/* crypto/bf/bfspeed.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

/* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
/* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */

#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
#define TIMES
#endif

#include <stdio.h>

#include <openssl/e_os2.h>
#include OPENSSL_UNISTD_IO
OPENSSL_DECLARE_EXIT

#ifndef OPENSSL_SYS_NETWARE
#include <signal.h>
#endif

#ifndef _IRIX
#include <time.h>
#endif
#ifdef TIMES
#include <sys/types.h>
#include <sys/times.h>
#endif

/* Depending on the VMS version, the tms structure is perhaps defined.
   The __TMS macro will show if it was.  If it wasn't defined, we should
   undefine TIMES, since that tells the rest of the program how things
   should be handled.				-- Richard Levitte */
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
#undef TIMES
#endif

#ifndef TIMES
#include <sys/timeb.h>
#endif

#if defined(sun) || defined(__ultrix)
#define _POSIX_SOURCE
#include <limits.h>
#include <sys/param.h>
#endif

#include <openssl/blowfish.h>

/* The following if from times(3) man page.  It may need to be changed */
#ifndef HZ
#ifndef CLK_TCK
#define HZ	100.0
#else /* CLK_TCK */
#define HZ ((double)CLK_TCK)
#endif
#endif

#define BUFSIZE	((long)1024)
long run=0;

double Time_F(int s);
#ifdef SIGALRM
#if defined(__STDC__) || defined(sgi) || defined(_AIX)
#define SIGRETTYPE void
#else
#define SIGRETTYPE int
#endif

SIGRETTYPE sig_done(int sig);
SIGRETTYPE sig_done(int sig)
	{
	signal(SIGALRM,sig_done);
	run=0;
#ifdef LINT
	sig=sig;
#endif
	}
#endif

#define START	0
#define STOP	1

double Time_F(int s)
	{
	double ret;
#ifdef TIMES
	static struct tms tstart,tend;

	if (s == START)
		{
		times(&tstart);
		return(0);
		}
	else
		{
		times(&tend);
		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
		return((ret == 0.0)?1e-6:ret);
		}
#else /* !times() */
	static struct timeb tstart,tend;
	long i;

	if (s == START)
		{
		ftime(&tstart);
		return(0);
		}
	else
		{
		ftime(&tend);
		i=(long)tend.millitm-(long)tstart.millitm;
		ret=((double)(tend.time-tstart.time))+((double)i)/1e3;
		return((ret == 0.0)?1e-6:ret);
		}
#endif
	}

int main(int argc, char **argv)
	{
	long count;
	static unsigned char buf[BUFSIZE];
	static unsigned char key[] ={
			0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
			0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,
			};
	BF_KEY sch;
	double a,b,c,d;
#ifndef SIGALRM
	long ca,cb,cc;
#endif

#ifndef TIMES
	printf("To get the most accurate results, try to run this\n");
	printf("program when this computer is idle.\n");
#endif

#ifndef SIGALRM
	printf("First we calculate the approximate speed ...\n");
	BF_set_key(&sch,16,key);
	count=10;
	do	{
		long i;
		BF_LONG data[2];

		count*=2;
		Time_F(START);
		for (i=count; i; i--)
			BF_encrypt(data,&sch);
		d=Time_F(STOP);
		} while (d < 3.0);
	ca=count/512;
	cb=count;
	cc=count*8/BUFSIZE+1;
	printf("Doing BF_set_key %ld times\n",ca);
#define COND(d)	(count != (d))
#define COUNT(d) (d)
#else
#define COND(c)	(run)
#define COUNT(d) (count)
	signal(SIGALRM,sig_done);
	printf("Doing BF_set_key for 10 seconds\n");
	alarm(10);
#endif

	Time_F(START);
	for (count=0,run=1; COND(ca); count+=4)
		{
		BF_set_key(&sch,16,key);
		BF_set_key(&sch,16,key);
		BF_set_key(&sch,16,key);
		BF_set_key(&sch,16,key);
		}
	d=Time_F(STOP);
	printf("%ld BF_set_key's in %.2f seconds\n",count,d);
	a=((double)COUNT(ca))/d;

#ifdef SIGALRM
	printf("Doing BF_encrypt's for 10 seconds\n");
	alarm(10);
#else
	printf("Doing BF_encrypt %ld times\n",cb);
#endif
	Time_F(START);
	for (count=0,run=1; COND(cb); count+=4)
		{
		BF_LONG data[2];

		BF_encrypt(data,&sch);
		BF_encrypt(data,&sch);
		BF_encrypt(data,&sch);
		BF_encrypt(data,&sch);
		}
	d=Time_F(STOP);
	printf("%ld BF_encrypt's in %.2f second\n",count,d);
	b=((double)COUNT(cb)*8)/d;

#ifdef SIGALRM
	printf("Doing BF_cbc_encrypt on %ld byte blocks for 10 seconds\n",
		BUFSIZE);
	alarm(10);
#else
	printf("Doing BF_cbc_encrypt %ld times on %ld byte blocks\n",cc,
		BUFSIZE);
#endif
	Time_F(START);
	for (count=0,run=1; COND(cc); count++)
		BF_cbc_encrypt(buf,buf,BUFSIZE,&sch,
			&(key[0]),BF_ENCRYPT);
	d=Time_F(STOP);
	printf("%ld BF_cbc_encrypt's of %ld byte blocks in %.2f second\n",
		count,BUFSIZE,d);
	c=((double)COUNT(cc)*BUFSIZE)/d;

