|
|
|
|
@ -65,14 +65,19 @@ my %monarr = ("Jan" => 1, "Feb" => 2, "Mar" => 3, "Apr" => 4, "May" => 5, "Jun"
|
|
|
|
|
my $password="";
|
|
|
|
|
if(open IN,"<$mysqlphp")
|
|
|
|
|
{
|
|
|
|
|
my $content="";
|
|
|
|
|
my $content="";
|
|
|
|
|
undef $/;
|
|
|
|
|
$content=<IN>;
|
|
|
|
|
$password=$1 if($content=~m/mysql_connect\("[^"]+",\s*"\w+",\s*"(\w+)"/);
|
|
|
|
|
$password=$1 if($content=~m/mysql_connect\s*\("[^"]+",\s*"\w+",\s*"(\w+)"/);
|
|
|
|
|
close IN;
|
|
|
|
|
$/="\n";
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
die "Could not read file: $!\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
my $dbh = DBI->connect("DBI:mysql:cacert:localhost","cacert",$password, { RaiseError => 1, AutoCommit => 1 }) || die ("Error with the database connection.\n");
|
|
|
|
|
|
|
|
|
|
@ -88,13 +93,6 @@ sub readfile($)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#mkdir "revokehashes";
|
|
|
|
|
foreach (keys %revokefile)
|
|
|
|
|
{
|
|
|
|
|
my $revokehash=sha1_hex(readfile($revokefile{$_}));
|
|
|
|
|
print "Root $_: Hash $revokefile{$_} = $revokehash\n";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#Logging functions:
|
|
|
|
|
my $lastdate = "";
|
|
|
|
|
@ -125,6 +123,15 @@ die $_[0];
|
|
|
|
|
|
|
|
|
|
my $timestamp=strftime("%Y-%m-%d %H:%M:%S",localtime);
|
|
|
|
|
|
|
|
|
|
#mkdir "revokehashes";
|
|
|
|
|
foreach (keys %revokefile)
|
|
|
|
|
{
|
|
|
|
|
next unless (-f $revokefile{$_});
|
|
|
|
|
my $revokehash=sha1_hex(readfile($revokefile{$_}));
|
|
|
|
|
SysLog "Root $_: Hash $revokefile{$_} = $revokehash";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sub mysql_query($)
|
|
|
|
|
{
|
|
|
|
|
@ -364,7 +371,7 @@ my $tries=100000;
|
|
|
|
|
while(!$blockfinished)
|
|
|
|
|
{
|
|
|
|
|
Error("Tried reading too often\n") if(($tries--)<=0);
|
|
|
|
|
print ("tries: $tries\n") if(!($tries%10));
|
|
|
|
|
# SysLog ("tries: $tries") if(!($tries%10));
|
|
|
|
|
|
|
|
|
|
$data="";
|
|
|
|
|
if(!scalar($sel->can_read(5)))
|
|
|
|
|
@ -487,10 +494,11 @@ sub X509extractExpiryDate($)
|
|
|
|
|
|
|
|
|
|
sub CRLuptodate($)
|
|
|
|
|
{
|
|
|
|
|
# TIMEZONE ?!?
|
|
|
|
|
my $data=`$opensslbin crl -in "$_[0]" -noout -lastupdate`; #inform=der ?
|
|
|
|
|
|
|
|
|
|
return 0 unless(-f $_[0]);
|
|
|
|
|
my $data=`$opensslbin crl -in "$_[0]" -noout -lastupdate -inform der`;
|
|
|
|
|
SysLog "CRL: $data";
|
|
|
|
|
#lastUpdate=Aug 8 10:26:34 2007 GMT
|
|
|
|
|
# Is the timezone handled properly?
|
|
|
|
|
if($data=~m/lastUpdate=(\w{2,4}) *(\d{1,2}) *(\d{1,2}:\d{1,2}:\d{1,2}) (\d{4}) GMT/)
|
|
|
|
|
{
|
|
|
|
|
my $date=sprintf("%04d-%02d-%02d",$4,$monarr{$1},$2);
|
|
|
|
|
@ -506,6 +514,7 @@ sub CRLuptodate($)
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sub X509extractSerialNumber($)
