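#! /bin/bash
# @(#)(CAcert) $Id: update-crls,v 1.11 2015/08/29 08:04:04 wytze Exp $
# update-crls - script to be run from cron at regular intervals
#
# Fetches the CRLs "revoke" and "class3-revoke" from the rsync daemon on
# webdb.intra.cacert.org into the "master" subdirectory of the ocspd CRL
# directory.  Whenever a fetched copy is newer than the installed DER
# (.crl) or PEM (.pem) file, the copy is converted to PEM and both formats
# are installed by rename(), so ocspd never sees a half-written file.
# If at least one CRL was installed, ocspd is sent SIGTERM and systemd is
# left to restart it with the new CRLs.
#
# Exit status: 1 if the CRL directory cannot be entered, 2 if the master
# subdirectory cannot be created or entered.  Per-CRL problems (fetch or
# conversion failure) are reported to syslog and do not change the exit
# status, so a problem with one CRL does not block the other.

set -u

readonly CRL_DIR=/usr/local/etc/ocspd/crls
readonly RSYNC_SOURCE=webdb.intra.cacert.org::crl
readonly LOG_TAG="ocspd[update-crls]"

cd "${CRL_DIR}" || exit 1
mkdir -p master && cd master || exit 2

# rsync transfer log inside master/, one file per month
LOG="log-$(date +%Y%m).txt"

#######################################
# Fetch one CRL into master/ and install it when it is newer than the
# installed .crl or .pem file.  Works with absolute paths, so the current
# directory (master/) is left untouched.
# Globals:   CRL_DIR, RSYNC_SOURCE, LOG_TAG, LOG (read)
#            RELOAD (set to "true" when an update was installed)
# Arguments: $1 - CRL base name, e.g. "revoke"
# Outputs:   progress and errors go to syslog via logger
# Returns:   0 when nothing had to be done or the update was installed,
#            1 when the CRL could not be fetched, converted or installed
#######################################
update_crl() {
  local crl=$1
  local dst="${CRL_DIR}/${crl}"
  local rv=0
  local saved

  # A failed fetch is only a warning: the copy already in master/ (if any)
  # is still compared against the installed files, as before.
  rsync -az --log-file="${LOG}" "${RSYNC_SOURCE}/${crl}.crl" . || rv=$?
  if (( rv != 0 )); then
    logger -t "${LOG_TAG}" -p daemon.warning \
      "Fetch of ${crl}.crl failed (rsync exit status ${rv})"
  fi
  if [[ ! -e "${crl}.crl" ]]; then
    logger -t "${LOG_TAG}" -p daemon.error \
      "Update for ${crl}.{crl,pem} failed: no copy of ${crl}.crl available"
    return 1
  fi

  # Nothing to do unless the fetched copy is newer than both installed files
  # (or one of them is missing).
  if [[ -e "${dst}.crl" && ! "${crl}.crl" -nt "${dst}.crl" &&
        -e "${dst}.pem" && ! "${crl}.crl" -nt "${dst}.pem" ]]; then
    return 0
  fi

  # Work on a copy next to the installed files; -p keeps the fetched mtime so
  # the "newer than" test above is stable across runs.
  if ! cp -p "${crl}.crl" "${dst}.crlX"; then
    logger -t "${LOG_TAG}" -p daemon.error \
      "Update for ${crl}.{crl,pem} failed: cannot copy ${crl}.crl"
    return 1
  fi

  # NOTE(review): without -CAfile, "openssl crl" only re-encodes the CRL and
  # does not verify the issuer signature -- confirm that ocspd validates the
  # CRL against the CA certificate when it loads it.
  if openssl crl -inform der -outform pem -in "${dst}.crlX" -out "${dst}.pemX"; then
    # rename() is atomic per file, so each format is swapped in one step
    if mv "${dst}.crlX" "${dst}.crl" && mv "${dst}.pemX" "${dst}.pem"; then
      logger -t "${LOG_TAG}" -p daemon.notice \
        "Update for ${crl}.{crl,pem} installed"
      RELOAD=true
      return 0
    fi
    rm -f "${dst}.crlX" "${dst}.pemX"
    logger -t "${LOG_TAG}" -p daemon.error \
      "Update for ${crl}.{crl,pem} failed: cannot install converted files"
    return 1
  fi

  # The CRL did not convert: keep the bad file for inspection under an
  # unpredictable name in /tmp (the old fixed name also lacked the minutes
  # field, so two failures in one hour could overwrite each other) and leave
  # the installed copy alone.
  if saved=$(mktemp "/tmp/${crl}-$(date +%Y%m%d-%H%M%S)-XXXXXX"); then
    mv -f "${dst}.crlX" "${saved}"
  fi
  rm -f "${dst}.crlX" "${dst}.pemX"
  logger -t "${LOG_TAG}" -p daemon.error \
    "Update for ${crl}.{crl,pem} failed"
  return 1
}

RELOAD=false
for crl in revoke class3-revoke; do
  update_crl "${crl}"
done

if [[ "${RELOAD}" == true ]]; then
  # send termination signal to ocspd, leaving automatic restart to systemd
  pkill -TERM -x ocspd -o
fi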