Diffstat (limited to 'scripts')
-rw-r--r--scripts/rpki/sql.py41
-rw-r--r--scripts/rpki/x509.py9
2 files changed, 46 insertions, 4 deletions
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index 891c7662..8dee06f9 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -420,20 +420,53 @@ class ca_detail_obj(sql_persistant):
child_cert.cert = cert
return child_cert
- def generate_crl(self):
+ def generate_crl(self, gctx):
"""Generate a new CRL for this ca_detail. At the moment this is
unconditional, that is, it is up to the caller to decide whether a
new CRL is needed.
"""
+ ca = ca_obj.sql_fetch(gctx, self.ca_id)
+ self_obj = rpki.left_right.self_elt.sql_fetch_where1(gctx, """
+ self.self_id = parent.self_id AND
+ parent.parent_id = %s
+ """ % ca.parent_id)
+ now = time.time()
+ then = now + self_obj.crl_interval
+ certs = []
+ for cert in child_cert_obj.sql_fetch_where(gctx, """
+ child_cert.ca_detail_id = %s AND
+ child_cert.revoked IS NOT NULL
+ """ % self.ca_detail_id):
+ raise rpki.exceptions.NotImplementedYet
+ # Extract expiration time, figure out whether we still need to list this cert.
+ # If not, delete it from child_cert table. Otherwise, we need to include this
+ # cert, so: extract serial and revocation time, convert date to format
+ # POW.pkix wants, and add to serial and revocation time to certs[] list.
+ # Tuple of the form (serial, ("generalTime", timestamp), ())
+
+ # Sort certs[] into serial order? Not sure it's necessary, but should be simple and harmless.
+
+ # Stuff result into crl structure
+
+ crl = rpki.x509.CRL()
+
+ # Sign crl
+
raise rpki.exceptions.NotImplementedYet
def generate_manifest(self, gctx):
"""Generate a new manifest for this ca_detail."""
ca = ca_obj.sql_fetch(gctx, self.ca_id)
- self_obj = rpki.left_right.self_elt.sql_fetch_where1(gctx, "self.self_id = parent.self_id AND parent.parent_id = %s" % ca.parent_id)
- certs = child_cert_obj.sql_fetch_where(gctx, "child_cert.ca_detail_id = %s AND NOT child_cert.revoked" % self.ca_detail_id)
+ self_obj = rpki.left_right.self_elt.sql_fetch_where1(gctx, """
+ self.self_id = parent.self_id AND
+ parent.parent_id = %s
+ """ % ca.parent_id)
+ certs = child_cert_obj.sql_fetch_where(gctx, """
+ child_cert.ca_detail_id = %s AND
+ child_cert.revoked IS NULL
+ """ % self.ca_detail_id)
m = rpki.x509.SignedManifest()
m.build(serial = ca.next_manifest(),
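Review bot: The WHERE clauses in generate_crl (the self_obj lookup and the revoked-cert loop) and in generate_manifest (the self_obj and certs lookups) still splice ca.parent_id and self.ca_detail_id into the SQL text with %-formatting; the commit only reflows them onto several lines. If sql_fetch_where and sql_fetch_where1 can forward DB-API query parameters, pass them as such, e.g. `"... parent.parent_id = %s", (ca.parent_id,)` instead of `% ca.parent_id`, so the query text stays constant and the driver handles quoting; even with integer ids this keeps the pattern from being copied to string columns later. Inside the loop the `raise rpki.exceptions.NotImplementedYet` sits above the explanatory comments and fires on the first revoked row, so `then` and `crl` are dead until the stub is filled in; a `# TODO: remove once the loop body below is implemented` on that raise would make the intent explicit. generate_manifest's body continues past the end of the hunk.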
@@ -455,7 +488,7 @@ class child_cert_obj(sql_persistant):
self.child_id = child_id
self.ca_detail_id = ca_detail_id
self.cert = cert
- self.revoked = False
+ self.revoked = None
if child_id or ca_detail_id or cert:
self.sql_mark_dirty()
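Review bot: `self.revoked = None` changes the attribute from a boolean flag to a nullable value, and the queries in the sql.py hunk above now test it with IS NULL / IS NOT NULL, but nothing in __init__ records what a non-None value holds. A comment such as `# revoked: None (SQL NULL) while the cert is valid; set when it is revoked` would document the contract; the generate_crl stub's comment speaks of extracting a revocation time, which suggests a timestamp is intended — confirm before the CRL code depends on it. __init__ begins outside the hunk.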
diff --git a/scripts/rpki/x509.py b/scripts/rpki/x509.py
index a663cdca..4c32c7fd 100644
--- a/scripts/rpki/x509.py
+++ b/scripts/rpki/x509.py
@@ -243,6 +243,10 @@ class X509(DER_object):
"""Get the expiration time of this certificate."""
return POW.pkix.utc2time(self.get_POW().getNotAfter())
+ def getSerial(self):
+ """Get the serial number of this certificate."""
+ return self.get_POW().getSerial()
+
def getPublicKey(self):
"""Extract the public key from this certificate."""
return RSApublic(DER = self.get_POWpkix().tbs.subjectPublicKeyInfo.toString())
@@ -639,3 +643,8 @@ class CRL(DER_object):
crl.fromString(self.get_DER())
self.POWpkix = crl
return self.POWpkix
+
+ def build(self, serial, nextUpdate, names_and_objs, version = 0):
+ crl = POW.pkix.CertificateList()
+ raise rpki.exceptions.NotImplementedYet
+ self.set(POWpkix = crl)
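Review bot: `build` defaults `version` to 0; if that value is written straight into the CertificateList version field it encodes an X.509 v1 CRL, whereas RFC 5280 requires v2 (integer value 1) whenever extensions are present, and the RPKI profile mandates the CRL number and authority key identifier extensions — consider `version = 1` as the default, or a comment explaining why 0 is correct for POW.pkix. The method also lacks a docstring, unlike the neighbouring getSerial; one line each for serial, nextUpdate and names_and_objs (presumably the (serial, revocation time, extensions) tuples assembled in generate_crl) would cover it. `self.set(POWpkix = crl)` is unreachable behind the NotImplementedYet raise, which is fine for a stub but deserves a `# TODO` so it is not mistaken for finished code.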