Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-6786

VA Publisher should not update if revocation reason is permanent

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.13.0
    • Component/s: None
    • Labels:
      None

      Description

      In order to ensure consistency in asynchronously replicated clusters, we have to make sure that a "delayed" PublishQueueWorker doesn't overwrite a permanent revocation  (i.e. not On Hold) in the VA's database.

      Currently, the VA Publisher attempts insert, if that fails it tries to update the current row (or the other way around depending on 'doOnlyPublishRevoked'). However, it doesn't verify the current row in any way, hence a permanently revoke certificate may be reactivated by another node which hasn't emptied its publisher queue yet.

      A countermeasure would be to add a WHERE clause to the current update query used in "EnterpriseValidationAuthorityPublisher.storeCertificate()" which prevents updating if revocation reason is anything else than "On Hold". To cover additional edge cases, the update query could also be tweaked to compare timestamps in VA database and PublisherQueueData. E.g. a queued item which is older than the current rows lastUpdate should not be written.

      More details in linked issue.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                hsunmark Henrik Sunmark
                Reporter:
                hsunmark Henrik Sunmark
                Verified by:
                Samuel Lidén Borell
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 1 day
                  1d
                  Remaining:
                  Time Spent - 7 hours Remaining Estimate - 1 hour
                  1h
                  Logged:
                  Time Spent - 7 hours Remaining Estimate - 1 hour
                  7h