	printf("Blowfish set_key       per sec = %12.3f (%9.3fuS)\n",a,1.0e6/a);
	printf("Blowfish raw ecb bytes per sec = %12.3f (%9.3fuS)\n",b,8.0e6/b);
	printf("Blowfish cbc     bytes per sec = %12.3f (%9.3fuS)\n",c,8.0e6/c);
	exit(0);
#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
	return(0);
#endif
	}
52' href='#n152'>152</a>
<a id='n153' href='#n153'>153</a>
<a id='n154' href='#n154'>154</a>
<a id='n155' href='#n155'>155</a>
<a id='n156' href='#n156'>156</a>
<a id='n157' href='#n157'>157</a>
<a id='n158' href='#n158'>158</a>
<a id='n159' href='#n159'>159</a>
<a id='n160' href='#n160'>160</a>
<a id='n161' href='#n161'>161</a>
<a id='n162' href='#n162'>162</a>
<a id='n163' href='#n163'>163</a>
<a id='n164' href='#n164'>164</a>
<a id='n165' href='#n165'>165</a>
<a id='n166' href='#n166'>166</a>
<a id='n167' href='#n167'>167</a>
<a id='n168' href='#n168'>168</a>
<a id='n169' href='#n169'>169</a>
<a id='n170' href='#n170'>170</a>
<a id='n171' href='#n171'>171</a>
<a id='n172' href='#n172'>172</a>
<a id='n173' href='#n173'>173</a>
<a id='n174' href='#n174'>174</a>
<a id='n175' href='#n175'>175</a>
<a id='n176' href='#n176'>176</a>
<a id='n177' href='#n177'>177</a>
<a id='n178' href='#n178'>178</a>
<a id='n179' href='#n179'>179</a>
<a id='n180' href='#n180'>180</a>
<a id='n181' href='#n181'>181</a>
<a id='n182' href='#n182'>182</a>
<a id='n183' href='#n183'>183</a>
<a id='n184' href='#n184'>184</a>
<a id='n185' href='#n185'>185</a>
<a id='n186' href='#n186'>186</a>
<a id='n187' href='#n187'>187</a>
<a id='n188' href='#n188'>188</a>
<a id='n189' href='#n189'>189</a>
<a id='n190' href='#n190'>190</a>
<a id='n191' href='#n191'>191</a>
<a id='n192' href='#n192'>192</a>
<a id='n193' href='#n193'>193</a>
<a id='n194' href='#n194'>194</a>
<a id='n195' href='#n195'>195</a>
<a id='n196' href='#n196'>196</a>
<a id='n197' href='#n197'>197</a>
<a id='n198' href='#n198'>198</a>
<a id='n199' href='#n199'>199</a>
<a id='n200' href='#n200'>200</a>
<a id='n201' href='#n201'>201</a>
<a id='n202' href='#n202'>202</a>
<a id='n203' href='#n203'>203</a>
<a id='n204' href='#n204'>204</a>
<a id='n205' href='#n205'>205</a>
<a id='n206' href='#n206'>206</a>
<a id='n207' href='#n207'>207</a>
<a id='n208' href='#n208'>208</a>
<a id='n209' href='#n209'>209</a>
<a id='n210' href='#n210'>210</a>
<a id='n211' href='#n211'>211</a>
<a id='n212' href='#n212'>212</a>
<a id='n213' href='#n213'>213</a>
<a id='n214' href='#n214'>214</a>
<a id='n215' href='#n215'>215</a>
<a id='n216' href='#n216'>216</a>
<a id='n217' href='#n217'>217</a>
<a id='n218' href='#n218'>218</a>
<a id='n219' href='#n219'>219</a>
<a id='n220' href='#n220'>220</a>
<a id='n221' href='#n221'>221</a>
<a id='n222' href='#n222'>222</a>
<a id='n223' href='#n223'>223</a>
<a id='n224' href='#n224'>224</a>
<a id='n225' href='#n225'>225</a>
<a id='n226' href='#n226'>226</a>
<a id='n227' href='#n227'>227</a>
<a id='n228' href='#n228'>228</a>
<a id='n229' href='#n229'>229</a>
<a id='n230' href='#n230'>230</a>
<a id='n231' href='#n231'>231</a>
<a id='n232' href='#n232'>232</a>
<a id='n233' href='#n233'>233</a>
<a id='n234' href='#n234'>234</a>
<a id='n235' href='#n235'>235</a>
<a id='n236' href='#n236'>236</a>
<a id='n237' href='#n237'>237</a>
<a id='n238' href='#n238'>238</a>
<a id='n239' href='#n239'>239</a>
<a id='n240' href='#n240'>240</a>
<a id='n241' href='#n241'>241</a>
<a id='n242' href='#n242'>242</a>
<a id='n243' href='#n243'>243</a>
<a id='n244' href='#n244'>244</a>
<a id='n245' href='#n245'>245</a>
<a id='n246' href='#n246'>246</a>
<a id='n247' href='#n247'>247</a>
<a id='n248' href='#n248'>248</a>
<a id='n249' href='#n249'>249</a>
<a id='n250' href='#n250'>250</a>
<a id='n251' href='#n251'>251</a>
<a id='n252' href='#n252'>252</a>
<a id='n253' href='#n253'>253</a>
<a id='n254' href='#n254'>254</a>
<a id='n255' href='#n255'>255</a>
<a id='n256' href='#n256'>256</a>
<a id='n257' href='#n257'>257</a>
<a id='n258' href='#n258'>258</a>
<a id='n259' href='#n259'>259</a>
<a id='n260' href='#n260'>260</a>
<a id='n261' href='#n261'>261</a>
<a id='n262' href='#n262'>262</a>
<a id='n263' href='#n263'>263</a>
<a id='n264' href='#n264'>264</a>
<a id='n265' href='#n265'>265</a>
<a id='n266' href='#n266'>266</a>
<a id='n267' href='#n267'>267</a>
<a id='n268' href='#n268'>268</a>
<a id='n269' href='#n269'>269</a>
<a id='n270' href='#n270'>270</a>
<a id='n271' href='#n271'>271</a>
<a id='n272' href='#n272'>272</a>
<a id='n273' href='#n273'>273</a>
<a id='n274' href='#n274'>274</a>
<a id='n275' href='#n275'>275</a>
<a id='n276' href='#n276'>276</a>
<a id='n277' href='#n277'>277</a>
<a id='n278' href='#n278'>278</a>
<a id='n279' href='#n279'>279</a>
<a id='n280' href='#n280'>280</a>
<a id='n281' href='#n281'>281</a>
<a id='n282' href='#n282'>282</a>
<a id='n283' href='#n283'>283</a>
<a id='n284' href='#n284'>284</a>
<a id='n285' href='#n285'>285</a>
<a id='n286' href='#n286'>286</a>
<a id='n287' href='#n287'>287</a>
<a id='n288' href='#n288'>288</a>
<a id='n289' href='#n289'>289</a>
<a id='n290' href='#n290'>290</a>
<a id='n291' href='#n291'>291</a>
<a id='n292' href='#n292'>292</a>
<a id='n293' href='#n293'>293</a>
<a id='n294' href='#n294'>294</a>
<a id='n295' href='#n295'>295</a>
<a id='n296' href='#n296'>296</a>
<a id='n297' href='#n297'>297</a>
<a id='n298' href='#n298'>298</a>
<a id='n299' href='#n299'>299</a>
<a id='n300' href='#n300'>300</a>
<a id='n301' href='#n301'>301</a>
<a id='n302' href='#n302'>302</a>
<a id='n303' href='#n303'>303</a>
<a id='n304' href='#n304'>304</a>
<a id='n305' href='#n305'>305</a>
<a id='n306' href='#n306'>306</a>
<a id='n307' href='#n307'>307</a>
<a id='n308' href='#n308'>308</a>
<a id='n309' href='#n309'>309</a>
<a id='n310' href='#n310'>310</a>
<a id='n311' href='#n311'>311</a>
<a id='n312' href='#n312'>312</a>
<a id='n313' href='#n313'>313</a>
<a id='n314' href='#n314'>314</a>
<a id='n315' href='#n315'>315</a>
<a id='n316' href='#n316'>316</a>
<a id='n317' href='#n317'>317</a>
<a id='n318' href='#n318'>318</a>
<a id='n319' href='#n319'>319</a>
<a id='n320' href='#n320'>320</a>
<a id='n321' href='#n321'>321</a>
<a id='n322' href='#n322'>322</a>
<a id='n323' href='#n323'>323</a>
<a id='n324' href='#n324'>324</a>
<a id='n325' href='#n325'>325</a>
<a id='n326' href='#n326'>326</a>
<a id='n327' href='#n327'>327</a>
<a id='n328' href='#n328'>328</a>
<a id='n329' href='#n329'>329</a>
<a id='n330' href='#n330'>330</a>
<a id='n331' href='#n331'>331</a>
<a id='n332' href='#n332'>332</a>
<a id='n333' href='#n333'>333</a>
<a id='n334' href='#n334'>334</a>
<a id='n335' href='#n335'>335</a>
<a id='n336' href='#n336'>336</a>
<a id='n337' href='#n337'>337</a>
<a id='n338' href='#n338'>338</a>
<a id='n339' href='#n339'>339</a>
<a id='n340' href='#n340'>340</a>
<a id='n341' href='#n341'>341</a>
<a id='n342' href='#n342'>342</a>
<a id='n343' href='#n343'>343</a>
<a id='n344' href='#n344'>344</a>
<a id='n345' href='#n345'>345</a>
<a id='n346' href='#n346'>346</a>
<a id='n347' href='#n347'>347</a>
<a id='n348' href='#n348'>348</a>
<a id='n349' href='#n349'>349</a>
<a id='n350' href='#n350'>350</a>
<a id='n351' href='#n351'>351</a>
<a id='n352' href='#n352'>352</a>
<a id='n353' href='#n353'>353</a>
<a id='n354' href='#n354'>354</a>
<a id='n355' href='#n355'>355</a>
<a id='n356' href='#n356'>356</a>
<a id='n357' href='#n357'>357</a>
<a id='n358' href='#n358'>358</a>
<a id='n359' href='#n359'>359</a>
<a id='n360' href='#n360'>360</a>
<a id='n361' href='#n361'>361</a>
<a id='n362' href='#n362'>362</a>
<a id='n363' href='#n363'>363</a>
<a id='n364' href='#n364'>364</a>
<a id='n365' href='#n365'>365</a>
<a id='n366' href='#n366'>366</a>
<a id='n367' href='#n367'>367</a>
<a id='n368' href='#n368'>368</a>
