authorRob Austein <sra@hactrn.net>2007-11-14 18:54:30 +0000
committerRob Austein <sra@hactrn.net>2007-11-14 18:54:30 +0000
commit0c09c0596e642b5bb3cc107b0933cf9ad847086c (patch)
tree266fc1d98fc46d14c8e2007e985ee13328238ed9
parent8d48fee8d4f99bcd07c8def5fdc4a5cbb302ae35 (diff)
Fix implementation of up-down "revoke"
svn path=/docs/rpki-db-schema.sql; revision=1295
-rw-r--r--docs/rpki-db-schema.sql32
-rw-r--r--scripts/biz-certs/Bob-CA.srl2
-rw-r--r--scripts/rpki/sql.py4
-rw-r--r--scripts/rpki/up_down.py16
4 files changed, 30 insertions, 24 deletions
diff --git a/docs/rpki-db-schema.sql b/docs/rpki-db-schema.sql
index bdad6f96..b50633cd 100644
--- a/docs/rpki-db-schema.sql
+++ b/docs/rpki-db-schema.sql
@@ -47,7 +47,7 @@ CREATE TABLE repository (
repository_id SERIAL NOT NULL,
peer_contact_uri TEXT,
cms_ta LONGBLOB,
- https_ta LONGBLOB,
+ https_ta LONGBLOB,
bsc_id BIGINT unsigned NOT NULL,
self_id BIGINT unsigned NOT NULL,
PRIMARY KEY (repository_id),
@@ -75,17 +75,17 @@ CREATE TABLE parent (
DROP TABLE IF EXISTS ca;
CREATE TABLE ca (
- ca_id SERIAL NOT NULL,
- last_crl_sn BIGINT unsigned NOT NULL,
- last_manifest_sn BIGINT unsigned NOT NULL,
- next_manifest_update DATETIME,
- next_crl_update DATETIME,
- last_issued_sn BIGINT unsigned NOT NULL,
- sia_uri TEXT,
- parent_resource_class TEXT,
- parent_id BIGINT unsigned,
- PRIMARY KEY (ca_id),
- FOREIGN KEY (parent_id) REFERENCES parent
+ ca_id SERIAL NOT NULL,
+ last_crl_sn BIGINT unsigned NOT NULL,
+ last_manifest_sn BIGINT unsigned NOT NULL,
+ next_manifest_update DATETIME,
+ next_crl_update DATETIME,
+ last_issued_sn BIGINT unsigned NOT NULL,
+ sia_uri TEXT,
+ parent_resource_class TEXT,
+ parent_id BIGINT unsigned,
+ PRIMARY KEY (ca_id),
+ FOREIGN KEY (parent_id) REFERENCES parent
);
DROP TABLE IF EXISTS ca_detail;
@@ -100,8 +100,8 @@ CREATE TABLE ca_detail (
manifest_public_key LONGBLOB,
latest_manifest_cert LONGBLOB,
latest_manifest LONGBLOB,
- state ENUM ('active', 'deprecated', 'pending', 'revoked') NOT NULL,
- state_timer DATETIME,
+ state ENUM ('pending', 'active', 'deprecated', 'revoked') NOT NULL,
+ state_timer DATETIME,
ca_cert_uri TEXT,
ca_id BIGINT unsigned NOT NULL,
PRIMARY KEY (ca_detail_id),
@@ -156,3 +156,7 @@ CREATE TABLE route_origin_range (
PRIMARY KEY (route_origin_id, start_ip, end_ip),
FOREIGN KEY (route_origin_id) REFERENCES route_origin
);
+
+-- Local Variables:
+-- indent-tab-mode: nil
+-- End:
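Review bot: The reordering of the `state` ENUM on ca_detail (old: 'active', 'deprecated', 'pending', 'revoked'; new: 'pending', 'active', 'deprecated', 'revoked') is the only semantic change in this section, and in MySQL (which the SERIAL/LONGBLOB/ENUM types suggest this schema targets) ENUM values compare and sort by declaration position, so any ORDER BY or numeric comparison on `state` now follows the new order and existing rows would need the table recreated, which the `DROP TABLE IF EXISTS ca_detail` above does. The rest of the section is re-indentation plus an editor settings block. Since the order now carries meaning, a one-line comment on the column would save the next reader from "fixing" it back, e.g. `-- ENUM order is significant: MySQL sorts/compares by declaration position`.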
diff --git a/scripts/biz-certs/Bob-CA.srl b/scripts/biz-certs/Bob-CA.srl
index 148d9644..5e3fd115 100644
--- a/scripts/biz-certs/Bob-CA.srl
+++ b/scripts/biz-certs/Bob-CA.srl
@@ -1 +1 @@
-90801F1ED19454AF
+90801F1ED19454B1
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index 6fabc88d..228960f6 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -508,7 +508,9 @@ class child_cert_obj(sql_persistant):
def revoke(self):
"""Mark a child cert as revoked."""
- self.revoked = True
+ if not self.revoked:
+ self.revoked = True
+ self.sql_mark_dirty()
def reissue(self, gctx, ca_detail, resources, sia):
"""Reissue an existing cert, reusing the public key. If the cert
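Review bot: The docstring of `revoke` still reads "Mark a child cert as revoked." although the new body no longer persists anything by itself: `self.sql_mark_dirty()` appears only to flag the object, and the write happens when a caller later runs `rpki.sql.sql_sweep(gctx)` (as up_down.py does in this same commit). Suggest `"""Mark a child cert as revoked; the change is persisted on the next sql_sweep()."""` so callers know a revocation is not durable until the sweep runs. The `if not self.revoked` guard also means an already-revoked cert is not re-marked dirty, which is reasonable but worth one word in the docstring. The body of `reissue` continues outside the hunk.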
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 82852bac..777743cf 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -341,14 +341,14 @@ class revoke_pdu(revoke_syntax):
if not self.class_name.isdigit():
raise rpki.exceptions.BadClassNameSyntax, "Bad class name %s" % self.class_name
ca_id = long(self.class_name)
- ca = rpki.sql.ca_obj.sql_fetch(gctx, ca_id)
- ca_detail = rpki.sql.ca_detail_obj.sql_fetch_active(gctx, ca_id)
- if ca is None or ca_detail is None:
- raise rpki.exceptions.NotInDatabase
- for c in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
- child_id = %s AND ca_detail_id = %s AND ski = "%s"
- """ % (child.child_id, ca_detail.ca_detail_id, self.get_SKI())):
- c.sql_delete()
+ ski = self.get_SKI()
+ for ca_detail in rpki.sql.ca_detail_obj.sql_fetch_where(gctx, """
+ ca_id = %s AND state != 'revoked'""" % ca_id):
+ for child_cert in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
+ child_id = %s AND ca_detail_id = %s AND ski = '%s'
+ """ % (child.child_id, ca_detail.ca_detail_id, ski)):
+ child_cert.revoke()
+ rpki.sql.sql_sweep(gctx)
r_msg.payload = revoke_response_pdu()
r_msg.payload.class_name = self.class_name
r_msg.payload.ski = self.ski
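Review bot: The child_cert_obj fetch still interpolates the SKI straight into the SQL text (`ski = '%s'` built with `% (..., ski)`), and `ski` comes from the peer's revoke PDU via `self.get_SKI()`, so unlike `ca_id`, which the `isdigit()` check above constrains, the value that reaches the WHERE clause is not validated anywhere in this hunk; a malformed SKI can at minimum break the query and, depending on what get_SKI() returns, change its meaning. If `sql_fetch_where` accepts bound parameters, pass the SKI that way; otherwise check that get_SKI() yields only the expected hex/base64 characters and raise a syntax exception of the same kind as `BadClassNameSyntax` before building the query. A second, smaller point: dropping the `sql_fetch` of ca/ca_detail also drops the `NotInDatabase` error, so a revoke naming an unknown class, or one with no matching certificate, now returns a normal `revoke_response_pdu`; if that silent success is intended, a comment such as `# no matching cert: revoke is idempotent, respond normally` would make it explicit. The enclosing method of `revoke_pdu` starts before and continues after the hunk.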