Hi, Alex, the problem was detected some days ago.
alexandru matei wrote:
>
> I am testing OpenCA (pre 09x.RC) with DBI (mysql).
> As far as I understand, in the database the certs are stored with
> status as VALID and REVOKED (see below).
> As far as I am concerned, it's ok if we consider the expired
> certificates as valid ones, but no longer in use.
> In listCerts and lists commands, there is another status involved
> (EXPIRED). To my surprise, I did not find any command that puts a
> certificate in expired mode. So I presumed that I could write a two-line
> command to do this. But I got another surprise: the expired
> certs (listed as valid in a mysql database query) cannot be retrieved
> by using listItem from OPENCA DBI.pm. I took a look at the DBI code and
> I see that for the list and update status functions it is assumed that
> expired=valid.

This is correct.

> But, as you can see in the attachment, the queries made are right up to
> some point (NOTAFTER<) and then some are reversed (NOTAFTER>) and the
> result is a null set.
> I solved this problem *very ugly* by adding some functions (unashamedly
> copied from DBI.pm) changed a little bit, so now I have a DBI.pm that is
> 30% larger.
>
> Michael, do you think there is a more elegant solution for this?
> Also, do you think that DBI.pm is the right place to update the
> status to expired (as in, if we find an expired cert in a search and it
> has valid status, to change it to expired)?

The simplest way is to use the DBI.pm from 0.9.1-RC5 or a more current one from CVS (which includes a small sql-fix for mysql). This DBI.pm includes a fix for the problem that you described (NOTAFTER> --> NOTAFTER<). The problem was a wrong call of getItem, and the code is not bigger than the old one :)

DBI.pm doesn't change the state of a certificate. It only checks some timestamps. The only difference between an expired certificate and a valid certificate is the timestamp "notafter". The idea was to get an answer from the database which is 100% up-to-date.
Best regards

Michael
--
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email: [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax: +49 (0)30-2093 2959
10099 Berlin
Germany                        http://www.openca.org
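The design described in the reply above (EXPIRED is never stored, only derived from "notafter" at query time), as an added example that is not part of the original message and is not OpenCA's DBI.pm code. The table layout, column names, function names and sample rows are assumptions constructed for illustration, and the item lookup with the wrong comparison direction is a simplified reconstruction of the reported symptom.

```python
import sqlite3

NOW = 20030601  # fixed "current time" as a sortable integer, for reproducible results

# Constructed sample rows: (serial, stored status, notafter). Not OpenCA's schema.
ROWS = [
    (1, "VALID", 20040101),    # inside its validity period
    (2, "VALID", 20030101),    # stored as VALID, but notafter has passed
    (3, "REVOKED", 20040101),
    (4, "REVOKED", 20020101),  # assumption: a revoked cert stays REVOKED after notafter
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE certificate "
               "(serial INTEGER PRIMARY KEY, status TEXT, notafter INTEGER)")
    db.executemany("INSERT INTO certificate VALUES (?, ?, ?)", ROWS)
    return db

def where_for(wanted, now):
    """Map a logical status to a fixed SQL fragment plus bound values."""
    if wanted == "EXPIRED":            # derived: stored VALID, notafter in the past
        return "status = 'VALID' AND notafter < ?", (now,)
    if wanted == "VALID":              # stored VALID and still inside notafter
        return "status = 'VALID' AND notafter >= ?", (now,)
    return "status = ?", (wanted,)     # REVOKED is a stored state

def list_certs(db, wanted, now=NOW):
    cond, args = where_for(wanted, now)
    cur = db.execute(
        f"SELECT serial FROM certificate WHERE {cond} ORDER BY serial", args)
    return [row[0] for row in cur]

def get_item(db, serial, wanted, now=NOW):
    """Fetch one cert; returns None if it does not match the logical status."""
    cond, args = where_for(wanted, now)
    return db.execute(
        f"SELECT serial, status, notafter FROM certificate "
        f"WHERE serial = ? AND {cond}", (serial, *args)).fetchone()

if __name__ == "__main__":
    db = open_db()
    for status in ("VALID", "EXPIRED", "REVOKED"):
        print(status, list_certs(db, status))
    # The list step finds serial 2 as EXPIRED (notafter <); fetching the same
    # row with the opposite comparison (notafter >=) yields an empty result.
    print("consistent lookup:", get_item(db, 2, "EXPIRED"))
    print("reversed lookup:  ", get_item(db, 2, "VALID"))
```

Because the status is computed from "notafter" on every query, no job has to flip rows to EXPIRED and a revocation check against the stored status cannot be masked by a stale expiry flag.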
