CRLIssuingPoint: reinit from LDAP when re-enabled

base/ca/src/com/netscape/ca/CRLIssuingPoint.java

@@ -326,7 +326,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
     /**
      * whether issuing point has been initialized.
      */
-    private int mInitialized = CRL_IP_NOT_INITIALIZED;
+    private CRLIssuingPointStatus mInitialized =
+        CRLIssuingPointStatus.NotInitialized;
 
     /**
      * number of entries in the CRL
@@ -371,9 +372,20 @@ public boolean isCRLIssuingPointEnabled() {
     }
 
     public void enableCRLIssuingPoint(boolean enable) {
-        if ((!enable) && (mEnable ^ enable)) {
+        if (!enable && mEnable) {
             clearCRLCache();
             updateCRLCacheRepository();
+        } else if (enable && !mEnable) {
+            // Mark the CRLIP as NotInitialized so that the CRL
+            // entry will be read afresh when it is reinitialised.
+            // This ensures monotonicity of the CRL number, if some
+            // other clone was issuing CRLs in the meantime.
+            //
+            // See also:
+            //   https://pagure.io/dogtagpki/issue/3085
+            //   https://pagure.io/freeipa/issue/7815
+            //
+            mInitialized = CRLIssuingPointStatus.NotInitialized;
         }
         mEnable = enable;
         setAutoUpdates();
@@ -403,8 +415,8 @@ public ICMSCRLExtensions getCRLExtensions() {
         return mCMSCRLExtensions;
     }
 
-    public int isCRLIssuingPointInitialized() {
-        return mInitialized;
+    public boolean isCRLIssuingPointInitialized() {
+        return mInitialized == CRLIssuingPointStatus.Initialized;
     }
 
     public boolean isManualUpdateSet() {
@@ -804,7 +816,7 @@ private void initCRL() throws EBaseException {
             crlRecord = mCRLRepository.readCRLIssuingPointRecord(mId);
         } catch (EDBNotAvailException e) {
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_INST_CRL", e.toString()));
-            mInitialized = CRL_IP_INITIALIZATION_FAILED;
+            mInitialized = CRLIssuingPointStatus.InitializationFailed;
             return;
         } catch (EBaseException e) {
             // CRL was never set.
@@ -873,7 +885,7 @@ private void initCRL() throws EBaseException {
                         } catch (OutOfMemoryError e) {
                             clearCRLCache();
                             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_DECODE_CRL", e.toString()));
-                            mInitialized = CRL_IP_INITIALIZATION_FAILED;
+                            mInitialized = CRLIssuingPointStatus.InitializationFailed;
                             return;
                         }
                     }
@@ -903,7 +915,7 @@ private void initCRL() throws EBaseException {
                             } else {
                                 mCRLCacheIsCleared = false;
                             }
-                            mInitialized = CRL_IP_INITIALIZED;
+                            mInitialized = CRLIssuingPointStatus.Initialized;
                         }
                         if (mPublishOnStart) {
                             try {
@@ -968,17 +980,17 @@ private void initCRL() throws EBaseException {
                     if ((mDoManualUpdate == false) &&
                             (mEnableCRLCache || mAlwaysUpdate ||
                             (mEnableUpdateFreq && mAutoUpdateInterval > 0))) {
-                        mInitialized = CRL_IP_INITIALIZED;
+                        mInitialized = CRLIssuingPointStatus.Initialized;
                         setManualUpdate(null);
                     }
                 }
             } catch (EBaseException ex) {
                 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_CREATE_CRL", ex.toString()));
-                mInitialized = CRL_IP_INITIALIZATION_FAILED;
+                mInitialized = CRLIssuingPointStatus.InitializationFailed;
                 return;
             }
         }
-        mInitialized = CRL_IP_INITIALIZED;
+        mInitialized = CRLIssuingPointStatus.Initialized;
     }
 
     private Object configMonitor = new Object();
@@ -1494,15 +1506,15 @@ private synchronized void setAutoUpdates() {
                 ((mEnableDailyUpdates && mDailyUpdates != null &&
                         mTimeListSize > 0) ||
                         (mEnableUpdateFreq && mAutoUpdateInterval > 0) ||
-                        (mInitialized == CRL_IP_NOT_INITIALIZED) ||
+                        (mInitialized == CRLIssuingPointStatus.NotInitialized) ||
                         mDoLastAutoUpdate || mDoManualUpdate)))) {
             mUpdateThread = new Thread(this, "CRLIssuingPoint-" + mId);
             log(ILogger.LL_INFO, CMS.getLogMessage("CMSCORE_CA_ISSUING_START_CRL", mId));
             mUpdateThread.setDaemon(true);
             mUpdateThread.start();
         }
 
