View Issue Details

IDProjectCategoryView StatusLast Update
0000796Main CAcert Websitecertificate issuingpublic2013-01-15 14:28
ReporterSourcerer Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionopen 
Fixed in Version2009 Q4 
Summary0000796: CRLs are not refreshed automatically
DescriptionCurrently the CRLs are not refreshed automatically, they are only issued when certificates are revoked. This will become a problem after we stop using a CA. (e.g. switching to a new class3 CA certificate or to a whole new CA hierarchy)
TagsNo tags attached.
Attached Files
client.pl.patch (4,879 bytes)   
--- client.pl.orig	2009-12-01 23:16:21.000000000 +0100
+++ client.pl	2009-12-01 23:52:32.000000000 +0100
@@ -50,7 +50,7 @@
 
 my $mysqlphp="/home/cacert/www/includes/mysql.php";
 
-my %revokefile=(2=>"../www/class3-revoke.crl",1=>"../www/revoke.crl",0=>"../www/revoke.crl");
+my %revokefile=(2=>"../www/class3-revoke.crl",1=>"../www/revoke.crl");
 
 my $newlayout=1;
 
@@ -484,6 +484,29 @@
   }
   return "";
 }
+
+sub CRLuptodate($)
+{
+  # TIMEZONE ?!?
+  my $data=`$opensslbin crl -in "$_[0]" -noout -lastupdate`; #inform=der ?
+
+  #lastUpdate=Aug  8 10:26:34 2007 GMT
+  if($data=~m/lastUpdate=(\w{2,4}) *(\d{1,2}) *(\d{1,2}:\d{1,2}:\d{1,2}) (\d{4}) GMT/)
+  {
+    my $date=sprintf("%04d-%02d-%02d",$4,$monarr{$1},$2);
+    SysLog "CRL Issueing Date found: $date\n" if($debug);
+    my $compare = strftime("%Y-%m-%d", localtime);
+    SysLog "Comparing $date with $compare\n" if($debug);
+    return $date eq $compare;
+  }
+  else
+  {
+    SysLog "Expiry Date not found. Perhaps DER format is necessary? Hint: $data\n";
+  }
+  return 0;
+}
+
+
 sub X509extractSerialNumber($)
 {
   # TIMEZONE ?!?
@@ -675,7 +698,9 @@
   {
   	print $smtp "Content-Type: text/plain; charset=\"utf-8\"\r\n";
   	print $smtp "Content-Transfer-Encoding: 8bit\r\n";
-  } else {
+  }
+  else 
+  {
   	print $smtp "Content-Type: text/plain; charset=\"iso-8859-1\"\r\n";
   	print $smtp "Content-Transfer-Encoding: quoted-printable\r\n";
   	print $smtp "Content-Disposition: inline\r\n";
@@ -860,8 +885,9 @@
       $body .= "Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33\n\n";
       $body .= _("Best regards")."\n"._("CAcert.org Support!")."\n\n";
       sendmail($user{email}, "[CAcert.org] "._("Your certificate"), $body, "support\@cacert.org", "", "", "CAcert Support");
-    } else {
-
+    }
+    else 
+    {
       SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n");
       $dbh->do("update `$table` set warning=warning+1 where `id`='".$row{'id'}."'");
     }
@@ -869,6 +895,62 @@
 }
 
 
+sub DoCRL($crl)
+{
+  my $crl=$_[0];
+  my $crlname=$_[1];
+  
+  if(length($crl))
+  {
+    if(1)
+    {
+      open OUT,">$crlname.patch";
+      print OUT $crl;
+      close OUT;
+      system "xdelta patch $crlname.patch $crlname $crlname.tmp"; 
+    }
+        #if($crl=~m/^-----BEGIN X509 CRL-----/)
+        #{
+        #  open OUT,">$crlname.pem";
+        #  print OUT $crl;
+        #  close OUT;
+        #  system "$opensslbin crl -in $crlname.pem -outform der -out $crlname.tmp";
+        #}
+        #else
+        #{
+        #  open OUT,">$crlname.tmp";
+        #  print OUT $crl;
+        #  close OUT;
+        #}
+	#
+	#
+	#!!! We should verify the CRL format and validity here, before we rename it.
+	#
+	
+    my $res=`openssl crl -verify -in $crlname.tmp`;	
+	
+    rename "$crlname.tmp","$crlname";
+    return 1;
+  }
+  return 0;
+}
+
+
+sub RefreshCRLs()
+{
+  foreach my $rootcert (keys %revokefile)
+  {
+    if(CRLuptodate($revokefile{$_}))
+    {
+      my $crlname = $revokefile{$rootcert};
+      my $revokehash=sha1_hex(readfile($crlname));
+      my $crl=Request($ver,2,1,$rootcert-1,0,0,365,0,"","",$revokehash);
+      DoCRL($crl,$crlname);
+    }
+  }
+}
+
+
 sub RevokeCerts($$)
 {
   my $org=$_[0]?"org":"";
@@ -909,38 +991,9 @@
       my $revokehash=sha1_hex(readfile($crlname));
 
       my $crl=Request($ver,2,1,$row{'rootcert'}-1,0,0,365,0,$content,"",$revokehash);
-      if(length($crl))
-      {
-        if(1)
-	{
-          open OUT,">$crlname.patch";
-          print OUT $crl;
-          close OUT;
-          system "xdelta patch $crlname.patch $crlname $crlname.tmp"; 
+      my $result=DoCRL($crl,$crlname);
 
-	}
-        #if($crl=~m/^-----BEGIN X509 CRL-----/)
-        #{
-        #  open OUT,">$crlname.pem";
-        #  print OUT $crl;
-        #  close OUT;
-        #  system "$opensslbin crl -in $crlname.pem -outform der -out $crlname.tmp";
-        #}
-        #else
-        #{
-        #  open OUT,">$crlname.tmp";
-        #  print OUT $crl;
-        #  close OUT;
-        #}
-	#
-	#
-	#!!! We should verify the CRL format and validity here, before we rename it.
-	#
-        rename "$crlname.tmp","$crlname";
-
-      }
-
-      if(-s $crlname)
+      if($result)
       {
         setUsersLanguage($row{memid});
 
@@ -958,7 +1011,7 @@
     }
     else
     {
-      SysLog("Error: $crtname $!\n") if($debug);
+      SysLog("Error in RevokeCerts: $crtname $!\n") if($debug);
     }
 
   }
@@ -968,7 +1021,6 @@
 
 
 
-
 sub HandleGPG()
 {
   my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
@@ -1060,6 +1112,8 @@
   RevokeCerts(1,0); #org client certs
   RevokeCerts(1,1); #org server certs
 
+  RefreshCRLs();
+
   #print "Sign Request X.509, Root0\n";
   #my $reqcontent="";
   #Request($ver,1,1,0,5,2,365,0,$reqcontent,"","/CN=supertest.cacert.at");
client.pl.patch (4,879 bytes)   
Reviewed by
Test Instructions

Activities

NEOatNHNG

2012-05-30 21:17

administrator   ~0003031

Closing issues that have been resolved more than one year ago…

Issue History

Date Modified Username Field Change
2009-12-02 13:26 Sourcerer New Issue
2009-12-02 13:26 Sourcerer File Added: client.pl.patch
2009-12-15 22:19 Sourcerer Status new => solved?
2012-05-30 21:17 NEOatNHNG Note Added: 0003031
2012-05-30 21:17 NEOatNHNG Status solved? => closed
2013-01-15 14:28 Werner Dworak Fixed in Version => 2009 Q4