int OCSPD_load_crl ( CA_LIST_ENTRY *ca, OCSPD_CONFIG *conf ) {
int ret = 0;
if( !ca ) return PKI_ERR;
if( !ca->crl_url ) {
PKI_log_err ("CRL URL is empty (%s)!", ca->ca_id );
return PKI_ERR;
}
if ( ca->crl ) PKI_X509_CRL_free ( ca->crl );
if (( ca->crl = PKI_X509_CRL_get_url ( ca->crl_url,
NULL, NULL )) == NULL ) {
PKI_log_err ("Failed loading CRL for %s", ca->ca_id );
return PKI_ERR;
}
/* Let's check the CRL against the CA certificate */
if( (ret = check_crl( ca->crl, ca->ca_cert, conf )) < 1 ) {
PKI_log_err( "CRL/CA check error [ %s:%d ]",
ca->ca_id, ret );
return PKI_ERR;
}
/* Now we copy the lastUpdate and nextUpdate fields */
if( ca->crl ) {
ca->lastUpdate = PKI_TIME_dup(
PKI_X509_CRL_get_data (ca->crl,
PKI_X509_DATA_LASTUPDATE));
ca->nextUpdate = PKI_TIME_dup (
PKI_X509_CRL_get_data (ca->crl,
PKI_X509_DATA_NEXTUPDATE ));
}
if((ca->crl_status = check_crl_validity(ca, conf )) == CRL_OK ) {
if(conf->verbose) PKI_log( PKI_LOG_INFO, "CRL for %s is Valid",
ca->ca_id );
} else {
PKI_log_err ( "CRL for %s has ERRORS (%d)", ca->ca_id,
ca->crl_status );
}
/* Let's get the CRLs entries, if any */
if( ocspd_build_crl_entries_list ( ca, ca->crl ) == NULL ) {
PKI_log(PKI_LOG_ALWAYS, "No CRL Entries for %s", ca->ca_id );
};
if(conf->verbose) PKI_log( PKI_LOG_ALWAYS, "CRL loaded for %s", ca->ca_id );
return PKI_OK;
}
int PKI_X509_PKCS7_VALUE_print_bio ( PKI_IO *bio,
PKI_X509_PKCS7_VALUE *p7val ) {
int type;
int i,j;
int cert_num = -1;
int crl_num = -1;
int signers_num = -1;
char *tmp_str = NULL;
PKI_X509_PKCS7 *msg = NULL;
PKCS7_SIGNER_INFO *si = NULL;
PKI_X509_CERT *cert = NULL;
PKI_DIGEST *digest = NULL;
PKI_MEM *mem = NULL;
if (!bio || !p7val ) return PKI_ERR;
if (( msg = PKI_X509_new_dup_value ( PKI_DATATYPE_X509_PKCS7,
p7val, NULL )) == NULL ) {
return PKI_ERR;
}
type = PKI_X509_PKCS7_get_type ( msg );
BIO_printf( bio, "PKCS#7 Message:\r\n" );
BIO_printf( bio, " Message Type:\r\n " );
switch ( type ) {
case PKI_X509_PKCS7_TYPE_ENCRYPTED:
BIO_printf( bio, "Encrypted\r\n" );
break;
case PKI_X509_PKCS7_TYPE_SIGNED:
BIO_printf( bio, "Signed\r\n" );
break;
case PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED:
BIO_printf( bio, "Signed and Encrypted\r\n" );
break;
default:
BIO_printf( bio, "Unknown (%d)\r\n", type );
break;
}
BIO_printf( bio, " Message Data:\r\n");
if (( mem = PKI_X509_PKCS7_get_raw_data ( msg )) == NULL ) {
BIO_printf( bio, " None.\r\n");
} else {
int msg_type = 0;
BIO_printf( bio, " Size=%u bytes\r\n",
(unsigned int) mem->size );
msg_type = PKI_X509_PKCS7_get_type ( msg );
if ( msg_type == PKI_X509_PKCS7_TYPE_ENCRYPTED ||
msg_type ==
PKI_X509_PKCS7_TYPE_SIGNEDANDENCRYPTED){
BIO_printf( bio, " Encrypted=yes\r\n");
BIO_printf( bio, " Algorithm=%s\r\n",
PKI_ALGOR_get_parsed (
PKI_X509_PKCS7_get_encode_alg ( msg )));
} else {
BIO_printf( bio, " Encrypted=no\r\n");
}
PKI_MEM_free ( mem );
}
i = 0;
if (( si = PKI_X509_PKCS7_get_signer_info ( msg, i )) == NULL ) {
BIO_printf(bio, " Signature Info:\r\n" );
BIO_printf(bio, " No Signature found.\r\n" );
}
// Print the Signer Info
