authorRob Austein <sra@hactrn.net>2008-07-16 00:58:32 +0000
committerRob Austein <sra@hactrn.net>2008-07-16 00:58:32 +0000
commit25549330ba0aac50bde10ef94304b2027f8a5050 (patch)
tree6fdea4910bc053a9273c2f8a494a9097d2d2c45d
parenta62195420f0888373b68376f95605bae57b79ad7 (diff)
I should try goofing up the IRDB expiration date more often, all sorts
of interesting things blew up when I did that by accident. svn path=/rpkid/rpki/exceptions.py; revision=2000
-rw-r--r--rpkid/rpki/exceptions.py3
-rw-r--r--rpkid/rpki/left_right.py2
-rw-r--r--rpkid/rpki/rpki_engine.py14
-rw-r--r--rpkid/rpki/up_down.py4
4 files changed, 15 insertions, 8 deletions
diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index 9c02c623..4c1183be 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -127,3 +127,6 @@ class CMSCRLNotSet(RPKI_Exception):
class ServerShuttingDown(RPKI_Exception):
"""Server is shutting down."""
+
+class NoActiveCA(RPKI_Exception):
+ """No active ca_detail for specified class."""
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 2b42ad85..d4c051f1 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -222,7 +222,7 @@ class self_elt(data_elt):
if now > ca_detail.latest_crl.getNextUpdate():
ca_detail.delete(ca, repository)
ca_detail = ca.fetch_active()
- if now > ca_detail.latest_crl.getNextUpdate():
+ if ca_detail is not None and now > ca_detail.latest_crl.getNextUpdate():
ca_detail.generate_crl()
ca_detail.generate_manifest()
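Review bot: When `ca.fetch_active()` returns None the new guard skips CRL and manifest generation without leaving any trace, even though the `ca_detail.delete()` just above has (per the `ca_detail_obj.delete` hunk in rpki_engine.py) withdrawn the published manifest and CRL. An operator would want to see that a CA was left with no active ca_detail, so a line such as `if ca_detail is None: rpki.log.warn("No active ca_detail after deleting expired one, nothing regenerated")` before the comparison would help. The earlier `now > ca_detail.latest_crl.getNextUpdate()` in the context dereferences `latest_crl` unguarded as well; whether it can be unset at that point is not visible here. The enclosing method starts and ends outside the hunk.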
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index 935ddc17..73593418 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -230,6 +230,11 @@ class ca_obj(rpki.sql.sql_persistant):
ski = ca_detail.latest_ca_cert.get_SKI()
+ if ski not in cert_map:
+ rpki.log.warn("Certificate in database missing from list_response, SKI %s, this should never happen" % ":".join(("%02X" % ord(i) for i in ski)))
+ ca_detail.delete(self, parent.repository())
+ continue
+
if ca_detail.state in ("pending", "active"):
current_resources = ca_detail.latest_ca_cert.get_3779resources()
if sia_uri_changed or \
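Review bot: The added branch turns a condition the message itself calls "should never happen" into a destructive action driven by remote input: any ca_detail whose SKI is absent from `cert_map` (apparently built from the parent's list_response) is handed to `ca_detail.delete()`, which per the `ca_detail_obj.delete` hunk withdraws ROAs, manifest and CRL and drops the row. A truncated or faulty response from the parent would therefore remove local publication state with nothing but a warning. At minimum the log text should state the action taken, e.g. end the message with `, deleting ca_detail`; it is also worth considering whether the deletion should wait until the certificate is missing from a second consecutive response. The enclosing loop starts outside the hunk.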
@@ -243,10 +248,7 @@ class ca_obj(rpki.sql.sql_persistant):
sia_uri_changed = sia_uri_changed,
old_resources = current_resources)
- if ski in cert_map:
- del cert_map[ski]
- else:
- rpki.log.warn("Certificate in database missing from list_response, SKI %s, this should never happen" % ":".join(("%02X" % ord(i) for i in ski)))
+ del cert_map[ski]
if cert_map:
rpki.log.warn("Certificates in list_response missing from our database, SKIs %s" % ", ".join(c.cert.hSKI() for c in cert_map.values()))
@@ -286,7 +288,7 @@ class ca_obj(rpki.sql.sql_persistant):
repository = parent.repository()
for ca_detail in self.ca_details():
- ca_detail.delete(ca, repository)
+ ca_detail.delete(self, repository)
self.sql_delete()
def next_serial_number(self):
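Review bot: Both call sites corrected here, `ca_detail.delete(ca, repository)` with an undefined `ca` and `self.crl_uri()` without its argument in the `ca_detail_obj.delete` hunk that follows, could never have run to completion, which suggests the deletion path has no test. A test that deletes a CA holding at least one ca_detail would cover both fixes. In `ca_detail_obj.delete` the `repository.withdraw()` calls also precede `self.sql_delete()`, so an exception part-way through leaves objects withdrawn while the row survives; a comment such as `# withdraw first; a failure here leaves the row for a retry` would record whether that ordering is intended. Both methods start outside their hunks.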
@@ -421,7 +423,7 @@ class ca_detail_obj(rpki.sql.sql_persistant):
for route_origin in self.route_origins():
route_origin.withdraw_roa()
repository.withdraw(self.latest_manifest, self.manifest_uri(ca))
- repository.withdraw(self.latest_crl, self.crl_uri())
+ repository.withdraw(self.latest_crl, self.crl_uri(ca))
self.sql_delete()
def revoke(self):
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index e5c2718d..660c5ce8 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
@@ -277,9 +277,11 @@ class issue_pdu(base_elt):
raise rpki.exceptions.NotImplementedYet, "req_* attributes not implemented yet, sorry"
# Check the request
+ self.pkcs10.check_valid_rpki()
ca = child.ca_from_class_name(self.class_name)
ca_detail = ca.fetch_active()
- self.pkcs10.check_valid_rpki()
+ if ca_detail is None:
+ raise rpki.exceptions.NoActiveCA, "No active CA for class %s" % self.class_name
# Check current cert, if any
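Review bot: `ca` is still dereferenced without a check on the line after `child.ca_from_class_name(self.class_name)`, and `self.class_name` is taken from the child's request. If that lookup can return None for an unknown class (its body is not shown here), `ca.fetch_active()` raises AttributeError rather than an RPKI_Exception. Guarding it the same way as `ca_detail`, e.g. `if ca is None: raise rpki.exceptions.NoActiveCA, "No active CA for class %s" % self.class_name`, would keep the failure inside the protocol's error handling. The move of `check_valid_rpki()` ahead of the lookups could carry a comment like `# Validate the PKCS #10 before any CA lookup` so the ordering is not undone later. The method continues outside the hunk.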