4 files changed, 39 insertions, 48 deletions

diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index a8813927..b512d94e 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -264,33 +264,38 @@ class self_elt(data_elt):
   
   def serve_pre_save_hook(self, gctx, q_pdu, r_pdu):
     """Extra server actions for self_elt -- handle extension preferences."""
+    rpki.log.trace()
     if self is not q_pdu:
       if q_pdu.clear_extension_preferences:
         self.prefs = []
-      self.prefs.extend(pdu.prefs)
+      self.prefs.extend(q_pdu.prefs)
 
   def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
     """Extra server actions for self_elt."""
-    if self.rekey:
+    rpki.log.trace()
+    if q_pdu.rekey:
       self.serve_rekey(gctx)
-    if self.reissue:
+    if q_pdu.reissue:
       self.serve_reissue(gctx)
-    if self.revoke:
+    if q_pdu.revoke:
       self.serve_revoke(gctx)
     self.unimplemented_control("run_now", "publish_world_now")
 
   def serve_rekey(self, gctx):
     """Handle a left-right rekey action for this self."""
+    rpki.log.trace()
     for parent in self.parents(gctx):
       parent.serve_rekey(gctx)
 
   def serve_revoke(self, gctx):
     """Handle a left-right revoke action for this self."""
+    rpki.log.trace()
     for parent in self.parents(gctx):
       parent.serve_revoke(gctx)
 
   def serve_reissue(self, gctx):
     """Handle a left-right reissue action for this self."""
+    rpki.log.trace()
     for parent in self.parents(gctx):
       parent.serve_reissue(gctx)
 
@@ -537,11 +542,11 @@ class parent_elt(data_elt):
 
   def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
     """Extra server actions for parent_elt."""
-    if self.rekey:
+    if q_pdu.rekey:
       self.serve_rekey(gctx)
-    if self.reissue:
+    if q_pdu.reissue:
       self.serve_reissue(gctx)
-    if self.revoke:
+    if q_pdu.revoke:
       self.serve_revoke(gctx)
 
   def serve_rekey(self, gctx):
diff --git a/scripts/rpki/log.py b/scripts/rpki/log.py
index aeb0e0d2..1f85f667 100644
--- a/scripts/rpki/log.py
+++ b/scripts/rpki/log.py
@@ -21,14 +21,17 @@ import syslog, traceback
 
 enable_trace = False
 
-def init(ident = "rpki", flags = syslog.LOG_PID | syslog.LOG_PERROR, facility = syslog.LOG_DAEMON, trace = False):
+def init(ident = "rpki", flags = syslog.LOG_PID | syslog.LOG_PERROR, facility = syslog.LOG_DAEMON):
   """Initialize logging system."""
 
+  return syslog.openlog(ident, flags, facility)
+
+def set_trace(trace):
+  """Enable or disable call tracing."""
+
   global enable_trace
   enable_trace = trace
 
-  return syslog.openlog(ident, flags, facility)
-
 class logger(object):
   """Closure for logging."""
 
@@ -38,11 +41,11 @@ class logger(object):
   def __call__(self, message):
     return syslog.syslog(self.priority, message)
 
-error   = logger(syslog.LOG_ERR)
-warning = logger(syslog.LOG_WARNING)
-notice  = logger(syslog.LOG_NOTICE)
-info    = logger(syslog.LOG_INFO)
-debug   = logger(syslog.LOG_DEBUG)
+error = logger(syslog.LOG_ERR)
+warn  = logger(syslog.LOG_WARNING)
+note  = logger(syslog.LOG_NOTICE)
+info  = logger(syslog.LOG_INFO)
+debug = logger(syslog.LOG_DEBUG)
 
 def trace():
   """Execution trace -- where are we now, and whence came we here?"""
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index de18e1f1..92b4c48b 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-import MySQLdb, time, traceback
+import MySQLdb, time
 import rpki.x509, rpki.resource_set, rpki.sundial
 
 def connect(cfg):
@@ -284,7 +284,7 @@ class ca_obj(sql_persistant):
     rc_resources = rc.to_resource_bag()
     cert_map = dict((c.cert.get_SKI(), c) for c in rc.certs)
 
-    for ca_detail in ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND latest_ca_cert IS NOT NULL", (self.ca_id,)):
+    for ca_detail in ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND latest_ca_cert IS NOT NULL AND state != 'revoked'", (self.ca_id,)):
       ski = ca_detail.latest_ca_cert.get_SKI()
       if ca_detail.state in ("pending", "active"):
         current_resources = ca_detail.latest_ca_cert.get_3779resources()
@@ -361,12 +361,6 @@ class ca_obj(sql_persistant):
   def rekey(self, gctx):
     """Initiate a rekey operation for this ca.
 
