Diffstat (limited to 'scripts/rpki')
-rw-r--r--scripts/rpki/sql.py4
-rw-r--r--scripts/rpki/up_down.py16
2 files changed, 11 insertions, 9 deletions
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index 6fabc88d..228960f6 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -508,7 +508,9 @@ class child_cert_obj(sql_persistant):
def revoke(self):
"""Mark a child cert as revoked."""
- self.revoked = True
+ if not self.revoked:
+ self.revoked = True
+ self.sql_mark_dirty()
def reissue(self, gctx, ca_detail, resources, sia):
"""Reissue an existing cert, reusing the public key. If the cert
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 82852bac..777743cf 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -341,14 +341,14 @@ class revoke_pdu(revoke_syntax):
if not self.class_name.isdigit():
raise rpki.exceptions.BadClassNameSyntax, "Bad class name %s" % self.class_name
ca_id = long(self.class_name)
- ca = rpki.sql.ca_obj.sql_fetch(gctx, ca_id)
- ca_detail = rpki.sql.ca_detail_obj.sql_fetch_active(gctx, ca_id)
- if ca is None or ca_detail is None:
- raise rpki.exceptions.NotInDatabase
- for c in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
- child_id = %s AND ca_detail_id = %s AND ski = "%s"
- """ % (child.child_id, ca_detail.ca_detail_id, self.get_SKI())):
- c.sql_delete()
+ ski = self.get_SKI()
+ for ca_detail in rpki.sql.ca_detail_obj.sql_fetch_where(gctx, """
+ ca_id = %s AND state != 'revoked'""" % ca_id):
+ for child_cert in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
+ child_id = %s AND ca_detail_id = %s AND ski = '%s'
+ """ % (child.child_id, ca_detail.ca_detail_id, ski)):
+ child_cert.revoke()
+ rpki.sql.sql_sweep(gctx)
r_msg.payload = revoke_response_pdu()
r_msg.payload.class_name = self.class_name
r_msg.payload.ski = self.ski
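Review bot: The SKI taken from the revoke request is spliced into the WHERE clause with `%` formatting (`ski = '%s'`), so the query is only safe if `get_SKI()` can never return a quote character, and that method is not visible in this hunk. If `sql_fetch_where` can take bound parameters, pass `child.child_id`, `ca_detail.ca_detail_id` and `ski` that way; otherwise, once the encoding is confirmed, record it above the query with a comment such as `# get_SKI() returns an encoded digest; it cannot contain quotes`. Separately, with the `NotInDatabase` check removed, a request whose class name or SKI matches nothing now reaches `revoke_response_pdu()` without any certificate being revoked, so the zero-match case should probably be rejected or at least logged. The enclosing method starts and ends outside the hunk.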