Esempio n. 1
0
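/*
 * Load the CRL of a CA entry from ca->crl_url, check it against the CA
 * certificate and refresh the entry's cached lastUpdate/nextUpdate values,
 * its validity status and its revoked-entries list.
 *
 * @param ca    CA entry whose CRL is (re)loaded; must have crl_url set.
 * @param conf  daemon configuration (verbosity flags, passed to the checks).
 * @return PKI_OK on success, PKI_ERR on any failure. On failure ca->crl is
 *         NULL, so a CRL that could not be fetched or that failed the CA
 *         check is never left attached to the entry.
 *
 * NOTE(review): unlike ocspd_load_ca_crl() this replaces ca->crl without
 * taking conf->crl_lock; presumably it runs before the worker threads are
 * started -- confirm at the call sites.
 */
int OCSPD_load_crl ( CA_LIST_ENTRY *ca, OCSPD_CONFIG *conf ) {

	int ret = 0;

	if( !ca || !conf ) return PKI_ERR;

	if( !ca->crl_url ) {
		PKI_log_err ("CRL URL is empty (%s)!", ca->ca_id );
		return PKI_ERR;
	}

	/* Drop a previously loaded CRL before fetching the new one */
	if ( ca->crl ) PKI_X509_CRL_free ( ca->crl );

	if (( ca->crl = PKI_X509_CRL_get_url ( ca->crl_url, 
						NULL, NULL )) == NULL ) {
		PKI_log_err ("Failed loading CRL for %s", ca->ca_id );
		return PKI_ERR;
	}

	/* Let's check the CRL against the CA certificate */
	if( (ret = check_crl( ca->crl, ca->ca_cert, conf )) < 1 ) {
		PKI_log_err( "CRL/CA check error [ %s:%d ]",
						ca->ca_id, ret );
		/* A CRL that failed the CA check must not stay attached to
		   the entry where later lookups could pick it up */
		PKI_X509_CRL_free ( ca->crl );
		ca->crl = NULL;
		return PKI_ERR;
	}

	/* Now we copy the lastUpdate and nextUpdate fields, releasing the
	   values cached by an earlier load first (as ocspd_load_ca_crl does)
	   so repeated loads do not leak them */
	if ( ca->lastUpdate ) ASN1_TIME_free(ca->lastUpdate);
	if ( ca->nextUpdate ) ASN1_TIME_free(ca->nextUpdate);

	ca->lastUpdate = PKI_TIME_dup(
		PKI_X509_CRL_get_data (ca->crl, 
			PKI_X509_DATA_LASTUPDATE));

	ca->nextUpdate = PKI_TIME_dup (
		PKI_X509_CRL_get_data (ca->crl,
			PKI_X509_DATA_NEXTUPDATE ));

	/* The status is recorded even when it is not CRL_OK: the entry is
	   still loaded, the caller/responder decides what to do with it */
	if((ca->crl_status = check_crl_validity(ca, conf )) == CRL_OK ) {
		if(conf->verbose) PKI_log( PKI_LOG_INFO, "CRL for %s is Valid", 
				ca->ca_id );
	} else {
		PKI_log_err ( "CRL for %s has ERRORS (%d)", ca->ca_id, 
						ca->crl_status );
	}

	/* Let's get the CRLs entries, if any (an empty CRL is not an error) */
	if( ocspd_build_crl_entries_list ( ca, ca->crl ) == NULL ) { 
		PKI_log(PKI_LOG_ALWAYS, "No CRL Entries for %s", ca->ca_id );
	}

	if(conf->verbose) PKI_log( PKI_LOG_ALWAYS, "CRL loaded for %s", ca->ca_id );

	return PKI_OK;
}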
Esempio n. 2
0
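/*
 * Periodic CRL maintenance, driven by alarm(): on every tick
 * (ocspd_conf->alarm_decrement seconds) it either
 *  - when crl_auto_reload is configured and enough ticks have accumulated,
 *    reloads every CRL through ocspd_reload_crls(), or
 *  - otherwise re-checks the validity of each CA's CRL and, when the
 *    status changed, reloads that CA's CRL through ocspd_load_ca_crl().
 * The alarm is re-armed with alarm_decrement on every path.
 *
 * @param sig  signal number; unused, the routine only reacts to the alarm
 *             it re-arms itself (the handler installation is not visible
 *             here).
 *
 * NOTE(review): this appears to run in signal context and calls logging,
 * locking and network/file I/O, none of which is async-signal-safe; moving
 * the work to a dedicated thread or a self-pipe would be the usual fix and
 * is out of scope here. ca->crl_status is also written below without
 * conf->crl_lock.
 */
void auto_crl_check ( int sig ) {

	CA_LIST_ENTRY *ca = NULL;
	int i, ret;

	(void) sig;  /* nothing to dispatch on */

	if( ocspd_conf->verbose == 1 ) {
		PKI_log(PKI_LOG_INFO, "auto_crl_check() started");
	}

	if( ocspd_conf->crl_auto_reload ) {
		/* Count alarm ticks until the reload interval is reached */
		ocspd_conf->current_crl_reload += 
					ocspd_conf->alarm_decrement;

		if( ocspd_conf->current_crl_reload >=
					ocspd_conf->crl_auto_reload ) {

			ocspd_conf->current_crl_reload = 0;

			/* Here we de-allocate the CRL entries and
			   reload the CRL */
			if( ocspd_reload_crls( ocspd_conf ) == 0 ) {
				PKI_log_err("Error reloading CRLs");
			} else {
				if( ocspd_conf->verbose )
					PKI_log(PKI_LOG_INFO, "CRLs reloaded.");
			}

			/* The per-CA check below is skipped on a reload tick;
			   presumably ocspd_reload_crls() recomputes the status
			   itself -- confirm */
			alarm( (unsigned int) ocspd_conf->alarm_decrement );

			return;
		}
	}

	if( ocspd_conf->verbose == 1 ) {
		PKI_log(PKI_LOG_INFO, "auto_crl_check() continuing");
	}

	for( i=0; i < PKI_STACK_elements (ocspd_conf->ca_list); i++ ) {

		if((ca = PKI_STACK_get_num (ocspd_conf->ca_list, i)) == NULL) {
			continue;
		}

		if( ocspd_conf->verbose && ca->ca_id )
			PKI_log(PKI_LOG_INFO, "Auto CRL checking [%s]", ca->ca_id);

		ret = check_crl_validity ( ca, ocspd_conf );

		/* Only a status change triggers a reload of this CA's CRL */
		if( ca->crl_status != ret ) {
			if(ocspd_conf->verbose) 
				PKI_log(PKI_LOG_INFO,"Detected CRL status change");
			ca->crl_status = ret;

			ocspd_load_ca_crl (ca, ocspd_conf);

			continue;
		} else {
			if( ocspd_conf->verbose && ca->ca_id ) 
				PKI_log(PKI_LOG_INFO,"No CRL status change for [%s]",
					ca->ca_id);
		}
	}

	if( ocspd_conf->verbose == 1 ) {
		/* PKI_LOG_INFO is the level every other call here uses;
		   syslog's LOG_INFO is a different constant */
		PKI_log(PKI_LOG_INFO, "auto_crl_check() completed");
	}

	alarm( (unsigned int) ocspd_conf->alarm_decrement );

	return;
}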
Esempio n. 3
0
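/*
 * Re-load the CRL of a single CA entry while holding conf->crl_lock for
 * writing.
 *
 * Frees the current CRL, fetches a fresh one from a->crl_url, checks it
 * against the CA certificate (the same check OCSPD_load_crl() applies on
 * the initial load), rebuilds the revoked-entries list and refreshes the
 * cached lastUpdate/nextUpdate values. The validity status is recomputed
 * after the lock has been released.
 *
 * @param a     CA entry to reload; must have crl_url set.
 * @param conf  daemon configuration holding crl_lock and the verbosity and
 *              debug flags.
 * @return 0 on success, -1 on failure. The write lock is released on every
 *         path; after a failure a->crl is NULL.
 *
 * NOTE(review): a->crl_list is simply overwritten with NULL below; unless
 * ocspd_build_crl_entries_list() owns and frees the previous list, the old
 * entries leak on every reload -- confirm.
 */
int ocspd_load_ca_crl ( CA_LIST_ENTRY *a, OCSPD_CONFIG *conf ) {

	int rc = -1;

	if(!a || !conf) return(-1);

	if( conf->debug )
		PKI_log_debug( "ACQUIRING WRITE LOCK -- BEGIN CRL RELOAD");

	PKI_RWLOCK_write_lock ( &conf->crl_lock );
	if( conf->debug )
		PKI_log_debug( "INFO::LOCK ACQUIRED (CRL RELOAD)");

	if( a->crl ) PKI_X509_CRL_free ( a->crl );

	a->crl = NULL;
	a->crl_list = NULL;

	if( a->crl_url == NULL ) {
		PKI_log_err ( "Missing CRL URL for CA %s", a->ca_id );
		/* Must release the write lock on this path too: returning
		   with it held would block every reader of crl_lock forever */
		goto unlock;
	}

	/* We now re-load the CRL */
	if( (a->crl = PKI_X509_CRL_get_url( a->crl_url, NULL, NULL)) == NULL ) {
		PKI_log_err ("Can not reload CRL [ %s ] for CA [%s]", 
						a->crl_url->addr, a->ca_id);
		goto unlock;
	}

	/* Apply the same CA check the initial load performs, so a CRL that
	   does not check out against the CA certificate is not served */
	if( check_crl( a->crl, a->ca_cert, conf ) < 1 ) {
		PKI_log_err ("CRL/CA check error on reload for CA [%s]", a->ca_id);
		PKI_X509_CRL_free ( a->crl );
		a->crl = NULL;
		goto unlock;
	}

	if( conf->verbose )
		PKI_log( PKI_LOG_INFO, "INFO::CRL successfully reloaded [ %s ]",
			a->ca_id );

	/* Let's get the CRLs entries, if any (an empty CRL is not an error) */
	if( ocspd_build_crl_entries_list ( a, a->crl ) == NULL ) { 
		if( conf->verbose )
			PKI_log(PKI_LOG_INFO, "INFO::No Entries for CRL [ %s ]",
				a->ca_id );
	}

	if(conf->verbose)
		PKI_log( PKI_LOG_INFO, "INFO::CRL loaded successfully [ %s ]", 
								a->ca_id );

	/* If previous values are there, then we clear them up */
	if ( a->lastUpdate ) ASN1_TIME_free(a->lastUpdate);
	if ( a->nextUpdate ) ASN1_TIME_free(a->nextUpdate);

	/* Get new values from the recently loaded CRL; PKI_TIME_dup is what
	   OCSPD_load_crl() uses for the same fields */
	a->lastUpdate = PKI_TIME_dup (
		PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_LASTUPDATE ));
	a->nextUpdate = PKI_TIME_dup (
		PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_NEXTUPDATE ));

	rc = 0;

unlock:
	if(conf->debug) PKI_log_debug("RELEASING LOCK (CRL RELOAD)");
	PKI_RWLOCK_release_write ( &conf->crl_lock );
	if(conf->debug) PKI_log_debug ( "LOCK RELEASED --END--");

	if( rc != 0 ) return(rc);

	/* Now check the CRL validity (outside the lock, as before) */
	a->crl_status = check_crl_validity( a, conf );

	if( a->crl_status == CRL_OK ) {
		PKI_log(PKI_LOG_ALWAYS, "%s's CRL reloaded (OK)", a->ca_id);
	}

	return(0);
}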