|
|
|
|
|
{
|
|
|
|
|
# TIMEZONE ?!?
|
|
|
|
|
@ -697,7 +706,9 @@ sub sendmail($$$$$$$)
|
|
|
|
|
{
|
|
|
|
|
print $smtp "Content-Type: text/plain; charset=\"utf-8\"\r\n";
|
|
|
|
|
print $smtp "Content-Transfer-Encoding: 8bit\r\n";
|
|
|
|
|
} else {
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
print $smtp "Content-Type: text/plain; charset=\"iso-8859-1\"\r\n";
|
|
|
|
|
print $smtp "Content-Transfer-Encoding: quoted-printable\r\n";
|
|
|
|
|
print $smtp "Content-Disposition: inline\r\n";
|
|
|
|
|
@ -882,8 +893,9 @@ sub HandleCerts($$)
|
|
|
|
|
$body .= "Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33\n\n";
|
|
|
|
|
$body .= _("Best regards")."\n"._("CAcert.org Support!")."\n\n";
|
|
|
|
|
sendmail($user{email}, "[CAcert.org] "._("Your certificate"), $body, "support\@cacert.org", "", "", "CAcert Support");
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n");
|
|
|
|
|
$dbh->do("update `$table` set warning=warning+1 where `id`='".$row{'id'}."'");
|
|
|
|
|
}
|
|
|
|
|
@ -891,6 +903,75 @@ sub HandleCerts($$)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sub DoCRL($$)
|
|
|
|
|
{
|
|
|
|
|
my $crl=$_[0];
|
|
|
|
|
my $crlname=$_[1];
|
|
|
|
|
|
|
|
|
|
if(length($crl))
|
|
|
|
|
{
|
|
|
|
|
if($crl=~m/^-----BEGIN X509 CRL-----/)
|
|
|
|
|
{
|
|
|
|
|
open OUT,">$crlname.pem";
|
|
|
|
|
print OUT $crl;
|
|
|
|
|
close OUT;
|
|
|
|
|
system "$opensslbin crl -in $crlname.pem -outform der -out $crlname.tmp";
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
open OUT,">$crlname.patch";
|
|
|
|
|
print OUT $crl;
|
|
|
|
|
close OUT;
|
|
|
|
|
my $res=system "xdelta patch $crlname.patch $crlname $crlname.tmp";
|
|
|
|
|
#print "xdelta res: $res\n";
|
|
|
|
|
if($res==512)
|
|
|
|
|
{
|
|
|
|
|
open OUT,">$crlname.tmp";
|
|
|
|
|
print OUT $crl;
|
|
|
|
|
close OUT;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
my $res=`openssl crl -verify -in $crlname.tmp -inform der -noout 2>&1`;
|
|
|
|
|
SysLog "verify: $res";
|
|
|
|
|
if($res=~m/verify OK/)
|
|
|
|
|
{
|
|
|
|
|
rename "$crlname.tmp","$crlname";
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
SysLog "VERIFICATION OF NEW CRL DID NOT SUCCEED! PLEASE REPAIR!";
|
|
|
|
|
SysLog "Broken CRL is available as $crlname.tmp\n";
|
|
|
|
|
#Override for testing:
|
|
|
|
|
rename "$crlname.tmp","$crlname";
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
SysLog("RECEIVED AN EMPTY CRL!\n");
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sub RefreshCRLs()
|
|
|
|
|
{
|
|
|
|
|
foreach my $rootcert (keys %revokefile)
|
|
|
|
|
{
|
|
|
|
|
if(!CRLuptodate($revokefile{$rootcert}))
|
|
|
|
|
{
|
|
|
|
|
SysLog "Update of the CRL $rootcert is necessary!\n";
|
|
|
|
|
my $crlname = $revokefile{$rootcert};
|
|
|
|
|
my $revokehash=sha1_hex(readfile($crlname));
|
|
|
|
|
my $crl=Request($ver,2,1,$rootcert-1,0,0,365,0,"","",$revokehash);
|
|
|
|
|
#print "Received ".length($crl)." ".hexdump($crl)."\n";
|
|
|
|
|
DoCRL($crl,$crlname);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sub RevokeCerts($$)
|
|
|
|
|
{
|
|
|
|
|
my $org=$_[0]?"org":"";
|
|
|
|
|
@ -931,38 +1012,9 @@ sub RevokeCerts($$)
|
|
|
|
|
my $revokehash=sha1_hex(readfile($crlname));
|
|
|
|
|
|
|
|
|
|
my $crl=Request($ver,2,1,$row{'rootcert'}-1,0,0,365,0,$content,"",$revokehash);
|
|
|
|
|
if(length($crl))
|
|
|
|
|
{
|
|
|
|
|
if(1)
|
|
|
|
|
{
|
|
|
|
|
open OUT,">$crlname.patch";
|
|
|
|
|
print OUT $crl;
|
|
|
|
|
close OUT;
|
|
|
|
|
system "xdelta patch $crlname.patch $crlname $crlname.tmp";
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
#if($crl=~m/^-----BEGIN X509 CRL-----/)
|
|
|
|
|
#{
|
|
|
|
|
# open OUT,">$crlname.pem";
|
|
|
|
|
# print OUT $crl;
|
|
|
|
|
# close OUT;
|
|
|
|
|
# system "$opensslbin crl -in $crlname.pem -outform der -out $crlname.tmp";
|
|
|
|
|
#}
|
|
|
|
|
#else
|
|
|
|
|
#{
|
|
|
|
|
# open OUT,">$crlname.tmp";
|
|
|
|
|
# print OUT $crl;
|
|
|
|
|
# close OUT;
|
|
|
|
|
#}
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
#!!! We should verify the CRL format and validity here, before we rename it.
|
|
|
|
|
#
|
|
|
|
|
rename "$crlname.tmp","$crlname";
|
|
|
|
|
my $result=DoCRL($crl,$crlname);
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(-s $crlname)
|
|
|
|
|
if($result)
|
|
|
|
|
{
|
|
|
|
|
setUsersLanguage($row{memid});
|
|
|
|
|
|
|
|
|
|
@ -990,7 +1042,6 @@ sub RevokeCerts($$)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sub HandleGPG()
|
|
|
|
|
{
|
|
|
|
|
my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
|
|
|
|
|
@ -1082,6 +1133,8 @@ while(1)
|
|
|
|
|
RevokeCerts(1,0); #org client certs
|
|
|
|
|
RevokeCerts(1,1); #org server certs
|
|
|
|
|
|
|
|
|
|
RefreshCRLs();
|
|
|
|
|
|
|
|
|
|
#print "Sign Request X.509, Root0\n";
|
|
|
|
|
#my $reqcontent="";
|
|
|
|
|
#Request($ver,1,1,0,5,2,365,0,$reqcontent,"","/CN=supertest.cacert.at");
|
|
|
|
|
|
Philipp Dunkel
15 years ago