
IDProjectCategoryView StatusLast Update
0000796Main CAcert Websitecertificate issuingpublic2013-01-15 14:28
ReporterSourcerer Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionopen 
Fixed in Version2009 Q4 
Summary0000796: CRLs are not refreshed automatically
DescriptionCurrently the CRLs are not refreshed automatically; they are only issued when certificates are revoked. This will become a problem once we stop using a CA (e.g. when switching to a new class3 CA certificate or to a whole new CA hierarchy).
TagsNo tags attached.

Activities

2009-12-02 13:26

 

client.pl.patch (4,879 bytes)   
--- client.pl.orig	2009-12-01 23:16:21.000000000 +0100
+++ client.pl	2009-12-01 23:52:32.000000000 +0100
@@ -50,7 +50,7 @@
 
 my $mysqlphp="/home/cacert/www/includes/mysql.php";
 
-my %revokefile=(2=>"../www/class3-revoke.crl",1=>"../www/revoke.crl",0=>"../www/revoke.crl");
+my %revokefile=(2=>"../www/class3-revoke.crl",1=>"../www/revoke.crl");
 
 my $newlayout=1;
 
@@ -484,6 +484,29 @@
   }
   return "";
 }
+
+sub CRLuptodate($)
+{
+  # TIMEZONE ?!?
+  my $data=`$opensslbin crl -in "$_[0]" -noout -lastupdate`; #inform=der ?
+
+  #lastUpdate=Aug  8 10:26:34 2007 GMT
+  if($data=~m/lastUpdate=(\w{2,4}) *(\d{1,2}) *(\d{1,2}:\d{1,2}:\d{1,2}) (\d{4}) GMT/)
+  {
+    my $date=sprintf("%04d-%02d-%02d",$4,$monarr{$1},$2);
+    SysLog "CRL Issueing Date found: $date\n" if($debug);
+    my $compare = strftime("%Y-%m-%d", localtime);
+    SysLog "Comparing $date with $compare\n" if($debug);
+    return $date eq $compare;
+  }
+  else
+  {
+    SysLog "Expiry Date not found. Perhaps DER format is necessary? Hint: $data\n";
+  }
+  return 0;
+}
+
+
 sub X509extractSerialNumber($)
 {
   # TIMEZONE ?!?
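Review bot: CRLuptodate compares the CRL's lastUpdate, which openssl prints in GMT (the regex even requires the literal `GMT`), against `strftime("%Y-%m-%d", localtime)`, so around midnight in a non-UTC zone the two dates disagree and a CRL is either re-requested a second time or skipped for a day; `my $compare = strftime("%Y-%m-%d", gmtime);` puts both sides in UTC and answers the `# TIMEZONE ?!?` question the sub opens with. The fallback log text `Expiry Date not found` is misleading because the field being parsed is lastUpdate; `SysLog "lastUpdate not found in CRL output (DER input?): $data\n"` says what was actually missing. The backtick command interpolates the path into a shell string; the values come from the hard-coded `%revokefile`, so this is not an injection today, but `open my $fh, '-|', $opensslbin, 'crl', '-in', $_[0], '-noout', '-lastupdate'` avoids the shell entirely. `$monarr{$1}` relies on a hash defined outside the hunk; if it is keyed on three-letter month abbreviations, `\w{2,4}` is looser than needed and `[A-Za-z]{3}` would reject garbage earlier.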
@@ -675,7 +698,9 @@
   {
   	print $smtp "Content-Type: text/plain; charset=\"utf-8\"\r\n";
   	print $smtp "Content-Transfer-Encoding: 8bit\r\n";
-  } else {
+  }
+  else 
+  {
   	print $smtp "Content-Type: text/plain; charset=\"iso-8859-1\"\r\n";
   	print $smtp "Content-Transfer-Encoding: quoted-printable\r\n";
   	print $smtp "Content-Disposition: inline\r\n";
@@ -860,8 +885,9 @@
       $body .= "Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33\n\n";
       $body .= _("Best regards")."\n"._("CAcert.org Support!")."\n\n";
       sendmail($user{email}, "[CAcert.org] "._("Your certificate"), $body, "support\@cacert.org", "", "", "CAcert Support");
-    } else {
-
+    }
+    else 
+    {
       SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n");
       $dbh->do("update `$table` set warning=warning+1 where `id`='".$row{'id'}."'");
     }
@@ -869,6 +895,62 @@
 }
 
 
+sub DoCRL($crl)
+{
+  my $crl=$_[0];
+  my $crlname=$_[1];
+  
+  if(length($crl))
+  {
+    if(1)
+    {
+      open OUT,">$crlname.patch";
+      print OUT $crl;
+      close OUT;
+      system "xdelta patch $crlname.patch $crlname $crlname.tmp"; 
+    }
+        #if($crl=~m/^-----BEGIN X509 CRL-----/)
+        #{
+        #  open OUT,">$crlname.pem";
+        #  print OUT $crl;
+        #  close OUT;
+        #  system "$opensslbin crl -in $crlname.pem -outform der -out $crlname.tmp";
+        #}
+        #else
+        #{
+        #  open OUT,">$crlname.tmp";
+        #  print OUT $crl;
+        #  close OUT;
+        #}
+	#
+	#
+	#!!! We should verify the CRL format and validity here, before we rename it.
+	#
+	
+    my $res=`openssl crl -verify -in $crlname.tmp`;	
+	
+    rename "$crlname.tmp","$crlname";
+    return 1;
+  }
+  return 0;
+}
+
+
+sub RefreshCRLs()
+{
+  foreach my $rootcert (keys %revokefile)
+  {
+    if(CRLuptodate($revokefile{$_}))
+    {
+      my $crlname = $revokefile{$rootcert};
+      my $revokehash=sha1_hex(readfile($crlname));
+      my $crl=Request($ver,2,1,$rootcert-1,0,0,365,0,"","",$revokehash);
+      DoCRL($crl,$crlname);
+    }
+  }
+}
+
+
 sub RevokeCerts($$)
 {
   my $org=$_[0]?"org":"";
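Review bot: DoCRL runs `openssl crl -verify` but never looks at the outcome — neither `$res` nor `$?` is examined — so the `rename` on the next line installs the patched CRL whether or not it verified, which is exactly the gap the `#!!! We should verify the CRL format and validity here` comment above it describes; the verify result should gate the rename, and a failed verify should discard the .tmp and return 0, as in the fence below. That call also uses a bare `openssl` rather than the `$opensslbin` the rest of the file uses, and passes no `-CAfile`/`-inform`, so whether it checks the signature against the CAcert root at all depends on the default store and the on-disk CRL format — I cannot tell from the hunk. Separately, RefreshCRLs never refreshes anything: inside `foreach my $rootcert` the lookup is `$revokefile{$_}` instead of `$revokefile{$rootcert}`, and the condition is inverted (a CRL is re-requested when CRLuptodate says it *is* current); hoist `my $crlname = $revokefile{$rootcert};` above the test and use `if(!CRLuptodate($crlname))`. Finally `sub DoCRL($crl)` is not a valid prototype (this Perl predates signatures) while the body reads two arguments from `@_`; the file's convention would be `sub DoCRL($$)`.
```perl
sub DoCRL($$)
{
  my ($crl, $crlname) = @_;
  return 0 unless length($crl);
  # … unchanged: write $crlname.patch and apply xdelta into $crlname.tmp …
  # Only replace the live CRL once the candidate verifies; a bad patch result
  # must never become the published CRL.
  my $res=`$opensslbin crl -verify -noout -in "$crlname.tmp" 2>&1`;
  if($? != 0)
  {
    SysLog("CRL verification of $crlname.tmp failed, keeping old CRL: $res\n");
    unlink "$crlname.tmp";
    return 0;
  }
  rename "$crlname.tmp", $crlname or do
  {
    SysLog("Could not install $crlname: $!\n");
    return 0;
  };
  return 1;
}
```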
@@ -909,38 +991,9 @@
       my $revokehash=sha1_hex(readfile($crlname));
 
       my $crl=Request($ver,2,1,$row{'rootcert'}-1,0,0,365,0,$content,"",$revokehash);
-      if(length($crl))
-      {
-        if(1)
-	{
-          open OUT,">$crlname.patch";
-          print OUT $crl;
-          close OUT;
-          system "xdelta patch $crlname.patch $crlname $crlname.tmp"; 
+      my $result=DoCRL($crl,$crlname);
 
-	}
-        #if($crl=~m/^-----BEGIN X509 CRL-----/)
-        #{
-        #  open OUT,">$crlname.pem";
-        #  print OUT $crl;
-        #  close OUT;
-        #  system "$opensslbin crl -in $crlname.pem -outform der -out $crlname.tmp";
-        #}
-        #else
-        #{
-        #  open OUT,">$crlname.tmp";
-        #  print OUT $crl;
-        #  close OUT;
-        #}
-	#
-	#
-	#!!! We should verify the CRL format and validity here, before we rename it.
-	#
-        rename "$crlname.tmp","$crlname";
-
-      }
-
-      if(-s $crlname)
+      if($result)
       {
         setUsersLanguage($row{memid});
 
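Review bot: `if($result)` is a weaker test than the `if(-s $crlname)` it replaces: DoCRL returns 1 as soon as the server response is non-empty, before anything confirms that xdelta produced a file or that the rename succeeded, so the revocation e-mail now goes out even when the on-disk CRL was not actually updated. Keeping the file check alongside the new flag, `if($result && -s $crlname)`, preserves the old guarantee until DoCRL itself reports failures. RevokeCerts begins and ends outside this hunk.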
@@ -958,7 +1011,7 @@
     }
     else
     {
-      SysLog("Error: $crtname $!\n") if($debug);
+      SysLog("Error in RevokeCerts: $crtname $!\n") if($debug);
     }
 
   }
@@ -968,7 +1021,6 @@
 
 
 
-
 sub HandleGPG()
 {
   my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
@@ -1060,6 +1112,8 @@
   RevokeCerts(1,0); #org client certs
   RevokeCerts(1,1); #org server certs
 
+  RefreshCRLs();
+
   #print "Sign Request X.509, Root0\n";
   #my $reqcontent="";
   #Request($ver,1,1,0,5,2,365,0,$reqcontent,"","/CN=supertest.cacert.at");

NEOatNHNG

2012-05-30 21:17

administrator   ~0003031

Closing issues that have been resolved more than one year ago…

Issue History

Date Modified Username Field Change
2009-12-02 13:26 Sourcerer New Issue
2009-12-02 13:26 Sourcerer File Added: client.pl.patch
2009-12-15 22:19 Sourcerer Status new => solved?
2012-05-30 21:17 NEOatNHNG Note Added: 0003031
2012-05-30 21:17 NEOatNHNG Status solved? => closed
2013-01-15 14:28 Werner Dworak Fixed in Version => 2009 Q4