-rwxr-xr-xrpkid/rootd.py5
-rw-r--r--rpkid/rpki/gctx.py2
-rw-r--r--rpkid/testbed.py15
-rw-r--r--rpkid/testpoke.py3
4 files changed, 16 insertions, 9 deletions
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
index 8944d7f2..1922a4c9 100755
--- a/rpkid/rootd.py
+++ b/rpkid/rootd.py
@@ -138,13 +138,13 @@ def up_down_handler(query, path):
return 400, "Could not process PDU: %s" % data
try:
r_msg = q_msg.serve_top_level(None)
- r_cms = cms_msg.wrap(r_msg, rootd_bpki_key, rootd_bpki_cert)
+ r_cms = cms_msg.wrap(r_msg, rootd_bpki_key, rootd_bpki_cert, rootd_bpki_crl)
return 200, r_cms
except Exception, data:
rpki.log.error(traceback.format_exc())
try:
r_msg = q_msg.serve_error(data)
- r_cms = cms_msg.wrap(r_msg, rootd_bpki_key, rootd_bpki_cert)
+ r_cms = cms_msg.wrap(r_msg, rootd_bpki_key, rootd_bpki_cert, rootd_bpki_crl)
return 200, r_cms
except Exception, data:
rpki.log.error(traceback.format_exc())
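Review bot: Both wrap calls now embed `rootd_bpki_crl`, but the unwrap of the incoming child query that precedes this hunk is not shown, so it is not visible whether rootd's own verification was tightened the same way the commit tightens gctx.py's (TA plus expected signer cert); if it still verifies against the TA alone, that is worth a follow-up. A short comment at the first wrap would also help a reader, e.g. `# reply CMS carries our BPKI cert and the current CRL so the child can verify it`. up_down_handler starts before this hunk and its body continues past it.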
@@ -172,6 +172,7 @@ cfg = rpki.config.parser(cfg_file, "rootd")
bpki_ta = rpki.x509.X509(Auto_file = cfg.get("bpki-ta"))
rootd_bpki_key = rpki.x509.RSA( Auto_file = cfg.get("rootd-bpki-key"))
rootd_bpki_cert = rpki.x509.X509(Auto_file = cfg.get("rootd-bpki-cert"))
+rootd_bpki_crl = rpki.x509.CRL( Auto_file = cfg.get("rootd-bpki-crl"))
child_bpki_cert = rpki.x509.X509(Auto_file = cfg.get("child-bpki-cert"))
https_server_host = cfg.get("server-host", "")
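Review bot: `rootd_bpki_crl` is read from `cfg.get("rootd-bpki-crl")` once at module load, and nothing in this diff refreshes it, so a long-running rootd will keep signing replies with whatever CRL was on disk at startup; once that CRL passes its next-update time, verifiers that check CRL freshness will presumably start rejecting the replies. If that is the intended operational model it should be stated next to the assignment, e.g. `# Loaded once at startup; restart rootd after the BPKI CRL is reissued.` Note also that, unlike the `server-host` line below, the key is fetched without a default, so a missing `rootd-bpki-crl` entry fails at startup rather than at the first request — which is probably the better failure mode and worth a comment saying so. The same once-at-startup pattern appears for `cms_crl` in the testpoke.py hunk.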
diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
index 995dede1..ad5c7c86 100644
--- a/rpkid/rpki/gctx.py
+++ b/rpkid/rpki/gctx.py
@@ -108,7 +108,7 @@ class global_context(object):
"""Process one left-right PDU."""
rpki.log.trace()
try:
- q_msg = rpki.left_right.cms_msg.unwrap(query, self.bpki_ta)
+ q_msg = rpki.left_right.cms_msg.unwrap(query, (self.bpki_ta, self.irbe_cert))
r_msg = q_msg.serve_top_level(self)
reply = rpki.left_right.cms_msg.wrap(r_msg, self.rpkid_key, self.rpkid_cert)
self.sql_sweep()
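Review bot: The unwrap now pins the expected signer as `(self.bpki_ta, self.irbe_cert)`, which is the right direction, but the wrap of the reply on the next line still passes only `self.rpkid_key, self.rpkid_cert`, while the rootd.py hunk in this same commit extends the equivalent wrap with a CRL. If `cms_msg.wrap` treats the CRL as optional this is merely asymmetric and deserves a comment such as `# no CRL attached: the IRBE verifies us against the TA and our pinned cert only`; if the IRBE side is expected to check revocation, rpkid should attach its BPKI CRL here too. Whether `global_context` already carries an `irbe_cert` attribute is not visible in this diff; confirm it is populated wherever `bpki_ta` is loaded. The method starts before this hunk and continues past it.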
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index 4fa1150f..242472c4 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -477,9 +477,10 @@ class allocation(object):
setup_bpki_cert_chain(self.name, ee = ("RPKI",))
else:
setup_bpki_cert_chain(self.name, ee = ("RPKI", "IRDB", "IRBE"), ca = ("SELF-1",))
- self.rpkid_ta = rpki.x509.X509(PEM_file = self.name + "-TA.cer")
- self.irbe_key = rpki.x509.RSA( PEM_file = self.name + "-IRBE.key")
- self.irbe_cert = rpki.x509.X509(PEM_file = self.name + "-IRBE.cer")
+ self.rpkid_ta = rpki.x509.X509(PEM_file = self.name + "-TA.cer")
+ self.irbe_key = rpki.x509.RSA( PEM_file = self.name + "-IRBE.key")
+ self.irbe_cert = rpki.x509.X509(PEM_file = self.name + "-IRBE.cer")
+ self.rpkid_cert = rpki.x509.X509(PEM_file = self.name + "-RPKI.cer")
def setup_conf_file(self):
"""Write config files for this entity."""
@@ -559,7 +560,8 @@ class allocation(object):
rpki.log.info("Calling rpkid for %s" % self.name)
pdu.type = "query"
msg = rpki.left_right.msg((pdu,))
- cms, xml = rpki.left_right.cms_msg.wrap(msg, self.irbe_key, self.irbe_cert, pretty_print = True)
+ cms, xml = rpki.left_right.cms_msg.wrap(msg, self.irbe_key, self.irbe_cert,
+ pretty_print = True)
rpki.log.debug(xml)
url = "https://localhost:%d/left-right" % self.rpki_port
rpki.log.debug("Attempting to connect to %s" % url)
@@ -569,7 +571,8 @@ class allocation(object):
server_ta = self.rpkid_ta,
url = url,
msg = cms)
- msg, xml = rpki.left_right.cms_msg.unwrap(der, self.rpkid_ta, pretty_print = True)
+ msg, xml = rpki.left_right.cms_msg.unwrap(der, (self.rpkid_ta, self.rpkid_cert),
+ pretty_print = True)
rpki.log.debug(xml)
pdu = msg[0]
assert pdu.type == "reply" and not isinstance(pdu, rpki.left_right.report_error_elt)
@@ -878,6 +881,7 @@ sender-id: "%(my_name)s"
cms-cert-file: %(my_name)s-RPKI.cer
cms-key-file: %(my_name)s-RPKI.key
cms-ca-cert-file: %(my_name)s-TA.cer
+cms-crl-file: %(my_name)s-TA.crl
cms-ca-certs-file:
- %(my_name)s-TA-%(parent_name)s-TA.cer
- %(my_name)s-TA-%(parent_name)s-SELF-1.cer
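Review bot: The generated config now names `%(my_name)s-TA.crl` as the CMS CRL file, but nothing in this diff shows `setup_bpki_cert_chain` (or any other step) producing a `-TA.crl` file, so unless it is already generated elsewhere the testbed will fail when testpoke.py or rootd.py loads the CRL at startup. Either confirm the file is created alongside the `-TA.cer` it pairs with, or add a comment at this line noting where it comes from, e.g. `# -TA.crl must be issued by the same step that writes -TA.cer`. The same assumption is made by the `rootd-bpki-crl = %(rootd_name)s-TA.crl` line in the rootd_fmt_1 hunk below.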
@@ -955,6 +959,7 @@ rootd_fmt_1 = '''\
bpki-ta = %(rootd_name)s-TA.cer
rootd-bpki-cert = %(rootd_name)s-RPKI.cer
rootd-bpki-key = %(rootd_name)s-RPKI.key
+rootd-bpki-crl = %(rootd_name)s-TA.crl
child-bpki-cert = %(rootd_name)s-%(rpkid_name)s.cer
server-port = %(rootd_port)s
diff --git a/rpkid/testpoke.py b/rpkid/testpoke.py
index c6fea441..2648fcd0 100644
--- a/rpkid/testpoke.py
+++ b/rpkid/testpoke.py
@@ -89,7 +89,7 @@ def query_up_down(q_pdu):
payload = q_pdu,
sender = yaml_data["sender-id"],
recipient = yaml_data["recipient-id"])
- q_cms = rpki.up_down.cms_msg.wrap(q_msg, cms_key, cms_certs)
+ q_cms = rpki.up_down.cms_msg.wrap(q_msg, cms_key, cms_certs, cms_crl)
der = rpki.https.client(
server_ta = [https_ta] + https_ca_certs,
client_key = https_key,
@@ -123,6 +123,7 @@ dispatch = { "list" : do_list, "issue" : do_issue, "revoke" : do_revoke }
cms_ta = get_PEM("cms-ca-cert", rpki.x509.X509)
cms_cert = get_PEM("cms-cert", rpki.x509.X509)
cms_key = get_PEM("cms-key", rpki.x509.RSA)
+cms_crl = get_PEM("cms-crl", rpki.x509.CRL)
cms_certs = get_PEM_chain("cms-cert-chain", cms_cert)
cms_ca_certs = get_PEM_chain("cms-ca-certs")