BIO_printf( bio, " Signer Info:\r\n");
signers_num = PKI_X509_PKCS7_get_signers_num ( msg );
for ( i = 0; i < signers_num; i++ ) {
PKCS7_ISSUER_AND_SERIAL *ias = NULL;
BIO_printf ( bio, " [%d of %d] Signer Details:\r\n",
i+1, signers_num );
if (( si = PKI_X509_PKCS7_get_signer_info ( msg, i )) == NULL )
break;
if((ias = si->issuer_and_serial) == NULL ) {
BIO_printf ( bio, " "
"ERROR::Missing Info!\r\n");
} else {
tmp_str = PKI_INTEGER_get_parsed ( ias->serial );
BIO_printf ( bio, " Serial=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_NAME_get_parsed ( ias->issuer );
BIO_printf ( bio, " Issuer=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
}
if ( si->digest_enc_alg ) {
BIO_printf( bio, " "
"Encryption Algoritm=%s\r\n",
PKI_ALGOR_get_parsed ( si->digest_enc_alg ));
}
if ( si->digest_alg ) {
BIO_printf( bio, " Digest Algorithm=%s\r\n",
PKI_ALGOR_get_parsed ( si->digest_alg ));
}
BIO_printf( bio, " Signed Attributes:\r\n");
if ( si->auth_attr ) {
PKI_X509_ATTRIBUTE *a = NULL;
int attr_num = 0;
char * tmp_str = NULL;
for ( attr_num = 0; attr_num <
PKI_STACK_X509_ATTRIBUTE_elements (
si->auth_attr ); attr_num++ ) {
a = PKI_STACK_X509_ATTRIBUTE_get_num (
si->auth_attr, attr_num );
if ( PKI_OID_get_id ( a->object ) ==
NID_pkcs9_messageDigest ) {
tmp_str = PKI_X509_ATTRIBUTE_get_parsed
( a );
BIO_printf( bio, " "
"Message Digest:");
for ( j=0; j < strlen(tmp_str); j++ ) {
if ( ( j % 60 ) == 0 ) {
BIO_printf (bio,
"\r\n ");
}
BIO_printf(bio,"%c",tmp_str[j]);
} BIO_printf( bio, "\r\n");
// PKI_Free ( tmp_str );
} else {
BIO_printf( bio, " %s=",
PKI_X509_ATTRIBUTE_get_descr (
a ) );
tmp_str=
PKI_X509_ATTRIBUTE_get_parsed(a);
BIO_printf( bio, "%s\r\n", tmp_str );
PKI_Free ( tmp_str );
}
}
} else {
BIO_printf( bio, " None.\r\n");
}
BIO_printf( bio," Non Signed Attributes:\r\n");
if ( si->unauth_attr ) {
PKI_X509_ATTRIBUTE *a = NULL;
int attr_num = 0;
char * tmp_str = NULL;
for ( attr_num = 0; attr_num <
PKI_STACK_X509_ATTRIBUTE_elements (
si->auth_attr ); attr_num++ ) {
a = PKI_STACK_X509_ATTRIBUTE_get_num (
si->auth_attr, attr_num );
BIO_printf( bio, " %s=",
PKI_X509_ATTRIBUTE_get_descr ( a ) );
tmp_str = PKI_X509_ATTRIBUTE_get_parsed ( a );
BIO_printf( bio, "%s\r\n", tmp_str );
PKI_Free ( tmp_str );
}
BIO_printf( bio, "\r\n");
} else {
BIO_printf( bio, " None.\r\n");
}
}
BIO_printf( bio, "\r\n Recipients Info:\r\n");
if( PKI_X509_PKCS7_has_recipients ( msg ) == PKI_ERR ) {
BIO_printf( bio, " No Recipients\r\n");
} else {
int rec_num = 0;
PKI_X509_CERT *rec = NULL;
rec_num = PKI_X509_PKCS7_get_recipients_num ( msg );
for ( i=0; i < rec_num; i++ ) {
rec = PKI_X509_PKCS7_get_recipient_cert ( msg, i );
if ( !rec ) {
PKCS7_RECIP_INFO *ri = NULL;
PKCS7_ISSUER_AND_SERIAL *ias = NULL;
BIO_printf( bio, " "
"[%d of %d] Recipient Details:\r\n",
i+1, rec_num );
ri = PKI_X509_PKCS7_get_recipient_info ( msg,i);
if (!ri) {
BIO_printf(bio," <ERROR>");
continue;
}
if((ias = ri->issuer_and_serial) != NULL ) {
tmp_str = PKI_INTEGER_get_parsed (
ias->serial );
BIO_printf( bio, " "
