authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-08-01 14:45:00 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2018-08-01 14:49:11 +0300
commitdbcbde10cae5bafacd78631e482ef12a2b1d816b (patch)
tree9af5e5e1bb3f21cecc810c2b7c435f78b3e08e2f
parentbfe7abd13fc07149386421e2f327780f4699936b (diff)
downloaddmvpn-tools-dbcbde10cae5bafacd78631e482ef12a2b1d816b.tar.bz2
dmvpn-tools-dbcbde10cae5bafacd78631e482ef12a2b1d816b.tar.xz
CRL caching
-rwxr-xr-xdmvpn-ca40
-rw-r--r--dmvpn-ca.conf1
-rw-r--r--syntax.txt2
3 files changed, 28 insertions, 15 deletions
diff --git a/dmvpn-ca b/dmvpn-ca
index a0bb8f0..23e5cb5 100755
--- a/dmvpn-ca
+++ b/dmvpn-ca
@@ -642,18 +642,18 @@ function generate_crl()
local crl = x509crl.new()
crl:setVersion(2)
- local filter = {name='next-crl-number'}
- local serial = select_one('value', 'counter', filter)
- update('counter', {value=serial + 1}, filter)
+ local old_serial = select_one('serial', 'crl')
+ local new_serial = (old_serial or 0) + 1
crl:addExtension(
x509ext.new(
- 'crlNumber', 'DER', rfc5280.CRLNumber.encode(serial)
+ 'crlNumber', 'DER', rfc5280.CRLNumber.encode(new_serial)
)
)
local timestamp = crl:getLastUpdate()
- crl:setNextUpdate(timestamp + config.crl.lifetime)
+ local expires = timestamp + config.crl.lifetime
+ crl:setNextUpdate(expires)
for cert in select_certs() do
if cert.expires > timestamp and cert.revoked then
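Review bot: `select_one('serial', 'crl')` on the new line reads whichever row the query returns first, with no ordering, so once the `crl` table holds more than one row the base for `new_serial` is unspecified; the next hunk inserts the new row before deleting the old one, so a failure between those two statements leaves exactly that state, and the following run may then derive a serial that already exists and fail on the primary key. Reading the maximum instead, e.g. `local old_serial = select_one('MAX(serial)', 'crl')` if select_one passes the column expression through unchanged, makes the base deterministic and keeps CRL numbers increasing. generate_crl's body starts before and continues past this hunk.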
@@ -663,9 +663,17 @@ function generate_crl()
sign(crl, config.crl['hash-alg'])
+ insert('crl', {serial=new_serial, expires=expires, data=tostring(crl)})
+ if old_serial then delete('crl', {serial=old_serial}) end
+
return crl
end
+function get_crl()
+ local row = select_one('expires, data', 'crl', nil, 'n')
+ return row and row[1] > now and x509crl.new(row[2]) or generate_crl()
+end
+
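Review bot: get_crl serves the cached row until `expires`, so a certificate revoked after that row was written is not reflected in `crl show` or `crl export` until the cached CRL expires or an operator runs the new `crl generate`; unless the revoke handler (outside this diff) drops the cached row, relying parties keep accepting the revoked certificate for up to `config.crl.lifetime`. Deleting the cached `crl` row in the revoke path, or at least a comment on get_crl stating that revocations take effect only on regeneration, would close or document that gap. The comparison `row[1] > now` also assumes the driver returns the DATETIME column in the same type as `now`, which this hunk does not show.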
function print_table(tbl)
local colwidth = {}
@@ -956,13 +964,6 @@ output = scan_choice(
for _, statement in ipairs(
{
[[
- CREATE TABLE counter (
- name VARCHAR(16) NOT NULL PRIMARY KEY,
- value INTEGER NOT NULL DEFAULT 1
- )
- ]],
- "INSERT INTO counter (name) VALUES ('next-crl-number')",
- [[
CREATE TABLE site (
code VARCHAR(16) NOT NULL PRIMARY KEY,
asn INTEGER NOT NULL,
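Review bot: dropping the `counter` table and its `next-crl-number` row from the schema leaves existing databases without a migration: the old counter value is never carried into the new `crl` table, so the first CRL generated after this change restarts at number 1, below numbers already published, while RFC 5280 expects CRL numbers from a given issuer to increase monotonically. If this statement list only runs on database initialization, a one-off step that seeds `crl.serial` from the old counter (or a changelog note that existing deployments must do so) is needed; if such a migration exists elsewhere, a comment here pointing to it would help.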
@@ -1011,6 +1012,13 @@ output = scan_choice(
data TEXT NOT NULL,
FOREIGN KEY(site, vpnc) REFERENCES vpnc(site, id)
)
+ ]],
+ [[
+ CREATE TABLE crl (
+ serial INTEGER NOT NULL PRIMARY KEY,
+ expires DATETIME NOT NULL,
+ data TEXT NOT NULL
+ )
]]
}
) do execute(statement) end
@@ -1280,13 +1288,17 @@ output = scan_choice(
end
},
crl={
+ generate=function()
+ scan_finished()
+ io.write(tostring(generate_crl()))
+ end,
show=function()
scan_finished()
- io.write(generate_crl():text())
+ io.write(get_crl():text())
end,
export=function()
scan_finished()
- io.write(tostring(generate_crl()))
+ io.write(tostring(get_crl()))
end
},
password={
diff --git a/dmvpn-ca.conf b/dmvpn-ca.conf
index 0b879b7..ed9a08b 100644
--- a/dmvpn-ca.conf
+++ b/dmvpn-ca.conf
@@ -17,3 +17,4 @@ hub:
crl:
dist-point: 'http://example.com/dmvpn-ca.crl'
+ lifetime: 60
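Review bot: `lifetime: 60` carries no unit in the sample config; the value is added directly to the timestamp from `crl:getLastUpdate()` in dmvpn-ca, so whether it means seconds or days depends on that library's representation, which is not visible here. A comment such as `# CRL validity period, in <unit>` with the actual unit filled in would keep operators from configuring a CRL that expires almost immediately or lives far longer than intended.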
diff --git a/syntax.txt b/syntax.txt
index e8345d4..f946404 100644
--- a/syntax.txt
+++ b/syntax.txt
@@ -30,6 +30,6 @@ dmvpn-ca cert generate [hubs|hub <id>|site <abbr> [vpnc <id>]]
dmvpn-ca cert {list|show|revoke} [serial <num>|hubs|hub <id>|site <abbr> [vpnc <id>]]
dmvpn-ca cert export serial <num>
-dmvpn-ca crl {show|export}
+dmvpn-ca crl {generate|show|export}
dmvpn-ca password set