-rw-r--r--rpkid/rpki/rpkid.py43
1 files changed, 29 insertions, 14 deletions
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index 01f58b86..76b3c81a 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -768,17 +768,23 @@ class ca_detail_obj(rpki.sql.sql_persistent):
self.state = "active"
self.generate_crl(publisher = publisher)
self.generate_manifest(publisher = publisher)
- self.sql_mark_dirty()
+ self.sql_store()
if predecessor is not None:
predecessor.state = "deprecated"
- predecessor.sql_mark_dirty()
+ predecessor.sql_store()
for child_cert in predecessor.child_certs:
child_cert.reissue(ca_detail = self, publisher = publisher)
for roa in predecessor.roas:
roa.regenerate(publisher = publisher)
# Need to do something to regenerate ghostbusters here?
+ # Yes, I suspect so, since presumably we want the ghostbuster to
+ # be issued by the new ca_detail at this point. But check code.
+
+ if predecessor.ghostbusters:
+ rpki.log.warn("Probably should be regenerating Ghostbusters %r here" % ghostbuster)
+
publisher.call_pubd(callback, errback)
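Review bot: The warning added under `if predecessor.ghostbusters:` formats a name, `ghostbuster`, that is bound nowhere in this hunk — the only loop variables here are `child_cert` and `roa` — so the branch raises NameError the first time a predecessor actually has ghostbusters, which is exactly the case it is meant to flag. Format the collection that was just tested, `rpki.log.warn("Probably should be regenerating Ghostbusters %r here" % predecessor.ghostbusters)`, or iterate it the way the ROAs are iterated two lines above. Until the regeneration the comment asks for is written, a ghostbuster issued under the now-deprecated ca_detail presumably stays published after the call_pubd below, so the warning is worth keeping working. The enclosing method begins before this hunk.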
@@ -847,6 +853,8 @@ class ca_detail_obj(rpki.sql.sql_persistent):
if r_msg.payload.ski != self.latest_ca_cert.gSKI():
raise rpki.exceptions.SKIMismatch
+ rpki.log.debug("Parent revoked %s, starting cleanup" % self.latest_ca_cert.gSKI())
+
crl_interval = rpki.sundial.timedelta(seconds = parent.self.crl_interval)
nextUpdate = rpki.sundial.now()
@@ -886,6 +894,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
self.sql_mark_dirty()
publisher.call_pubd(cb, eb)
+ rpki.log.debug("Asking parent to revoke CA certificate %s" % self.latest_ca_cert.gSKI())
rpki.up_down.revoke_pdu.query(ca, self.latest_ca_cert.gSKI(), parent_revoked, eb)
def update(self, parent, ca, rc, sia_uri_changed, old_resources, callback, errback):
@@ -968,8 +977,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
containing the newly issued cert.
"""
- assert child_cert is None or (child_cert.child_id == child.child_id and
- child_cert.ca_detail_id == self.ca_detail_id)
+ assert child_cert is None or child_cert.child_id == child.child_id
cert = self.latest_ca_cert.issue(
keypair = self.private_key_id,
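Review bot: The docstring that ends just above the relaxed assert (it begins outside the hunk) still describes child_cert without saying that an object issued by a different ca_detail is now accepted; dropping the `child_cert.ca_detail_id == self.ca_detail_id` conjunct is only safe because of the later `child_cert.ca_detail_id = self.ca_detail_id` assignment in the next hunk. Suggest adding to the docstring: `child_cert, if given, may belong to another ca_detail; it is re-homed to this ca_detail and its cert replaced in place.` Note that the assert is the only check of the child_id contract and is stripped under -O, which matches the file's existing style but is worth knowing for a caller-facing precondition.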
@@ -990,6 +998,7 @@ class ca_detail_obj(rpki.sql.sql_persistent):
rpki.log.debug("Created new child_cert %r" % child_cert)
else:
child_cert.cert = cert
+ child_cert.ca_detail_id = self.ca_detail_id
rpki.log.debug("Reusing existing child_cert %r" % child_cert)
child_cert.ski = cert.get_SKI()
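Review bot: Re-homing a reused child_cert with `child_cert.ca_detail_id = self.ca_detail_id` replaces its cert and ski in place, but nothing in this hunk revokes or withdraws the certificate the previous ca_detail issued for it; if the publication URI differs between the two ca_details, the old object would apparently remain published under the deprecated issuer. The same reuse is now chosen in child_cert_obj.reissue, where `child_cert = None if must_revoke else self` no longer forces a fresh object on an issuer change. If that revocation happens further down this method (it continues past the hunk) or in the caller, a one-line comment at the assignment naming where would save the next reader the search; otherwise the issuer-change case in reissue probably still needs the must_revoke treatment it had before.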
@@ -1212,7 +1221,7 @@ class child_cert_obj(rpki.sql.sql_persistent):
needed = True
if ca_detail != old_ca_detail:
- rpki.log.debug("Issuer changed for %r" % self)
+ rpki.log.debug("Issuer changed for %r %s" % (self, self.uri))
needed = True
must_revoke = old_resources.oversized(resources) or old_resources.valid_until > resources.valid_until
@@ -1220,11 +1229,6 @@ class child_cert_obj(rpki.sql.sql_persistent):
rpki.log.debug("Must revoke any existing cert(s) for %r" % self)
needed = True
- new_issuer = ca_detail != old_ca_detail
- if new_issuer:
- rpki.log.debug("Issuer changed for %r" % self)
- needed = True
-
if resources.valid_until != old_resources.valid_until:
rpki.log.debug("Validity changed for %r: %s %s" % (self, old_resources.valid_until, resources.valid_until))
needed = True
@@ -1250,7 +1254,7 @@ class child_cert_obj(rpki.sql.sql_persistent):
subject_key = self.cert.getPublicKey(),
sia = sia,
resources = resources,
- child_cert = None if must_revoke or new_issuer else self,
+ child_cert = None if must_revoke else self,
publisher = publisher)
rpki.log.debug("New child_cert %r uri %s" % (child_cert, child_cert.uri))
@@ -1501,10 +1505,12 @@ class roa_obj(rpki.sql.sql_persistent):
ca_detail = self.ca_detail
if ca_detail is None or ca_detail.state != "active" or ca_detail.has_expired():
+ rpki.log.debug("Searching for new ca_detail for ROA %r" % self)
ca_detail = None
for parent in self.self.parents:
for ca in parent.cas:
ca_detail = ca.active_ca_detail
+ assert ca_detail is None or ca_detail.state == "active"
if ca_detail is not None and not ca_detail.has_expired():
resources = ca_detail.latest_ca_cert.get_3779resources()
if v4.issubset(resources.v4) and v6.issubset(resources.v6):
@@ -1512,10 +1518,15 @@ class roa_obj(rpki.sql.sql_persistent):
ca_detail = None
if ca_detail is not None:
break
+ else:
+ rpki.log.debug("Keeping old ca_detail for ROA %r" % self)
if ca_detail is None:
raise rpki.exceptions.NoCoveringCertForROA, "Could not find a certificate covering %r" % self
+ rpki.log.debug("Using new ca_detail %r for ROA %r, ca_detail_state %s" % (
+ ca_detail, self, ca_detail.state))
+
ca = ca_detail.ca
resources = rpki.resource_set.resource_bag(v4 = v4, v6 = v6)
keypair = rpki.x509.RSA.generate()
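Review bot: The new "Using new ca_detail %r for ROA %r" debug line sits after the whole search block, so as far as the flattened indentation lets one tell it also fires right after the new `else:` branch has logged "Keeping old ca_detail for ROA %r" — two contradictory messages for the same call. Either move it into the search branch after the NoCoveringCertForROA check, or drop the word "new": `rpki.log.debug("Using ca_detail %r for ROA %r, ca_detail_state %s" % (ca_detail, self, ca_detail.state))`. The added `assert ca_detail is None or ca_detail.state == "active"` in the previous hunk documents the active_ca_detail invariant the state field in this message relies on; it is stripped under -O, which is fine for an internal invariant but means the message is the only trace in production.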
@@ -1535,6 +1546,7 @@ class roa_obj(rpki.sql.sql_persistent):
if not fast:
ca_detail.generate_manifest(publisher = publisher)
+
def published_callback(self, pdu):
"""
Check publication result.
@@ -1564,8 +1576,8 @@ class roa_obj(rpki.sql.sql_persistent):
roa = self.roa
uri = self.uri
- if ca_detail.state != 'active':
- self.ca_detail_id = None
+ rpki.log.debug("Regenerating ROA %r, ca_detail %r state is %s" % (
+ self, ca_detail, ca_detail.state))
if regenerate:
self.generate(publisher = publisher, fast = fast)
@@ -1574,7 +1586,10 @@ class roa_obj(rpki.sql.sql_persistent):
rpki.rpkid.revoked_cert_obj.revoke(cert = cert, ca_detail = ca_detail)
publisher.withdraw(cls = rpki.publication.roa_elt, uri = uri, obj = roa, repository = ca_detail.ca.parent.repository,
handler = False if allow_failure else None)
- self.sql_mark_deleted()
+
+ if not regenerate:
+ self.sql_mark_deleted()
+
if not fast:
ca_detail.generate_crl(publisher = publisher)
ca_detail.generate_manifest(publisher = publisher)