-rw-r--r--rpkid/rpki/rpkid.py14
-rw-r--r--rpkid/rpki/rpkid_tasks.py10
2 files changed, 20 insertions, 4 deletions
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index c9e5bee2..d4f8aeef 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -540,6 +540,7 @@ class ca_obj(rpki.sql.sql_persistent):
sia_uri = self.construct_sia_uri(parent, rc)
sia_uri_changed = self.sia_uri != sia_uri
if sia_uri_changed:
+ rpki.log.debug("SIA changed: was %s now %s" % (self.sia_uri, sia_uri))
self.sia_uri = sia_uri
self.sql_mark_dirty()
@@ -584,6 +585,11 @@ class ca_obj(rpki.sql.sql_persistent):
callback = iterator,
errback = eb)
+ if ca_detail.state == "active" and ca_detail.ca_cert_uri != rc.cert_url.rsync():
+ rpki.log.debug("AIA changed: was %s now %s" % (ca_detail.ca_cert_uri, rc.cert_url.rsync()))
+ ca_detail.ca_cert_uri = rc.cert_url.rsync()
+ ca_detail.sql_mark_dirty()
+
iterator()
def done():
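Review bot: The added block evaluates `rc.cert_url.rsync()` three times and writes the result to `ca_detail.ca_cert_uri` without checking that it is non-empty. The value presumably comes from the parent's resource-class response, and what `rsync()` returns when no rsync URI is present is not visible in this hunk; if it can be None or empty, that value would be persisted and then feed the new AIA comparisons in child_cert_obj and UpdateChildrenTask. Binding it once with `new_aia = rc.cert_url.rsync()` and guarding with `if new_aia and ca_detail.state == "active" and ca_detail.ca_cert_uri != new_aia:` would avoid that. The enclosing function starts outside the hunk, so whether an earlier return path skips this update cannot be confirmed here.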
@@ -1526,6 +1532,7 @@ class child_cert_obj(rpki.sql.sql_persistent):
old_resources = self.cert.get_3779resources()
old_sia = self.cert.get_SIA()
+ old_aia = self.cert.get_AIA()
old_ca_detail = self.ca_detail
needed = False
@@ -1543,7 +1550,8 @@ class child_cert_obj(rpki.sql.sql_persistent):
needed = True
if resources.valid_until != old_resources.valid_until:
- rpki.log.debug("Validity changed for %r: old %s new %s" % (self, old_resources.valid_until, resources.valid_until))
+ rpki.log.debug("Validity changed for %r: old %s new %s" % (
+ self, old_resources.valid_until, resources.valid_until))
needed = True
if sia != old_sia:
@@ -1554,6 +1562,10 @@ class child_cert_obj(rpki.sql.sql_persistent):
rpki.log.debug("Issuer changed for %r %s: old %r new %r" % (self, self.uri, old_ca_detail, ca_detail))
needed = True
+ if ca_detail.ca_cert_uri != old_aia:
+ rpki.log.debug("AIA changed for %r %s: old %r new %r" % (self, self.uri, old_aia, ca_detail.ca_cert_uri))
+ needed = True
+
must_revoke = old_resources.oversized(resources) or old_resources.valid_until > resources.valid_until
if must_revoke:
rpki.log.debug("Must revoke any existing cert(s) for %r" % self)
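Review bot: The test `ca_detail.ca_cert_uri != old_aia` compares a single URI with whatever `get_AIA()` returns, and that return type is not visible on this page. If `get_AIA()` yields a sequence of URIs, or None when the extension is absent, rather than one string, the test is always true and every pass sets `needed = True`, reissuing child certificates continuously and churning publication. The same comparison appears as `old_aia != new_aia` in the two UpdateChildrenTask hunks in rpkid_tasks.py, with `old_aia` assigned in the preceding child_cert_obj hunk. Reducing the `get_AIA()` result to the single rsync URI at assignment, with a comment stating the expected type, would make the comparison checkable. The enclosing method extends beyond the hunk.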
diff --git a/rpkid/rpki/rpkid_tasks.py b/rpkid/rpki/rpkid_tasks.py
index 1811967b..8c8f4d84 100644
--- a/rpkid/rpki/rpkid_tasks.py
+++ b/rpkid/rpki/rpkid_tasks.py
@@ -274,6 +274,8 @@ class UpdateChildrenTask(AbstractTask):
if ca_detail.state == "active":
old_resources = child_cert.cert.get_3779resources()
new_resources = old_resources & irdb_resources & ca_detail.latest_ca_cert.get_3779resources()
+ old_aia = child_cert.cert.get_AIA()
+ new_aia = ca_detail.ca_cert_uri
if new_resources.empty():
rpki.log.debug("Resources shrank to the null set, "
@@ -283,9 +285,11 @@ class UpdateChildrenTask(AbstractTask):
ca_detail.generate_crl(publisher = self.publisher)
ca_detail.generate_manifest(publisher = self.publisher)
- elif old_resources != new_resources or (old_resources.valid_until < self.rsn and
- irdb_resources.valid_until > self.now and
- old_resources.valid_until != irdb_resources.valid_until):
+ elif (old_resources != new_resources or
+ old_aia != new_aia or
+ (old_resources.valid_until < self.rsn and
+ irdb_resources.valid_until > self.now and
+ old_resources.valid_until != irdb_resources.valid_until)):
rpki.log.debug("Need to reissue child %s certificate SKI %s" % (
self.child.child_handle, child_cert.cert.gSKI()))