📄 ca_clean.c
字号:
"delete" );
initBoundData( boundDataPtr );
setBoundDataDate( boundDataPtr, 0, ¤tTime );
status = dbmsUpdate(
"DELETE FROM certificates WHERE validTo < ?",
boundDataPtr, DBMS_UPDATE_NORMAL );
}
else
{
updateCertErrorLogMsg( dbmsInfo, status, "Certificate request "
"cleanup operation failed, performing "
"fallback straight delete" );
status = dbmsStaticUpdate(
"DELETE FROM certRequests WHERE type = "
TEXT_CERTTYPE_REQUEST_CERT );
}
if( cryptStatusError( status ) )
updateCertErrorLogMsg( dbmsInfo, status, "Fallback straight "
"delete failed" );
}
/* If it's an expiry action we've done the expired certificates, now
remove any stale CRL entries and exit. If there are no CRL entries
in the expiry period this isn't an error, so we remap the error code
if necessary */
if( action == CRYPT_CERTACTION_EXPIRE_CERT )
{
initBoundData( boundDataPtr );
setBoundDataDate( boundDataPtr, 0, ¤tTime );
status = dbmsUpdate(
"DELETE FROM CRLs WHERE expiryDate < ?",
boundDataPtr, DBMS_UPDATE_NORMAL );
if( status == CRYPT_ERROR_NOTFOUND )
{
resetErrorInfo( dbmsInfo );
return( CRYPT_OK );
}
if( cryptStatusError( status ) )
{
retExtErr( status,
( status, errorInfo, getDbmsErrorInfo( dbmsInfo ),
"Couldn't delete stale CRL entries from "
"certificate store: " ) );
}
return( CRYPT_OK );
}
/* It's a restart, process any incompletely-issued certificates in the
same manner as the expiry/cleanup is handled. Since we don't know at
what stage the issue process was interrupted we have to make a worst-
case assumption and do a full reversal as a compensating transaction
for an aborted certificate issue */
memset( prevCertData, 0, MAX_PREVCERT_DATA );
for( status = CRYPT_OK, errorCount = 0, iterationCount = 0;
status != CRYPT_ERROR_NOTFOUND && \
errorCount < FAILSAFE_ITERATIONS_SMALL && \
iterationCount < FAILSAFE_ITERATIONS_LARGE;
iterationCount++ )
{
CRYPT_CERTIFICATE iCertificate;
/* Get the next partially-issued certificate */
status = getNextPartialCert( dbmsInfo, &iCertificate,
prevCertData, MAX_PREVCERT_DATA, FALSE );
if( status == CRYPT_ERROR_DUPLICATE )
{
/* We're stuck in a loop fetching the same value over and over,
make an emergency exit */
assert( DEBUG_WARN );
break;
}
if( cryptStatusOK( status ) )
{
/* We found a certificate to revoke, complete the revocation */
status = revokeCertDirect( dbmsInfo, iCertificate,
CRYPT_CERTACTION_CERT_CREATION_REVERSE,
errorInfo );
krnlSendNotifier( iCertificate, IMESSAGE_DECREFCOUNT );
}
else
{
/* If we've processed all of the entries this isn't an error */
if( status == CRYPT_ERROR_NOTFOUND )
resetErrorInfo( dbmsInfo );
else
errorCount++;
}
}
if( errorCount >= FAILSAFE_ITERATIONS_SMALL || \
iterationCount >= FAILSAFE_ITERATIONS_LARGE )
{
/* See note with earlier code */
assert( DEBUG_WARN );
}
/* If we ran into a problem, perform a fallback general delete of
entries that caused the problem */
if( status != CRYPT_ERROR_NOTFOUND )
{
updateCertErrorLogMsg( dbmsInfo, status, "Partially-issued "
"certificate cleanup operation failed, "
"performing fallback straight delete" );
status = dbmsStaticUpdate(
"DELETE FROM certificates WHERE keyID LIKE '" KEYID_ESC1 "%'" );
if( cryptStatusError( status ) )
updateCertErrorLogMsg( dbmsInfo, status, "Fallback straight "
"delete failed" );
}
/* Now process any partially-completed renewals */
memset( prevCertData, 0, MAX_PREVCERT_DATA );
for( status = CRYPT_OK, errorCount = 0, iterationCount = 0;
status != CRYPT_ERROR_NOTFOUND && \
errorCount < FAILSAFE_ITERATIONS_SMALL && \
iterationCount < FAILSAFE_ITERATIONS_LARGE;
iterationCount++ )
{
CRYPT_CERTIFICATE iCertificate;
/* Get the next partially-completed certificate */
status = getNextPartialCert( dbmsInfo, &iCertificate,
prevCertData, MAX_PREVCERT_DATA, TRUE );
if( status == CRYPT_ERROR_DUPLICATE )
{
/* We're stuck in a loop fetching the same value over and over,