"Serial=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_NAME_get_parsed (
ias->issuer );
BIO_printf( bio, " "
"Issuer=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
BIO_printf( bio, " "
"Key Encoding Algorithm=%s\r\n",
PKI_ALGOR_get_parsed (
ri->key_enc_algor ));
}
} else {
BIO_printf( bio, " "
"[%d] Recipient Certificate:\r\n", i );
tmp_str = PKI_X509_CERT_get_parsed( cert,
PKI_X509_DATA_SUBJECT );
BIO_printf( bio, " "
"Subject=%s\r\n", tmp_str);
PKI_Free ( tmp_str );
}
}
}
/* Now Let's Check the CRLs */
BIO_printf(bio, "\r\n Certificates:\r\n");
if ((cert_num = PKI_X509_PKCS7_get_certs_num ( msg )) > 0 ) {
PKI_X509_CERT * cert = NULL;
for (i = 0; i < cert_num; i++ ) {
BIO_printf( bio, " [%d of %d] Certificate:\r\n",
i+1, cert_num);
if((cert = PKI_X509_PKCS7_get_cert ( msg, i )) == NULL ) {
BIO_printf( bio, " Error.\r\n");
continue;
};
tmp_str = PKI_X509_CERT_get_parsed( cert,
PKI_X509_DATA_SERIAL );
BIO_printf( bio, " Serial=%s\r\n",
tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CERT_get_parsed( cert,
PKI_X509_DATA_ISSUER );
BIO_printf( bio, " Issuer=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CERT_get_parsed( cert,
PKI_X509_DATA_SUBJECT );
BIO_printf( bio, " Subject=%s\r\n", tmp_str);
PKI_Free ( tmp_str );
digest = PKI_X509_CERT_fingerprint( cert,
PKI_DIGEST_ALG_DEFAULT );
tmp_str = PKI_DIGEST_get_parsed ( digest );
BIO_printf( bio, " Fingerprint [%s]:",
PKI_DIGEST_ALG_get_parsed (
PKI_DIGEST_ALG_DEFAULT ));
for ( j=0; j < strlen(tmp_str); j++ ) {
if ( ( j % 60 ) == 0 ) {
BIO_printf (bio,"\r\n ");
}
BIO_printf( bio, "%c", tmp_str[j] );
} BIO_printf( bio, "\r\n");
PKI_DIGEST_free ( digest );
PKI_Free ( tmp_str );
PKI_X509_CERT_free ( cert );
// X509_signature_print(bp,
// br->signatureAlgorithm, br->signature);
}
} else {
BIO_printf( bio, " None.\r\n");
}
BIO_printf(bio, "\r\n Certificate Revocation Lists:\r\n");
if((crl_num = PKI_X509_PKCS7_get_crls_num ( msg )) > 0 ) {
PKI_X509_CRL * crl = NULL;
for ( i = 0; i < crl_num; i++ ) {
BIO_printf( bio, " [%d of %d] CRL Details:\r\n",
i+1, crl_num );
if(( crl = PKI_X509_PKCS7_get_crl ( msg, i )) == NULL ) {
BIO_printf(bio," ERROR::Missing Data\r\n");
continue;
}
tmp_str = PKI_X509_CRL_get_parsed(crl,PKI_X509_DATA_VERSION);
BIO_printf( bio, " Version=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
// tmp_str = PKI_X509_CRL_get_parsed(crl,PKI_X509_DATA_SERIAL);
// BIO_printf( bio, " Serial=%s\r\n", tmp_str );
// PKI_Free ( tmp_str );
tmp_str = PKI_X509_CRL_get_parsed(crl,PKI_X509_DATA_ISSUER);
BIO_printf( bio, " Issuer=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CRL_get_parsed(crl,
PKI_X509_DATA_ALGORITHM);
BIO_printf( bio, " Algorithm=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CRL_get_parsed(crl,
PKI_X509_DATA_NOTBEFORE);
BIO_printf( bio, " Not Before=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
tmp_str = PKI_X509_CRL_get_parsed(crl,
PKI_X509_DATA_NOTAFTER);
BIO_printf( bio, " Not After=%s\r\n", tmp_str );
PKI_Free ( tmp_str );
PKI_X509_CRL_free ( crl );
}
} else {
BIO_printf( bio, " None.\r\n");
}