-    Noone who was at the meeting in Prague 2007 quite remembers why we
-    used this name for this operation, but discussion months later
-    concluded that it corresponds to the rollover operations in
-    Geoff's "Common Management Tasks" document, so that's what this
-    code does, with minor variations.
-
     Tasks:
 
     - Generate a new keypair.
@@ -376,27 +370,10 @@ class ca_obj(sql_persistant):
     - Mark result as our active ca_detail.
 
     - Reissue all child certs issued by this ca using the new ca_detail.
-
-    - Schedule old ca_detail for removal.  Geoff specifies a
-      timer-based method, opinions vary on whether this is ok or we
-      should instead just mark the old ca_detail as deprecated and
-      leave it that way until we receive an explicit trigger from the
-      IRBE.
-
-    - Request revocation of old keypair by parent.
-
-    - Revoke all certs (children, internal use certs like manifest,
-      whatever) issued by the old keypair.
-
-    - Generate a final CRL, signed with the old keypair, listing all
-      the revoked certs, with a next CRL time after the last cert or
-      CRL signed by the old keypair will have expired.
-
-    - Destroy old keypair.
-
-    - Leave final CRL in place until its next CRL time has passed.
     """
 
+    rpki.log.trace()
+
     parent = self.parent(gctx)
     old_detail = self.fetch_active(gctx)
     new_detail = ca_detail_obj.create(gctx, self)
@@ -414,6 +391,8 @@ class ca_obj(sql_persistant):
   def revoke(self, gctx):
     """Revoke deprecated ca_detail objects associated with this ca."""
 
+    rpki.log.trace()
+
     for ca_detail in self.fetch_deprecated(gctx):
       ca_detail.revoke(gctx)
 
@@ -516,6 +495,10 @@ class ca_detail_obj(sql_persistant):
     if r_msg.payload.ski != self.latest_ca_cert.gSKI():
       raise rpki.exceptions.SKIMismatch
 
+    ca = self.ca(gctx)
+    parent = ca.parent(gctx)
+    crl_interval = rpki.sundial.timedelta(seconds = parent.self(gctx).crl_interval)
+
     nextUpdate = rpki.sundial.datetime.utcnow()
 
     if self.latest_manifest is not None:
@@ -524,14 +507,14 @@ class ca_detail_obj(sql_persistant):
     if self.latest_crl is not None:
       nextUpdate = nextUpdate.later(self.latest_crl.getNextUpdate())
 
-    for child_cert in self.chidl_certs(gctx):
+    for child_cert in self.child_certs(gctx):
       nextUpdate = nextUpdate.later(child_cert.cert.getNotAfter())
       child_cert.revoke()
 
-    nextUpdate += rpki.sundial.timedelta(seconds = parent.self(gctx).crl_interval)
+    nextUpdate += crl_interval
 
-    generate_crl(gctx, nextUpdate)
-    generate_manifest(gctx, nextUpdate)
+    self.generate_crl(gctx, nextUpdate)
+    self.generate_manifest(gctx, nextUpdate)
 
     self.private_key_id = None
     self.manifest_private_key_id = None
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index 4d902351..c029e5f3 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -610,11 +610,11 @@ class SignedManifest(DER_object):
 
   def getThisUpdate(self):
     """Get thisUpdate value from this manifest."""
-    return rpki.sundial.datetime.fromGeneralizedTime(self.get_content())
+    return rpki.sundial.datetime.fromGeneralizedTime(self.get_content().thisUpdate.get())
 
   def getNextUpdate(self):
     """Get nextUpdate value from this manifest."""
-    return rpki.sundial.datetime.fromGeneralizedTime(self.get_content())
+    return rpki.sundial.datetime.fromGeneralizedTime(self.get_content().nextUpdate.get())
 
   def verify(self, ta):
     """Verify this manifest."""