<a id='n369' href='#n369'>369</a>
<a id='n370' href='#n370'>370</a>
<a id='n371' href='#n371'>371</a>
<a id='n372' href='#n372'>372</a>
<a id='n373' href='#n373'>373</a>
<a id='n374' href='#n374'>374</a>
<a id='n375' href='#n375'>375</a>
<a id='n376' href='#n376'>376</a>
<a id='n377' href='#n377'>377</a>
<a id='n378' href='#n378'>378</a>
<a id='n379' href='#n379'>379</a>
<a id='n380' href='#n380'>380</a>
<a id='n381' href='#n381'>381</a>
<a id='n382' href='#n382'>382</a>
<a id='n383' href='#n383'>383</a>
<a id='n384' href='#n384'>384</a>
<a id='n385' href='#n385'>385</a>
<a id='n386' href='#n386'>386</a>
<a id='n387' href='#n387'>387</a>
<a id='n388' href='#n388'>388</a>
<a id='n389' href='#n389'>389</a>
<a id='n390' href='#n390'>390</a>
<a id='n391' href='#n391'>391</a>
<a id='n392' href='#n392'>392</a>
<a id='n393' href='#n393'>393</a>
<a id='n394' href='#n394'>394</a>
<a id='n395' href='#n395'>395</a>
<a id='n396' href='#n396'>396</a>
<a id='n397' href='#n397'>397</a>
<a id='n398' href='#n398'>398</a>
<a id='n399' href='#n399'>399</a>
<a id='n400' href='#n400'>400</a>
<a id='n401' href='#n401'>401</a>
<a id='n402' href='#n402'>402</a>
<a id='n403' href='#n403'>403</a>
<a id='n404' href='#n404'>404</a>
<a id='n405' href='#n405'>405</a>
<a id='n406' href='#n406'>406</a>
<a id='n407' href='#n407'>407</a>
<a id='n408' href='#n408'>408</a>
<a id='n409' href='#n409'>409</a>
<a id='n410' href='#n410'>410</a>
<a id='n411' href='#n411'>411</a>
<a id='n412' href='#n412'>412</a>
<a id='n413' href='#n413'>413</a>
<a id='n414' href='#n414'>414</a>
<a id='n415' href='#n415'>415</a>
<a id='n416' href='#n416'>416</a>
<a id='n417' href='#n417'>417</a>
<a id='n418' href='#n418'>418</a>
<a id='n419' href='#n419'>419</a>
<a id='n420' href='#n420'>420</a>
<a id='n421' href='#n421'>421</a>
<a id='n422' href='#n422'>422</a>
<a id='n423' href='#n423'>423</a>
<a id='n424' href='#n424'>424</a>
<a id='n425' href='#n425'>425</a>
<a id='n426' href='#n426'>426</a>
<a id='n427' href='#n427'>427</a>
<a id='n428' href='#n428'>428</a>
<a id='n429' href='#n429'>429</a>
<a id='n430' href='#n430'>430</a>
<a id='n431' href='#n431'>431</a>
<a id='n432' href='#n432'>432</a>
<a id='n433' href='#n433'>433</a>
<a id='n434' href='#n434'>434</a>
<a id='n435' href='#n435'>435</a>
<a id='n436' href='#n436'>436</a>
<a id='n437' href='#n437'>437</a>
<a id='n438' href='#n438'>438</a>
<a id='n439' href='#n439'>439</a>
<a id='n440' href='#n440'>440</a>
<a id='n441' href='#n441'>441</a>
<a id='n442' href='#n442'>442</a>
<a id='n443' href='#n443'>443</a>
<a id='n444' href='#n444'>444</a>
<a id='n445' href='#n445'>445</a>
<a id='n446' href='#n446'>446</a>
<a id='n447' href='#n447'>447</a>
<a id='n448' href='#n448'>448</a>
<a id='n449' href='#n449'>449</a>
<a id='n450' href='#n450'>450</a>
<a id='n451' href='#n451'>451</a>
<a id='n452' href='#n452'>452</a>
<a id='n453' href='#n453'>453</a>
<a id='n454' href='#n454'>454</a>
<a id='n455' href='#n455'>455</a>
<a id='n456' href='#n456'>456</a>
<a id='n457' href='#n457'>457</a>
<a id='n458' href='#n458'>458</a>
<a id='n459' href='#n459'>459</a>
<a id='n460' href='#n460'>460</a>
<a id='n461' href='#n461'>461</a>
<a id='n462' href='#n462'>462</a>
<a id='n463' href='#n463'>463</a>
<a id='n464' href='#n464'>464</a>
<a id='n465' href='#n465'>465</a>
<a id='n466' href='#n466'>466</a>
<a id='n467' href='#n467'>467</a>
<a id='n468' href='#n468'>468</a>
<a id='n469' href='#n469'>469</a>
<a id='n470' href='#n470'>470</a>
<a id='n471' href='#n471'>471</a>
<a id='n472' href='#n472'>472</a>
<a id='n473' href='#n473'>473</a>
<a id='n474' href='#n474'>474</a>
<a id='n475' href='#n475'>475</a>
<a id='n476' href='#n476'>476</a>
<a id='n477' href='#n477'>477</a>
<a id='n478' href='#n478'>478</a>
<a id='n479' href='#n479'>479</a>
<a id='n480' href='#n480'>480</a>
<a id='n481' href='#n481'>481</a>
<a id='n482' href='#n482'>482</a>
<a id='n483' href='#n483'>483</a>
<a id='n484' href='#n484'>484</a>
<a id='n485' href='#n485'>485</a>
<a id='n486' href='#n486'>486</a>
<a id='n487' href='#n487'>487</a>
<a id='n488' href='#n488'>488</a>
<a id='n489' href='#n489'>489</a>
<a id='n490' href='#n490'>490</a>
<a id='n491' href='#n491'>491</a>
<a id='n492' href='#n492'>492</a>
<a id='n493' href='#n493'>493</a>
<a id='n494' href='#n494'>494</a>
<a id='n495' href='#n495'>495</a>
<a id='n496' href='#n496'>496</a>
<a id='n497' href='#n497'>497</a>
<a id='n498' href='#n498'>498</a>
<a id='n499' href='#n499'>499</a>
<a id='n500' href='#n500'>500</a>
<a id='n501' href='#n501'>501</a>
<a id='n502' href='#n502'>502</a>
<a id='n503' href='#n503'>503</a>
<a id='n504' href='#n504'>504</a>
<a id='n505' href='#n505'>505</a>
<a id='n506' href='#n506'>506</a>
<a id='n507' href='#n507'>507</a>
<a id='n508' href='#n508'>508</a>
<a id='n509' href='#n509'>509</a>
<a id='n510' href='#n510'>510</a>
<a id='n511' href='#n511'>511</a>
<a id='n512' href='#n512'>512</a>
<a id='n513' href='#n513'>513</a>
<a id='n514' href='#n514'>514</a>
<a id='n515' href='#n515'>515</a>
<a id='n516' href='#n516'>516</a>
<a id='n517' href='#n517'>517</a>
<a id='n518' href='#n518'>518</a>
<a id='n519' href='#n519'>519</a>
<a id='n520' href='#n520'>520</a>
<a id='n521' href='#n521'>521</a>
<a id='n522' href='#n522'>522</a>
<a id='n523' href='#n523'>523</a>
<a id='n524' href='#n524'>524</a>
<a id='n525' href='#n525'>525</a>
<a id='n526' href='#n526'>526</a>
<a id='n527' href='#n527'>527</a>
<a id='n528' href='#n528'>528</a>
<a id='n529' href='#n529'>529</a>
<a id='n530' href='#n530'>530</a>
<a id='n531' href='#n531'>531</a>
<a id='n532' href='#n532'>532</a>
<a id='n533' href='#n533'>533</a>
<a id='n534' href='#n534'>534</a>
<a id='n535' href='#n535'>535</a>
<a id='n536' href='#n536'>536</a>
<a id='n537' href='#n537'>537</a>
<a id='n538' href='#n538'>538</a>
<a id='n539' href='#n539'>539</a>
<a id='n540' href='#n540'>540</a>
<a id='n541' href='#n541'>541</a>
<a id='n542' href='#n542'>542</a>
<a id='n543' href='#n543'>543</a>
<a id='n544' href='#n544'>544</a>
<a id='n545' href='#n545'>545</a>
<a id='n546' href='#n546'>546</a>
<a id='n547' href='#n547'>547</a>
<a id='n548' href='#n548'>548</a>
<a id='n549' href='#n549'>549</a>
<a id='n550' href='#n550'>550</a>
<a id='n551' href='#n551'>551</a>
<a id='n552' href='#n552'>552</a>
<a id='n553' href='#n553'>553</a>
<a id='n554' href='#n554'>554</a>
<a id='n555' href='#n555'>555</a>
<a id='n556' href='#n556'>556</a>
<a id='n557' href='#n557'>557</a>
<a id='n558' href='#n558'>558</a>
<a id='n559' href='#n559'>559</a>
<a id='n560' href='#n560'>560</a>
<a id='n561' href='#n561'>561</a>
<a id='n562' href='#n562'>562</a>
<a id='n563' href='#n563'>563</a>
<a id='n564' href='#n564'>564</a>
<a id='n565' href='#n565'>565</a>
<a id='n566' href='#n566'>566</a>
<a id='n567' href='#n567'>567</a>
<a id='n568' href='#n568'>568</a>
<a id='n569' href='#n569'>569</a>
<a id='n570' href='#n570'>570</a>
<a id='n571' href='#n571'>571</a>
<a id='n572' href='#n572'>572</a>
<a id='n573' href='#n573'>573</a>
<a id='n574' href='#n574'>574</a>
<a id='n575' href='#n575'>575</a>
<a id='n576' href='#n576'>576</a>
<a id='n577' href='#n577'>577</a>
<a id='n578' href='#n578'>578</a>
<a id='n579' href='#n579'>579</a>
<a id='n580' href='#n580'>580</a>
<a id='n581' href='#n581'>581</a>
<a id='n582' href='#n582'>582</a>
<a id='n583' href='#n583'>583</a>
<a id='n584' href='#n584'>584</a>
<a id='n585' href='#n585'>585</a>
<a id='n586' href='#n586'>586</a>
<a id='n587' href='#n587'>587</a>
<a id='n588' href='#n588'>588</a>
<a id='n589' href='#n589'>589</a>
<a id='n590' href='#n590'>590</a>
<a id='n591' href='#n591'>591</a>
<a id='n592' href='#n592'>592</a>
<a id='n593' href='#n593'>593</a>
<a id='n594' href='#n594'>594</a>
<a id='n595' href='#n595'>595</a>
