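/*
 * Initial load of the CRL for one CA entry.
 *
 * Fetches ca->crl_url, verifies the result against ca->ca_cert through
 * check_crl(), copies lastUpdate/nextUpdate out of the CRL, computes
 * ca->crl_status with check_crl_validity() and builds the revoked-entries
 * list.  Returns PKI_OK on success and PKI_ERR on a NULL argument, a
 * missing URL, a failed download or a failed CRL/CA check.
 *
 * Unlike ocspd_load_ca_crl() this does not take conf->crl_lock; it is
 * presumably only called before the responder threads exist (the caller
 * is not visible here -- confirm).
 *
 * A CRL that fails check_crl() is freed and ca->crl is reset to NULL, so
 * an unverified CRL is never left attached to the CA record on the error
 * path.
 */
int OCSPD_load_crl ( CA_LIST_ENTRY *ca, OCSPD_CONFIG *conf ) {

	int ret = 0;

	if ( !ca || !conf ) return PKI_ERR;

	if ( !ca->crl_url ) {
		PKI_log_err ("CRL URL is empty (%s)!", ca->ca_id );
		return PKI_ERR;
	}

	/* Drop a CRL loaded by an earlier call before fetching the new one */
	if ( ca->crl ) {
		PKI_X509_CRL_free ( ca->crl );
		ca->crl = NULL;
	}

	if (( ca->crl = PKI_X509_CRL_get_url ( ca->crl_url, NULL, NULL )) == NULL ) {
		PKI_log_err ("Failed loading CRL for %s", ca->ca_id );
		return PKI_ERR;
	}

	/* Let's check the CRL against the CA certificate */
	if ( (ret = check_crl( ca->crl, ca->ca_cert, conf )) < 1 ) {
		PKI_log_err( "CRL/CA check error [ %s:%d ]", ca->ca_id, ret );

		/* Do not keep a CRL that did not verify: later validity checks
		 * and lookups would otherwise see it as the CA's current CRL */
		PKI_X509_CRL_free ( ca->crl );
		ca->crl = NULL;
		return PKI_ERR;
	}

	/* Now we copy the lastUpdate and nextUpdate fields.
	 * NOTE(review): previous values are not released here.  If this
	 * function can run more than once per entry the old times leak, but
	 * freeing them (as the reload path does) is only safe when the entry
	 * is zero-initialised, which is not visible in this file -- confirm. */
	ca->lastUpdate = PKI_TIME_dup( PKI_X509_CRL_get_data (ca->crl, PKI_X509_DATA_LASTUPDATE));
	ca->nextUpdate = PKI_TIME_dup ( PKI_X509_CRL_get_data (ca->crl, PKI_X509_DATA_NEXTUPDATE ));

	if ((ca->crl_status = check_crl_validity(ca, conf )) == CRL_OK ) {
		if (conf->verbose) PKI_log( PKI_LOG_INFO, "CRL for %s is Valid", ca->ca_id );
	} else {
		PKI_log_err ( "CRL for %s has ERRORS (%d)", ca->ca_id, ca->crl_status );
	}

	/* Let's get the CRLs entries, if any */
	if ( ocspd_build_crl_entries_list ( ca, ca->crl ) == NULL ) {
		PKI_log(PKI_LOG_ALWAYS, "No CRL Entries for %s", ca->ca_id );
	}

	if (conf->verbose) PKI_log( PKI_LOG_ALWAYS, "CRL loaded for %s", ca->ca_id );

	return PKI_OK;
}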
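/*
 * Re-check one CA's CRL and reload it when its validity status changed.
 *
 * The return value of ocspd_load_ca_crl() is ignored, as it was in the
 * original inline code, so a failed reload is only visible in the log.
 */
static void auto_crl_check_one ( CA_LIST_ENTRY *ca ) {

	int ret = 0;

	if ( ocspd_conf->verbose && ca->ca_id )
		PKI_log(PKI_LOG_INFO, "Auto CRL checking [%s]", ca->ca_id);

	ret = check_crl_validity ( ca, ocspd_conf );

	if ( ca->crl_status == ret ) {
		if ( ocspd_conf->verbose && ca->ca_id )
			PKI_log(PKI_LOG_INFO,"No CRL status change for [%s]", ca->ca_id);
		return;
	}

	if ( ocspd_conf->verbose )
		PKI_log(PKI_LOG_INFO,"Detected CRL status change");

	/* ocspd_load_ca_crl() recomputes crl_status after the reload */
	ca->crl_status = ret;
	ocspd_load_ca_crl (ca, ocspd_conf);
}

/*
 * Periodic CRL maintenance, re-armed with alarm(alarm_decrement).
 *
 * Each call advances current_crl_reload by alarm_decrement; once it
 * reaches crl_auto_reload every CRL is reloaded through
 * ocspd_reload_crls() and the per-CA pass is skipped for this round.
 * Otherwise every CA in ocspd_conf->ca_list has its CRL validity
 * re-evaluated and, on a status change, its CRL reloaded.
 *
 * The (int sig) signature and the alarm() re-arm suggest this is
 * installed as the SIGALRM handler (the registration is not visible in
 * this file -- confirm).  If so, note that the logging, CRL download and
 * the rwlock taken inside ocspd_load_ca_crl() are not async-signal-safe;
 * a more robust design sets a flag here and does the work from the main
 * loop.
 */
void auto_crl_check ( int sig ) {

	int i = 0;

	(void) sig;

	if ( ocspd_conf->verbose == 1 )
		PKI_log(PKI_LOG_INFO, "auto_crl_check() started");

	if ( ocspd_conf->crl_auto_reload ) {
		ocspd_conf->current_crl_reload += ocspd_conf->alarm_decrement;

		if ( ocspd_conf->current_crl_reload >= ocspd_conf->crl_auto_reload ) {
			ocspd_conf->current_crl_reload = 0;

			/* Here we de-allocate the CRL entries and reload the CRL */
			if ( ocspd_reload_crls( ocspd_conf ) == 0 ) {
				PKI_log_err("Error reloading CRLs");
			} else if ( ocspd_conf->verbose ) {
				PKI_log(PKI_LOG_INFO, "CRLs reloaded.");
			}

			/* A full reload replaces the per-CA pass for this round */
			alarm( (unsigned int) ocspd_conf->alarm_decrement );
			return;
		}
	}

	if ( ocspd_conf->verbose == 1 )
		PKI_log(PKI_LOG_INFO, "auto_crl_check() continuing");

	for ( i = 0; i < PKI_STACK_elements (ocspd_conf->ca_list); i++ ) {
		CA_LIST_ENTRY *ca = PKI_STACK_get_num (ocspd_conf->ca_list, i);

		if ( ca == NULL ) continue;

		auto_crl_check_one ( ca );
	}

	/* Was LOG_INFO (a syslog level); every other call in this function
	 * uses the PKI_LOG_* scale, so the two are not interchangeable */
	if ( ocspd_conf->verbose == 1 )
		PKI_log(PKI_LOG_INFO, "auto_crl_check() completed");

	alarm( (unsigned int) ocspd_conf->alarm_decrement );
}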
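/*
 * Reload the CRL of one CA entry while holding conf->crl_lock for write.
 *
 * Frees the current CRL, fetches a fresh one from a->crl_url, verifies it
 * against a->ca_cert with check_crl() (the same check OCSPD_load_crl()
 * applies at startup), refreshes lastUpdate/nextUpdate and rebuilds the
 * entries list.  The write lock is released on every path; the missing
 * URL path used to return with the lock still held, which blocked every
 * later reload and reader.  crl_status is recomputed after the lock is
 * released, as before.
 *
 * Returns 0 on success and -1 on a NULL argument, a missing CRL URL, a
 * failed download or a failed CRL/CA check.  After a failure a->crl and
 * a->crl_list are NULL; a->crl_status is left unchanged (NOTE(review):
 * consider whether callers should see a non-OK status in that case).
 */
int ocspd_load_ca_crl ( CA_LIST_ENTRY *a, OCSPD_CONFIG *conf ) {

	int ret = -1;
	int chk = 0;

	if ( !a || !conf ) return(-1);

	if ( conf->debug ) PKI_log_debug( "ACQUIRING WRITE LOCK -- BEGIN CRL RELOAD");
	PKI_RWLOCK_write_lock ( &conf->crl_lock );
	if ( conf->debug ) PKI_log_debug( "INFO::LOCK ACQUIRED (CRL RELOAD)");

	if ( a->crl ) PKI_X509_CRL_free ( a->crl );
	a->crl = NULL;

	/* NOTE(review): the old entries list is only detached here; whether
	 * ocspd_build_crl_entries_list() or ocspd_reload_crls() releases it
	 * is not visible in this file -- confirm to rule out a leak */
	a->crl_list = NULL;

	if ( a->crl_url == NULL ) {
		PKI_log_err ( "Missing CRL URL for CA %s", a->ca_id );
		goto unlock;
	}

	/* We now re-load the CRL */
	if ( (a->crl = PKI_X509_CRL_get_url( a->crl_url, NULL, NULL)) == NULL ) {
		PKI_log_err ("Can not reload CRL [ %s ] for CA [%s]", a->crl_url->addr, a->ca_id);
		goto unlock;
	}

	/* Same issuer/signature check as the initial load; a CRL that fails
	 * it must not replace the one just freed */
	if ( (chk = check_crl( a->crl, a->ca_cert, conf )) < 1 ) {
		PKI_log_err( "CRL/CA check error [ %s:%d ]", a->ca_id, chk );
		PKI_X509_CRL_free ( a->crl );
		a->crl = NULL;
		goto unlock;
	}

	if ( conf->verbose )
		PKI_log( PKI_LOG_INFO, "INFO::CRL successfully reloaded [ %s ]", a->ca_id );

	/* Let's get the CRLs entries, if any */
	if ( ocspd_build_crl_entries_list ( a, a->crl ) == NULL ) {
		if ( conf->verbose )
			PKI_log(PKI_LOG_INFO, "INFO::No Entries for CRL [ %s ]", a->ca_id );
	}

	if ( conf->verbose )
		PKI_log( PKI_LOG_INFO, "INFO::CRL loaded successfully [ %s ]", a->ca_id );

	/* If previous values are there, then we clear them up */
	if ( a->lastUpdate ) ASN1_TIME_free(a->lastUpdate);
	if ( a->nextUpdate ) ASN1_TIME_free(a->nextUpdate);

	/* Get new values from the recently loaded CRL.  PKI_TIME_dup() as in
	 * OCSPD_load_crl(); M_ASN1_TIME_dup is a legacy OpenSSL macro */
	a->lastUpdate = PKI_TIME_dup ( PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_LASTUPDATE ));
	a->nextUpdate = PKI_TIME_dup ( PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_NEXTUPDATE ));

	ret = 0;

unlock:
	if ( conf->debug ) PKI_log_debug("RELEASING LOCK (CRL RELOAD)");
	PKI_RWLOCK_release_write ( &conf->crl_lock );
	if ( conf->debug ) PKI_log_debug ( "LOCK RELEASED --END--");

	if ( ret != 0 ) return ret;

	/* Now check the CRL validity (outside the lock, as before) */
	a->crl_status = check_crl_validity( a, conf );

	if ( a->crl_status == CRL_OK ) {
		PKI_log(PKI_LOG_ALWAYS, "%s's CRL reloaded (OK)", a->ca_id);
	}

	return(0);
}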