-rw-r--r--rpkid/rpki/left_right.py20
-rw-r--r--rpkid/rpki/sql.py7
2 files changed, 21 insertions, 6 deletions
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index d3e51685..7d34887b 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -863,9 +863,23 @@ class route_origin_elt(data_elt):
content.exactMatch.set(self.exact_match)
content.ipAddrBlocks.set((a.to_roa_tuple() for a in (self.v4, self.v6) if a))
- # Ok, if I've remembered the ASN.1 encoder voodoo correctly,
- # content.toString() is now the eContent value for the CMS wrapper.
- # Next task is to figure out what cert is signing this....
+ # Current ROA spec urges one-off EE certs, so we need to generate
+ # a new keypair, issue an EE cert using our ca_detail, and use
+ # that cert to sign the CMS. See
+ # ca_detail_obj.generate_manifest() for details, may want to
+ # refactor it to share code.
+
+ keypair = rpki.x509.RSA()
+ keypair.generate()
+
+ # ... and then a miracle occurs ...
+
+ self.roa = rpki.cms.sign(content.toString(), keypair, cert)
+ self.sql_mark_dirty()
+
+ # Publish the ROA somewhere around here. If we implemented the
+ # suppress_publication attribute and it were set, we'd skip this
+ # step, but we don't, so we don't.
raise rpki.exceptions.NotImplementedYet
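Review bot: `cert` on the new line `self.roa = rpki.cms.sign(content.toString(), keypair, cert)` is never bound anywhere in this hunk — the "... and then a miracle occurs ..." placeholder stands where the EE certificate would be issued — so as written the method dies with NameError before it reaches `raise rpki.exceptions.NotImplementedYet`, and `self.sql_mark_dirty()` sits on a path that cannot currently complete. Until the EE-cert issuance exists I'd move `raise rpki.exceptions.NotImplementedYet` up to directly after `keypair.generate()` (or bind `cert` explicitly from the issuance call), so the stub fails the intended way rather than on an unbound name. The comment block above would also benefit from one line stating that the freshly generated keypair exists only to sign this one CMS and is presumably not to be persisted, which is what the one-off EE cert design described there implies — worth confirming against the eventual implementation. The enclosing method begins outside the hunk.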
diff --git a/rpkid/rpki/sql.py b/rpkid/rpki/sql.py
index 022e4dd5..1fafadad 100644
--- a/rpkid/rpki/sql.py
+++ b/rpkid/rpki/sql.py
@@ -572,7 +572,7 @@ class ca_detail_obj(sql_persistant):
self.latest_manifest_cert = self.latest_ca_cert.issue(
keypair = self.private_key_id,
subject_key = self.manifest_public_key,
- serial = ca.next_manifest_number(),
+ serial = ca.next_serial_number(),
sia = None,
aia = self.ca_cert_uri,
crldp = self.crl_uri(ca),
@@ -665,14 +665,15 @@ class ca_detail_obj(sql_persistant):
if nextUpdate is None:
nextUpdate = now + crl_interval
- certs = self.child_certs(gctx)
+ certs = [(c.uri_tail(), c.cert) for c in self.child_certs(gctx)]
+ roas = [(r.uri_tail(), r.roa) for r in self.route_origins(gctx) if r is not None]
m = rpki.x509.SignedManifest()
m.build(
serial = ca.next_manifest_number(),
thisUpdate = now,
nextUpdate = nextUpdate,
- names_and_objs = [(c.uri_tail(), c.cert) for c in certs],
+ names_and_objs = certs + roas,
keypair = self.manifest_private_key_id,
certs = rpki.x509.X509_chain(self.latest_manifest_cert))
self.latest_manifest = m
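Review bot: The filter `if r is not None` on the new `roas = ...` line tests the route_origin object, not its `.roa`, so a route_origin whose ROA has not been signed yet (in left_right.py the same commit only assigns `self.roa` once `rpki.cms.sign` has run) would contribute a `(uri_tail, None)` pair to `names_and_objs` and the manifest build would be handed a None object; presumably `self.route_origins(gctx)` never yields None itself, so the current test is a no-op. I'd change it to `roas = [(r.uri_tail(), r.roa) for r in self.route_origins(gctx) if r.roa is not None]`, assuming unsigned route_origins carry `roa = None` — confirm against the class definition. The enclosing method (ca_detail_obj.generate_manifest, going by the comment in left_right.py) starts before and ends after this hunk.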