<a id='n596' href='#n596'>596</a>
<a id='n597' href='#n597'>597</a>
<a id='n598' href='#n598'>598</a>
<a id='n599' href='#n599'>599</a>
<a id='n600' href='#n600'>600</a>
<a id='n601' href='#n601'>601</a>
<a id='n602' href='#n602'>602</a>
<a id='n603' href='#n603'>603</a>
<a id='n604' href='#n604'>604</a>
<a id='n605' href='#n605'>605</a>
<a id='n606' href='#n606'>606</a>
<a id='n607' href='#n607'>607</a>
<a id='n608' href='#n608'>608</a>
<a id='n609' href='#n609'>609</a>
<a id='n610' href='#n610'>610</a>
<a id='n611' href='#n611'>611</a>
<a id='n612' href='#n612'>612</a>
<a id='n613' href='#n613'>613</a>
<a id='n614' href='#n614'>614</a>
<a id='n615' href='#n615'>615</a>
<a id='n616' href='#n616'>616</a>
<a id='n617' href='#n617'>617</a>
<a id='n618' href='#n618'>618</a>
<a id='n619' href='#n619'>619</a>
<a id='n620' href='#n620'>620</a>
<a id='n621' href='#n621'>621</a>
<a id='n622' href='#n622'>622</a>
<a id='n623' href='#n623'>623</a>
<a id='n624' href='#n624'>624</a>
<a id='n625' href='#n625'>625</a>
<a id='n626' href='#n626'>626</a>
<a id='n627' href='#n627'>627</a>
<a id='n628' href='#n628'>628</a>
<a id='n629' href='#n629'>629</a>
<a id='n630' href='#n630'>630</a>
<a id='n631' href='#n631'>631</a>
<a id='n632' href='#n632'>632</a>
<a id='n633' href='#n633'>633</a>
<a id='n634' href='#n634'>634</a>
<a id='n635' href='#n635'>635</a>
<a id='n636' href='#n636'>636</a>
<a id='n637' href='#n637'>637</a>
<a id='n638' href='#n638'>638</a>
<a id='n639' href='#n639'>639</a>
<a id='n640' href='#n640'>640</a>
<a id='n641' href='#n641'>641</a>
<a id='n642' href='#n642'>642</a>
<a id='n643' href='#n643'>643</a>
<a id='n644' href='#n644'>644</a>
<a id='n645' href='#n645'>645</a>
<a id='n646' href='#n646'>646</a>
<a id='n647' href='#n647'>647</a>
<a id='n648' href='#n648'>648</a>
<a id='n649' href='#n649'>649</a>
<a id='n650' href='#n650'>650</a>
<a id='n651' href='#n651'>651</a>
<a id='n652' href='#n652'>652</a>
<a id='n653' href='#n653'>653</a>
<a id='n654' href='#n654'>654</a>
<a id='n655' href='#n655'>655</a>
<a id='n656' href='#n656'>656</a>
<a id='n657' href='#n657'>657</a>
<a id='n658' href='#n658'>658</a>
<a id='n659' href='#n659'>659</a>
<a id='n660' href='#n660'>660</a>
<a id='n661' href='#n661'>661</a>
<a id='n662' href='#n662'>662</a>
<a id='n663' href='#n663'>663</a>
<a id='n664' href='#n664'>664</a>
<a id='n665' href='#n665'>665</a>
<a id='n666' href='#n666'>666</a>
<a id='n667' href='#n667'>667</a>
<a id='n668' href='#n668'>668</a>
<a id='n669' href='#n669'>669</a>
<a id='n670' href='#n670'>670</a>
<a id='n671' href='#n671'>671</a>
<a id='n672' href='#n672'>672</a>
<a id='n673' href='#n673'>673</a>
<a id='n674' href='#n674'>674</a>
<a id='n675' href='#n675'>675</a>
<a id='n676' href='#n676'>676</a>
<a id='n677' href='#n677'>677</a>
<a id='n678' href='#n678'>678</a>
<a id='n679' href='#n679'>679</a>
<a id='n680' href='#n680'>680</a>
<a id='n681' href='#n681'>681</a>
<a id='n682' href='#n682'>682</a>
<a id='n683' href='#n683'>683</a>
<a id='n684' href='#n684'>684</a>
<a id='n685' href='#n685'>685</a>
<a id='n686' href='#n686'>686</a>
<a id='n687' href='#n687'>687</a>
<a id='n688' href='#n688'>688</a>
<a id='n689' href='#n689'>689</a>
<a id='n690' href='#n690'>690</a>
<a id='n691' href='#n691'>691</a>
<a id='n692' href='#n692'>692</a>
<a id='n693' href='#n693'>693</a>
<a id='n694' href='#n694'>694</a>
<a id='n695' href='#n695'>695</a>
<a id='n696' href='#n696'>696</a>
<a id='n697' href='#n697'>697</a>
<a id='n698' href='#n698'>698</a>
<a id='n699' href='#n699'>699</a>
<a id='n700' href='#n700'>700</a>
<a id='n701' href='#n701'>701</a>
<a id='n702' href='#n702'>702</a>
<a id='n703' href='#n703'>703</a>
<a id='n704' href='#n704'>704</a>
<a id='n705' href='#n705'>705</a>
<a id='n706' href='#n706'>706</a>
<a id='n707' href='#n707'>707</a>
<a id='n708' href='#n708'>708</a>
<a id='n709' href='#n709'>709</a>
<a id='n710' href='#n710'>710</a>
<a id='n711' href='#n711'>711</a>
<a id='n712' href='#n712'>712</a>
<a id='n713' href='#n713'>713</a>
<a id='n714' href='#n714'>714</a>
<a id='n715' href='#n715'>715</a>
<a id='n716' href='#n716'>716</a>
<a id='n717' href='#n717'>717</a>
<a id='n718' href='#n718'>718</a>
<a id='n719' href='#n719'>719</a>
<a id='n720' href='#n720'>720</a>
<a id='n721' href='#n721'>721</a>
<a id='n722' href='#n722'>722</a>
<a id='n723' href='#n723'>723</a>
<a id='n724' href='#n724'>724</a>
<a id='n725' href='#n725'>725</a>
<a id='n726' href='#n726'>726</a>
<a id='n727' href='#n727'>727</a>
<a id='n728' href='#n728'>728</a>
<a id='n729' href='#n729'>729</a>
<a id='n730' href='#n730'>730</a>
<a id='n731' href='#n731'>731</a>
<a id='n732' href='#n732'>732</a>
<a id='n733' href='#n733'>733</a>
<a id='n734' href='#n734'>734</a>
<a id='n735' href='#n735'>735</a>
<a id='n736' href='#n736'>736</a>
<a id='n737' href='#n737'>737</a>
<a id='n738' href='#n738'>738</a>
<a id='n739' href='#n739'>739</a>
<a id='n740' href='#n740'>740</a>
<a id='n741' href='#n741'>741</a>
<a id='n742' href='#n742'>742</a>
<a id='n743' href='#n743'>743</a>
<a id='n744' href='#n744'>744</a>
<a id='n745' href='#n745'>745</a>
<a id='n746' href='#n746'>746</a>
<a id='n747' href='#n747'>747</a>
<a id='n748' href='#n748'>748</a>
<a id='n749' href='#n749'>749</a>
<a id='n750' href='#n750'>750</a>
<a id='n751' href='#n751'>751</a>
<a id='n752' href='#n752'>752</a>
<a id='n753' href='#n753'>753</a>
<a id='n754' href='#n754'>754</a>
<a id='n755' href='#n755'>755</a>
<a id='n756' href='#n756'>756</a>
<a id='n757' href='#n757'>757</a>
<a id='n758' href='#n758'>758</a>
<a id='n759' href='#n759'>759</a>
<a id='n760' href='#n760'>760</a>
<a id='n761' href='#n761'>761</a>
<a id='n762' href='#n762'>762</a>
<a id='n763' href='#n763'>763</a>
<a id='n764' href='#n764'>764</a>
<a id='n765' href='#n765'>765</a>
<a id='n766' href='#n766'>766</a>
<a id='n767' href='#n767'>767</a>
<a id='n768' href='#n768'>768</a>
<a id='n769' href='#n769'>769</a>
<a id='n770' href='#n770'>770</a>
<a id='n771' href='#n771'>771</a>
<a id='n772' href='#n772'>772</a>
<a id='n773' href='#n773'>773</a>
<a id='n774' href='#n774'>774</a>
<a id='n775' href='#n775'>775</a>
<a id='n776' href='#n776'>776</a>
<a id='n777' href='#n777'>777</a>
<a id='n778' href='#n778'>778</a>
<a id='n779' href='#n779'>779</a>
<a id='n780' href='#n780'>780</a>
<a id='n781' href='#n781'>781</a>
<a id='n782' href='#n782'>782</a>
<a id='n783' href='#n783'>783</a>
<a id='n784' href='#n784'>784</a>
<a id='n785' href='#n785'>785</a>
<a id='n786' href='#n786'>786</a>
<a id='n787' href='#n787'>787</a>
<a id='n788' href='#n788'>788</a>
<a id='n789' href='#n789'>789</a>
<a id='n790' href='#n790'>790</a>
<a id='n791' href='#n791'>791</a>
<a id='n792' href='#n792'>792</a>
<a id='n793' href='#n793'>793</a>
<a id='n794' href='#n794'>794</a>
<a id='n795' href='#n795'>795</a>
<a id='n796' href='#n796'>796</a>
<a id='n797' href='#n797'>797</a>
<a id='n798' href='#n798'>798</a>
<a id='n799' href='#n799'>799</a>
<a id='n800' href='#n800'>800</a>
<a id='n801' href='#n801'>801</a>
<a id='n802' href='#n802'>802</a>
<a id='n803' href='#n803'>803</a>
<a id='n804' href='#n804'>804</a>
<a id='n805' href='#n805'>805</a>
<a id='n806' href='#n806'>806</a>
<a id='n807' href='#n807'>807</a>
<a id='n808' href='#n808'>808</a>
<a id='n809' href='#n809'>809</a>
<a id='n810' href='#n810'>810</a>
<a id='n811' href='#n811'>811</a>
<a id='n812' href='#n812'>812</a>
<a id='n813' href='#n813'>813</a>
<a id='n814' href='#n814'>814</a>
<a id='n815' href='#n815'>815</a>
<a id='n816' href='#n816'>816</a>
<a id='n817' href='#n817'>817</a>
<a id='n818' href='#n818'>818</a>
<a id='n819' href='#n819'>819</a>
<a id='n820' href='#n820'>820</a>
<a id='n821' href='#n821'>821</a>
