From cf6ae55991209d0a558f9a314ce7ec9d0537ecfd Mon Sep 17 00:00:00 2001
From: Rene Krenn
Date: Mon, 17 Jun 2019 14:05:41 +0200
Subject: [PATCH] TT#60850 fix api cert unique serial generator the client cert serial was taken from epoch time in secs. if a computer is fast enough, there is the chance a subsequent POST /admincert did not invalidate the old cert properly (as expected by api-cert-auth.t), but created an identical one.
Change-Id: Ifd906489029efd17df0997c5aceec3ac1db08fb1
---
 lib/NGCP/Panel/Utils/Admin.pm | 7 ++++++-
 t/api-rest/api-cert-auth.t | 6 ++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/lib/NGCP/Panel/Utils/Admin.pm b/lib/NGCP/Panel/Utils/Admin.pm
index 9d1362973c..282f20f9c3 100644
--- a/lib/NGCP/Panel/Utils/Admin.pm
+++ b/lib/NGCP/Panel/Utils/Admin.pm
@@ -98,8 +98,13 @@ sub generate_client_cert {
 my $updated;
 my ($serial, $pem, $p12);
- while (!$updated) {
+ $serial = $c->model('DB')->resultset('admins')->get_column('ssl_client_m_serial')->max();
+ if ($serial) {
+ $serial++;
+ } else {
 $serial = time;
+ }
+ while (!$updated) {
 try {
 $pem = $c->model('CA')->make_client($c, $serial);
 $p12 = $c->model('CA')->make_pkcs12($c, $serial, $pem, 'sipwise');
diff --git a/t/api-rest/api-cert-auth.t b/t/api-rest/api-cert-auth.t
index 4c903d627d..9c14ff71fb 100644
--- a/t/api-rest/api-cert-auth.t
+++ b/t/api-rest/api-cert-auth.t
@@ -16,7 +16,8 @@ my ($invalid_ssl_client_cert, $valid_ssl_client_cert) = _download_certs($uri);
 my ($ua, $res);
 $ua = LWP::UserAgent->new;
-SKIP: {
+SKIP1:
+{
 # invalid cert
 $ua->ssl_opts(
 SSL_cert_file => $invalid_ssl_client_cert,
@@ -28,7 +29,8 @@ SKIP: {
 is($res->code, 403, "check invalid client certificate") || note ($res->message);
 }
-SKIP: {
+SKIP2:
+{
 $ua->ssl_opts(
 SSL_cert_file => $valid_ssl_client_cert,
 SSL_key_file => $valid_ssl_client_cert,
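Review bot: In the Admin.pm hunk the serial is now computed once, before `while (!$updated)`, so a retry of the loop reuses the same `$serial` where the old code picked a fresh one with `$serial = time;` on every pass; the loop body continues outside the hunk, so if its catch path retries after a duplicate serial this can repeat without ever making progress. The `max()` read and the later write are also not atomic: two concurrent POST /admincert requests can read the same maximum and issue certificates with the same serial, which is the collision this commit sets out to remove and, if admins are matched on `ssl_client_m_serial` (presumably, from the column name), would let one admin's certificate match another's record. I would move the `max()` lookup and the increment to the top of the loop body and back them with a unique constraint on `ssl_client_m_serial` (or do the lookup and the update in one transaction), so a lost race fails the write and the next iteration picks a new value. A comment above the lookup such as `# serial must never repeat, or re-issuing does not invalidate the old cert` would record why.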