notes on locking and concurrency

server-ca/CSR.py

@@ -208,6 +208,11 @@ def encrypt(key, data):
 def issue(csr, subjects):
     """Issue a certificate requested by CSR, specifying the subject names
     indicated in subjects, and return the certificate."""
+    # TODO: The caller should have to acquire a lock in the database to
+    #       prevent two certs from being issued at exactly the same time,
+    #       because openssl ca doesn't handle this case safely.  There
+    #       is a longer comment in daemon.py describing how to implement
+    #       this lock with Redis setnx.
     if not subjects:
         return None
     csr = str(csr)

server-ca/daemon.py

@@ -38,7 +38,19 @@
 # request, period, while still allowing clients to look
 # up successfully issued certs.
 # TODO: implement multithreading to allow several parallel
-# worker processes.
+# worker processes.  But note:
+
+#       The ca command is effectively a single user command: no locking
+#       is done on the various files and attempts to run more than one
+#       ca command on the same database can have unpredictable results.
+#
+#                             -- ca(1SSL)
+
+# So we need to implement our own locking mechanism.  This
+# can be done easily in Redis with "setnx":
+#            http://redis.io/commands/setnx
+# However apparently the proper recovery after crashes can
+# be complicated.
 
 # NOTE: The daemon enforces its own timeouts, which are
 # defined in the ancient() function.  These timeouts apply