-rw-r--r--scripts/rpki/sql.py36
-rw-r--r--scripts/rpki/up_down.py22
-rwxr-xr-xscripts/testroot.py1
-rw-r--r--scripts/testroot.sh16
4 files changed, 42 insertions, 33 deletions
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index be16b24e..784e5b01 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -1,6 +1,7 @@
# $Id$
-import MySQLdb, rpki.x509
+import MySQLdb, time
+import rpki.x509
def connect(cfg, section="sql"):
"""Connect to a MySQL database using connection parameters from an
@@ -195,6 +196,10 @@ class ca_obj(sql_persistant):
"last_manifest_sn", "next_manifest_update", "sia_uri", "parent_id",
"parent_resource_class")
+ last_crl_sn = 0
+ last_issued_sn = 0
+ last_manifest_sn = 0
+
def construct_sia_uri(self, gctx, parent, rc):
"""Construct the sia_uri value for this CA given configured
information and the parent's up-down protocol list_response PDU.
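Review bot: The three new class-level defaults start every serial counter at 0, and whether that is safe depends on helpers outside this diff: `generate_manifest` in a later hunk passes `ca.next_manifest_number()` straight into `m.build(serial = ...)`, and `last_issued_sn` presumably feeds the serialNumber of certificates this CA issues. If such a helper returns the stored value before incrementing it, the first issued certificate would carry serial 0, which RFC 5280 §4.1.2.2 (and RFC 3280 before it) forbids: serialNumber MUST be a positive integer. CRL numbers (§5.2.3) and manifest numbers may legitimately be 0, so only the issued-certificate counter is at risk, but a comment on these defaults such as `# serial counters; consumers must pre-increment so certificate serials start at 1` would make the contract explicit. Sharing ints as class attributes is otherwise fine, since instance assignment rebinds rather than mutates them.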
@@ -375,13 +380,18 @@ class ca_detail_obj(sql_persistant):
@classmethod
def create(cls, gctx, ca):
"""Create a new ca_detail object for a specified CA."""
- keypair = rpki.x509.RSA()
- keypair.generate()
self = cls()
self.ca_id = ca.ca_id
- self.private_key_id = keypair
- self.public_key = keypair.get_RSApublic()
self.state = "pending"
+
+ self.private_key_id = rpki.x509.RSA()
+ self.private_key_id.generate()
+ self.public_key = self.private_key_id.get_RSApublic()
+
+ self.manifest_private_key_id = rpki.x509.RSA()
+ self.manifest_private_key_id.generate()
+ self.manifest_public_key = self.manifest_private_key_id.get_RSApublic()
+
self.sql_store(gctx)
return self
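Review bot: The docstring at the top of `create` still reads "Create a new ca_detail object for a specified CA", but the method now also generates a second RSA keypair for manifest signing and persists both private keys through `sql_store`; suggest `"""Create a new ca_detail object for a specified CA, generating its CA keypair and a separate manifest-signing keypair and storing both."""`. The attributes `private_key_id` and `manifest_private_key_id` hold the `rpki.x509.RSA` objects themselves rather than identifiers, which the `_id` suffix suggests; a one-line comment like `# despite the _id suffix these hold the RSA keypair objects` would spare the next reader a trip to the schema. Neither `generate()` call specifies a key size, so the adequacy of the default rests entirely on rpki.x509, which is outside this diff and worth confirming.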
@@ -405,11 +415,11 @@ class ca_detail_obj(sql_persistant):
aia = self.ca_cert_uri,
crldp = ca.sia_uri + self.latest_ca_cert.gSKI() + ".crl",
sia = sia,
- as = rc_as,
- v4 = rc_v4,
- v6 = rc_v6)
+ as = as,
+ v4 = v4,
+ v6 = v6)
- manifest = self.generate_manifest()
+ manifest = self.generate_manifest(gctx)
repository = rpki.left_right.repository_elt.sql_fetch_where1(gctx, """
repository.repository_id = parent.repository_id AND
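Review bot: The rewritten keyword arguments use `as` as a name (`as = as`), and `as` is a reserved word from Python 2.6 onward (already a keyword in 2.5 under `from __future__ import with_statement`), so this call and the `issue()` signature it targets will stop parsing on an interpreter upgrade; renaming the parameter on both sides, e.g. `asn = asn`, avoids that. The pre-change code had the same problem with `as = rc_as`, so it is not introduced here, but these lines are being rewritten anyway and the same spelling appears in the up_down.py and testroot.py hunks. The `issue` method's signature and the rest of its body lie outside the hunk.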
@@ -467,17 +477,15 @@ class ca_detail_obj(sql_persistant):
"""Generate a new manifest for this ca_detail."""
ca = ca_obj.sql_fetch(gctx, self.ca_id)
- self_obj = rpki.left_right.self_elt.sql_fetch_where1(gctx, """
- self.self_id = parent.self_id AND
- parent.parent_id = %s
- """ % ca.parent_id)
+ parent = rpki.left_right.parent_elt.sql_fetch(gctx, ca.parent_id)
+ self_obj = rpki.left_right.self_elt.sql_fetch(gctx, parent.self_id)
certs = child_cert_obj.sql_fetch_where(gctx, """
child_cert.ca_detail_id = %s AND
child_cert.revoked IS NULL
""" % self.ca_detail_id)
m = rpki.x509.SignedManifest()
- m.build(serial = ca.next_manifest(),
+ m.build(serial = ca.next_manifest_number(),
nextUpdate = time.time() + self_obj.crl_interval,
names_and_objs = [(c.gSKI() + ".cer", c) for c in certs])
m.sign(keypair = self.manifest_private_key_id,
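Review bot: The new `parent_elt.sql_fetch(gctx, ca.parent_id)` line is followed immediately by `parent.self_id` with no check on the result; if `sql_fetch` follows the convention of `sql_fetch_where1` seen in up_down.py, where a missing row comes back as None, a CA whose parent row has been removed would fail with an AttributeError instead of a clear error. Suggest `if parent is None: raise rpki.exceptions.NotInDatabase` between the two lines, mirroring the check `revoke_pdu` makes on `ca` and `ca_detail`. `generate_manifest`'s `def` line and the tail of its body (the `m.sign` call) lie outside the hunk.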
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index c0c1b9e4..9dd92b7d 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -263,21 +263,21 @@ class issue_pdu(base_elt):
rc_as, rc_v4, rc_v6 = ca_detail.latest_ca_cert.get_3779resources(*irdb_resources)
req_key = self.pkcs10.getPublicKey()
req_sia = self.pkcs10.get_SIA()
- req_ski = self.pkcs10.get_SKI()
child_cert = rpki.sql.child_cert_obj.sql_fetch_where1(gctx, """
- child_id = %s AND ca_detail_id = %s AND ski = %s
- """ % (child.child_id, ca_detail.ca_detail_id, req_ski))
+ child_id = %s AND ca_detail_id = %s AND ski = "%s"
+ """ % (child.child_id, ca_detail.ca_detail_id, req_key.get_SKI()))
# Generate new cert or regenerate old one if necessary
if child_cert is None:
- child_cert = rpki.sql.ca_detail_obj.issue(ca = ca,
- child = child,
- subject_key = req_key,
- sia = req_sia,
- as = rc_as,
- v4 = rc_v4,
- v6 = rc_v6)
+ child_cert = ca_detail.issue(gctx = gctx,
+ ca = ca,
+ child = child,
+ subject_key = req_key,
+ sia = req_sia,
+ as = rc_as,
+ v4 = rc_v4,
+ v6 = rc_v6)
elif (child_cert is not None and ((rc_as, rc_v4, rc_v6) != child_cert.cert.get_3779resources())) or \
(child_cert is not None and child_cert.cert.get_SIA() != req_sia):
child_cert.reissue(gctx = gctx,
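Review bot: The lookup at the `ski = "%s"` line still builds its SQL with `%` string formatting, and the interpolated value now comes straight from the client's PKCS#10 request via `req_key.get_SKI()`, so the request contents shape the statement rather than only its parameters; the same construction is introduced at the `revoke_pdu` lookup in the next hunk, where the value is `self.get_SKI()` taken from the revoke PDU. Wrapping the placeholder in double quotes is also fragile on MySQL, because under the ANSI_QUOTES SQL mode a double-quoted token is an identifier, not a string literal. If `sql_fetch_where1` can forward an argument tuple to `cursor.execute`, the robust form is a bare `ski = %s` placeholder with `(child.child_id, ca_detail.ca_detail_id, req_key.get_SKI())` passed as parameters so MySQLdb quotes and escapes them; failing that, the value should at least pass through `MySQLdb.escape_string` before formatting. The enclosing method of `issue_pdu` starts before the hunk and continues after it.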
@@ -351,7 +351,7 @@ class revoke_pdu(revoke_syntax):
if ca is None or ca_detail is None:
raise rpki.exceptions.NotInDatabase
for c in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
- child_id = %s AND ca_detail_id = %s AND ski = %s
+ child_id = %s AND ca_detail_id = %s AND ski = "%s"
""" % (child.child_id, ca_detail.ca_detail_id, self.get_SKI())):
c.sql_delete()
r_msg.payload = revoke_response_pdu()
diff --git a/scripts/testroot.py b/scripts/testroot.py
index aac8ebc7..6f959c3f 100755
--- a/scripts/testroot.py
+++ b/scripts/testroot.py
@@ -64,7 +64,6 @@ class issue_pdu(rpki.up_down.issue_pdu):
as, v4, v6 = rpki_issuer.get_3779resources()
req_key = self.pkcs10.getPublicKey()
req_sia = self.pkcs10.get_SIA()
- req_ski = self.pkcs10.get_SKI()
crldp = root_base + rpki_issuer.gSKI() + ".crl"
set_subject_cert(rpki_issuer.issue(keypair = rpki_key,
subject_key = req_key,
diff --git a/scripts/testroot.sh b/scripts/testroot.sh
index 15d5f516..52ee1425 100644
--- a/scripts/testroot.sh
+++ b/scripts/testroot.sh
@@ -10,6 +10,10 @@
openssl=../openssl/openssl/apps/openssl
+# Halt on first error
+
+set -e
+
# Generate new key and cert for testroot.py if needed
if test ! -r testroot.cer -o ! -r testroot.key
@@ -23,13 +27,15 @@ fi
mysql -u rpki -p`awk '$1 == "sql-password" {print $3}' rpkid.conf` rpki <../docs/rpki-db-schema.sql
-# Start rpkid so we can configure it
+# Start rpkid so we can configure it, make sure we shut it down on exit
-python rpkid.py & rpkid=$!
+python rpkid.py &
+rpkid=$!
+trap "kill $rpkid" 0
# Create a self instance
-python irbe-cli.py self --action create
+python irbe-cli.py self --action create --crl_interval 84600
# Create a business signing context, issue the necessary business cert, and set up the cert chain
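Review bot: The new `--crl_interval 84600` is 23.5 hours, which reads like a transposition of 86400 (24 hours); since `generate_manifest` in sql.py computes `nextUpdate = time.time() + self_obj.crl_interval`, this number directly sets how soon the manifest, and presumably the CRL, go stale, so the intent should be confirmed and the value commented, e.g. `--crl_interval 86400  # one day, in seconds`. The `trap "kill $rpkid" 0` line is correct as written: `$rpkid` is expanded when the trap is installed, which is what is wanted here.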
@@ -58,7 +64,3 @@ python irbe-cli.py child --self_id 1 --action create --bsc_id 1 --cms_ta biz-cer
# Need to link irdb to created child. For now, just do this manually in MySQL CLI:
#
# UPDATE registrant SET rpki_self_id = 1, rpki_child_id = 1 WHERE subject_name = "Epilogue Technology Corporation"
-
-# Shut down rpkid
-
-kill $rpkid