diff --git a/CommModule/client.pl b/CommModule/client.pl index 9545aec..2416ba0 100755 --- a/CommModule/client.pl +++ b/CommModule/client.pl @@ -65,14 +65,19 @@ my %monarr = ("Jan" => 1, "Feb" => 2, "Mar" => 3, "Apr" => 4, "May" => 5, "Jun" my $password=""; if(open IN,"<$mysqlphp") { -my $content=""; + my $content=""; undef $/; $content=; -$password=$1 if($content=~m/mysql_connect\("[^"]+",\s*"\w+",\s*"(\w+)"/); +$password=$1 if($content=~m/mysql_connect\s*\("[^"]+",\s*"\w+",\s*"(\w+)"/); close IN; $/="\n"; } +else +{ + die "Could not read file: $!\n"; +} + my $dbh = DBI->connect("DBI:mysql:cacert:localhost","cacert",$password, { RaiseError => 1, AutoCommit => 1 }) || die ("Error with the database connection.\n"); @@ -88,13 +93,6 @@ sub readfile($) } -#mkdir "revokehashes"; -foreach (keys %revokefile) -{ - my $revokehash=sha1_hex(readfile($revokefile{$_})); - print "Root $_: Hash $revokefile{$_} = $revokehash\n"; -} - #Logging functions: my $lastdate = ""; @@ -125,6 +123,15 @@ die $_[0]; my $timestamp=strftime("%Y-%m-%d %H:%M:%S",localtime); +#mkdir "revokehashes"; +foreach (keys %revokefile) +{ + next unless (-f $revokefile{$_}); + my $revokehash=sha1_hex(readfile($revokefile{$_})); + SysLog "Root $_: Hash $revokefile{$_} = $revokehash"; +} + + sub mysql_query($) { @@ -364,7 +371,7 @@ my $tries=100000; while(!$blockfinished) { Error("Tried reading too often\n") if(($tries--)<=0); -print ("tries: $tries\n") if(!($tries%10)); +# SysLog ("tries: $tries") if(!($tries%10)); $data=""; if(!scalar($sel->can_read(5))) 
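Review bot: The tightened regex `mysql_connect\s*\("[^"]+",\s*"\w+",\s*"(\w+)"` still accepts only word characters for the password, so a password containing punctuation leaves `$password` at its initial empty string and the `DBI->connect` a few lines below proceeds with no password instead of failing loudly. Use `"([^"]*)"` for the last capture and report a non-match, e.g. `die "No mysql_connect() password found in $mysqlphp\n" unless length $password;`, so a misparse is visible at startup rather than as a database error. The new `else { die "Could not read file: $!\n"; }` is more useful when it names the file, `die "Could not read $mysqlphp: $!\n";`. The `open IN,"<$mysqlphp"` it guards is a two-arg open on a bareword handle; `open my $in, '<', $mysqlphp or die "Could not read $mysqlphp: $!\n";` is the safe form and makes the else branch unnecessary.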
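Review bot: The added `next unless (-f $revokefile{$_});` in the moved hash loop skips a missing CRL file without any log line, so the startup log shows no hash for that root and no reason why. Logging before the skip, `SysLog "Root $_: CRL file $revokefile{$_} not found, skipping hash\n";`, keeps the startup record complete. The rest of the move only swaps `print` for `SysLog`, which matches the logging used elsewhere in this file.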
@@ -487,10 +494,11 @@ sub X509extractExpiryDate($) sub CRLuptodate($) { - # TIMEZONE ?!? - my $data=`$opensslbin crl -in "$_[0]" -noout -lastupdate`; #inform=der ? - + return 0 unless(-f $_[0]); + my $data=`$opensslbin crl -in "$_[0]" -noout -lastupdate -inform der`; + SysLog "CRL: $data"; #lastUpdate=Aug 8 10:26:34 2007 GMT + # Is the timezone handled properly? if($data=~m/lastUpdate=(\w{2,4}) *(\d{1,2}) *(\d{1,2}:\d{1,2}:\d{1,2}) (\d{4}) GMT/) { my $date=sprintf("%04d-%02d-%02d",$4,$monarr{$1},$2); @@ -506,6 +514,7 @@ sub CRLuptodate($) return 0; } + sub X509extractSerialNumber($) { # TIMEZONE ?!? @@ -697,7 +706,9 @@ sub sendmail($$$$$$$) { print $smtp "Content-Type: text/plain; charset=\"utf-8\"\r\n"; print $smtp "Content-Transfer-Encoding: 8bit\r\n"; - } else { + } + else + { print $smtp "Content-Type: text/plain; charset=\"iso-8859-1\"\r\n"; print $smtp "Content-Transfer-Encoding: quoted-printable\r\n"; print $smtp "Content-Disposition: inline\r\n"; @@ -882,8 +893,9 @@ sub HandleCerts($$) $body .= "Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33\n\n"; $body .= _("Best regards")."\n"._("CAcert.org Support!")."\n\n"; sendmail($user{email}, "[CAcert.org] "._("Your certificate"), $body, "support\@cacert.org", "", "", "CAcert Support"); - } else { - + } + else + { SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n"); $dbh->do("update `$table` set warning=warning+1 where `id`='".$row{'id'}."'"); } 
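Review bot: The backtick call `$opensslbin crl -in "$_[0]" -noout -lastupdate -inform der` ignores `$?`, so an openssl failure (for example a file that is not DER, now that `-inform der` is passed) yields an empty `$data` that is indistinguishable from a CRL whose date simply did not match, and the new `SysLog "CRL: $data";` then logs an empty value. Adding `SysLog "openssl crl failed for $_[0]: exit ".($? >> 8)."\n" if $?;` right after the backticks makes the refresh that follows explainable from the log. The `-f` guard is a good addition, but an existing yet unreadable file still falls through to the same silent path. The remainder of CRLuptodate, including the date comparison, lies outside this hunk.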
@@ -891,6 +903,75 @@ sub HandleCerts($$)
 }
+sub DoCRL($$)
+{
+ my $crl=$_[0];
+ my $crlname=$_[1];
+
+ if(length($crl))
+ {
+ if($crl=~m/^-----BEGIN X509 CRL-----/)
+ {
+ open OUT,">$crlname.pem";
+ print OUT $crl;
+ close OUT;
+ system "$opensslbin crl -in $crlname.pem -outform der -out $crlname.tmp";
+ }
+ else
+ {
+ open OUT,">$crlname.patch";
+ print OUT $crl;
+ close OUT;
+ my $res=system "xdelta patch $crlname.patch $crlname $crlname.tmp";
+ #print "xdelta res: $res\n";
+ if($res==512)
+ {
+ open OUT,">$crlname.tmp";
+ print OUT $crl;
+ close OUT;
+ }
+ }
+
+ my $res=`openssl crl -verify -in $crlname.tmp -inform der -noout 2>&1`;
+ SysLog "verify: $res";
+ if($res=~m/verify OK/)
+ {
+ rename "$crlname.tmp","$crlname";
+ }
+ else
+ {
+ SysLog "VERIFICATION OF NEW CRL DID NOT SUCCEED! PLEASE REPAIR!";
+ SysLog "Broken CRL is available as $crlname.tmp\n";
+ #Override for testing:
+ rename "$crlname.tmp","$crlname";
+ }
+ return 1;
+ }
+ else
+ {
+ SysLog("RECEIVED AN EMPTY CRL!\n");
+ }
+ return 0;
+}
+
+
+sub RefreshCRLs()
+{
+ foreach my $rootcert (keys %revokefile)
+ {
+ if(!CRLuptodate($revokefile{$rootcert}))
+ {
+ SysLog "Update of the CRL $rootcert is necessary!\n";
+ my $crlname = $revokefile{$rootcert};
+ my $revokehash=sha1_hex(readfile($crlname));
+ my $crl=Request($ver,2,1,$rootcert-1,0,0,365,0,"","",$revokehash);
+ #print "Received ".length($crl)." ".hexdump($crl)."\n";
+ DoCRL($crl,$crlname);
+ }
+ }
+}
+
+
 sub RevokeCerts($$)
 {
 my $org=$_[0]?"org":"";
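Review bot: The `#Override for testing:` rename on the failed-verification branch of DoCRL installs a CRL that `openssl crl -verify` just rejected, and DoCRL still returns 1 there, so the `if($result)` gate added in the RevokeCerts hunk goes on to mark certificates revoked and mail users against a CRL that was never validated. Drop that rename and end the branch with `return 0;` after the two SysLog lines, which also keeps the broken file as `$crlname.tmp` for inspection as the message promises. The verify command hard-codes `openssl` while the conversion line above uses `$opensslbin`; `my $res=\`$opensslbin crl -verify -in $crlname.tmp -inform der -noout 2>&1\`;` keeps both on the configured binary. `$res==512` is the raw `$?` for an xdelta exit status of 2 and deserves a comment such as `# xdelta exit 2 ($? >> 8): presumably input was not a patch, treat $crl as a complete CRL -- confirm`. The three `open OUT,">$crlname..."` calls are unchecked two-arg opens on a bareword handle; `open my $out, '>', "$crlname.pem" or return 0;` would turn a write failure into a returned failure instead of letting verification run on a missing or stale `.tmp` file.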
@@ -931,38 +1012,9 @@ sub RevokeCerts($$) my $revokehash=sha1_hex(readfile($crlname)); my $crl=Request($ver,2,1,$row{'rootcert'}-1,0,0,365,0,$content,"",$revokehash); - if(length($crl)) - { - if(1) - { - open OUT,">$crlname.patch"; - print OUT $crl; - close OUT; - system "xdelta patch $crlname.patch $crlname $crlname.tmp"; - - } - #if($crl=~m/^-----BEGIN X509 CRL-----/) - #{ - # open OUT,">$crlname.pem"; - # print OUT $crl; - # close OUT; - # system "$opensslbin crl -in $crlname.pem -outform der -out $crlname.tmp"; - #} - #else - #{ - # open OUT,">$crlname.tmp"; - # print OUT $crl; - # close OUT; - #} - # - # - #!!! We should verify the CRL format and validity here, before we rename it. - # - rename "$crlname.tmp","$crlname"; + my $result=DoCRL($crl,$crlname); - } - - if(-s $crlname) + if($result) { setUsersLanguage($row{memid}); @@ -990,7 +1042,6 @@ sub RevokeCerts($$) - sub HandleGPG() { my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' "); @@ -1082,6 +1133,8 @@ while(1) RevokeCerts(1,0); #org client certs RevokeCerts(1,1); #org server certs + RefreshCRLs(); + #print "Sign Request X.509, Root0\n"; #my $reqcontent=""; #Request($ver,1,1,0,5,2,365,0,$reqcontent,"","/CN=supertest.cacert.at");
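Review bot: `if($result)` now gates the revocation on DoCRL's return value but has no else branch, so when DoCRL returns 0 the row is left un-revoked with nothing logged at this level beyond DoCRL's own "RECEIVED AN EMPTY CRL" line, and the row is presumably picked up again on the next pass without any record of the deferral. A short `else { SysLog "CRL update for $crlname failed, revocation of id ".$row{'id'}." deferred\n"; }` after the `if` block records that decision. Note that DoCRL also returns 1 on its failed-verification path, so this gate does not yet protect against acting on a broken CRL (see the DoCRL hunk). RevokeCerts begins and ends outside this hunk.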