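/*
 * Loads (or re-loads) the CRL of a CA entry from ca->crl_url, checks it
 * against the CA certificate, refreshes the cached lastUpdate/nextUpdate
 * copies and the CRL entries list, and records the CRL validity status.
 *
 * @param ca   CA entry whose CRL is loaded; must not be NULL.
 * @param conf Daemon configuration (verbosity flags, handed to the CRL
 *             checks); must not be NULL.
 * @return PKI_OK on success, PKI_ERR on any failure. When the fetched CRL
 *         does not pass the CA check it is released and ca->crl is left
 *         NULL, so a rejected CRL is never kept attached to the entry.
 */
int OCSPD_load_crl ( CA_LIST_ENTRY *ca, OCSPD_CONFIG *conf ) {

	int ret = 0;

	if( !ca || !conf ) return PKI_ERR;

	if( !ca->crl_url ) {
		PKI_log_err ("CRL URL is empty (%s)!", ca->ca_id );
		return PKI_ERR;
	}

	/* Drop the previously loaded CRL (if any) before fetching a new one */
	if ( ca->crl ) PKI_X509_CRL_free ( ca->crl );
	ca->crl = NULL;

	if (( ca->crl = PKI_X509_CRL_get_url ( ca->crl_url, 
						NULL, NULL )) == NULL ) {
		PKI_log_err ("Failed loading CRL for %s", ca->ca_id );
		return PKI_ERR;
	}

	/* Let's check the CRL against the CA certificate. A CRL that fails
	 * this check must not remain attached to the entry, otherwise it
	 * could later be consulted as if it had been verified. */
	if( (ret = check_crl( ca->crl, ca->ca_cert, conf )) < 1 ) {
		PKI_log_err( "CRL/CA check error [ %s:%d ]",
						ca->ca_id, ret );
		PKI_X509_CRL_free ( ca->crl );
		ca->crl = NULL;
		return PKI_ERR;
	}

	/* Now we copy the lastUpdate and nextUpdate fields. The previous
	 * copies are released first so that a reload does not leak them
	 * (the entry is expected to hold either NULL or an owned value). */
	if ( ca->lastUpdate ) ASN1_TIME_free ( ca->lastUpdate );
	if ( ca->nextUpdate ) ASN1_TIME_free ( ca->nextUpdate );

	ca->lastUpdate = PKI_TIME_dup(
		PKI_X509_CRL_get_data (ca->crl, 
			PKI_X509_DATA_LASTUPDATE));

	ca->nextUpdate = PKI_TIME_dup (
		PKI_X509_CRL_get_data (ca->crl,
			PKI_X509_DATA_NEXTUPDATE ));

	if((ca->crl_status = check_crl_validity(ca, conf )) == CRL_OK ) {
		if(conf->verbose) PKI_log( PKI_LOG_INFO, "CRL for %s is Valid", 
				ca->ca_id );
	} else {
		PKI_log_err ( "CRL for %s has ERRORS (%d)", ca->ca_id, 
						ca->crl_status );
	}

	/* Let's get the CRLs entries, if any (an empty list is not an error) */
	if( ocspd_build_crl_entries_list ( ca, ca->crl ) == NULL ) { 
		PKI_log(PKI_LOG_ALWAYS, "No CRL Entries for %s", ca->ca_id );
	}

	if(conf->verbose) PKI_log( PKI_LOG_ALWAYS, "CRL loaded for %s", ca->ca_id );

	return PKI_OK;
}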
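/*
 * Renders one field of a CRL as a newly allocated, human-readable string.
 * The caller owns the returned string and must free() it.
 *
 * @param x    CRL to inspect; NULL, or a CRL without a value, yields NULL.
 * @param type Field to render: version, issuer, signature algorithm, or
 *             one of the time fields (lastUpdate, nextUpdate, notBefore,
 *             notAfter).
 * @return malloc'd string; "NONE" when the field cannot be parsed or is
 *         absent; NULL when x is unusable, the type is unsupported, or
 *         allocation fails.
 */
char * PKI_X509_CRL_get_parsed(const PKI_X509_CRL *x, PKI_X509_DATA type ) {

  char *ret = NULL;
  const PKI_ALGOR *al = NULL;
  const char *descr = NULL;

  if (!x || !x->value) return NULL;

  switch (type)
  {
    case PKI_X509_DATA_VERSION:
      ret = PKI_INTEGER_get_parsed(
          PKI_X509_CRL_get_data(x, type));
      break;

    case PKI_X509_DATA_ISSUER:
      ret = PKI_X509_NAME_get_parsed(
          PKI_X509_CRL_get_data(x, type));
      break;

    case PKI_X509_DATA_ALGORITHM:
      /* The OID description can itself be missing; strdup(NULL) is
       * undefined behaviour, so the copy is taken only when present */
      if ((al = PKI_X509_CRL_get_data(x, type)) != NULL)
        descr = PKI_OID_get_descr(al->algorithm);
      if (descr != NULL)
        ret = strdup(descr);
      break;

    case PKI_X509_DATA_LASTUPDATE:
    case PKI_X509_DATA_NEXTUPDATE:
    case PKI_X509_DATA_NOTBEFORE:
    case PKI_X509_DATA_NOTAFTER:
      ret = PKI_TIME_get_parsed(
          PKI_X509_CRL_get_data(x, type));
      break;

    default:
      /* Not Recognized/Supported DATATYPE */
      return NULL;
  }

  /* Every supported field shares the same fallback when unparsable */
  if (!ret) ret = strdup("NONE");

  return ret;
}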
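/*
 * Re-loads the CRL of a CA entry while holding the configuration's CRL
 * write lock, rebuilds the CRL entries list, refreshes the cached
 * lastUpdate/nextUpdate values, then re-evaluates the CRL status.
 *
 * @param a    CA entry to reload; must not be NULL.
 * @param conf Daemon configuration holding crl_lock and the debug/verbose
 *             flags; must not be NULL.
 * @return 0 on success, -1 on failure. The write lock is released on
 *         every return path that acquired it.
 */
int ocspd_load_ca_crl ( CA_LIST_ENTRY *a, OCSPD_CONFIG *conf ) {

	int ret = -1;

	if(!a || !conf) return(-1);

	if( conf->debug )
		PKI_log_debug( "ACQUIRING WRITE LOCK -- BEGIN CRL RELOAD");

	PKI_RWLOCK_write_lock ( &conf->crl_lock );

	if( conf->debug )
		PKI_log_debug( "INFO::LOCK ACQUIRED (CRL RELOAD)");

	if( a->crl ) PKI_X509_CRL_free ( a->crl );

	a->crl = NULL;
	/* NOTE(review): the previous crl_list is dropped here without being
	 * freed; confirm that its entries are released elsewhere (e.g. by
	 * ocspd_build_crl_entries_list), otherwise every reload leaks it */
	a->crl_list = NULL;

	if( a->crl_url == NULL ) {
		PKI_log_err ( "Missing CRL URL for CA %s", a->ca_id );
		/* Must still release the write lock: returning while holding it
		 * would block every reader of the CRL for good */
		goto out;
	}

	/* We now re-load the CRL */
	if( (a->crl = PKI_X509_CRL_get_url( a->crl_url, NULL, NULL)) == NULL ) {
		PKI_log_err ("Can not reload CRL [ %s ] for CA [%s]", 
						a->crl_url->addr, a->ca_id);
		goto out;
	}

	if( conf->verbose )
		PKI_log( PKI_LOG_INFO, "INFO::CRL successfully reloaded [ %s ]",
			a->ca_id );

	/* Let's get the CRLs entries, if any (an empty list is not an error) */
	if( ocspd_build_crl_entries_list ( a, a->crl ) == NULL ) { 
		if( conf->verbose )
			PKI_log(PKI_LOG_INFO, "INFO::No Entries for CRL [ %s ]",
				a->ca_id );
	}

	if(conf->verbose)
		PKI_log( PKI_LOG_INFO, "INFO::CRL loaded successfully [ %s ]", 
								a->ca_id );

	/* If previous values are there, then we clear them up */
	if ( a->lastUpdate ) ASN1_TIME_free(a->lastUpdate);
	if ( a->nextUpdate ) ASN1_TIME_free(a->nextUpdate);

	/* Get new values from the recently loaded CRL */
	a->lastUpdate = M_ASN1_TIME_dup (
		PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_LASTUPDATE ));
	a->nextUpdate = M_ASN1_TIME_dup (
		PKI_X509_CRL_get_data ( a->crl, PKI_X509_DATA_NEXTUPDATE ));

	ret = 0;

out:
	/* Single unlock point for the success path and both failure paths */
	if(conf->debug) PKI_log_debug("RELEASING LOCK (CRL RELOAD)");
	PKI_RWLOCK_release_write ( &conf->crl_lock );
	if(conf->debug) PKI_log_debug ( "LOCK RELEASED --END--");

	if( ret != 0 ) return(ret);

	/* Now check the CRL validity.
	 * NOTE(review): crl_status is written after the write lock has been
	 * released; whether readers of crl_status are synchronised some other
	 * way cannot be told from here — confirm before relying on it */
	a->crl_status = check_crl_validity( a, conf );

	if( a->crl_status == CRL_OK ) {
		PKI_log(PKI_LOG_ALWAYS, "%s's CRL reloaded (OK)", a->ca_id);
	}

	return(0);
}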