<a id='n822' href='#n822'>822</a>
<a id='n823' href='#n823'>823</a>
<a id='n824' href='#n824'>824</a>
<a id='n825' href='#n825'>825</a>
<a id='n826' href='#n826'>826</a>
<a id='n827' href='#n827'>827</a>
<a id='n828' href='#n828'>828</a>
<a id='n829' href='#n829'>829</a>
<a id='n830' href='#n830'>830</a>
<a id='n831' href='#n831'>831</a>
<a id='n832' href='#n832'>832</a>
<a id='n833' href='#n833'>833</a>
<a id='n834' href='#n834'>834</a>
<a id='n835' href='#n835'>835</a>
<a id='n836' href='#n836'>836</a>
<a id='n837' href='#n837'>837</a>
<a id='n838' href='#n838'>838</a>
<a id='n839' href='#n839'>839</a>
<a id='n840' href='#n840'>840</a>
<a id='n841' href='#n841'>841</a>
<a id='n842' href='#n842'>842</a>
<a id='n843' href='#n843'>843</a>
<a id='n844' href='#n844'>844</a>
<a id='n845' href='#n845'>845</a>
<a id='n846' href='#n846'>846</a>
<a id='n847' href='#n847'>847</a>
<a id='n848' href='#n848'>848</a>
<a id='n849' href='#n849'>849</a>
<a id='n850' href='#n850'>850</a>
<a id='n851' href='#n851'>851</a>
<a id='n852' href='#n852'>852</a>
<a id='n853' href='#n853'>853</a>
<a id='n854' href='#n854'>854</a>
<a id='n855' href='#n855'>855</a>
<a id='n856' href='#n856'>856</a>
<a id='n857' href='#n857'>857</a>
<a id='n858' href='#n858'>858</a>
<a id='n859' href='#n859'>859</a>
<a id='n860' href='#n860'>860</a>
<a id='n861' href='#n861'>861</a>
<a id='n862' href='#n862'>862</a>
<a id='n863' href='#n863'>863</a>
<a id='n864' href='#n864'>864</a>
<a id='n865' href='#n865'>865</a>
<a id='n866' href='#n866'>866</a>
<a id='n867' href='#n867'>867</a>
<a id='n868' href='#n868'>868</a>
<a id='n869' href='#n869'>869</a>
<a id='n870' href='#n870'>870</a>
<a id='n871' href='#n871'>871</a>
<a id='n872' href='#n872'>872</a>
<a id='n873' href='#n873'>873</a>
<a id='n874' href='#n874'>874</a>
<a id='n875' href='#n875'>875</a>
<a id='n876' href='#n876'>876</a>
<a id='n877' href='#n877'>877</a>
<a id='n878' href='#n878'>878</a>
<a id='n879' href='#n879'>879</a>
<a id='n880' href='#n880'>880</a>
<a id='n881' href='#n881'>881</a>
<a id='n882' href='#n882'>882</a>
<a id='n883' href='#n883'>883</a>
<a id='n884' href='#n884'>884</a>
<a id='n885' href='#n885'>885</a>
<a id='n886' href='#n886'>886</a>
<a id='n887' href='#n887'>887</a>
<a id='n888' href='#n888'>888</a>
<a id='n889' href='#n889'>889</a>
<a id='n890' href='#n890'>890</a>
<a id='n891' href='#n891'>891</a>
<a id='n892' href='#n892'>892</a>
<a id='n893' href='#n893'>893</a>
<a id='n894' href='#n894'>894</a>
<a id='n895' href='#n895'>895</a>
<a id='n896' href='#n896'>896</a>
<a id='n897' href='#n897'>897</a>
<a id='n898' href='#n898'>898</a>
<a id='n899' href='#n899'>899</a>
<a id='n900' href='#n900'>900</a>
<a id='n901' href='#n901'>901</a>
<a id='n902' href='#n902'>902</a>
<a id='n903' href='#n903'>903</a>
<a id='n904' href='#n904'>904</a>
<a id='n905' href='#n905'>905</a>
<a id='n906' href='#n906'>906</a>
<a id='n907' href='#n907'>907</a>
<a id='n908' href='#n908'>908</a>
<a id='n909' href='#n909'>909</a>
<a id='n910' href='#n910'>910</a>
<a id='n911' href='#n911'>911</a>
<a id='n912' href='#n912'>912</a>
<a id='n913' href='#n913'>913</a>
<a id='n914' href='#n914'>914</a>
<a id='n915' href='#n915'>915</a>
<a id='n916' href='#n916'>916</a>
<a id='n917' href='#n917'>917</a>
<a id='n918' href='#n918'>918</a>
<a id='n919' href='#n919'>919</a>
<a id='n920' href='#n920'>920</a>
<a id='n921' href='#n921'>921</a>
<a id='n922' href='#n922'>922</a>
<a id='n923' href='#n923'>923</a>
<a id='n924' href='#n924'>924</a>
<a id='n925' href='#n925'>925</a>
<a id='n926' href='#n926'>926</a>
<a id='n927' href='#n927'>927</a>
<a id='n928' href='#n928'>928</a>
<a id='n929' href='#n929'>929</a>
<a id='n930' href='#n930'>930</a>
<a id='n931' href='#n931'>931</a>
<a id='n932' href='#n932'>932</a>
<a id='n933' href='#n933'>933</a>
<a id='n934' href='#n934'>934</a>
<a id='n935' href='#n935'>935</a>
<a id='n936' href='#n936'>936</a>
<a id='n937' href='#n937'>937</a>
<a id='n938' href='#n938'>938</a>
<a id='n939' href='#n939'>939</a>
<a id='n940' href='#n940'>940</a>
<a id='n941' href='#n941'>941</a>
<a id='n942' href='#n942'>942</a>
<a id='n943' href='#n943'>943</a>
<a id='n944' href='#n944'>944</a>
<a id='n945' href='#n945'>945</a>
<a id='n946' href='#n946'>946</a>
<a id='n947' href='#n947'>947</a>
<a id='n948' href='#n948'>948</a>
<a id='n949' href='#n949'>949</a>
<a id='n950' href='#n950'>950</a>
<a id='n951' href='#n951'>951</a>
<a id='n952' href='#n952'>952</a>
<a id='n953' href='#n953'>953</a>
<a id='n954' href='#n954'>954</a>
<a id='n955' href='#n955'>955</a>
<a id='n956' href='#n956'>956</a>
<a id='n957' href='#n957'>957</a>
<a id='n958' href='#n958'>958</a>
<a id='n959' href='#n959'>959</a>
<a id='n960' href='#n960'>960</a>
<a id='n961' href='#n961'>961</a>
<a id='n962' href='#n962'>962</a>
<a id='n963' href='#n963'>963</a>
<a id='n964' href='#n964'>964</a>
<a id='n965' href='#n965'>965</a>
<a id='n966' href='#n966'>966</a>
<a id='n967' href='#n967'>967</a>
<a id='n968' href='#n968'>968</a>
<a id='n969' href='#n969'>969</a>
<a id='n970' href='#n970'>970</a>
<a id='n971' href='#n971'>971</a>
<a id='n972' href='#n972'>972</a>
<a id='n973' href='#n973'>973</a>
<a id='n974' href='#n974'>974</a>
<a id='n975' href='#n975'>975</a>
<a id='n976' href='#n976'>976</a>
<a id='n977' href='#n977'>977</a>
<a id='n978' href='#n978'>978</a>
<a id='n979' href='#n979'>979</a>
<a id='n980' href='#n980'>980</a>
<a id='n981' href='#n981'>981</a>
<a id='n982' href='#n982'>982</a>
<a id='n983' href='#n983'>983</a>
<a id='n984' href='#n984'>984</a>
<a id='n985' href='#n985'>985</a>
<a id='n986' href='#n986'>986</a>
<a id='n987' href='#n987'>987</a>
<a id='n988' href='#n988'>988</a>
<a id='n989' href='#n989'>989</a>
<a id='n990' href='#n990'>990</a>
<a id='n991' href='#n991'>991</a>
<a id='n992' href='#n992'>992</a>
<a id='n993' href='#n993'>993</a>
<a id='n994' href='#n994'>994</a>
<a id='n995' href='#n995'>995</a>
<a id='n996' href='#n996'>996</a>
<a id='n997' href='#n997'>997</a>
<a id='n998' href='#n998'>998</a>
<a id='n999' href='#n999'>999</a>
<a id='n1000' href='#n1000'>1000</a>
<a id='n1001' href='#n1001'>1001</a>
<a id='n1002' href='#n1002'>1002</a>
<a id='n1003' href='#n1003'>1003</a>
<a id='n1004' href='#n1004'>1004</a>
<a id='n1005' href='#n1005'>1005</a>
<a id='n1006' href='#n1006'>1006</a>
<a id='n1007' href='#n1007'>1007</a>
<a id='n1008' href='#n1008'>1008</a>
<a id='n1009' href='#n1009'>1009</a>
<a id='n1010' href='#n1010'>1010</a>
<a id='n1011' href='#n1011'>1011</a>
<a id='n1012' href='#n1012'>1012</a>
<a id='n1013' href='#n1013'>1013</a>
<a id='n1014' href='#n1014'>1014</a>
<a id='n1015' href='#n1015'>1015</a>
<a id='n1016' href='#n1016'>1016</a>
<a id='n1017' href='#n1017'>1017</a>
<a id='n1018' href='#n1018'>1018</a>
<a id='n1019' href='#n1019'>1019</a>
<a id='n1020' href='#n1020'>1020</a>
<a id='n1021' href='#n1021'>1021</a>
<a id='n1022' href='#n1022'>1022</a>
<a id='n1023' href='#n1023'>1023</a>
<a id='n1024' href='#n1024'>1024</a>
<a id='n1025' href='#n1025'>1025</a>
<a id='n1026' href='#n1026'>1026</a>
<a id='n1027' href='#n1027'>1027</a>
<a id='n1028' href='#n1028'>1028</a>
<a id='n1029' href='#n1029'>1029</a>
<a id='n1030' href='#n1030'>1030</a>
<a id='n1031' href='#n1031'>1031</a>
<a id='n1032' href='#n1032'>1032</a>
<a id='n1033' href='#n1033'>1033</a>
<a id='n1034' href='#n1034'>1034</a>
<a id='n1035' href='#n1035'>1035</a>
<a id='n1036' href='#n1036'>1036</a>
<a id='n1037' href='#n1037'>1037</a>
<a id='n1038' href='#n1038'>1038</a>
<a id='n1039' href='#n1039'>1039</a>
<a id='n1040' href='#n1040'>1040</a>
<a id='n1041' href='#n1041'>1041</a>
<a id='n1042' href='#n1042'>1042</a>
<a id='n1043' href='#n1043'>1043</a>
