Update CRL scripts

app/models/certificate.rb

@@ -1,3 +1,5 @@
+require 'open3'
+
 class Certificate < ActiveRecord::Base
   include Versions
 
@@ -33,7 +35,7 @@ class Certificate < ActiveRecord::Base
       @cached_status = EXPIRED
     end
 
-    crl = OpenSSL::X509::CRL.new(File.open(ENV['crl_path']).read)
+    crl = OpenSSL::X509::CRL.new(File.open("#{ENV['crl_dir']}/crl.pem").read)
     return @cached_status unless crl.revoked.map(&:serial).include?(parsed_crt.serial)
 
     @cached_status = REVOKED
@@ -89,8 +91,68 @@ class Certificate < ActiveRecord::Base
       return false
     end
 
-    _out, _err, _st = Open3.capture3("openssl ca -config #{ENV['openssl_config_path']} -keyfile #{ENV['ca_key_path']} \
+    self.class.update_registry_crl
-      -cert #{ENV['ca_cert_path']} \
+    self.class.reload_apache
-      -gencrl -out #{ENV['crl_path']} -key '#{ENV['ca_key_password']}' -batch")
+  end
+
+  class << self
+    def update_crl
+      update_id_crl
+      update_registry_crl
+      reload_apache
+    end
+
+    def update_id_crl
+      %x(
+        mkdir -p #{ENV['crl_dir']}/crl-id-temp
+        cd #{ENV['crl_dir']}/crl-id-temp
+
+        wget https://sk.ee/crls/esteid/esteid2007.crl
+        wget https://sk.ee/crls/juur/crl.crl
+        wget https://sk.ee/crls/eeccrca/eeccrca.crl
+        wget https://sk.ee/repository/crls/esteid2011.crl
+
+
+        # convert to PEM
+        openssl crl -in esteid2007.crl -out esteid2007.crl -inform DER
+        openssl crl -in crl.crl -out crl.crl -inform DER
+        openssl crl -in eeccrca.crl -out eeccrca.crl -inform DER
+        openssl crl -in esteid2011.crl -out esteid2011.crl -inform DER
+
+        ln -s crl.crl `openssl crl -hash -noout -in crl.crl`.r0
+        ln -s esteid2007.crl `openssl crl -hash -noout -in esteid2007.crl`.r0
+        ln -s eeccrca.crl `openssl crl -hash -noout -in eeccrca.crl`.r0
+        ln -s esteid2011.crl `openssl crl -hash -noout -in esteid2011.crl`.r0
+
+        rm -rf #{ENV['crl_dir']}/*.crl #{ENV['crl_dir']}/*.r0
+
+        mv #{ENV['crl_dir']}/crl-id-temp/* #{ENV['crl_dir']}
+
+        rm -rf #{ENV['crl_dir']}/crl-id-temp
+      )
+    end
+
+    def update_registry_crl
+      %x(
+        mkdir -p #{ENV['crl_dir']}/crl-temp
+        cd #{ENV['crl_dir']}/crl-temp
+
+        openssl ca -config #{ENV['openssl_config_path']} -keyfile #{ENV['ca_key_path']} -cert \
+        #{ENV['ca_cert_path']} -gencrl -out #{ENV['crl_dir']}/crl-temp/crl.pem -key \
+        '#{ENV['ca_key_password']}' -batch
+
+        ln -s crl.pem `openssl crl -hash -noout -in crl.pem`.r1
+
+        rm -rf #{ENV['crl_dir']}/*.pem #{ENV['crl_dir']}/*.r1
+
+        mv #{ENV['crl_dir']}/crl-temp/* #{ENV['crl_dir']}
+
+        rm -rf #{ENV['crl_dir']}/crl-temp
+      )
+    end
+
+    def reload_apache
+      `/etc/init.d/apache2 reload`
+    end
   end
 end

config/initializers/env_required.rb

@@ -3,7 +3,7 @@ required = %w(
   zonefile_export_dir
   secret_key_base
   devise_secret
-  crl_path
+  crl_dir
   ca_cert_path
   ca_key_path
   ca_key_password

config/schedule.rb

@@ -23,3 +23,7 @@ end
 every :day, at: '12:10pm' do
   runner 'Invoice.cancel_overdue_invoices'
 end
+
+every 6.hours do
+  runner 'Certificate.update_crl'
+end