Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/rpki/https.py20
-rw-r--r--rpkid/testbed.py29
2 files changed, 29 insertions, 20 deletions
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 60f50909..9bf79474 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -353,6 +353,10 @@ class http_stream(asynchat.async_chat):
except POW.WantWriteError:
self.retry_write = self.close
+ def log_cert(self, tag, x):
+ if debug_tls_certs:
+ self.log("HTTPS %s cert %r issuer %s [%s] subject %s [%s]" % (tag, x, x.getIssuer(), x.hAKI(), x.getSubject(), x.hSKI()))
+
class http_server(http_stream):
parse_type = http_request
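Review bot: The new `log_cert` helper has no docstring, and it is the one place the module-level `debug_tls_certs` flag is now consulted, so a reader of the server/client code cannot tell from the call sites what is logged or under what condition. Suggest `"""Log the issuer and subject names plus AKI/SKI of X.509 cert x, labelled by tag, but only when debug_tls_certs is set."""`. The `%r` of `x` depends on the certificate class's `__repr__`, which is not visible here; if it prints the full DER or PEM body the log line may become very long, worth confirming.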
@@ -366,8 +370,7 @@ class http_server(http_stream):
self.log("cert %r key %r ta %r dynamic_ta %r" % (cert, key, ta, dynamic_ta))
self.tls = POW.Ssl(POW.TLSV1_SERVER_METHOD)
- if debug_tls_certs:
- self.log("HTTPS server cert issuer %s [%s] subject %s [%s]" % (cert.getIssuer(), cert.hAKI(), cert.getSubject(), cert.hSKI()))
+ self.log_cert("server", cert)
self.tls.useCertificate(cert.get_POW())
self.tls.useKey(key.get_POW())
ta = set(dynamic_ta() if dynamic_ta else ta)
@@ -375,9 +378,8 @@ class http_server(http_stream):
if not ta:
raise RuntimeError, "No trust anchor(s) specified, this is unlikely to work"
for x in ta:
- if debug_tls_certs:
- self.log("HTTPS trusted cert issuer %s [%s] subject %s [%s]" % (x.getIssuer(), x.hAKI(), x.getSubject(), x.hSKI()))
- self.tls.trustCertificate(x.get_POW())
+ self.log_cert("trusted", x)
+ self.tls.addTrust(x.get_POW())
self.tls.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
self.tls.setFd(self.fileno())
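Review bot: The replacement of `trustCertificate` with `addTrust` in the trust-anchor loop is not explained anywhere, yet this loop together with the `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` mode on the next line is what decides which peers the server accepts; the client hunk at L44-L61 makes the identical change. Assuming `addTrust` installs `x` as a verification trust anchor as the old call did (the POW side is not in this diff, so that cannot be confirmed here), a one-line comment should record it: `# Every entry of ta becomes a trust anchor for peer verification; the verify mode below rejects any peer without a chain to one of them.`. Since `ta` is a `set`, anchors are added in arbitrary order, which is fine only if `addTrust` is order-independent — also worth confirming against the binding.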
@@ -514,16 +516,14 @@ class http_client(http_stream):
self.set_state("idle")
self.tls = POW.Ssl(POW.TLSV1_CLIENT_METHOD)
- if debug_tls_certs:
- self.log("HTTPS client cert issuer %s [%s] subject %s [%s]" % (self.cert.getIssuer(), self.cert.hAKI(), self.cert.getSubject(), self.cert.hSKI()))
+ self.log_cert("client", self.cert)
self.tls.useCertificate(self.cert.get_POW())
self.tls.useKey(self.key.get_POW())
if not self.ta:
raise RuntimeError, "No trust anchor(s) specified, this is unlikely to work"
for x in self.ta:
- if debug_tls_certs:
- self.log("HTTPS trusted cert issuer %s [%s] subject %s [%s]" % (x.getIssuer(), x.hAKI(), x.getSubject(), x.hSKI()))
- self.tls.trustCertificate(x.get_POW())
+ self.log_cert("trusted", x)
+ self.tls.addTrust(x.get_POW())
self.tls.setVerifyMode(POW.SSL_VERIFY_PEER | POW.SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
self.tls.setFd(self.fileno())
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index 2451a5a7..728ac607 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -809,7 +809,9 @@ class allocation(object):
else:
subprocess.check_call(cmd)
- return rpki.x509.X509(Auto_file = certfile)
+ x = rpki.x509.X509(Auto_file = certfile)
+ rpki.log.debug("Cross certified (%s) issuer %s [%s] subject %s [%s]" % (certfile, x.getIssuer(), x.hAKI(), x.getSubject(), x.hSKI()))
+ return x
def create_rpki_objects(self, cb):
"""
@@ -977,18 +979,25 @@ class allocation(object):
if s.is_root():
rootd_cert = s.cross_certify(rootd_name + "-TA")
- pdus.append(rpki.left_right.parent_elt.make_pdu(action = "create", tag = str(i), self_id = s.self_id, bsc_id = s.bsc_id,
- repository_id = s.repository_id, sia_base = s.sia_base,
- bpki_cms_cert = rootd_cert, bpki_https_cert = rootd_cert, sender_name = s.name, recipient_name = "Walrus",
- peer_contact_uri = "https://localhost:%s/" % rootd_port))
+ pdus.append(rpki.left_right.parent_elt.make_pdu(
+ action = "create", tag = str(i), self_id = s.self_id, bsc_id = s.bsc_id, repository_id = s.repository_id,
+ sia_base = s.sia_base,
+ bpki_cms_cert = rootd_cert,
+ bpki_https_cert = rootd_cert,
+ sender_name = s.name,
+ recipient_name = "Walrus",
+ peer_contact_uri = "https://localhost:%s/" % rootd_port))
else:
parent_cms_cert = s.cross_certify(s.parent.name + "-SELF")
parent_https_cert = s.cross_certify(s.parent.name + "-TA")
- pdus.append(rpki.left_right.parent_elt.make_pdu(action = "create", tag = str(i), self_id = s.self_id, bsc_id = s.bsc_id,
- repository_id = s.repository_id, sia_base = s.sia_base,
- bpki_cms_cert = parent_cms_cert, bpki_https_cert = parent_https_cert,
- sender_name = s.name, recipient_name = s.parent.name,
- peer_contact_uri = "https://localhost:%s/up-down/%s" % (s.parent.get_rpki_port(), s.child_id)))
+ pdus.append(rpki.left_right.parent_elt.make_pdu(
+ action = "create", tag = str(i), self_id = s.self_id, bsc_id = s.bsc_id, repository_id = s.repository_id,
+ sia_base = s.sia_base,
+ bpki_cms_cert = parent_cms_cert,
+ bpki_https_cert = parent_https_cert,
+ sender_name = s.name,
+ recipient_name = s.parent.name,
+ peer_contact_uri = "https://localhost:%s/up-down/%s" % (s.parent.get_rpki_port(), s.child_id)))
assert pdus, "%s has no parents, something is whacked" % self.name