1 files changed, 13 insertions, 5 deletions

diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index 2b192c1..357ac05 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -479,14 +479,16 @@ function crl_update(& $crl) {
 	if (!$ca)
 		return false;
 	// If we have text but no certs, it was imported and cannot be updated.
-	if (!empty($crl['text']) && empty($crl['cert']))
+	if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert'])))
 		return false;
 	$crl['serial']++;
 	$ca_str_crt = base64_decode($ca['crt']);
 	$ca_str_key = base64_decode($ca['prv']);
 	$crl_res = openssl_crl_new($ca_str_crt, $crl['serial'], $crl['lifetime']);
-	foreach ($crl['cert'] as $cert) {
-		openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]);
+	if (is_array($crl['cert']) && (count($crl['cert']) > 0)) {
+		foreach ($crl['cert'] as $cert) {
+			openssl_crl_revoke_cert($crl_res, base64_decode($cert["crt"]), $cert["revoke_time"], $cert["reason"]);
+		}
 	}
 	openssl_crl_export($crl_res, $crl_text, $ca_str_key);
 	$crl['text'] = base64_encode($crl_text);
@@ -514,7 +516,13 @@ function cert_unrevoke($cert, & $crl) {
 	foreach ($crl['cert'] as $id => $rcert) {
 		if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
 			unset($crl['cert'][$id]);
-			crl_update($crl);
+			if (count($crl['cert']) == 0) {
+				// Protect against accidentally switching the type to imported, for older CRLs
+				if (!isset($crl['method']))
+					$crl['method'] = "internal";
+				crl_update($crl);
+			} else
+				crl_update($crl);
 			return true;
 		}
 	}
@@ -564,7 +572,7 @@ function crl_in_use($crlref) {
 }
 
 function is_crl_internal($crl) {
-	return !(!empty($crl['text']) && empty($crl['cert']));
+	return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal"));
 }
 
 ?>