5 files changed, 50 insertions, 21 deletions

diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
index 9f2770c4..44d47f28 100644
--- a/rpkid/rpki/gctx.py
+++ b/rpkid/rpki/gctx.py
@@ -176,7 +176,13 @@ class global_context(object):
       self.https_ta_cache = None
 
   def build_x509store(self):
-    """Build a dynamic x509store object."""
+    """Build a dynamic x509store object.
+
+    This probably should be refactored to do the real work in the
+    rpki.https module so that this module can treat the x509store as a
+    black box.  This method's jobs would then be just to identify
+    certs that need to be added and to cache an opaque object.
+    """
 
     if self.https_ta_cache is None:
 
@@ -186,7 +192,8 @@ class global_context(object):
               [c.peer_biz_glue for c in children if c.peer_biz_glue is not None] + \
               self.https_ta_irbe
       for x in certs:
-        rpki.log.debug("HTTPS dynamic trust anchor %s" % x.getSubject())
+        if rpki.https.debug_tls_certs:
+          rpki.log.debug("HTTPS dynamic trust anchor %s" % x.getSubject())
         store.addTrust(x.get_POW())
       self.https_ta_cache = store
 
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 7fd0c5f2..f73667b2 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -30,6 +30,9 @@ import POW
 # Do not set this to True for production use!
 disable_tls_certificate_validation_exceptions = False
 
+# Chatter suppression
+debug_tls_certs = False
+
 rpki_content_type = "application/x-rpki"
 
 class Checker(tlslite.api.Checker):
@@ -43,9 +46,10 @@ class Checker(tlslite.api.Checker):
     if dynamic_x509store is None:
       self.x509store = POW.X509Store()
       for x in trust_anchors:
-        rpki.log.debug("HTTPS trust anchor %s" % x.getSubject())
+        if debug_tls_certs:
+          rpki.log.debug("HTTPS trust anchor %s" % x.getSubject())
         self.x509store.addTrust(x.get_POW())
-    else:
+    elif debug_tls_certs:
       rpki.log.debug("HTTPS dynamic trust anchors")
 
   def x509store_thunk(self):
@@ -66,8 +70,9 @@ class Checker(tlslite.api.Checker):
 
     chain = [rpki.x509.X509(tlslite = chain.x509List[i]) for i in range(chain.getNumCerts())]
 
-    for i in range(len(chain)):
-      rpki.log.debug("Received %s TLS cert[%d] %s" % (peer, i, chain[i].getSubject()))
+    if debug_tls_certs:
+      for i in range(len(chain)):
+        rpki.log.debug("Received %s TLS cert[%d] %s" % (peer, i, chain[i].getSubject()))
 
     if not self.x509store_thunk().verifyChain(chain[0].get_POW(), [x.get_POW() for x in chain[1:]]):
       if disable_tls_certificate_validation_exceptions:
@@ -107,8 +112,9 @@ def client(msg, client_key, client_certs, server_ta, url, timeout = 300):
          u.query    == "" and \
          u.fragment == ""
 
-  for client_cert in client_certs:
-    rpki.log.debug("Sending client TLS cert %s" % client_cert.getSubject())
+  if debug_tls_certs:
+    for client_cert in client_certs:
+      rpki.log.debug("Sending client TLS cert %s" % client_cert.getSubject())
 
   # We could add a "settings = foo" argument to the following call to
   # pass in a tlslite.HandshakeSettings object that would let us
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index a8cd3092..3803d5f4 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -18,7 +18,7 @@
 
 import base64, lxml.etree, time, traceback, os
 import rpki.sax_utils, rpki.resource_set, rpki.x509, rpki.sql, rpki.exceptions
-import rpki.https, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log
+import rpki.https, rpki.up_down, rpki.relaxng, rpki.sundial, rpki.log, rpki.roa
 
 xmlns = "http://www.hactrn.net/uris/rpki/left-right-spec/"
 
@@ -817,10 +817,10 @@ class route_origin_elt(data_elt):
   """<route_origin/> element."""
 
   element_name = "route_origin"
-  attributes = ("action", "type", "tag", "self_id", "route_origin_id", "as_number", "ipv4", "ipv6")
+  attributes = ("action", "type", "tag", "self_id", "route_origin_id", "as_number", "exact_match", "ipv4", "ipv6")
   booleans = ("suppress_publication",)
 
-  sql_template = rpki.sql.template("route_origin", "route_origin_id", "self_id", "as_number",
+  sql_template = rpki.sql.template("route_origin", "route_origin_id", "self_id", "as_number", "exact_match",
                                    "ca_detail_id", "roa",
                                    ("cert", rpki.x509.X509))
 
@@ -841,11 +841,12 @@ class route_origin_elt(data_elt):
 
   def sql_insert_hook(self):
     """Extra SQL insert actions for route_origin_elt -- handle address ranges."""
-    if self.ipv4 + self.ipv6:
+    if self.ipv4 or self.ipv6:
       self.gctx.cur.executemany("""
                 INSERT route_origin_range (route_origin_id, start_ip, end_ip)
                 VALUES (%s, %s, %s)""",
-                           ((self.route_origin_id, x.min, x.max) for x in self.ipv4 + self.ipv6))
+                           ((self.route_origin_id, x.min, x.max)
+                            for x in (self.ipv4 or []) + (self.ipv6 or [])))
   
   def sql_delete_hook(self):
     """Extra SQL delete actions for route_origin_elt -- handle address ranges."""
@@ -855,6 +856,11 @@ class route_origin_elt(data_elt):
     """Fetch all ca_detail objects that link to this route_origin object."""
     return rpki.sql.ca_detail_obj.sql_fetch(self.gctx, self.ca_detail_id)
 