BIO_printf(bio, "\r\n");
return PKI_OK;
}
int main (int argc, char *argv[] ) {
PKI_TOKEN *tk = NULL;
PKI_X509_PROFILE *prof = NULL;
// PKI_OID *oid = NULL;
PKI_X509_CRL *crl = NULL;
PKI_X509_CRL_ENTRY *entry = NULL;
PKI_X509_CRL_ENTRY_STACK *sk = NULL;
printf("\n\nlibpki Test - Massimiliano Pala <*****@*****.**>\n");
printf("(c) 2006 by Massimiliano Pala and OpenCA Project\n");
printf("OpenCA Licensed Software\n\n");
if(( PKI_log_init (PKI_LOG_TYPE_STDERR, PKI_LOG_NOTICE, NULL,
PKI_LOG_FLAGS_ENABLE_DEBUG, NULL )) == PKI_ERR ) {
exit(1);
}
if((tk = PKI_TOKEN_new_null()) == NULL ) {
printf("ERROR, can not allocate token!\n\n");
exit(1);
}
if(( PKI_TOKEN_init( tk, "etc" , "Default" )) == PKI_ERR) {
printf("ERROR, can not configure token!\n\n");
exit(1);
}
if((PKI_TOKEN_set_algor ( tk, PKI_ALGOR_RSA_SHA256 )) == PKI_ERR ) {
printf("ERROR, can not set the RSA crypto scheme!\n");
return (0);
}
if((PKI_TOKEN_new_keypair ( tk, 1024, NULL )) == PKI_ERR) {
printf("ERROR, can not generate new keypair!\n");
return (0);
}
printf("* Self Signing certificate .... ");
if((PKI_TOKEN_self_sign( tk, NULL, "23429", 24*3600, "User" )) == PKI_ERR ) {
printf("ERROR, can not self sign certificate!\n");
return(0);
}
printf("Generating a new CRL ENTRY ... ");
if((entry = PKI_X509_CRL_ENTRY_new_serial ( "12345678",
CRL_REASON_KEY_COMPROMISE, NULL, NULL ))
== NULL ) {
printf("ERROR!\n");
exit(1);
}
printf("Ok\n");
sk = PKI_STACK_X509_CRL_ENTRY_new();
PKI_STACK_X509_CRL_ENTRY_push( sk, entry );
printf("Generating new CRL ... ");
if((crl = PKI_TOKEN_issue_crl (tk, "3",
PKI_VALIDITY_ONE_WEEK, sk, "crl")) == NULL ) {
printf("ERROR, can not generate new CRL!\n");
exit(1);
}
printf("Ok\n");
if( tk ) PKI_TOKEN_free ( tk );
if( prof ) PKI_X509_PROFILE_free ( prof );
if( crl ) PKI_X509_CRL_free ( crl );
PKI_log_end();
printf("\n\n[ Test Ended Succesfully ]\n\n");
return (0);
}
PKI_X509_CRL *PKI_X509_CRL_new(const PKI_X509_KEYPAIR *k,
const PKI_X509_CERT *cert,
const char * crlNumber_s,
unsigned long validity,
const PKI_X509_CRL_ENTRY_STACK *sk,
const PKI_X509_PROFILE *profile,
const PKI_CONFIG *oids,
HSM *hsm) {
PKI_X509_CRL *ret = NULL;
PKI_X509_CRL_VALUE *val = NULL;
ASN1_INTEGER *crlNumber = NULL;
ASN1_TIME *time = NULL;
int rv = PKI_OK;
int i = 0;
char * tmp_s = NULL;
PKI_X509_CRL_ENTRY *entry = NULL;
PKI_DIGEST_ALG *dgst = NULL;
long long lastUpdateVal = 0;
long long nextUpdateVal = 0;
/* Checks for the Key and its internal value */
if( !k || !k->value ) return NULL;
/* checks for the certificate and its internal value */
if( !cert || !cert->value ) return ( NULL );
if(( ret = PKI_X509_CRL_new_null()) == NULL ) {
PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
goto err;
}
/* Alloc memory structure for the Certificate */
if((ret->value = ret->cb->create()) == NULL ) {
PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
goto err;
}
val = ret->value;
if ( !crlNumber_s && profile ) {
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/crlNumber")) != NULL ) {
crlNumber = PKI_INTEGER_new_char ( tmp_s );
PKI_Free ( tmp_s );
