http.manage: Do not prune expired certificates from ca table.

Because this is not the job of an import/export tool.

http.manage: Do not prune expired certificates from ca table.
Because this is not the job of an import/export tool.
3f04238d · Vincent Pelletier · 7a7d0383 · 3f04238d · 3f04238d
Commit 3f04238d authored Feb 02, 2021 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 9 deletions

caucase/http.py caucase/http.py +2 -2

caucase/storage.py caucase/storage.py +8 -7

No files found.
--- a/caucase/http.py
+++ b/caucase/http.py
@@ -1114,7 +1114,7 @@ def manage(argv=None, stdout=sys.stdout):
    db = SQLite3Storage(db_path, table_prefix='cas')
    trusted_ca_crt_set = [
      utils.load_ca_certificate(x['crt_pem'])
-      for x in db.getCAKeyPairList()
+      for x in db.getCAKeyPairList(prune=False)
    ]
    latest_ca_not_after = max(
      x.not_valid_after
@@ -1159,7 +1159,7 @@ def manage(argv=None, stdout=sys.stdout):
      for key_pair in SQLite3Storage(
        db_path,
        table_prefix='cas',
-      ).getCAKeyPairList():
+      ).getCAKeyPairList(prune=False):
        write(
          key_pair['crt_pem'] + serialization.load_pem_private_key(
            key_pair['key_pem'],

--- a/caucase/storage.py
+++ b/caucase/storage.py
@@ -215,19 +215,20 @@ class SQLite3Storage(local):
    except sqlite3.IntegrityError:
      pass

-  def getCAKeyPairList(self):
+  def getCAKeyPairList(self, prune=True):
    """
    Return the chronologically sorted (oldest in [0], newest in [-1])
    certificate authority key pairs.
    """
    with self._db as db:
      c = db.cursor()
-      c.execute(
-        'DELETE FROM %sca WHERE expiration_date < ?' % (
-          self._table_prefix,
-        ),
-        (time(), ),
-      )
+      if prune:
+        c.execute(
+          'DELETE FROM %sca WHERE expiration_date < ?' % (
+            self._table_prefix,
+          ),
+          (time(), ),
+        )
      return [
        {
          'crt_pem': toBytes(x['crt']),