From 728003c8934207a87e7c32a0aa2caecccf3ff8c1 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 11 May 2011 16:10:08 -0400
Subject: Various CRL fixes, handle empty internal CRLs better.
---
 etc/inc/certs.inc | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
(limited to 'etc/inc/certs.inc')
diff --git a/etc/inc/certs.inc b/etc/inc/certs.inc
index c6cd787..e62719c 100644
--- a/etc/inc/certs.inc
+++ b/etc/inc/certs.inc
@@ -479,7 +479,7 @@ function crl_update(& $crl) {
 if (!$ca)
 return false;
 // If we have text but no certs, it was imported and cannot be updated.
- if (!empty($crl['text']) && empty($crl['cert']))
+ if (($crl["method"] != "internal") && (!empty($crl['text']) && empty($crl['cert'])))
 return false;
 $crl['serial']++;
 $ca_str_crt = base64_decode($ca['crt']);
@@ -514,9 +514,12 @@ function cert_unrevoke($cert, & $crl) {
 foreach ($crl['cert'] as $id => $rcert) {
 if (($rcert['refid'] == $cert['refid']) || ($rcert['descr'] == $cert['descr'])) {
 unset($crl['cert'][$id]);
- if (count($crl['cert']) == 0)
- unset($crl['text']);
- else
+ if (count($crl['cert']) == 0) {
+ // Protect against accidentally switching the type to imported, for older CRLs
+ if (!isset($crl['method']))
+ $crl['method'] = "internal";
+ crl_update($crl);
+ } else
 crl_update($crl);
 return true;
 }
@@ -567,7 +570,7 @@ function crl_in_use($crlref) {
 }

 function is_crl_internal($crl) {
- return !(!empty($crl['text']) && empty($crl['cert']));
+ return (!(!empty($crl['text']) && empty($crl['cert'])) || ($crl["method"] == "internal"));
 }

 ?>
--
cgit v1.1
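Review bot: The new condition in crl_update reads `$crl["method"]` with no existence check, even though the cert_unrevoke hunk of this same commit expects older CRLs to lack that key. On such an entry PHP raises an undefined-index notice and the result silently falls back to the old text/cert heuristic. The same unguarded read is added to the return expression of is_crl_internal in the last hunk. Because this classification decides whether crl_update regenerates the CRL or returns false, the legacy case is worth making explicit, for example `$internal = isset($crl['method']) && ($crl['method'] == "internal");` used in both places. crl_update starts and ends outside the hunk.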
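Review bot: The result of `crl_update($crl)` is discarded in both branches of cert_unrevoke, so the function returns true even when crl_update bails out with false (the first hunk shows two such returns). In that case `$crl['text']` presumably still holds the CRL generated before the entry was removed from `$crl['cert']`, whereas the old code at least dropped the text when the list became empty. The new code should check the return value, or carry a comment saying why a stale text is acceptable there. Both branches now end in the same call, so the if/else can shrink to `if (count($crl['cert']) == 0 && !isset($crl['method'])) $crl['method'] = "internal";` followed by a single `crl_update($crl);`. cert_unrevoke starts and ends outside the hunk.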