};
} else if ( crlNumber_s ) {
crlNumber = PKI_INTEGER_new_char( crlNumber_s );
// Let's add the CRLSerial extension
X509_CRL_add1_ext_i2d(val, NID_crl_number, crlNumber, 0, 0);
};
/* Set the start date (notBefore) */
if (profile)
{
int years = 0;
int days = 0;
int hours = 0;
int mins = 0;
int secs = 0;
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/years")) != NULL ) {
years = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/days")) != NULL ) {
days = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/hours")) != NULL ) {
hours = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/minutes")) != NULL ) {
mins = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/minutes")) != NULL ) {
secs = atoi( tmp_s );
PKI_Free ( tmp_s );
};
lastUpdateVal = secs +
( mins * 60 ) +
( hours * 3600 ) +
( days * 3600 * 24 ) +
( years * 3600 * 24 * 365 );
}
else
{
// Sets lastUpdate to current time
lastUpdateVal = 0;
};
if ( profile && validity <= 0 ) {
long long years = 0;
long long days = 0;
long long hours = 0;
long long mins = 0;
long long secs = 0;
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/years")) != NULL ) {
years = atoll( tmp_s );
PKI_Free(tmp_s);
}
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/days")) != NULL ) {
days = atoll( tmp_s );
PKI_Free( tmp_s );
}
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/hours")) != NULL ) {
hours = atoll( tmp_s );
PKI_Free( tmp_s );
}
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/mins")) != NULL ) {
mins = atoll( tmp_s );
PKI_Free ( tmp_s );
}
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/secs")) != NULL ) {
secs = atoll( tmp_s );
PKI_Free ( tmp_s );
}
nextUpdateVal = secs +
60 * ( mins +
60 * (hours +
24 * ( days +
365 * years
)
)
);
}
else
{
nextUpdateVal = (long long) validity;
};
/* Generates a new time for lastUpdate field */
if((time = PKI_TIME_new( lastUpdateVal )) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
goto err;
};
/* Set the Last Update field */
if(X509_CRL_set_lastUpdate( val, time ) == 0 ) {
PKI_log_err ( "ERROR, can not set lastUpdate field in CRL");
goto err;
}
PKI_TIME_free ( time );
time = NULL; // Memory
/* Generates a new time for lastUpdate field */
if((time = PKI_TIME_new( nextUpdateVal )) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
goto err;
};
/* Set the nextUpdate field */
if(X509_CRL_set_nextUpdate( val, time ) == 0 ) {
PKI_log_err ( "ERROR, can not set lastUpdate field in CRL");
goto err;
}
PKI_TIME_free ( time );
time = NULL; // Memory
/* Now we need to add the CRL issuer name and details */
if (X509_CRL_set_issuer_name( val,
X509_get_subject_name(cert->value)) == 0) {
PKI_log_debug( "Can not set CRL issuer name");
goto err;
}
if ( sk ) {
/* Adds the list of revoked certificates */
for(i=0; i < PKI_STACK_X509_CRL_ENTRY_elements(sk); i++ ) {
PKI_log_debug("CRL::ADDING ENTRY %d\n", i );
entry = PKI_STACK_X509_CRL_ENTRY_get_num(sk, i);
if(!entry) break;
X509_CRL_add0_revoked(val, entry);
};
}
/* Sorts the CRL entries */
X509_CRL_sort ( val );
/*