<a id='n1044' href='#n1044'>1044</a>
<a id='n1045' href='#n1045'>1045</a>
<a id='n1046' href='#n1046'>1046</a>
<a id='n1047' href='#n1047'>1047</a>
<a id='n1048' href='#n1048'>1048</a>
<a id='n1049' href='#n1049'>1049</a>
<a id='n1050' href='#n1050'>1050</a>
<a id='n1051' href='#n1051'>1051</a>
<a id='n1052' href='#n1052'>1052</a>
<a id='n1053' href='#n1053'>1053</a>
<a id='n1054' href='#n1054'>1054</a>
<a id='n1055' href='#n1055'>1055</a>
<a id='n1056' href='#n1056'>1056</a>
<a id='n1057' href='#n1057'>1057</a>
<a id='n1058' href='#n1058'>1058</a>
<a id='n1059' href='#n1059'>1059</a>
<a id='n1060' href='#n1060'>1060</a>
<a id='n1061' href='#n1061'>1061</a>
<a id='n1062' href='#n1062'>1062</a>
<a id='n1063' href='#n1063'>1063</a>
<a id='n1064' href='#n1064'>1064</a>
<a id='n1065' href='#n1065'>1065</a>
<a id='n1066' href='#n1066'>1066</a>
<a id='n1067' href='#n1067'>1067</a>
<a id='n1068' href='#n1068'>1068</a>
<a id='n1069' href='#n1069'>1069</a>
<a id='n1070' href='#n1070'>1070</a>
<a id='n1071' href='#n1071'>1071</a>
<a id='n1072' href='#n1072'>1072</a>
<a id='n1073' href='#n1073'>1073</a>
<a id='n1074' href='#n1074'>1074</a>
<a id='n1075' href='#n1075'>1075</a>
<a id='n1076' href='#n1076'>1076</a>
<a id='n1077' href='#n1077'>1077</a>
<a id='n1078' href='#n1078'>1078</a>
<a id='n1079' href='#n1079'>1079</a>
<a id='n1080' href='#n1080'>1080</a>
<a id='n1081' href='#n1081'>1081</a>
<a id='n1082' href='#n1082'>1082</a>
<a id='n1083' href='#n1083'>1083</a>
<a id='n1084' href='#n1084'>1084</a>
<a id='n1085' href='#n1085'>1085</a>
<a id='n1086' href='#n1086'>1086</a>
<a id='n1087' href='#n1087'>1087</a>
<a id='n1088' href='#n1088'>1088</a>
<a id='n1089' href='#n1089'>1089</a>
<a id='n1090' href='#n1090'>1090</a>
<a id='n1091' href='#n1091'>1091</a>
<a id='n1092' href='#n1092'>1092</a>
<a id='n1093' href='#n1093'>1093</a>
<a id='n1094' href='#n1094'>1094</a>
<a id='n1095' href='#n1095'>1095</a>
<a id='n1096' href='#n1096'>1096</a>
<a id='n1097' href='#n1097'>1097</a>
<a id='n1098' href='#n1098'>1098</a>
<a id='n1099' href='#n1099'>1099</a>
<a id='n1100' href='#n1100'>1100</a>
<a id='n1101' href='#n1101'>1101</a>
<a id='n1102' href='#n1102'>1102</a>
<a id='n1103' href='#n1103'>1103</a>
<a id='n1104' href='#n1104'>1104</a>
<a id='n1105' href='#n1105'>1105</a>
<a id='n1106' href='#n1106'>1106</a>
<a id='n1107' href='#n1107'>1107</a>
<a id='n1108' href='#n1108'>1108</a>
<a id='n1109' href='#n1109'>1109</a>
<a id='n1110' href='#n1110'>1110</a>
<a id='n1111' href='#n1111'>1111</a>
<a id='n1112' href='#n1112'>1112</a>
<a id='n1113' href='#n1113'>1113</a>
<a id='n1114' href='#n1114'>1114</a>
<a id='n1115' href='#n1115'>1115</a>
<a id='n1116' href='#n1116'>1116</a>
<a id='n1117' href='#n1117'>1117</a>
<a id='n1118' href='#n1118'>1118</a>
<a id='n1119' href='#n1119'>1119</a>
<a id='n1120' href='#n1120'>1120</a>
<a id='n1121' href='#n1121'>1121</a>
<a id='n1122' href='#n1122'>1122</a>
<a id='n1123' href='#n1123'>1123</a>
<a id='n1124' href='#n1124'>1124</a>
<a id='n1125' href='#n1125'>1125</a>
<a id='n1126' href='#n1126'>1126</a>
<a id='n1127' href='#n1127'>1127</a>
<a id='n1128' href='#n1128'>1128</a>
<a id='n1129' href='#n1129'>1129</a>
<a id='n1130' href='#n1130'>1130</a>
<a id='n1131' href='#n1131'>1131</a>
<a id='n1132' href='#n1132'>1132</a>
<a id='n1133' href='#n1133'>1133</a>
<a id='n1134' href='#n1134'>1134</a>
<a id='n1135' href='#n1135'>1135</a>
<a id='n1136' href='#n1136'>1136</a>
<a id='n1137' href='#n1137'>1137</a>
<a id='n1138' href='#n1138'>1138</a>
<a id='n1139' href='#n1139'>1139</a>
<a id='n1140' href='#n1140'>1140</a>
<a id='n1141' href='#n1141'>1141</a>
<a id='n1142' href='#n1142'>1142</a>
<a id='n1143' href='#n1143'>1143</a>
<a id='n1144' href='#n1144'>1144</a>
<a id='n1145' href='#n1145'>1145</a>
<a id='n1146' href='#n1146'>1146</a>
<a id='n1147' href='#n1147'>1147</a>
<a id='n1148' href='#n1148'>1148</a>
<a id='n1149' href='#n1149'>1149</a>
<a id='n1150' href='#n1150'>1150</a>
<a id='n1151' href='#n1151'>1151</a>
<a id='n1152' href='#n1152'>1152</a>
<a id='n1153' href='#n1153'>1153</a>
<a id='n1154' href='#n1154'>1154</a>
<a id='n1155' href='#n1155'>1155</a>
<a id='n1156' href='#n1156'>1156</a>
<a id='n1157' href='#n1157'>1157</a>
<a id='n1158' href='#n1158'>1158</a>
<a id='n1159' href='#n1159'>1159</a>
<a id='n1160' href='#n1160'>1160</a>
<a id='n1161' href='#n1161'>1161</a>
<a id='n1162' href='#n1162'>1162</a>
<a id='n1163' href='#n1163'>1163</a>
<a id='n1164' href='#n1164'>1164</a>
<a id='n1165' href='#n1165'>1165</a>
<a id='n1166' href='#n1166'>1166</a>
<a id='n1167' href='#n1167'>1167</a>
<a id='n1168' href='#n1168'>1168</a>
<a id='n1169' href='#n1169'>1169</a>
<a id='n1170' href='#n1170'>1170</a>
<a id='n1171' href='#n1171'>1171</a>
<a id='n1172' href='#n1172'>1172</a>
<a id='n1173' href='#n1173'>1173</a>
<a id='n1174' href='#n1174'>1174</a>
<a id='n1175' href='#n1175'>1175</a>
<a id='n1176' href='#n1176'>1176</a>
<a id='n1177' href='#n1177'>1177</a>
<a id='n1178' href='#n1178'>1178</a>
<a id='n1179' href='#n1179'>1179</a>
<a id='n1180' href='#n1180'>1180</a>
<a id='n1181' href='#n1181'>1181</a>
<a id='n1182' href='#n1182'>1182</a>
<a id='n1183' href='#n1183'>1183</a>
<a id='n1184' href='#n1184'>1184</a>
<a id='n1185' href='#n1185'>1185</a>
<a id='n1186' href='#n1186'>1186</a>
<a id='n1187' href='#n1187'>1187</a>
<a id='n1188' href='#n1188'>1188</a>
<a id='n1189' href='#n1189'>1189</a>
<a id='n1190' href='#n1190'>1190</a>
<a id='n1191' href='#n1191'>1191</a>
<a id='n1192' href='#n1192'>1192</a>
<a id='n1193' href='#n1193'>1193</a>
<a id='n1194' href='#n1194'>1194</a>
<a id='n1195' href='#n1195'>1195</a>
<a id='n1196' href='#n1196'>1196</a>
<a id='n1197' href='#n1197'>1197</a>
<a id='n1198' href='#n1198'>1198</a>
<a id='n1199' href='#n1199'>1199</a>
<a id='n1200' href='#n1200'>1200</a>
<a id='n1201' href='#n1201'>1201</a>
<a id='n1202' href='#n1202'>1202</a>
<a id='n1203' href='#n1203'>1203</a>
<a id='n1204' href='#n1204'>1204</a>
<a id='n1205' href='#n1205'>1205</a>
<a id='n1206' href='#n1206'>1206</a>
<a id='n1207' href='#n1207'>1207</a>
<a id='n1208' href='#n1208'>1208</a>
<a id='n1209' href='#n1209'>1209</a>
<a id='n1210' href='#n1210'>1210</a>
<a id='n1211' href='#n1211'>1211</a>
<a id='n1212' href='#n1212'>1212</a>
<a id='n1213' href='#n1213'>1213</a>
<a id='n1214' href='#n1214'>1214</a>
<a id='n1215' href='#n1215'>1215</a>
<a id='n1216' href='#n1216'>1216</a>
<a id='n1217' href='#n1217'>1217</a>
<a id='n1218' href='#n1218'>1218</a>
<a id='n1219' href='#n1219'>1219</a>
<a id='n1220' href='#n1220'>1220</a>
<a id='n1221' href='#n1221'>1221</a>
<a id='n1222' href='#n1222'>1222</a>
<a id='n1223' href='#n1223'>1223</a>
<a id='n1224' href='#n1224'>1224</a>
<a id='n1225' href='#n1225'>1225</a>
<a id='n1226' href='#n1226'>1226</a>
<a id='n1227' href='#n1227'>1227</a>
<a id='n1228' href='#n1228'>1228</a>
<a id='n1229' href='#n1229'>1229</a>
<a id='n1230' href='#n1230'>1230</a>
<a id='n1231' href='#n1231'>1231</a>
<a id='n1232' href='#n1232'>1232</a>
<a id='n1233' href='#n1233'>1233</a>
<a id='n1234' href='#n1234'>1234</a>
<a id='n1235' href='#n1235'>1235</a>
<a id='n1236' href='#n1236'>1236</a>
<a id='n1237' href='#n1237'>1237</a>
<a id='n1238' href='#n1238'>1238</a>
<a id='n1239' href='#n1239'>1239</a>
<a id='n1240' href='#n1240'>1240</a>
<a id='n1241' href='#n1241'>1241</a>
<a id='n1242' href='#n1242'>1242</a>
<a id='n1243' href='#n1243'>1243</a>
<a id='n1244' href='#n1244'>1244</a>
<a id='n1245' href='#n1245'>1245</a>
<a id='n1246' href='#n1246'>1246</a>
<a id='n1247' href='#n1247'>1247</a>
<a id='n1248' href='#n1248'>1248</a>
<a id='n1249' href='#n1249'>1249</a>
<a id='n1250' href='#n1250'>1250</a>
<a id='n1251' href='#n1251'>1251</a>
