Hi to all, the procedure that reconstructs the index.txt file from the DB
was missing the reason codes for revoked certificates. I changed
export_openssl_db in crypto-utils.lib to add them. Note that I've
included only the "standard" reasons, not the "free text" ones. So, after the
patch, the reason code will appear in index.txt after the second date
(DATE_2,REASON), as OpenSSL normally writes it.

 Moreover, I removed the CA certificate handling because it doesn't work and
is not very useful.
 Hope it helps

-- 
Diego
################################################
## recover index.txt and serial from database ##
################################################
## begin of recovery code                     ##
################################################

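sub export_openssl_db {
  ## Rebuild OpenSSL's index.txt (and, unless OCSP mode is on, the serial
  ## and crlnumber files) from the OpenCA database.
  ##
  ## Named arguments (passed as a flat key/value list):
  ##   DB         path of the index.txt to write
  ##   SERIAL     path of the next-serial file (not written in OCSP mode)
  ##   CRLNUMBER  optional path of the crlnumber file (not written in OCSP mode)
  ##   OCSP       if defined and matching /Y|ON/i, suspended certificates are
  ##              exported as revoked (status R) for the OCSP daemon
  ##
  ## Returns 1 on success. On failure sets $errno/$errval and returns undef
  ## (kept as "return undef" because callers test the scalar for definedness).
  ## Progress goes through the add*Log*/closeLogSection helpers of the caller.
  our ($errno, $errval, $cryptoShell, $db);
  my $keys = { @_ };

  ## NOTE: the match is deliberately unanchored, as in earlier releases, so
  ## values such as "YES" or "on" also enable OCSP mode.
  my $ocsp_mode = (defined $keys->{OCSP} and $keys->{OCSP} =~ /Y|ON/i) ? 1 : 0;

  ## index entries keyed by the numeric serial; every entry is a hash with
  ##   STATUS          V, E or R
  ##   DATE_1          notBefore in OpenSSL's index date format
  ##   DATE_2          revocation date (empty unless STATUS is R)
  ##   REASON          revocation reason from the archived CRR (R only, may be absent)
  ##   SERIAL          even-length upper-case hex serial
  ##   DN
  ##   OPENSSL_SUBJECT
  my %entry_of = ();

  print addLogSection (gettext ("Loading the Objects ..."));

  ## certificates whose index status follows directly from their datatype;
  ## a suspended certificate counts as revoked only for the OCSP responder
  my @plain_types = (
    [ "VALID_CERTIFICATE",     "V",                     "VALID_CERTIFICATE: __CERT_SERIAL__"     ],
    [ "EXPIRED_CERTIFICATE",   "E",                     "EXPIRED_CERTIFICATE: __CERT_SERIAL__"   ],
    [ "SUSPENDED_CERTIFICATE", ($ocsp_mode ? "R" : "V"), "SUSPENDED_CERTIFICATE: __CERT_SERIAL__" ],
  );
  foreach my $type (@plain_types) {
    my ($datatype, $status, $log_msg) = @$type;
    foreach my $value ($db->searchItems ( DATATYPE => $datatype )) {
      my $entry = _openssl_index_entry ($cryptoShell, $value, $status);
      print addPreLogLine (i18nGettext ($log_msg, "__CERT_SERIAL__", $entry->{SERIAL}));
      $entry_of{$value->getSerial()} = $entry;
    }
  }

  ## revoked certificates: revocation date and reason come from the oldest
  ## archived CRR for that serial; if there is none, DATE_2 keeps a far-future
  ## placeholder and no reason is written
  foreach my $value ($db->searchItems ( DATATYPE => "REVOKED_CERTIFICATE" )) {
    my $serial = $value->getSerial();
    my $entry  = _openssl_index_entry ($cryptoShell, $value, "R");
    $entry->{DATE_2} = "991231235959Z";

    my $earliest = 99991231235959;
    my @crrs = $db->searchItems ( DATATYPE => "ARCHIVED_CRR",
                                  REVOKE_CERTIFICATE_SERIAL => $serial );
    foreach my $crr (@crrs) {
      my $parsed    = $crr->getParsed ();
      my $submitted = $cryptoShell->getNumericDate ($parsed->{SUBMIT_DATE});
      next if ($submitted >= $earliest);
      $earliest        = $submitted;
      $entry->{DATE_2} = $cryptoShell->getOpenSSLDate ($parsed->{SUBMIT_DATE});
      $entry->{REASON} = $parsed->{REVOKE_REASON};
    }

    print addPreLogLine (i18nGettext ("REVOKED_CERTIFICATE: __CERT_SERIAL__",
                                      "__CERT_SERIAL__", $entry->{SERIAL}));
    print addPreLogLine ("Reason:" . (defined $entry->{REASON} ? $entry->{REASON} : ""));
    $entry_of{$serial} = $entry;
  }

  print closeLogSection ();

  ## write index database of openssl
  if ($ocsp_mode) {
    print addLogSection (i18nGettext ("Writing index.txt for the OCSP daemon (__FILE__) ...",
                                      "__FILE__", $keys->{DB}));
  } else {
    print addLogSection (i18nGettext ("Writing index.txt (__FILE__) ...",
                                      "__FILE__", $keys->{DB}));
  }

  ## three-argument open with an explicit mode: the path comes from the
  ## caller, so it must not be able to turn the open into a pipe or an
  ## append by its leading characters
  my $index_fh;
  if (not open ($index_fh, ">", $keys->{DB})) {
    $errno  = 6401;
    $errval = i18nGettext ("Cannot open databasefile __FILE__ of OpenSSL for writing.",
                           "__FILE__", $keys->{DB});
    print addLogSection ("\n" . $errno . " " . $errval);
    print closeLogSection ();
    return undef;
  }

  ## OpenSSL does not require any order, but ascending serial keeps the
  ## file comparable with earlier exports
  foreach my $serial (sort { $a <=> $b } keys %entry_of) {
    my ($line, $log_line) = _openssl_index_line ($entry_of{$serial});
    print {$index_fh} $line;
    print addPreLogLine ($log_line);
  }
  ## a failed close is a failed write (buffered data), and a truncated
  ## index.txt silently drops revocations, so report it like the open
  ## (error code 6401 is reused; this file defines no separate one)
  if (not close ($index_fh)) {
    $errno  = 6401;
    $errval = i18nGettext ("Cannot open databasefile __FILE__ of OpenSSL for writing.",
                           "__FILE__", $keys->{DB});
    print addLogSection ("\n" . $errno . " " . $errval);
    print closeLogSection ();
    return undef;
  }
  print closeLogSection ();

  if (not $ocsp_mode) {
    ## next serial = highest serial in the index + 1
    my $max = 0;
    foreach my $serial (keys %entry_of) {
      $max = $serial if ($serial > $max);
    }
    my $next_serial = _openssl_hex ($max + 1);

    print addLogSection (i18nGettext ("Writing serial __CERT_SERIAL__ ...",
                                      "__CERT_SERIAL__", $keys->{SERIAL}));
    if (not _write_openssl_counter ($keys->{SERIAL}, $next_serial)) {
      ## the message text also covers a failed write/close of the file
      $errno  = 6402;
      $errval = i18nGettext ("Cannot open file __FILE__ with the next serial of OpenSSL for writing.",
                             "__FILE__", $keys->{SERIAL});
      print addLogSection ("\n" . $errno . " " . $errval);
      print closeLogSection ();
      return undef;
    }
    print addLogLine (gettext ($next_serial));
    print closeLogSection ();

    ## recreate CRL number: one past the number of CRLs in the database
    if (exists $keys->{CRLNUMBER}) {
      my $crlnumber = _openssl_hex ($db->elements ( DATATYPE => 'CRL' ) + 1);
      print addLogSection (i18nGettext ("Writing crlnumber file __CRLNUMBER__ ...",
                                        "__CRLNUMBER__", $keys->{CRLNUMBER}));
      if (not _write_openssl_counter ($keys->{CRLNUMBER}, $crlnumber)) {
        $errno  = 6403;
        $errval = i18nGettext ("Cannot open file __FILE__ with the next crlnumber of OpenSSL for writing.",
                               "__FILE__", $keys->{CRLNUMBER});
        print addLogSection ("\n" . $errno . " " . $errval);
        print closeLogSection ();
        return undef;
      }
      print addLogLine (gettext ($crlnumber));
      print closeLogSection ();
    }
  }

  return 1;
}

## Build the index entry shared by all certificate types.
##   $shell   the crypto shell (needed for the date conversion)
##   $value   the certificate object from the database
##   $status  index status letter (V, E or R)
## Returns a hash reference with STATUS, DATE_1, DATE_2 (empty), SERIAL,
## DN and OPENSSL_SUBJECT; revoked entries fill DATE_2/REASON afterwards.
sub _openssl_index_entry {
  my ($shell, $value, $status) = @_;
  my $parsed = $value->getParsed ();
  return {
    STATUS          => $status,
    DATE_1          => $shell->getOpenSSLDate ($parsed->{NOTBEFORE}),
    DATE_2          => "",
    SERIAL          => _openssl_hex ($value->getSerial()),
    DN              => $parsed->{DN},
    OPENSSL_SUBJECT => $parsed->{OPENSSL_SUBJECT},
  };
}

## Format a number the way OpenSSL's text files expect it: upper-case hex
## padded to an even number of digits.
## NOTE(review): "%lX" formats a native integer; serials wider than that
## would lose precision here — confirm the serial range used by this CA.
sub _openssl_hex {
  my ($number) = @_;
  my $hex = sprintf ("%lX", $number);
  $hex = "0" . $hex if (length ($hex) % 2);
  return $hex;
}

## Is $reason one of the revocation reasons OpenSSL's ca(1) accepts in
## index.txt? Free-text reasons from OpenCA are not written because
## OpenSSL would reject the whole record.
sub _is_openssl_reason {
  my ($reason) = @_;
  my %known = map { $_ => 1 } qw(
    unspecified keyCompromise CACompromise affiliationChanged superseded
    cessationOfOperation certificateHold removeFromCRL holdInstruction
    keyTime CAkeyTime
  );
  return (defined $reason and exists $known{$reason}) ? 1 : 0;
}

## Format one index.txt record from an entry hash.
## Returns two strings: the tab-separated line for the file (with trailing
## newline) and a space-separated variant for the log.
## The fifth column (the file name of the certificate) is always "unknown",
## as OpenSSL writes it when the certificate file is not known.
sub _openssl_index_line {
  my ($entry) = @_;

  ## OpenCA stores "CN=x, O=y"; index.txt wants "/CN=x/O=y".
  ## NOTE(review): a ", attr=" sequence inside an RDN value is also turned
  ## into a separator by this substitution (behaviour kept from earlier
  ## releases); tabs or newlines in the subject would break the record.
  (my $subject = $entry->{OPENSSL_SUBJECT}) =~ s/, *(?=[A-Za-z0-9\-]+=)/\//g;
  $subject = "/" . $subject;

  ## the reason is appended to the revocation date as "DATE,REASON", but
  ## only when it is a code OpenSSL understands
  my $date_2 = $entry->{DATE_2};
  $date_2 .= "," . $entry->{REASON} if (_is_openssl_reason ($entry->{REASON}));

  my @fields = ($entry->{STATUS}, $entry->{DATE_1}, $date_2,
                $entry->{SERIAL}, "unknown", $subject);
  return (join ("\t", @fields) . "\n", join (" ", @fields));
}

## Write a single hex counter (serial or crlnumber) to $path, replacing
## the file. Returns 1 on success, 0 if the open, write or close failed
## ($! holds the reason); the caller chooses the error code and message.
sub _write_openssl_counter {
  my ($path, $hex) = @_;
  my $fh;
  open ($fh, ">", $path) or return 0;
  my $written = print {$fh} $hex;
  ## close surfaces buffered write errors, so its result counts too
  my $closed = close ($fh);
  return ($written and $closed) ? 1 : 0;
}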

################################################
## recover index.txt and serial from database ##
################################################
## end of recovery code                       ##
################################################