if((ret = PKI_X509_new_value( PKI_DATATYPE_X509_CRL, val, hsm)) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
X509_CRL_free ( val );
return ( NULL );
}
*/
/* Get the extensions from the profile */
if( profile ) {
PKI_TOKEN * tk;
if((tk = PKI_TOKEN_new_null()) == NULL ) {
PKI_log_err ( "Memory allocation failure");
PKI_X509_CRL_free ( ret );
return NULL;
}
PKI_TOKEN_set_cert(tk, (PKI_X509_CERT *)cert);
PKI_TOKEN_set_keypair(tk, (PKI_X509_KEYPAIR *)k);
if(PKI_X509_EXTENSIONS_crl_add_profile( profile, oids, ret, tk) == 0 ) {
PKI_log_debug( "ERROR, can not set extensions!");
PKI_X509_CRL_free ( ret );
tk->cert = NULL;
tk->keypair = NULL;
PKI_TOKEN_free ( tk );
return ( NULL );
}
tk->cert = NULL;
tk->keypair = NULL;
PKI_TOKEN_free ( tk );
}
/* Get the Digest Algorithm */
if( (dgst = PKI_DIGEST_ALG_get_by_key( k )) == NULL ) {
PKI_log_err("Can not get digest algor from keypair!");
goto err;
}
rv = PKI_X509_sign ( ret, dgst, k );
if ( rv == PKI_ERR ) {
PKI_log_debug ("ERROR, can not sign CRL!");
goto err;
}
return( ret );
err:
if ( time ) PKI_TIME_free ( time );
if ( ret ) PKI_X509_CRL_free ( ret );
return NULL;
}
int ocspd_load_ca_crl ( CA_LIST_ENTRY *a, OCSPD_CONFIG *conf ) {
if(!a) return(-1);
if( conf->debug )
PKI_log_debug( "ACQUIRING WRITE LOCK -- BEGIN CRL RELOAD");
PKI_RWLOCK_write_lock ( &conf->crl_lock );
// pthread_rwlock_wrlock( &crl_lock );
if( conf->debug )
PKI_log_debug( "INFO::LOCK ACQUIRED (CRL RELOAD)");
if( a->crl ) PKI_X509_CRL_free ( a->crl );
a->crl = NULL;
a->crl_list = NULL;
if( a->crl_url == NULL ) {
PKI_log_err ( "Missing CRL URL for CA %s", a->ca_id );
return(-1);
}
/* We now re-load the CRL */
if( (a->crl = PKI_X509_CRL_get_url( a->crl_url, NULL, NULL)) == NULL ) {
PKI_log_err ("Can not reload CRL [ %s ] for CA [%s]",
a->crl_url->addr, a->ca_id);
PKI_RWLOCK_release_write ( &conf->crl_lock );
return(-1);
}
if( conf->verbose )
PKI_log( PKI_LOG_INFO, "INFO::CRL successfully reloaded [ %s ]",
a->ca_id );
/* Let's get the CRLs entries, if any */
if( ocspd_build_crl_entries_list ( a, a->crl ) == NULL ) {
if( conf->verbose )
PKI_log(PKI_LOG_INFO, "INFO::No Entries for CRL [ %s ]",
a->ca_id );
};
if(conf->verbose)
PKI_log( PKI_LOG_INFO, "INFO::CRL loaded successfully [ %s ]",
a->ca_id );
/* If previous values are there, then we clear them up */
if ( a->lastUpdate ) ASN1_TIME_free(a->lastUpdate);
if ( a->nextUpdate ) ASN1_TIME_free(a->nextUpdate);
/* Get new values from the recently loaded CRL */
a->lastUpdate = M_ASN1_TIME_dup (
PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_LASTUPDATE ));
a->nextUpdate = M_ASN1_TIME_dup (
PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_NEXTUPDATE ));
if(conf->debug) PKI_log_debug("RELEASING LOCK (CRL RELOAD)");
PKI_RWLOCK_release_write ( &conf->crl_lock );
// pthread_rwlock_unlock ( &crl_lock );
if(conf->debug) PKI_log_debug ( "LOCK RELEASED --END--");
/* Now check the CRL validity */
a->crl_status = check_crl_validity( a, conf );
if( a->crl_status == CRL_OK ) {
PKI_log(PKI_LOG_ALWAYS, "%s's CRL reloaded (OK)", a->ca_id);
}
return(0);
}
