author | Rob Austein <sra@hactrn.net> | 2013-04-20 06:27:30 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2013-04-20 06:27:30 +0000 |
commit | e338132561626b412edea0903cde0d6f13f1ff30 (patch) | |
tree | 7f2a3c29fca726433c0560b7fa6d53e697eb7784 | |
parent | 05eaca3a52b1049ec69b7788deb4872df1c0d7c5 (diff) |
Force new manifest EE certificate, manifest, and CRL when parent
reissues our CA certificate. Fixes #519.
svn path=/trunk/; revision=5303
-rw-r--r-- | rpkid/rpki/rpkid.py | 54 | ||||
-rw-r--r-- | rpkid/rpki/up_down.py | 16 |
2 files changed, 45 insertions, 25 deletions
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index 8c193c31..33a0d942 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -565,6 +565,7 @@ class ca_obj(rpki.sql.sql_persistent):
 if (ca_detail.state == "pending" or sia_uri_changed or ca_detail.latest_ca_cert != rc_cert.cert or
+ ca_detail.latest_ca_cert.getNotAfter() != rc_resources.valid_until or
 current_resources.undersized(rc_resources) or current_resources.oversized(rc_resources)): return ca_detail.update(
@@ -632,10 +633,12 @@ class ca_obj(rpki.sql.sql_persistent):
 ca_detail = ca_detail_obj.create(self) def done(issue_response):
+ c = issue_response.payload.classes[0].certs[0]
+ rpki.log.debug("CA %r received certificate %s" % (self, c.cert_url))
 ca_detail.activate( ca = self,
- cert = issue_response.payload.classes[0].certs[0].cert,
- uri = issue_response.payload.classes[0].certs[0].cert_url,
+ cert = c.cert,
+ uri = c.cert_url,
 callback = cb, errback = eb)
@@ -708,10 +711,12 @@ class ca_obj(rpki.sql.sql_persistent):
 new_detail = ca_detail_obj.create(self) def done(issue_response):
+ c = issue_response.payload.classes[0].certs[0]
+ rpki.log.debug("CA %r received certificate %s" % (self, c.cert_url))
 new_detail.activate( ca = self,
- cert = issue_response.payload.classes[0].certs[0].cert,
- uri = issue_response.payload.classes[0].certs[0].cert_url,
+ cert = c.cert,
+ uri = c.cert_url,
 predecessor = old_detail, callback = cb, errback = eb)
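Review bot: The new clause in the @@ -565 hunk, `ca_detail.latest_ca_cert.getNotAfter() != rc_resources.valid_until`, compares a value read from our stored certificate with one parsed from the parent's up-down response, and if the two are not the same datetime type (one timezone-aware and one naive, or one still a string) the inequality is always true and ca_detail.update() sends a fresh issue request to the parent on every pass through this check. A comment recording the expectation would help, e.g. `# Both sides must be rpki.sundial datetimes; a type mismatch here forces a reissue request every cycle`, together with a test showing an unchanged certificate does not trigger update(). As a point of style, the pair `c = issue_response.payload.classes[0].certs[0]` / `rpki.log.debug("CA %r received certificate %s" % (self, c.cert_url))` is now repeated in the @@ -632 and @@ -708 hunks here and again in the @@ -1031 hunk of ca_detail_obj; a small helper that extracts and logs the first cert of the response would keep the three callbacks in step. The enclosing methods start before and end after each of these hunks.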
@@ -1031,20 +1036,27 @@ class ca_detail_obj(rpki.sql.sql_persistent):
 """ def issued(issue_response):
+ c = issue_response.payload.classes[0].certs[0]
+ rpki.log.debug("CA %r received certificate %s" % (self, c.cert_url))
+
 if self.state == "pending": return self.activate( ca = ca,
- cert = issue_response.payload.classes[0].certs[0].cert,
- uri = issue_response.payload.classes[0].certs[0].cert_url,
+ cert = c.cert,
+ uri = c.cert_url,
 callback = callback, errback = errback)
- new_ca_cert = issue_response.payload.classes[0].certs[0].cert
- if self.latest_ca_cert != new_ca_cert:
- self.latest_ca_cert = new_ca_cert
+ publisher = publication_queue()
+
+ if self.latest_ca_cert != c.cert:
+ self.latest_ca_cert = c.cert
 self.sql_mark_dirty()
+ self.generate_manifest_cert()
+ self.generate_crl(publisher = publisher)
+ self.generate_manifest(publisher = publisher)
+
 new_resources = self.latest_ca_cert.get_3779resources()
- publisher = publication_queue()
 if sia_uri_changed or old_resources.oversized(new_resources): for child_cert in self.child_certs:
@@ -1055,6 +1067,12 @@ class ca_detail_obj(rpki.sql.sql_persistent):
 resources = child_resources & new_resources, publisher = publisher)
+ # And why, exactly, are we not whacking other things issued by
+ # this ca_detail? Oversight? Fiendish cleverness I should have
+ # documented? Faith that normal cron cycle will regenerate
+ # anything that needs it quickly enough? Faith that nothing
+ # else needs regeneration at this point?
+
 publisher.call_pubd(callback, errback) rpki.log.debug("Sending issue request to %r from %r" % (parent, self.update))
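Review bot: In the @@ -1031 hunk, child certificates are still reissued only `if sia_uri_changed or old_resources.oversized(new_resources):`, so a reissued CA certificate whose notAfter moved earlier — the very case the new `getNotAfter() != rc_resources.valid_until` check elsewhere in this commit reacts to — leaves existing child certificates valid past their issuer's expiry; the `must_revoke` line in child_cert_obj.reissue tests `old_resources.valid_until > resources.valid_until` separately from oversized(), which suggests oversized() does not look at validity. If old_resources and new_resources carry valid_until the way the bags in child_cert_obj do, the condition could read `if sia_uri_changed or old_resources.oversized(new_resources) or old_resources.valid_until > new_resources.valid_until:`. The same gap is what the new comment in the @@ -1055 hunk is asking about for the other objects issued by this ca_detail; marking it `# TODO:` would make the open question trackable rather than rhetorical. The enclosing method starts before and ends after these hunks.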
@@ -1469,16 +1487,20 @@ class child_cert_obj(rpki.sql.sql_persistent):
 assert resources.valid_until is not None and old_resources.valid_until is not None
- if resources != old_resources:
- rpki.log.debug("Resources changed for %r" % self)
+ if resources.asn != old_resources.asn or resources.v4 != old_resources.v4 or resources.v6 != old_resources.v6:
+ rpki.log.debug("Resources changed for %r: old %s new %s" % (self, old_resources, resources))
+ needed = True
+
+ if resources.valid_until != old_resources.valid_until:
+ rpki.log.debug("Validity changed for %r: old %s new %s" % (self, old_resources.valid_until, resources.valid_until))
 needed = True if sia != old_sia:
- rpki.log.debug("SIA changed for %r" % self)
+ rpki.log.debug("SIA changed for %r: old %r new %r" % (self, old_sia, sia))
 needed = True if ca_detail != old_ca_detail:
- rpki.log.debug("Issuer changed for %r %s" % (self, self.uri))
+ rpki.log.debug("Issuer changed for %r %s: old %r new %r" % (self, self.uri, old_ca_detail, ca_detail))
 needed = True must_revoke = old_resources.oversized(resources) or old_resources.valid_until > resources.valid_until
@@ -1486,10 +1508,6 @@ class child_cert_obj(rpki.sql.sql_persistent):
 rpki.log.debug("Must revoke any existing cert(s) for %r" % self) needed = True
- if resources.valid_until != old_resources.valid_until:
- rpki.log.debug("Validity changed for %r: %s %s" % (self, old_resources.valid_until, resources.valid_until))
- needed = True
-
 if not needed and force: rpki.log.debug("No change needed for %r, forcing reissuance anyway" % self) needed = True
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index cea4e27f..c9a54702 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
@@ -86,7 +86,7 @@ class base_elt(object):
 """ Default PDU handler to catch unexpected types. """
- raise rpki.exceptions.BadQuery, "Unexpected query type %s" % q_msg.type
+ raise rpki.exceptions.BadQuery("Unexpected query type %s" % q_msg.type)
 def check_response(self): """
@@ -110,7 +110,7 @@ class multi_uri(list):
 self[:] = ini.split(",") for s in self: if s.strip() != s or "://" not in s:
- raise rpki.exceptions.BadURISyntax, "Bad URI \"%s\"" % s
+ raise rpki.exceptions.BadURISyntax("Bad URI \"%s\"" % s)
 else: raise TypeError
@@ -368,23 +368,25 @@ class issue_pdu(base_elt):
 if self.req_resource_set_as or \ self.req_resource_set_ipv4 or \ self.req_resource_set_ipv6:
- raise rpki.exceptions.NotImplementedYet, "req_* attributes not implemented yet, sorry"
+ raise rpki.exceptions.NotImplementedYet("req_* attributes not implemented yet, sorry")
 # Check the request self.pkcs10.check_valid_rpki() ca = child.ca_from_class_name(self.class_name) ca_detail = ca.active_ca_detail if ca_detail is None:
- raise rpki.exceptions.NoActiveCA, "No active CA for class %r" % self.class_name
+ raise rpki.exceptions.NoActiveCA("No active CA for class %r" % self.class_name)
 # Check current cert, if any def got_resources(irdb_resources): if irdb_resources.valid_until < rpki.sundial.now():
- raise rpki.exceptions.IRDBExpired, "IRDB entry for child %s expired %s" % (child.child_handle, irdb_resources.valid_until)
+ raise rpki.exceptions.IRDBExpired("IRDB entry for child %s expired %s" % (
+ child.child_handle, irdb_resources.valid_until))
 resources = irdb_resources & ca_detail.latest_ca_cert.get_3779resources()
+ resources.valid_until = irdb_resources.valid_until
 req_key = self.pkcs10.getPublicKey() req_sia = self.pkcs10.get_SIA() child_cert = child.fetch_child_certs(ca_detail = ca_detail, ski = req_key.get_SKI(), unique = True)
@@ -555,7 +557,7 @@ class error_response_pdu(base_elt):
 if name == "status": code = int(text) if code not in self.codes:
- raise rpki.exceptions.BadStatusCode, "%s is not a known status code" % code
+ raise rpki.exceptions.BadStatusCode("%s is not a known status code" % code)
 self.status = code elif name == "description": self.description = text
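Review bot: In the @@ -368 hunk, `resources.valid_until = irdb_resources.valid_until` is assigned after `resources = irdb_resources & ca_detail.latest_ca_cert.get_3779resources()`, so whatever valid_until the intersection produced — plausibly the earlier of the two, i.e. our own CA certificate's notAfter when the IRDB date is later — is overwritten by the IRDB date alone. Unless child_cert_obj.reissue clamps it again (nothing in this commit shows that), the child can be issued a certificate that outlives the certificate signing it. A bounded form, `resources.valid_until = min(irdb_resources.valid_until, ca_detail.latest_ca_cert.getNotAfter())`, keeps the IRDB in control of the date without exceeding the issuer, assuming getNotAfter() returns the same datetime type as the IRDB value. got_resources is a nested callback inside the issue_pdu handler, whose body continues outside the hunk.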
@@ -584,7 +586,7 @@ class error_response_pdu(base_elt):
 Handle an error response. For now, just raise an exception, perhaps figure out something more clever to do later. """
- raise rpki.exceptions.UpstreamError, self.codes[self.status]
+ raise rpki.exceptions.UpstreamError(self.codes[self.status])
 class message_pdu(base_elt): """ |