-rw-r--r--rpkid/rpki/rootd.py21
-rw-r--r--rpkid/rpki/up_down.py30
2 files changed, 45 insertions, 6 deletions
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py
index 09b792ea..7cfcb957 100644
--- a/rpkid/rpki/rootd.py
+++ b/rpkid/rpki/rootd.py
@@ -75,8 +75,13 @@ class revoke_pdu(rpki.up_down.revoke_pdu):
def serve_pdu(self, q_msg, r_msg, ignored, callback, errback):
rpki.log.debug("Revocation requested for SKI %s" % self.ski)
subject_cert = rootd.get_subject_cert()
- if subject_cert is None or subject_cert.gSKI() != self.ski:
+ if subject_cert is None:
+ rpki.log.debug("No subject certificate, nothing to revoke")
raise rpki.exceptions.NotInDatabase
+ if subject_cert.gSKI() != self.ski:
+ rpki.log.debug("Subject certificate has different SKI %s, not revoking" % subject_cert.gSKI())
+ raise rpki.exceptions.NotInDatabase
+ rpki.log.debug("Revoking certificate %s" % self.ski)
now = rpki.sundial.now()
rootd.revoke_subject_cert(now)
rootd.del_subject_cert()
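Review bot: The mismatch branch logs only the certificate's own SKI, not the SKI that was requested, so the two values that disagree cannot be compared from the log line alone; `rpki.log.debug("Subject certificate has SKI %s, revocation requested for %s, not revoking" % (subject_cert.gSKI(), self.ski))`. Both failure paths raise the same NotInDatabase (mapped to 1302 by the new error table), so the requester sees one status for "no certificate" and "wrong SKI" — fine if intended, but a one-line comment saying so would stop a later reader from splitting them. serve_pdu continues past the end of the hunk.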
@@ -87,6 +92,11 @@ class revoke_pdu(rpki.up_down.revoke_pdu):
r_msg.payload.ski = self.ski
callback()
+class error_response_pdu(rpki.up_down.error_response_pdu):
+ exceptions = rpki.up_down.error_response_pdu.exceptions.copy()
+ exceptions[rpki.exceptions.ClassNameUnknown, revoke_pdu] = 1301
+ exceptions[rpki.exceptions.NotInDatabase, revoke_pdu] = 1302
+
class message_pdu(rpki.up_down.message_pdu):
name2type = {
@@ -96,10 +106,12 @@ class message_pdu(rpki.up_down.message_pdu):
"issue_response" : rpki.up_down.issue_response_pdu,
"revoke" : revoke_pdu,
"revoke_response" : rpki.up_down.revoke_response_pdu,
- "error_response" : rpki.up_down.error_response_pdu }
+ "error_response" : error_response_pdu }
type2name = dict((v, k) for k, v in name2type.items())
+ error_pdu_type = error_response_pdu
+
def log_query(self, child):
"""
Log query we're handling.
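Review bot: The status lookup in up_down.error_response_pdu.__init__ (the first up_down.py hunk) is keyed on the exact `type(request_payload)`, so the `(ClassNameUnknown, revoke_pdu)` and `(NotInDatabase, revoke_pdu)` entries added to the base table there can only match up_down's own revoke_pdu, never rootd's subclass — which is presumably why this hunk copies the table and re-keys the same two codes. Walking `type(request_payload).__mro__` in the lookup would let the base entries apply to subclasses and make the duplicated 1301/1302 table in this class unnecessary. If the copy is kept, a comment on `exceptions = rpki.up_down.error_response_pdu.exceptions.copy()` such as `# Re-keyed on rootd's revoke_pdu: the base lookup is by exact type, not isinstance` would save the next reader the same investigation.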
@@ -171,12 +183,15 @@ class main(object):
self.set_subject_pkcs10(new_pkcs10)
if subject_cert is not None:
rpki.log.debug("PKCS #10 changed, regenerating subject certificate")
+ self.revoke_subject_cert(now)
subject_cert = None
if subject_cert is not None and subject_cert.getNotAfter() <= now + self.rpki_subject_regen:
rpki.log.debug("Subject certificate has reached expiration threshold, regenerating")
+ self.revoke_subject_cert(now)
subject_cert = None
if subject_cert is not None and self.root_newer_than_subject():
rpki.log.debug("Root certificate has changed, regenerating subject")
+ self.revoke_subject_cert(now)
subject_cert = None
self.get_root_cert()
if subject_cert is not None:
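Review bot: The three regeneration branches now each repeat the same `rpki.log.debug(...)` / `self.revoke_subject_cert(now)` / `subject_cert = None` sequence, and a fourth reason added later is likely to forget the revoke call again (the CRL-pruning hunk below depends on every regeneration being recorded). Collecting the reason first and performing the revoke once — e.g. a small helper that logs the reason, calls `self.revoke_subject_cert(now)` and returns None for subject_cert — keeps the revocation in one place. `now` and the enclosing method's start are outside the hunk, so I am assuming `now` is already bound at the first new call site; worth confirming, since the earlier branch sits under a condition that begins before the hunk.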
@@ -209,6 +224,8 @@ class main(object):
subject_cert = self.get_subject_cert()
self.next_serial_number()
self.next_crl_number()
+ while self.revoked and self.revoked[0][1] + 2 * self.rpki_subject_regen < now:
+ del self.revoked[0]
crl = rpki.x509.CRL.generate(
keypair = self.rpki_root_key,
issuer = self.rpki_root_cert,
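Review bot: The prune on `self.revoked[0][1] + 2 * self.rpki_subject_regen < now` keys on the revocation time, not on the revoked certificate's notAfter; the previous hunk also revokes on PKCS #10 change and root change, which can happen well before the expiry threshold, so a certificate that was issued with a lifetime longer than `2 * rpki_subject_regen` could drop off the CRL while still within its validity period (whether that is possible depends on the subject lifetime set outside this hunk). Pruning on the revoked certificate's notAfter, or documenting why the 2x margin is sufficient, would make the safety of the drop explicit; at minimum a comment such as `# Drop entries once the revoked certificate is assumed expired; relies on self.revoked being appended in revocation-time order` should accompany the loop, since popping only index 0 silently assumes that ordering. The enclosing CRL-generating method starts and ends outside the hunk.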
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index c9a54702..02ef66e4 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
@@ -539,16 +539,36 @@ class error_response_pdu(base_elt):
2001 : "Internal Server Error - Request not performed" }
exceptions = {
- rpki.exceptions.NoActiveCA : 1202 }
+ rpki.exceptions.NoActiveCA : 1202,
+ (rpki.exceptions.ClassNameUnknown, revoke_pdu) : 1301,
+ rpki.exceptions.ClassNameUnknown : 1201,
+ (rpki.exceptions.NotInDatabase, revoke_pdu) : 1302 }
- def __init__(self, exception = None):
+ def __init__(self, exception = None, request_payload = None):
"""
Initialize an error_response PDU from an exception object.
"""
base_elt.__init__(self)
if exception is not None:
- self.status = self.exceptions.get(type(exception), 2001)
+ rpki.log.debug("Constructing up-down error response from exception %s" % exception)
+ exception_type = type(exception)
+ request_type = None if request_payload is None else type(request_payload)
+ rpki.log.debug("Constructing up-down error response: exception_type %s, request_type %s" % (
+ exception_type, request_type))
+ if False:
+ self.status = self.exceptions.get((exception_type, request_type),
+ self.exceptions.get(exception_type,
+ 2001))
+ else:
+ self.status = self.exceptions.get((exception_type, request_type))
+ if self.status is None:
+ rpki.log.debug("No request-type-specific match, trying exception match")
+ self.status = self.exceptions.get(exception_type)
+ if self.status is None:
+ rpki.log.debug("No exception match either, defaulting")
+ self.status = 2001
self.description = str(exception)
+ rpki.log.debug("Chosen status code: %s" % self.status)
def endElement(self, stack, name, text):
"""
@@ -606,6 +626,8 @@ class message_pdu(base_elt):
type2name = dict((v, k) for k, v in name2type.items())
+ error_pdu_type = error_response_pdu
+
def toXML(self):
"""
Generate payload of message PDU.
@@ -674,7 +696,7 @@ class message_pdu(base_elt):
r_msg = message_pdu()
r_msg.sender = self.recipient
r_msg.recipient = self.sender
- r_msg.payload = error_response_pdu(exception)
+ r_msg.payload = self.error_pdu_type(exception, self.payload)
r_msg.type = self.type2name[type(r_msg.payload)]
return r_msg
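Review bot: `self.error_pdu_type(exception, self.payload)` now reads `self.payload` on the error path; if an error can be raised before the incoming message's payload has been parsed and message_pdu does not initialise the attribute, this would raise AttributeError inside the error handler and mask the original exception. Whether payload is pre-initialised is outside the hunk; if it is not, `self.error_pdu_type(exception, getattr(self, "payload", None))` keeps the fallback to the exception-only lookup. The enclosing method starts before the hunk.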