make an emergency exit */
assert( DEBUG_WARN );
break;
}
if( cryptStatusOK( status ) )
{
/* We found a partially-completed certificate, complete the
renewal */
status = completeCertRenewal( dbmsInfo, iCertificate,
errorInfo );
krnlSendNotifier( iCertificate, IMESSAGE_DECREFCOUNT );
}
else
{
/* If we've processed all of the entries this isn't an error */
if( status == CRYPT_ERROR_NOTFOUND )
resetErrorInfo( dbmsInfo );
else
errorCount++;
}
}
if( errorCount >= FAILSAFE_ITERATIONS_SMALL || \
iterationCount >= FAILSAFE_ITERATIONS_LARGE )
{
/* See note with earlier code */
assert( DEBUG_WARN );
}
/* Finally, process any pending revocations */
memset( prevCertData, 0, MAX_PREVCERT_DATA );
for( status = CRYPT_OK, errorCount = 0, iterationCount = 0;
status != CRYPT_ERROR_NOTFOUND && \
errorCount < FAILSAFE_ITERATIONS_SMALL && \
iterationCount < FAILSAFE_ITERATIONS_LARGE;
iterationCount++ )
{
CRYPT_CERTIFICATE iCertRequest;
int dummy;
/* Find the next revocation request and import it. This is slightly
ugly since we could grab it directly by fetching the data based on
the request type field, but there's no way to easily get to the
low-level import functions from here so we have to first fetch the
certificate ID and then pass that down to the lower-level
functions to fetch the actual request */
status = dbmsQuery(
"SELECT certID FROM certRequests WHERE type = "
TEXT_CERTTYPE_REQUEST_REVOCATION,
certID, MAX_QUERY_RESULT_SIZE, &certIDlength,
NULL, DBMS_CACHEDQUERY_NONE,
DBMS_QUERY_NORMAL );
if( cryptStatusError( status ) )
{
/* If we've processed all of the entries this isn't an error */
if( status == CRYPT_ERROR_NOTFOUND )
resetErrorInfo( dbmsInfo );
else
errorCount++;
continue;
}
if( certIDlength > MAX_PREVCERT_DATA )
{
assert( DEBUG_WARN );
certIDlength = MAX_PREVCERT_DATA;
}
if( !memcmp( prevCertData, certID, certIDlength ) )
{
/* We're stuck in a loop fetching the same value over and over,
make an emergency exit */
assert( DEBUG_WARN );
break;
}
memcpy( prevCertData, certID, certIDlength );
status = getItemData( dbmsInfo, &iCertRequest, &dummy,
KEYMGMT_ITEM_REQUEST, CRYPT_IKEYID_CERTID,
certID, certIDlength, KEYMGMT_FLAG_NONE,
errorInfo );
if( cryptStatusError( status ) )
{
errorCount++;
continue;
}
/* Complete the revocation */
status = caRevokeCert( dbmsInfo, iCertRequest, CRYPT_UNUSED,
CRYPT_CERTACTION_RESTART_REVOKE_CERT,
errorInfo );
if( status == CRYPT_ERROR_NOTFOUND )
{
/* This is an allowable error type since the certificate may
have expired or been otherwise removed after the revocation
request was received, just delete the entry */
initBoundData( boundDataPtr );
setBoundData( boundDataPtr, 0, certID, certIDlength );
status = dbmsUpdate(
"DELETE FROM certRequests WHERE certID = ?",
boundDataPtr, DBMS_UPDATE_NORMAL );
updateCertErrorLog( dbmsInfo, status, "Deleted revocation "
"request for non-present certificate",
NULL, 0, NULL, 0, certID, certIDlength,
NULL, 0 );
}
krnlSendNotifier( iCertRequest, IMESSAGE_DECREFCOUNT );
}
if( errorCount >= FAILSAFE_ITERATIONS_SMALL || \
iterationCount >= FAILSAFE_ITERATIONS_LARGE )
{
/* See note with earlier code */
assert( DEBUG_WARN );
}
/* If we ran into a problem, perform a fallback general delete of
entries that caused the problem */
if( status != CRYPT_ERROR_NOTFOUND )
{
updateCertErrorLogMsg( dbmsInfo, status, "Revocation request "
"cleanup operation failed, performing "
"fallback straight delete" );
status = dbmsStaticUpdate(
"DELETE FROM certRequests WHERE type = "
TEXT_CERTTYPE_REQUEST_REVOCATION );
if( cryptStatusError( status ) )
{
updateCertErrorLogMsg( dbmsInfo, status, "Fallback straight "
"delete failed" );
retExtErr( status,
( status, errorInfo, getDbmsErrorInfo( dbmsInfo ),
"Revocation request cleanup operation failed: " ) );
}
}
return( resetErrorInfo( dbmsInfo ) );
}
#endif /* USE_DBMS */
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -