-rw-r--r--rpkid/cronjob.py2
-rwxr-xr-xrpkid/irbe-cli.py2
-rw-r--r--rpkid/irbe-setup.py4
-rwxr-xr-xrpkid/irdbd.py2
-rwxr-xr-xrpkid/rootd.py2
-rw-r--r--rpkid/rpki/gctx.py6
-rw-r--r--rpkid/rpki/https.py13
-rw-r--r--rpkid/rpki/left_right.py2
-rw-r--r--rpkid/testbed.py4
-rw-r--r--rpkid/testpoke.py6
10 files changed, 18 insertions, 25 deletions
diff --git a/rpkid/cronjob.py b/rpkid/cronjob.py
index 65056c40..a2ec17a1 100644
--- a/rpkid/cronjob.py
+++ b/rpkid/cronjob.py
@@ -42,6 +42,6 @@ cfg = rpki.config.parser(cfg_file, "cronjob")
print rpki.https.client(client_key = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
client_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")),
- server_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")),
+ server_ta = rpki.x509.X509(Auto_file = cfg.get("https-ta")),
url = cfg.get("https-url"),
msg = "Please run cron now.")
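Review bot: Switching `https-ta` from `cfg.multiget` to `cfg.get` changes the configuration contract with no migration note visible in the commit: a deployment that listed several HTTPS trust anchors will now load only one, and how `cfg.get` treats the remaining entries cannot be seen from here. The same change is made in irbe-cli.py, irbe-setup.py, irdbd.py and rootd.py, and in rpki/gctx.py for `https-ta-irdb` and `https-ta-irbe`. I would add a comment at each site, e.g. `# exactly one HTTPS trust anchor is loaded; multiple https-ta entries are no longer supported`, and update the sample configuration to match. The statement begins at the hunk's first context line, so the rest of the script is outside this view.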
diff --git a/rpkid/irbe-cli.py b/rpkid/irbe-cli.py
index 033ea1d3..786d6c98 100755
--- a/rpkid/irbe-cli.py
+++ b/rpkid/irbe-cli.py
@@ -183,7 +183,7 @@ q_cms = rpki.cms.sign(q_xml,
r_cms = rpki.https.client(client_key = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
client_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")),
- server_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")),
+ server_ta = rpki.x509.X509(Auto_file = cfg.get("https-ta")),
url = cfg.get("https-url"),
msg = q_cms)
diff --git a/rpkid/irbe-setup.py b/rpkid/irbe-setup.py
index d34debbe..d3170bfa 100644
--- a/rpkid/irbe-setup.py
+++ b/rpkid/irbe-setup.py
@@ -37,7 +37,7 @@ cms_key = rpki.x509.RSA( Auto_file = cfg.get( "cms-key"))
cms_ta = rpki.x509.X509( Auto_file = cfg.get( "cms-ta"))
https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
https_key = rpki.x509.RSA( Auto_file = cfg.get( "https-key"))
-https_tas = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta"))
+https_ta = rpki.x509.X509( Auto_file = cfg.get( "https-ta"))
https_url = cfg.get( "https-url")
def call_rpkid(pdu):
@@ -55,7 +55,7 @@ def call_rpkid(pdu):
raise
elt = rpki.cms.xml_verify(der = rpki.https.client(client_key = https_key,
client_certs = https_certs,
- server_ta = https_tas,
+ server_ta = https_ta,
url = https_url,
msg = rpki.cms.xml_sign(elt = elt,
key = cms_key,
diff --git a/rpkid/irdbd.py b/rpkid/irdbd.py
index 5b8c72a3..09b1685e 100755
--- a/rpkid/irdbd.py
+++ b/rpkid/irdbd.py
@@ -126,7 +126,7 @@ assert u.scheme in ("", "https") and \
rpki.https.server(server_key = rpki.x509.RSA(Auto_file = cfg.get("https-key")),
server_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert")),
- client_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta")),
+ client_ta = rpki.x509.X509(Auto_file = cfg.get("https-ta")),
host = u.hostname or "localhost",
port = u.port or 443,
handlers = ((u.path, handler),))
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
index 9e2991ac..ba767917 100755
--- a/rpkid/rootd.py
+++ b/rpkid/rootd.py
@@ -179,9 +179,9 @@ cms_ta = rpki.x509.X509(Auto_file = cfg.get("cms-ta"))
cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
+https_ta = rpki.x509.X509(Auto_file = cfg.get("https-ta"))
https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
-https_ta = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta"))
https_server_host = cfg.get("server-host", "")
https_server_port = int(cfg.get("server-port"))
diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
index 9be163de..d0d3d2c4 100644
--- a/rpkid/rpki/gctx.py
+++ b/rpkid/rpki/gctx.py
@@ -41,10 +41,10 @@ class global_context(object):
self.cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
self.cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
+ self.https_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("https-ta-irdb"))
+ self.https_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("https-ta-irbe"))
self.https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
self.https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
- self.https_ta_irdb = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta-irdb"))
- self.https_ta_irbe = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta-irbe"))
self.irdb_url = cfg.get("irdb-url")
@@ -190,7 +190,7 @@ class global_context(object):
children = rpki.left_right.child_elt.sql_fetch_all(self)
certs = [c.peer_biz_cert for c in children if c.peer_biz_cert is not None] + \
[c.peer_biz_glue for c in children if c.peer_biz_glue is not None] + \
- self.https_ta_irbe
+ [ self.https_ta_irbe ]
for x in certs:
if rpki.https.debug_tls_certs:
rpki.log.debug("HTTPS dynamic trust anchor %s" % x.getSubject())
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index f73667b2..db94e721 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -38,17 +38,16 @@ rpki_content_type = "application/x-rpki"
class Checker(tlslite.api.Checker):
"""Derived class to handle X.509 client certificate checking."""
- def __init__(self, trust_anchors = None, dynamic_x509store = None):
+ def __init__(self, trust_anchor = None, dynamic_x509store = None):
"""Initialize our modified certificate checker."""
self.dynamic_x509store = dynamic_x509store
if dynamic_x509store is None:
self.x509store = POW.X509Store()
- for x in trust_anchors:
- if debug_tls_certs:
- rpki.log.debug("HTTPS trust anchor %s" % x.getSubject())
- self.x509store.addTrust(x.get_POW())
+ if debug_tls_certs:
+ rpki.log.debug("HTTPS trust anchor %s" % trust_anchor.getSubject())
+ self.x509store.addTrust(trust_anchor.get_POW())
elif debug_tls_certs:
rpki.log.debug("HTTPS dynamic trust anchors")
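Review bot: `trust_anchor` still defaults to `None`, yet the static-store branch now dereferences it unconditionally (`trust_anchor.getSubject()`, `trust_anchor.get_POW()`), so a caller that supplies neither argument gets an AttributeError instead of a clear configuration error. That fails closed, which is the right direction for a TLS peer checker, but an explicit guard at the top of the branch states the requirement: `if trust_anchor is None: raise ValueError("HTTPS trust anchor required when no dynamic store is given")`. The block removed from testpoke.py tolerated a `None` `https_ta`, so that script looks likely to reach this branch with `None`. Indentation is not preserved on this page, so please also confirm that `self.x509store.addTrust(...)` sits outside the `if debug_tls_certs:` block; otherwise the anchor would only be installed when debugging is on. `__init__` may continue past the end of the hunk.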
@@ -92,7 +91,7 @@ class httpsClient(tlslite.api.HTTPTLSConnection):
self, host = host, port = port, settings = settings,
certChain = client_certs, privateKey = client_key)
- self.checker = Checker(trust_anchors = server_ta)
+ self.checker = Checker(trust_anchor = server_ta)
def client(msg, client_key, client_certs, server_ta, url, timeout = 300):
"""Open client HTTPS connection, send a message, wait for response.
@@ -220,6 +219,6 @@ def server(handlers, server_key, server_certs, port = 4433, host = "", client_ta
httpd.rpki_server_key = server_key.get_tlslite()
httpd.rpki_server_certs = server_certs.tlslite_certChain()
httpd.rpki_sessionCache = tlslite.api.SessionCache()
- httpd.rpki_checker = Checker(trust_anchors = client_ta, dynamic_x509store = dynamic_x509store)
+ httpd.rpki_checker = Checker(trust_anchor = client_ta, dynamic_x509store = dynamic_x509store)
httpd.serve_forever()
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 4aec4417..5a3ae255 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -617,7 +617,7 @@ class parent_elt(data_elt):
raise
q_cms = rpki.cms.xml_sign(q_elt, bsc.private_key_id, bsc.signing_cert, encoding = "UTF-8")
- r_cms = rpki.https.client(server_ta = rpki.x509.X509_chain(self.peer_biz_cert),
+ r_cms = rpki.https.client(server_ta = self.peer_biz_cert,
client_key = bsc.private_key_id,
client_certs = bsc.signing_cert,
msg = q_cms,
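Review bot: `self.peer_biz_cert` is now passed to `rpki.https.client` as the sole trust anchor without a check that it is set. The gctx.py hunk in this commit filters children on `peer_biz_cert is not None`, which suggests the field can be unset for a parent too. With the new `Checker`, a `None` here would surface as an AttributeError inside TLS setup rather than as a clear "parent has no business certificate" error. Consider testing `self.peer_biz_cert is None` before the call and raising the project's own exception type with that message. The enclosing method starts and ends outside the hunk.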
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index 7de56bb0..3534b24f 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -578,7 +578,7 @@ class allocation(object):
cms = rpki.https.client(
client_key = testbed_key,
client_certs = testbed_certs,
- server_ta = rpki.x509.X509_chain(self.rpkid_ta),
+ server_ta = self.rpkid_ta,
url = url,
msg = cms)
elt = rpki.cms.xml_verify(der = cms, ta = self.rpkid_ta)
@@ -681,7 +681,7 @@ class allocation(object):
rpki.log.info("Running cron for %s" % self.name)
rpki.https.client(client_key = testbed_key,
client_certs = testbed_certs,
- server_ta = rpki.x509.X509_chain(self.rpkid_ta),
+ server_ta = self.rpkid_ta,
url = "https://localhost:%d/cronjob" % self.rpki_port,
msg = "Run cron now, please")
diff --git a/rpkid/testpoke.py b/rpkid/testpoke.py
index d964b72c..b2908bd9 100644
--- a/rpkid/testpoke.py
+++ b/rpkid/testpoke.py
@@ -133,10 +133,4 @@ https_key = get_PEM("ssl-key", rpki.x509.RSA)
https_cert = get_PEM("ssl-cert", rpki.x509.X509)
https_certs = get_PEM_chain("ssl-cert-chain", https_cert)
-ta = https_ta
-https_ta = rpki.x509.X509_chain()
-if ta is not None:
- https_ta.append(ta)
-del ta
-
dispatch[yaml_req["type"]]()