<a id='n1252' href='#n1252'>1252</a>
<a id='n1253' href='#n1253'>1253</a>
<a id='n1254' href='#n1254'>1254</a>
<a id='n1255' href='#n1255'>1255</a>
<a id='n1256' href='#n1256'>1256</a>
<a id='n1257' href='#n1257'>1257</a>
<a id='n1258' href='#n1258'>1258</a>
<a id='n1259' href='#n1259'>1259</a>
<a id='n1260' href='#n1260'>1260</a>
<a id='n1261' href='#n1261'>1261</a>
<a id='n1262' href='#n1262'>1262</a>
<a id='n1263' href='#n1263'>1263</a>
<a id='n1264' href='#n1264'>1264</a>
<a id='n1265' href='#n1265'>1265</a>
<a id='n1266' href='#n1266'>1266</a>
<a id='n1267' href='#n1267'>1267</a>
<a id='n1268' href='#n1268'>1268</a>
<a id='n1269' href='#n1269'>1269</a>
<a id='n1270' href='#n1270'>1270</a>
<a id='n1271' href='#n1271'>1271</a>
<a id='n1272' href='#n1272'>1272</a>
<a id='n1273' href='#n1273'>1273</a>
<a id='n1274' href='#n1274'>1274</a>
<a id='n1275' href='#n1275'>1275</a>
<a id='n1276' href='#n1276'>1276</a>
<a id='n1277' href='#n1277'>1277</a>
<a id='n1278' href='#n1278'>1278</a>
<a id='n1279' href='#n1279'>1279</a>
<a id='n1280' href='#n1280'>1280</a>
<a id='n1281' href='#n1281'>1281</a>
<a id='n1282' href='#n1282'>1282</a>
<a id='n1283' href='#n1283'>1283</a>
<a id='n1284' href='#n1284'>1284</a>
<a id='n1285' href='#n1285'>1285</a>
<a id='n1286' href='#n1286'>1286</a>
<a id='n1287' href='#n1287'>1287</a>
<a id='n1288' href='#n1288'>1288</a>
<a id='n1289' href='#n1289'>1289</a>
<a id='n1290' href='#n1290'>1290</a>
<a id='n1291' href='#n1291'>1291</a>
<a id='n1292' href='#n1292'>1292</a>
<a id='n1293' href='#n1293'>1293</a>
<a id='n1294' href='#n1294'>1294</a>
<a id='n1295' href='#n1295'>1295</a>
<a id='n1296' href='#n1296'>1296</a>
<a id='n1297' href='#n1297'>1297</a>
<a id='n1298' href='#n1298'>1298</a>
<a id='n1299' href='#n1299'>1299</a>
<a id='n1300' href='#n1300'>1300</a>
<a id='n1301' href='#n1301'>1301</a>
<a id='n1302' href='#n1302'>1302</a>
<a id='n1303' href='#n1303'>1303</a>
<a id='n1304' href='#n1304'>1304</a>
<a id='n1305' href='#n1305'>1305</a>
<a id='n1306' href='#n1306'>1306</a>
<a id='n1307' href='#n1307'>1307</a>
<a id='n1308' href='#n1308'>1308</a>
<a id='n1309' href='#n1309'>1309</a>
<a id='n1310' href='#n1310'>1310</a>
<a id='n1311' href='#n1311'>1311</a>
<a id='n1312' href='#n1312'>1312</a>
<a id='n1313' href='#n1313'>1313</a>
<a id='n1314' href='#n1314'>1314</a>
<a id='n1315' href='#n1315'>1315</a>
<a id='n1316' href='#n1316'>1316</a>
<a id='n1317' href='#n1317'>1317</a>
<a id='n1318' href='#n1318'>1318</a>
<a id='n1319' href='#n1319'>1319</a>
<a id='n1320' href='#n1320'>1320</a>
<a id='n1321' href='#n1321'>1321</a>
<a id='n1322' href='#n1322'>1322</a>
<a id='n1323' href='#n1323'>1323</a>
<a id='n1324' href='#n1324'>1324</a>
<a id='n1325' href='#n1325'>1325</a>
<a id='n1326' href='#n1326'>1326</a>
<a id='n1327' href='#n1327'>1327</a>
<a id='n1328' href='#n1328'>1328</a>
<a id='n1329' href='#n1329'>1329</a>
<a id='n1330' href='#n1330'>1330</a>
<a id='n1331' href='#n1331'>1331</a>
<a id='n1332' href='#n1332'>1332</a>
<a id='n1333' href='#n1333'>1333</a>
<a id='n1334' href='#n1334'>1334</a>
<a id='n1335' href='#n1335'>1335</a>
<a id='n1336' href='#n1336'>1336</a>
<a id='n1337' href='#n1337'>1337</a>
<a id='n1338' href='#n1338'>1338</a>
<a id='n1339' href='#n1339'>1339</a>
</pre></td>
<td class='lines'><pre><code><style>pre { line-height: 125%; }
td.linenos .normal { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; }
span.linenos { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; }
.highlight .hll { background-color: #ffffcc }
.highlight .c { color: #888888 } /* Comment */
.highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */
.highlight .k { color: #008800; font-weight: bold } /* Keyword */
.highlight .ch { color: #888888 } /* Comment.Hashbang */
.highlight .cm { color: #888888 } /* Comment.Multiline */
.highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */
.highlight .cpf { color: #888888 } /* Comment.PreprocFile */
.highlight .c1 { color: #888888 } /* Comment.Single */
.highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */
.highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
.highlight .ge { font-style: italic } /* Generic.Emph */
.highlight .ges { font-weight: bold; font-style: italic } /* Generic.EmphStrong */
.highlight .gr { color: #aa0000 } /* Generic.Error */
.highlight .gh { color: #333333 } /* Generic.Heading */
.highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
.highlight .go { color: #888888 } /* Generic.Output */
.highlight .gp { color: #555555 } /* Generic.Prompt */
.highlight .gs { font-weight: bold } /* Generic.Strong */
.highlight .gu { color: #666666 } /* Generic.Subheading */
.highlight .gt { color: #aa0000 } /* Generic.Traceback */
.highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */
.highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */
.highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */
.highlight .kp { color: #008800 } /* Keyword.Pseudo */
.highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */
.highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */
.highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */
.highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */
.highlight .na { color: #336699 } /* Name.Attribute */
.highlight .nb { color: #003388 } /* Name.Builtin */
.highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */
.highlight .no { color: #003366; font-weight: bold } /* Name.Constant */
.highlight .nd { color: #555555 } /* Name.Decorator */
.highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */
.highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */
.highlight .nl { color: #336699; font-style: italic } /* Name.Label */
.highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */
.highlight .py { color: #336699; font-weight: bold } /* Name.Property */
.highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */
.highlight .nv { color: #336699 } /* Name.Variable */
.highlight .ow { color: #008800 } /* Operator.Word */
.highlight .w { color: #bbbbbb } /* Text.Whitespace */
.highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */
.highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */
.highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */
.highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */
.highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */
.highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */
.highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */
.highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */
.highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */
.highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */
.highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */
.highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */
.highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */
.highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */
.highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */
.highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */
.highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */
.highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */
.highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */
.highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */
.highlight .vc { color: #336699 } /* Name.Variable.Class */
.highlight .vg { color: #dd7700 } /* Name.Variable.Global */
.highlight .vi { color: #3333bb } /* Name.Variable.Instance */
.highlight .vm { color: #336699 } /* Name.Variable.Magic */
.highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */</style><div class="highlight"><pre><span></span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">Global context for rpkid.</span>