-        if ((mInitialized == CRL_IP_INITIALIZED) && (((mNextUpdate != null) ^
+        if (isCRLIssuingPointInitialized() && (((mNextUpdate != null) ^
                 ((mEnableDailyUpdates && mDailyUpdates != null && mTimeListSize > 0) ||
                 (mEnableUpdateFreq && mAutoUpdateInterval > 0))) ||
                 (!mEnableCRLUpdates && mNextUpdate != null))) {
@@ -1773,7 +1785,7 @@ public void run() {
 
         try {
             while (mEnable && ((mEnableCRLCache && mCacheUpdateInterval > 0) ||
-                    (mInitialized == CRL_IP_NOT_INITIALIZED) ||
+                    (mInitialized == CRLIssuingPointStatus.NotInitialized) ||
                     mDoLastAutoUpdate || (mEnableCRLUpdates &&
                     ((mEnableDailyUpdates && mDailyUpdates != null &&
                             mTimeListSize > 0) ||
@@ -1789,12 +1801,9 @@ public void run() {
                             mTimeListSize > 0) ||
                             (mEnableUpdateFreq && mAutoUpdateInterval > 0));
 
-                    if (mInitialized == CRL_IP_NOT_INITIALIZED)
+                    if (mInitialized == CRLIssuingPointStatus.NotInitialized)
                         initCRL();
 
-                    if (mInitialized == CRL_IP_INITIALIZED && (!mEnable))
-                        break;
-
                     if ((mEnableCRLUpdates && mDoManualUpdate) || mDoLastAutoUpdate) {
                         delay = 0;
                     } else if (scheduledUpdates) {
@@ -1900,25 +1909,8 @@ public void run() {
 
     /**
      * Updates CRL and publishes it.
-     * If time elapsed since last CRL update is less than
-     * minUpdateInterval silently returns.
-     * Otherwise determines nextUpdate by adding autoUpdateInterval or
-     * minUpdateInterval to the current time. If neither of the
-     * intervals are defined nextUpdate will be null.
-     * Then using specified configuration parameters it formulates new
-     * CRL, signs it, updates CRLIssuingPointRecord in the database
-     * and publishes CRL in the directory.
-     * <P>
      */
     private void updateCRL() throws EBaseException {
-        /*
-        if (mEnableUpdateFreq && mAutoUpdateInterval > 0 &&
-            (System.currentTimeMillis() - mLastUpdate.getTime() <
-                mMinUpdateInterval)) {
-            // log or alternatively throw an Exception
-            return;
-        }
-        */
         if (mDoManualUpdate && mSignatureAlgorithmForManualUpdate != null) {
             updateCRLNow(mSignatureAlgorithmForManualUpdate);
         } else {

base/common/src/com/netscape/certsrv/ca/ICRLIssuingPoint.java

@@ -67,9 +67,8 @@ public interface ICRLIssuingPoint {
     public static final int CRL_UPDATE_STARTED = 1;
     public static final int CRL_PUBLISHING_STARTED = 2;
 
-    public static final int CRL_IP_NOT_INITIALIZED = 0;
-    public static final int CRL_IP_INITIALIZED = 1;
-    public static final int CRL_IP_INITIALIZATION_FAILED = -1;
+    public enum CRLIssuingPointStatus {
+        NotInitialized, Initialized, InitializationFailed };
 
     /**
      * Returns true if CRL issuing point is enabled.
@@ -123,9 +122,10 @@ public interface ICRLIssuingPoint {
     /**
      * Returns CRL issuing point initialization status.
      *
-     * @return status of CRL issuing point initialization
+     * @return true if CRL issuing point hsa been successfully
+     *         initialized, otherwise false.
      */
-    public int isCRLIssuingPointInitialized();
+    public boolean isCRLIssuingPointInitialized();
 
     /**
      * Checks if manual update is set.

base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java

@@ -344,8 +344,7 @@ private void process(CMSTemplateParams argSet, IArgBlock header,
         if (clearCache != null && clearCache.equals("true") &&
                 crlIssuingPoint.isCRLGenerationEnabled() &&
                 crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
-                crlIssuingPoint.isCRLIssuingPointInitialized()
-                            == ICRLIssuingPoint.CRL_IP_INITIALIZED) {
+                crlIssuingPoint.isCRLIssuingPointInitialized()) {
 
             CMS.debug("UpdateCRL: clearing CRL cache");
             crlIssuingPoint.clearCRLCache();
@@ -354,10 +353,9 @@ private void process(CMSTemplateParams argSet, IArgBlock header,
         if (!(waitForUpdate != null && waitForUpdate.equals("true") &&
                 crlIssuingPoint.isCRLGenerationEnabled() &&
                 crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
-                crlIssuingPoint.isCRLIssuingPointInitialized()
-                            == ICRLIssuingPoint.CRL_IP_INITIALIZED)) {
+                crlIssuingPoint.isCRLIssuingPointInitialized())) {
 
-            if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) {
+            if (!crlIssuingPoint.isCRLIssuingPointInitialized()) {
 
                 CMS.debug("UpdateCRL: CRL issuing point not initialized");
                 header.addStringValue("crlUpdate", "notInitialized");