3 files changed, 14 insertions, 1 deletions

diff --git a/rpkid/rpki/exceptions.py b/rpkid/rpki/exceptions.py
index f055cb53..0a8e597a 100644
--- a/rpkid/rpki/exceptions.py
+++ b/rpkid/rpki/exceptions.py
@@ -298,3 +298,11 @@ class NoObjectAtURI(RPKI_Exception):
   """
   No object published at specified URI.
   """
+
+class CMSContentNotSet(RPKI_Exception):
+  """
+  Inner content of a CMS_object has not been set.  If object is known
+  to be valid, the .extract() method should be able to set the
+  content; otherwise, only the .verify() method (which checks
+  signatures) is safe.
+  """
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index 4beb19a3..8c16c886 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -691,6 +691,10 @@ class ca_detail_obj(rpki.sql.sql_persistent):
       self.nextUpdate = rpki.sundial.now()
 
       if self.latest_manifest is not None:
+        try:
+          self.latest_manifest.get_content()
+        except rpki.exceptions.CMSContentNotSet:
+          self.latest_manifest.extract()
         self.nextUpdate = self.nextUpdate.later(self.latest_manifest.getNextUpdate())
 
       if self.latest_crl is not None:
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index d4871011..d609a3b7 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -764,7 +764,8 @@ class CMS_object(DER_object):
     """
     Get the inner content of this CMS_object.
     """
-    assert self.content is not None
+    if self.content is None:
+      raise rpki.exceptions.CMSContentNotSet, "Inner content of CMS object %r is not set" % self
     return self.content
 
   def set_content(self, content):