author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-08-01 14:45:00 +0300 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-08-01 14:49:11 +0300 |
commit | dbcbde10cae5bafacd78631e482ef12a2b1d816b (patch) | |
tree | 9af5e5e1bb3f21cecc810c2b7c435f78b3e08e2f | |
parent | bfe7abd13fc07149386421e2f327780f4699936b (diff) | |
CRL caching
-rwxr-xr-x | dmvpn-ca | 40 | ||||
-rw-r--r-- | dmvpn-ca.conf | 1 | ||||
-rw-r--r-- | syntax.txt | 2 |
3 files changed, 28 insertions, 15 deletions
@@ -642,18 +642,18 @@ function generate_crl()
 local crl = x509crl.new()
 crl:setVersion(2)
- local filter = {name='next-crl-number'}
- local serial = select_one('value', 'counter', filter)
- update('counter', {value=serial + 1}, filter)
+ local old_serial = select_one('serial', 'crl')
+ local new_serial = (old_serial or 0) + 1
 crl:addExtension(
 x509ext.new(
- 'crlNumber', 'DER', rfc5280.CRLNumber.encode(serial)
+ 'crlNumber', 'DER', rfc5280.CRLNumber.encode(new_serial)
 )
 )
 local timestamp = crl:getLastUpdate()
- crl:setNextUpdate(timestamp + config.crl.lifetime)
+ local expires = timestamp + config.crl.lifetime
+ crl:setNextUpdate(expires)
 for cert in select_certs() do
 if cert.expires > timestamp and cert.revoked then
@@ -663,9 +663,17 @@ function generate_crl()
 sign(crl, config.crl['hash-alg'])
+ insert('crl', {serial=new_serial, expires=expires, data=tostring(crl)})
+ if old_serial then delete('crl', {serial=old_serial}) end
+
 return crl
 end
+function get_crl()
+ local row = select_one('expires, data', 'crl', nil, 'n')
+ return row and row[1] > now and x509crl.new(row[2]) or generate_crl()
+end
+
 function print_table(tbl)
 local colwidth = {}
@@ -956,13 +964,6 @@ output = scan_choice(
 for _, statement in ipairs(
 {
 [[
- CREATE TABLE counter (
- name VARCHAR(16) NOT NULL PRIMARY KEY,
- value INTEGER NOT NULL DEFAULT 1
- )
- ]],
- "INSERT INTO counter (name) VALUES ('next-crl-number')",
- [[
 CREATE TABLE site (
 code VARCHAR(16) NOT NULL PRIMARY KEY,
 asn INTEGER NOT NULL,
@@ -1011,6 +1012,13 @@ output = scan_choice(
 data TEXT NOT NULL,
 FOREIGN KEY(site, vpnc) REFERENCES vpnc(site, id)
 )
+ ]],
+ [[
+ CREATE TABLE crl (
+ serial INTEGER NOT NULL PRIMARY KEY,
+ expires DATETIME NOT NULL,
+ data TEXT NOT NULL
+ )
 ]]
 }
 ) do execute(statement) end
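Review bot: The CRL number is now derived from whatever row happens to be in the `crl` cache table (`local old_serial = select_one('serial', 'crl')`), so an emptied or restored-from-backup cache restarts numbering at 1, whereas the removed `next-crl-number` counter lived independently of any issued CRL. Relying parties may treat a CRL whose number is not higher than the one they already hold as stale, so this value should keep increasing for the life of the CA; consider keeping a separate persistent counter, or at least a comment on `new_serial` stating that the cache row must never be removed by hand. The same coupling shows in the second hunk, where the old row is deleted only after the new one is inserted (`insert('crl', …)` then `delete('crl', …)`): if the process dies between the two statements, or they are not wrapped in one transaction (not visible here), a later `select_one('serial', 'crl')` sees two rows and may pick the older serial, producing a duplicate `PRIMARY KEY` on the next insert. generate_crl starts before and continues past this hunk.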
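Review bot: `get_crl()` returns the cached CRL whenever `row[1] > now`, so a certificate revoked after that CRL was issued stays absent from `crl show`/`crl export` until `config.crl.lifetime` elapses, unless the revoke path clears the `crl` table (not visible in this diff). If that is intended, a comment on the function should say so; otherwise `cert revoke` should delete the cached row (or call `generate_crl()`) so the next `show`/`export` serves a CRL that lists the revocation. Also, `expires` is a `DATETIME` column: if `select_one` hands it back as a string, `row[1] > now` raises a Lua error comparing string with number rather than comparing times, so it is worth confirming the returned type and that `now` (defined outside this hunk) uses the same unit as `crl:getLastUpdate()`.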
@@ -1280,13 +1288,17 @@ output = scan_choice(
 end
 },
 crl={
+ generate=function()
+ scan_finished()
+ io.write(tostring(generate_crl()))
+ end,
 show=function()
 scan_finished()
- io.write(generate_crl():text())
+ io.write(get_crl():text())
 end,
 export=function()
 scan_finished()
- io.write(tostring(generate_crl()))
+ io.write(tostring(get_crl()))
 end
 },
 password={
diff --git a/dmvpn-ca.conf b/dmvpn-ca.conf
index 0b879b7..ed9a08b 100644
--- a/dmvpn-ca.conf
+++ b/dmvpn-ca.conf
@@ -17,3 +17,4 @@ hub:
 crl:
 dist-point: 'http://example.com/dmvpn-ca.crl'
+ lifetime: 60
@@ -30,6 +30,6 @@ dmvpn-ca cert generate [hubs|hub <id>|site <abbr> [vpnc <id>]]
 dmvpn-ca cert {list|show|revoke} [serial <num>|hubs|hub <id>|site <abbr> [vpnc <id>]]
 dmvpn-ca cert export serial <num>
-dmvpn-ca crl {show|export}
+dmvpn-ca crl {generate|show|export}
 dmvpn-ca password set |
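Review bot: `generate` and `export` in the `crl` command table now differ only in which function's DER output they write (`generate_crl()` vs `get_crl()`), and `show` repeats the same `scan_finished()` prelude; a small helper such as `local function emit_crl(crl) io.write(tostring(crl)) end` would keep the two DER writers in step. A one-line comment on `generate` would also help, noting that it prints the CRL and replaces the cached one that `show`/`export` serve afterwards. The enclosing `scan_choice` table starts and ends outside the hunk.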
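Review bot: `lifetime: 60` carries no unit; in `generate_crl` it is added directly to `crl:getLastUpdate()` to form `nextUpdate`, so it is presumably seconds, but that depends on the time representation of the x509crl library and is not visible here. A comment on the line, in whatever form the config parser accepts, stating the unit and that it is the CRL validity period (e.g. `lifetime: 60` followed by `CRL validity period in seconds (confirm unit)`) would save operators from guessing, since a value that is too small makes every `crl show` regenerate and re-sign the CRL.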