author | Rob Austein <sra@hactrn.net> | 2008-04-10 14:21:14 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2008-04-10 14:21:14 +0000 |
commit | b72c54712ffb2a04031bd336c08240196174be2e (patch) | |
tree | 3f71b534549c7a1aaa266b66362aed6ed2469c5d | |
parent | afd86b7de01a93340bf50cbab548c215938deb4b (diff) |
Crude version of HTTPS trust anchor cache
svn path=/rpkid/rpki/gctx.py; revision=1648
-rw-r--r-- | rpkid/rpki/gctx.py | 39 | ||||
-rw-r--r-- | rpkid/rpki/left_right.py | 6 |
2 files changed, 29 insertions, 16 deletions
diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
index 203e8519..fa61ac27 100644
--- a/rpkid/rpki/gctx.py
+++ b/rpkid/rpki/gctx.py
@@ -163,23 +163,30 @@ class global_context(object):
 self.sql_sweep()
 return 200, "OK"
 
- def build_x509store(self):
- """Build a dynamic x509store object. This is horribly
- inefficient, so will require some kind of caching scheme
- eventually, but the task at hand is just to confirm that this
- method will work at all.
- """
+ ## @var https_ta_cache
+ # HTTPS trust anchor cache, to avoid regenerating it for every TLS connection.
+ https_ta_cache = None
+
+ def clear_https_ta_cache(self):
+ """Clear cached HTTPS trust anchor X509Store."""
 
- store = POW.X509Store()
+ if self.https_ta_cache is not None:
+ rpki.log.debug("Clearing HTTPS trust anchor cache")
+ self.https_ta_cache = None
+
+ def build_x509store(self):
+ """Build a dynamic x509store object."""
 
- children = rpki.left_right.child_elt.sql_fetch_all(self)
+ if self.https_ta_cache is None:
 
- certs = [c.peer_biz_cert for c in children if c.peer_biz_cert is not None] + \
- [c.peer_biz_glue for c in children if c.peer_biz_glue is not None] + \
- self.https_ta_irbe
+ store = POW.X509Store()
+ children = rpki.left_right.child_elt.sql_fetch_all(self)
+ certs = [c.peer_biz_cert for c in children if c.peer_biz_cert is not None] + \
+ [c.peer_biz_glue for c in children if c.peer_biz_glue is not None] + \
+ self.https_ta_irbe
+ for x in certs:
+ rpki.log.debug("HTTPS dynamic trust anchor %s" % x.getSubject())
+ store.addTrust(x.get_POW())
+ self.https_ta_cache = store
 
- for x in certs:
- rpki.log.debug("HTTPS dynamic trust anchor %s" % x.getSubject())
- store.addTrust(x.get_POW())
-
- return store
+ return self.https_ta_cache
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 041415e0..e3c4c5e9 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
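Review bot: build_x509store now hands back `self.https_ta_cache` unconditionally once it is set, but the only invalidation this commit adds is the child_elt flag in the left_right.py hunks, which fires only when a peer_biz_cert or peer_biz_glue element is parsed and then saved. A child being destroyed, or a change to `self.https_ta_irbe` (which is folded into the same store), therefore appears to leave a store that still trusts the old anchors until the process restarts — worth confirming against the destroy path, which is outside this diff. I would make that contract explicit in the new docstring: `"""Build (or return the cached) HTTPS trust anchor X509Store. Callers that change a child's peer_biz_cert/peer_biz_glue, delete a child, or alter https_ta_irbe must call clear_https_ta_cache() first."""`. global_context continues outside the hunk on both sides.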
@@ -633,6 +633,7 @@ class child_elt(data_elt):
 peer_biz_cert = None
 peer_biz_glue = None
+ clear_https_ta_cache = False
 
 def child_certs(self, ca_detail = None, ski = None, unique = False):
 """Fetch all child_cert objects that link to this child object."""
@@ -655,6 +656,9 @@ class child_elt(data_elt):
 def serve_post_save_hook(self, q_pdu, r_pdu):
 """Extra server actions for child_elt."""
 self.unimplemented_control("reissue")
+ if self.clear_https_ta_cache:
+ self.gctx.clear_https_ta_cache()
+ self.clear_https_ta_cache = False
 
 def startElement(self, stack, name, attrs):
 """Handle <child/> element."""
@@ -666,8 +670,10 @@ class child_elt(data_elt):
 """Handle <child/> element."""
 if name == "peer_biz_cert":
 self.peer_biz_cert = rpki.x509.X509(Base64 = text)
+ self.clear_https_ta_cache = True
 elif name == "peer_biz_glue":
 self.peer_biz_glue = rpki.x509.X509(Base64 = text)
+ self.clear_https_ta_cache = True
 else:
 assert name == "child", "Unexpected name %s, stack %s" % (name, stack)
 stack.pop() |
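Review bot: The new class attribute `clear_https_ta_cache = False` in the first hunk shares its name with the gctx method `self.gctx.clear_https_ta_cache()` called in the second hunk while being a bool rather than a callable, which reads as a mix-up at the call site; a name such as `https_ta_cache_dirty` would separate the flag from the action. The flag also carries no comment saying who sets it and who consumes it; I would add above it `# Set by the element handler when peer_biz_cert/peer_biz_glue is parsed; serve_post_save_hook clears gctx's HTTPS trust anchor cache and resets it.`. Because the flag is consumed only in serve_post_save_hook, a PDU that sets it in the third hunk but never reaches the post-save hook leaves the cache untouched, which is harmless only if child_elt instances are per-PDU — I cannot tell from here. child_elt continues outside all three hunks.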