_and_not_text \
                                 --key='${CERT_DIR}/example.org.key'" \
     'WARNING: .* is greater than 2 years'
 
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '07'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 expected_year="$(TZ=GMT date -d "+$((365*2)) days" +'%Y')"
 
 os::cmd::expect_success_and_text \
@@ -161,6 +197,9 @@ os::cmd::expect_success_and_text \
                                 --expire-days=$((365*3))" \
     'WARNING: .* is greater than 2 years'
 
+os::cmd::expect_success_and_text "cat '${CERT_DIR}/ca.serial.txt'" '08'
+os::cmd::expect_success_and_text "tail -c 1 '${CERT_DIR}/ca.serial.txt' | wc -l" '1'  # check for newline at end
+
 expected_year="$(TZ=GMT date -d "+$((365*3)) days" +'%Y')"
 
 os::cmd::expect_success_and_text \
