diff --git a/app/models/certificate.rb b/app/models/certificate.rb index 600a66710..59ccd1089 100644 --- a/app/models/certificate.rb +++ b/app/models/certificate.rb @@ -1,3 +1,5 @@ +require 'open3' + class Certificate < ActiveRecord::Base include Versions @@ -33,7 +35,7 @@ class Certificate < ActiveRecord::Base @cached_status = EXPIRED end - crl = OpenSSL::X509::CRL.new(File.open(ENV['crl_path']).read) + crl = OpenSSL::X509::CRL.new(File.open("#{ENV['crl_dir']}/crl.pem").read) return @cached_status unless crl.revoked.map(&:serial).include?(parsed_crt.serial) @cached_status = REVOKED 
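Review bot: The `require 'open3'` added at the top of app/models/certificate.rb has no user on the new side of this diff: the only `Open3.capture3` call is the one removed in the hunk at line 89, and its replacement uses `%x()` and backticks. Either drop the require, or keep Open3 and call `Open3.capture3` with an argument array (`Open3.capture3('openssl', 'ca', '-config', ENV['openssl_config_path'], ...)`), which would also keep the ENV values out of shell interpolation. As written the line is dead code.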
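Review bot: `File.open("#{ENV['crl_dir']}/crl.pem").read` never closes the file, so the descriptor stays open until garbage collection; `File.read("#{ENV['crl_dir']}/crl.pem")` reads and closes in one call. The CRL is also used as-is: nothing compares `crl.next_update` with the current time, so a stale CRL left behind by a failed regeneration is trusted silently and a certificate revoked since then keeps its previous status. Consider treating an expired CRL as an error rather than falling through to `return @cached_status`. The enclosing method starts before this hunk.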
@@ -89,8 +91,68 @@ class Certificate < ActiveRecord::Base return false end - _out, _err, _st = Open3.capture3("openssl ca -config #{ENV['openssl_config_path']} -keyfile #{ENV['ca_key_path']} \ - -cert #{ENV['ca_cert_path']} \ - -gencrl -out #{ENV['crl_path']} -key '#{ENV['ca_key_password']}' -batch") + self.class.update_registry_crl + self.class.reload_apache + end + + class << self + def update_crl + update_id_crl + update_registry_crl + reload_apache + end + + def update_id_crl + %x( + mkdir -p #{ENV['crl_dir']}/crl-id-temp + cd #{ENV['crl_dir']}/crl-id-temp + + wget https://sk.ee/crls/esteid/esteid2007.crl + wget https://sk.ee/crls/juur/crl.crl + wget https://sk.ee/crls/eeccrca/eeccrca.crl + wget https://sk.ee/repository/crls/esteid2011.crl + + + # convert to PEM + openssl crl -in esteid2007.crl -out esteid2007.crl -inform DER + openssl crl -in crl.crl -out crl.crl -inform DER + openssl crl -in eeccrca.crl -out eeccrca.crl -inform DER + openssl crl -in esteid2011.crl -out esteid2011.crl -inform DER + + ln -s crl.crl `openssl crl -hash -noout -in crl.crl`.r0 + ln -s esteid2007.crl `openssl crl -hash -noout -in esteid2007.crl`.r0 + ln -s eeccrca.crl `openssl crl -hash -noout -in eeccrca.crl`.r0 + ln -s esteid2011.crl `openssl crl -hash -noout -in esteid2011.crl`.r0 + + rm -rf #{ENV['crl_dir']}/*.crl #{ENV['crl_dir']}/*.r0 + + mv #{ENV['crl_dir']}/crl-id-temp/* #{ENV['crl_dir']} + + rm -rf #{ENV['crl_dir']}/crl-id-temp + ) + end + + def update_registry_crl + %x( + mkdir -p #{ENV['crl_dir']}/crl-temp + cd #{ENV['crl_dir']}/crl-temp + + openssl ca -config #{ENV['openssl_config_path']} -keyfile #{ENV['ca_key_path']} -cert \ + #{ENV['ca_cert_path']} -gencrl -out #{ENV['crl_dir']}/crl-temp/crl.pem -key \ + '#{ENV['ca_key_password']}' -batch + + ln -s crl.pem `openssl crl -hash -noout -in crl.pem`.r1 + + rm -rf #{ENV['crl_dir']}/*.pem #{ENV['crl_dir']}/*.r1 + + mv #{ENV['crl_dir']}/crl-temp/* #{ENV['crl_dir']} + + rm -rf #{ENV['crl_dir']}/crl-temp + ) + end + + def 
reload_apache
+ `/etc/init.d/apache2 reload`
+ end
 end
 end
diff --git a/config/initializers/env_required.rb b/config/initializers/env_required.rb
index 96f3bb47a..3df22e811 100644
--- a/config/initializers/env_required.rb
+++ b/config/initializers/env_required.rb
@@ -3,7 +3,7 @@ required = %w(
 zonefile_export_dir
 secret_key_base
 devise_secret
- crl_path
+ crl_dir
 ca_cert_path
 ca_key_path
 ca_key_password
diff --git a/config/schedule.rb b/config/schedule.rb
index da60af86e..7c5052c31 100644
--- a/config/schedule.rb
+++ b/config/schedule.rb
@@ -23,3 +23,7 @@ end
 every :day, at: '12:10pm' do
 runner 'Invoice.cancel_overdue_invoices'
 end
+
+every 6.hours do
+ runner 'Certificate.update_crl'
+end
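Review bot: In `update_id_crl` and `update_registry_crl` the `%x()` scripts run every command regardless of the previous one's result: if a `wget` or `openssl` step fails, `rm -rf #{ENV['crl_dir']}/*.crl #{ENV['crl_dir']}/*.r0` and the following `mv` still execute, so the existing CRLs are deleted, partial files may be installed in their place, and `update_crl` then reloads Apache on top of that. Start each script with `set -e` and check the result after the call, e.g. `raise 'CRL update failed' unless $?.success?`, so a failed download leaves the previous CRL set in place and the scheduled run in config/schedule.rb has a failure signal instead of discarded output. The CA key password is still passed on the command line as `-key '#{ENV['ca_key_password']}'`, where it is visible to other local users through the process list; `-passin env:ca_key_password` lets `openssl ca` read it from the environment instead, and this commit does not address it. The interpolated ENV paths are unquoted, so a `crl_dir` containing spaces or shell metacharacters breaks the `rm -rf` in particular; quote them or pass an argument array to `Open3.capture3` as the removed code almost did. The instance method whose `return false` / `end` open this hunk begins outside it.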