From dbcbde10cae5bafacd78631e482ef12a2b1d816b Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Wed, 1 Aug 2018 14:45:00 +0300
Subject: CRL caching
---
 dmvpn-ca | 40 ++++++++++++++++++++++++++--------------
 dmvpn-ca.conf | 1 +
 syntax.txt | 2 +-
 3 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/dmvpn-ca b/dmvpn-ca
index a0bb8f0..23e5cb5 100755
--- a/dmvpn-ca
+++ b/dmvpn-ca
@@ -642,18 +642,18 @@ function generate_crl()
 local crl = x509crl.new()
 crl:setVersion(2)
- local filter = {name='next-crl-number'}
- local serial = select_one('value', 'counter', filter)
- update('counter', {value=serial + 1}, filter)
+ local old_serial = select_one('serial', 'crl')
+ local new_serial = (old_serial or 0) + 1
 crl:addExtension(
 x509ext.new(
- 'crlNumber', 'DER', rfc5280.CRLNumber.encode(serial)
+ 'crlNumber', 'DER', rfc5280.CRLNumber.encode(new_serial)
 )
 )
 local timestamp = crl:getLastUpdate()
- crl:setNextUpdate(timestamp + config.crl.lifetime)
+ local expires = timestamp + config.crl.lifetime
+ crl:setNextUpdate(expires)
 for cert in select_certs() do
 if cert.expires > timestamp and cert.revoked then
@@ -663,9 +663,17 @@ function generate_crl()
 sign(crl, config.crl['hash-alg'])
+ insert('crl', {serial=new_serial, expires=expires, data=tostring(crl)})
+ if old_serial then delete('crl', {serial=old_serial}) end
+
 return crl
 end
+function get_crl()
+ local row = select_one('expires, data', 'crl', nil, 'n')
+ return row and row[1] > now and x509crl.new(row[2]) or generate_crl()
+end
+
 function print_table(tbl)
 local colwidth = {}
@@ -955,13 +963,6 @@ output = scan_choice(
 os.remove(config.db.file)
 for _, statement in ipairs(
 {
- [[
- CREATE TABLE counter (
- name VARCHAR(16) NOT NULL PRIMARY KEY,
- value INTEGER NOT NULL DEFAULT 1
- )
- ]],
- "INSERT INTO counter (name) VALUES ('next-crl-number')",
 [[
 CREATE TABLE site (
 code VARCHAR(16) NOT NULL PRIMARY KEY,
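Review bot: The next CRL number is taken from whichever row `select_one('serial', 'crl')` happens to return, with no ordering, so if the table ever holds more than one row (the insert-then-delete in the next hunk is not shown to run in a transaction) the crlNumber can go backwards, and RFC 5280 §5.2.3 requires it to increase monotonically. The same applies to upgraded deployments: the `counter` table is dropped from the schema with no visible migration, so unless one exists elsewhere the first CRL after the upgrade restarts at 1, below the number relying parties have already cached. I would read the maximum explicitly, e.g. `local old_serial = select_one('MAX(serial)', 'crl')`, assuming select_one passes its first argument through as the SQL column list the way the later `'expires, data'` call suggests, and seed it once from the old `counter.value`. generate_crl begins and ends outside this hunk.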
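Review bot: get_crl serves the cached CRL until its stored `expires` passes, but nothing in this diff invalidates the cached row when a certificate is revoked, so a revocation made after the cache was filled is not published until the CRL's full `config.crl.lifetime` has elapsed unless the operator remembers to run the new `crl generate`. If `cert revoke` does not already clear the cache elsewhere, it should, for example by deleting the `crl` row after marking the certificate revoked so the next `crl show`/`export` regenerates. Two smaller points: the `insert` of the new row and `delete` of the old one are not shown to be atomic, so a crash in between leaves two rows, and `row[1] > now` depends on `now` (defined outside this hunk) and the stored `expires` sharing one representation, which deserves a comment such as `-- expires is stored as the same number type as now; compare before reparsing the CRL`.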
@@ -1011,6 +1012,13 @@ output = scan_choice(
 data TEXT NOT NULL,
 FOREIGN KEY(site, vpnc) REFERENCES vpnc(site, id)
 )
+ ]],
+ [[
+ CREATE TABLE crl (
+ serial INTEGER NOT NULL PRIMARY KEY,
+ expires DATETIME NOT NULL,
+ data TEXT NOT NULL
+ )
 ]]
 }
 ) do execute(statement) end
@@ -1280,13 +1288,17 @@ output = scan_choice(
 end
 },
 crl={
+ generate=function()
+ scan_finished()
+ io.write(tostring(generate_crl()))
+ end,
 show=function()
 scan_finished()
- io.write(generate_crl():text())
+ io.write(get_crl():text())
 end,
 export=function()
 scan_finished()
- io.write(tostring(generate_crl()))
+ io.write(tostring(get_crl()))
 end
 },
 password={
diff --git a/dmvpn-ca.conf b/dmvpn-ca.conf
index 0b879b7..ed9a08b 100644
--- a/dmvpn-ca.conf
+++ b/dmvpn-ca.conf
@@ -17,3 +17,4 @@ hub:
 crl:
 dist-point: 'http://example.com/dmvpn-ca.crl'
+ lifetime: 60
diff --git a/syntax.txt b/syntax.txt
index e8345d4..f946404 100644
--- a/syntax.txt
+++ b/syntax.txt
@@ -30,6 +30,6 @@ dmvpn-ca cert generate [hubs|hub |site [vpnc ]]
 dmvpn-ca cert {list|show|revoke} [serial |hubs|hub |site [vpnc ]]
 dmvpn-ca cert export serial
-dmvpn-ca crl {show|export}
+dmvpn-ca crl {generate|show|export}
 dmvpn-ca password set
-- cgit v1.2.3
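Review bot: `lifetime: 60` in the example config carries no unit, and the value is added straight to `crl:getLastUpdate()` in generate_crl, so whether this means 60 seconds (too short for a CRL that relying parties fetch over HTTP) or 60 days (a long window during which a revocation stays unpublished while the cached CRL is served) is not knowable from the file. Please state the unit next to the value once confirmed, e.g. `lifetime: 60  # CRL validity period in <unit>; revocations are not republished until it elapses or 'crl generate' is run`, since this single number now bounds revocation latency for the whole VPN.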