+  def serve_pre_save_hook(self, q_pdu, r_pdu):
+    """Extra server actions for route_origin_elt -- normalize exact_match."""
+    if self.exact_match is None:
+      self.exact_match = False
+
   def serve_post_save_hook(self, q_pdu, r_pdu):
     """Extra server actions for route_origin_elt."""
     self.unimplemented_control("suppress_publication")
@@ -899,6 +905,10 @@ class route_origin_elt(data_elt):
     /dev/random, but there is not much we can do about that.
     """
 
+    if self.ipv4 is None and self.ipv6 is None:
+      rpki.log.warn("Can't generate ROA for empty address list")
+      return
+
     # Ugly and expensive search for covering ca_detail, there has to
     # be a better way.
     #
@@ -911,7 +921,8 @@ class route_origin_elt(data_elt):
         ca_detail = ca.fetch_active()
         if ca_detail is not None:
           resources = ca_detail.latest_ca_cert.get_3779resources()
-          if self.v4.issubset(resources.v4) and self.v6.issubset(resources.v6):
+          if ((self.ipv4 is None or self.ipv4.issubset(resources.v4)) and
+              (self.ipv6 is None or self.ipv6.issubset(resources.v6))):
             break
           ca_detail = None
       if ca_detail is not None:
@@ -921,20 +932,20 @@ class route_origin_elt(data_elt):
       rpki.log.warn("generate_roa() could not find a covering certificate")
       return
 
-    resources = rpki.resource_set.resource_bag(v4 = self.v4, v6 = self.v6)
+    resources = rpki.resource_set.resource_bag(v4 = self.ipv4, v6 = self.ipv6)
 
     payload = rpki.roa.RouteOriginAttestation()
     payload.version.set(0)
     payload.asID.set(self.as_number)
     payload.exactMatch.set(self.exact_match)
-    payload.ipAddrBlocks.set((a.to_roa_tuple() for a in (self.v4, self.v6) if a))
+    payload.ipAddrBlocks.set((a.to_roa_tuple() for a in (self.ipv4, self.ipv6) if a))
 
     keypair = rpki.x509.RSA()
     keypair.generate()
 
     sia = ((rpki.oids.name2oid["id-ad-signedObject"], ("uri", self.roa_uri(ca, keypair))),)
 
-    self.cert = ca_detail.issue_ee(ca, resources, sia)
+    self.cert = ca_detail.issue_ee(ca, resources, keypair.get_RSApublic(), sia = sia)
     self.roa = rpki.cms.sign(payload.toString(), keypair, (self.cert,))
     self.ca_detail_id = ca_detail.ca_detail_id
     self.sql_store()
diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py
index 03bfc2b5..755e42d0 100644
--- a/rpkid/rpki/relaxng.py
+++ b/rpkid/rpki/relaxng.py
@@ -6,7 +6,7 @@ import lxml.etree
 ## Parsed RelaxNG left_right schema
 left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?>
 <!--
-  $Id: left-right-schema.rng 1640 2008-04-09 02:26:30Z sra $
+  $Id: left-right-schema.rnc 1640 2008-04-09 02:26:30Z sra $
   
   RelaxNG (Compact Syntax) Schema for RPKI left-right protocol.
   
@@ -790,6 +790,11 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc
       </attribute>
     </optional>
     <optional>
+      <attribute name="exact_match">
+        <data type="boolean"/>
+      </attribute>
+    </optional>
+    <optional>
       <attribute name="ipv4">
         <data type="token">
           <param name="maxLength">1024</param>
diff --git a/rpkid/rpki/sql.py b/rpkid/rpki/sql.py
index fe6c0f0a..dad37606 100644
--- a/rpkid/rpki/sql.py
+++ b/rpkid/rpki/sql.py
@@ -555,12 +555,12 @@ class ca_detail_obj(sql_persistant):
     self.sql_store()
     return self
 
-  def issue_ee(self, ca, resources, sia = None):
+  def issue_ee(self, ca, resources, subject_key, sia = None):
     """Issue a new EE certificate."""
 
     return self.latest_ca_cert.issue(
       keypair     = self.private_key_id,
-      subject_key = self.manifest_public_key,
+      subject_key = subject_key,
       serial      = ca.next_serial_number(),
       sia         = sia,
       aia         = self.ca_cert_uri,
@@ -578,7 +578,7 @@ class ca_detail_obj(sql_persistant):
       v4 = rpki.resource_set.resource_set_ipv4("<inherit>"),
       v6 = rpki.resource_set.resource_set_ipv6("<inherit>"))
 
-    self.latest_manifest_cert = self.issue_ee(ca, resources)
+    self.latest_manifest_cert = self.issue_ee(ca, resources, self.manifest_public_key)
 
   def issue(self, ca, child, subject_key, sia, resources, child_cert = None):
     """Issue a new certificate to a child.  Optional child_cert