<span class="sd">$Id$</span>

<span class="sd">Copyright (C) 2009  Internet Systems Consortium (&quot;ISC&quot;)</span>

<span class="sd">Permission to use, copy, modify, and distribute this software for any</span>
<span class="sd">purpose with or without fee is hereby granted, provided that the above</span>
<span class="sd">copyright notice and this permission notice appear in all copies.</span>

<span class="sd">THE SOFTWARE IS PROVIDED &quot;AS IS&quot; AND ISC DISCLAIMS ALL WARRANTIES WITH</span>
<span class="sd">REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY</span>
<span class="sd">AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,</span>
<span class="sd">INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM</span>
<span class="sd">LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE</span>
<span class="sd">OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR</span>
<span class="sd">PERFORMANCE OF THIS SOFTWARE.</span>

<span class="sd">Portions copyright (C) 2007--2008  American Registry for Internet Numbers (&quot;ARIN&quot;)</span>

<span class="sd">Permission to use, copy, modify, and distribute this software for any</span>
<span class="sd">purpose with or without fee is hereby granted, provided that the above</span>
<span class="sd">copyright notice and this permission notice appear in all copies.</span>

<span class="sd">THE SOFTWARE IS PROVIDED &quot;AS IS&quot; AND ARIN DISCLAIMS ALL WARRANTIES WITH</span>
<span class="sd">REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY</span>
<span class="sd">AND FITNESS.  IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,</span>
<span class="sd">INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM</span>
<span class="sd">LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE</span>
<span class="sd">OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR</span>
<span class="sd">PERFORMANCE OF THIS SOFTWARE.</span>
<span class="sd">&quot;&quot;&quot;</span>

<span class="kn">import</span> <span class="nn">lxml.etree</span><span class="o">,</span> <span class="nn">re</span><span class="o">,</span> <span class="nn">random</span>
<span class="kn">import</span> <span class="nn">rpki.resource_set</span><span class="o">,</span> <span class="nn">rpki.up_down</span><span class="o">,</span> <span class="nn">rpki.left_right</span><span class="o">,</span> <span class="nn">rpki.x509</span><span class="o">,</span> <span class="nn">rpki.sql</span>
<span class="kn">import</span> <span class="nn">rpki.https</span><span class="o">,</span> <span class="nn">rpki.config</span><span class="o">,</span> <span class="nn">rpki.exceptions</span><span class="o">,</span> <span class="nn">rpki.relaxng</span><span class="o">,</span> <span class="nn">rpki.log</span><span class="o">,</span> <span class="nn">rpki.async</span>

<span class="k">class</span> <span class="nc">rpkid_context</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span>
<span class="w">  </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">  A container for various global rpkid parameters.</span>
<span class="sd">  &quot;&quot;&quot;</span>

  <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">cfg</span><span class="p">):</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">sql</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">session</span><span class="p">(</span><span class="n">cfg</span><span class="p">)</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">bpki_ta</span>    <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">X509</span><span class="p">(</span><span class="n">Auto_file</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;bpki-ta&quot;</span><span class="p">))</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">irdb_cert</span>  <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">X509</span><span class="p">(</span><span class="n">Auto_file</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;irdb-cert&quot;</span><span class="p">))</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">irbe_cert</span>  <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">X509</span><span class="p">(</span><span class="n">Auto_file</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;irbe-cert&quot;</span><span class="p">))</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">rpkid_cert</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">X509</span><span class="p">(</span><span class="n">Auto_file</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;rpkid-cert&quot;</span><span class="p">))</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">rpkid_key</span>  <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">RSA</span><span class="p">(</span> <span class="n">Auto_file</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;rpkid-key&quot;</span><span class="p">))</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">irdb_url</span>   <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;irdb-url&quot;</span><span class="p">)</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">https_server_host</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;server-host&quot;</span><span class="p">,</span> <span class="s2">&quot;&quot;</span><span class="p">)</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">https_server_port</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">getint</span><span class="p">(</span><span class="s2">&quot;server-port&quot;</span><span class="p">,</span> <span class="mi">4433</span><span class="p">)</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">publication_kludge_base</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&quot;publication-kludge-base&quot;</span><span class="p">,</span> <span class="s2">&quot;publication/&quot;</span><span class="p">)</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">use_internal_cron</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">getboolean</span><span class="p">(</span><span class="s2">&quot;use-internal-cron&quot;</span><span class="p">,</span> <span class="kc">True</span><span class="p">)</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">initial_delay</span> <span class="o">=</span> <span class="n">random</span><span class="o">.</span><span class="n">randint</span><span class="p">(</span><span class="n">cfg</span><span class="o">.</span><span class="n">getint</span><span class="p">(</span><span class="s2">&quot;initial-delay-min&quot;</span><span class="p">,</span> <span class="mi">10</span><span class="p">),</span>
                                        <span class="n">cfg</span><span class="o">.</span><span class="n">getint</span><span class="p">(</span><span class="s2">&quot;initial-delay-max&quot;</span><span class="p">,</span> <span class="mi">120</span><span class="p">))</span>
    
    <span class="bp">self</span><span class="o">.</span><span class="n">cron_period</span> <span class="o">=</span> <span class="n">cfg</span><span class="o">.</span><span class="n">getint</span><span class="p">(</span><span class="s2">&quot;cron-period&quot;</span><span class="p">,</span> <span class="mi">120</span><span class="p">)</span> <span class="c1"># Should be much longer in production</span>

  <span class="k">def</span> <span class="nf">start_cron</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Start clock for rpkid&#39;s internal cron process.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">use_internal_cron</span><span class="p">:</span>
      <span class="n">when</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">now</span><span class="p">()</span> <span class="o">+</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">seconds</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">initial_delay</span><span class="p">)</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Scheduling initial cron pass at </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">when</span><span class="p">)</span>
      <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">timer</span><span class="p">(</span><span class="n">handler</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cron</span><span class="p">)</span><span class="o">.</span><span class="n">set</span><span class="p">(</span><span class="n">when</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Not using internal clock, start_cron() call ignored&quot;</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">irdb_query</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">q_pdu</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Perform an IRDB callback query.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">trace</span><span class="p">()</span>

    <span class="n">q_msg</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">msg</span><span class="o">.</span><span class="n">query</span><span class="p">()</span>
    <span class="n">q_msg</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">q_pdu</span><span class="p">)</span>
    <span class="n">q_cms</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">cms_msg</span><span class="o">.</span><span class="n">wrap</span><span class="p">(</span><span class="n">q_msg</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">rpkid_key</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">rpkid_cert</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">unwrap</span><span class="p">(</span><span class="n">der</span><span class="p">):</span>
      <span class="n">r_msg</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">cms_msg</span><span class="o">.</span><span class="n">unwrap</span><span class="p">(</span><span class="n">der</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">bpki_ta</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">irdb_cert</span><span class="p">))</span>
      <span class="k">if</span> <span class="ow">not</span> <span class="n">r_msg</span><span class="o">.</span><span class="n">is_reply</span><span class="p">()</span> <span class="ow">or</span> <span class="p">[</span><span class="n">r_pdu</span> <span class="k">for</span> <span class="n">r_pdu</span> <span class="ow">in</span> <span class="n">r_msg</span> <span class="k">if</span> <span class="nb">type</span><span class="p">(</span><span class="n">r_pdu</span><span class="p">)</span> <span class="ow">is</span> <span class="ow">not</span> <span class="nb">type</span><span class="p">(</span><span class="n">q_pdu</span><span class="p">)]:</span>
        <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">BadIRDBReply</span><span class="p">,</span> <span class="s2">&quot;Unexpected response to IRDB query: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">lxml</span><span class="o">.</span><span class="n">etree</span><span class="o">.</span><span class="n">tostring</span><span class="p">(</span><span class="n">r_msg</span><span class="o">.</span><span class="n">toXML</span><span class="p">(),</span> <span class="n">pretty_print</span> <span class="o">=</span> <span class="kc">True</span><span class="p">,</span> <span class="n">encoding</span> <span class="o">=</span> <span class="s2">&quot;us-ascii&quot;</span><span class="p">)</span>
      <span class="n">callback</span><span class="p">(</span><span class="n">r_msg</span><span class="p">)</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">https</span><span class="o">.</span><span class="n">client</span><span class="p">(</span>
      <span class="n">server_ta</span>    <span class="o">=</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">bpki_ta</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">irdb_cert</span><span class="p">),</span>
      <span class="n">client_key</span>   <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">rpkid_key</span><span class="p">,</span>
      <span class="n">client_cert</span>  <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">rpkid_cert</span><span class="p">,</span>
      <span class="n">url</span>          <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">irdb_url</span><span class="p">,</span>
      <span class="n">msg</span>          <span class="o">=</span> <span class="n">q_cms</span><span class="p">,</span>
      <span class="n">callback</span>     <span class="o">=</span> <span class="n">unwrap</span><span class="p">,</span>
      <span class="n">errback</span>      <span class="o">=</span> <span class="n">errback</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">irdb_query_child_resources</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">self_handle</span><span class="p">,</span> <span class="n">child_handle</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Ask IRDB about a child&#39;s resources.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">trace</span><span class="p">()</span>

    <span class="n">q_pdu</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">list_resources_elt</span><span class="p">()</span>
    <span class="n">q_pdu</span><span class="o">.</span><span class="n">self_handle</span> <span class="o">=</span> <span class="n">self_handle</span>
    <span class="n">q_pdu</span><span class="o">.</span><span class="n">child_handle</span> <span class="o">=</span> <span class="n">child_handle</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">(</span><span class="n">r_msg</span><span class="p">):</span>
      <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">r_msg</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span><span class="p">:</span>
        <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">BadIRDBReply</span><span class="p">,</span> <span class="s2">&quot;Expected exactly one PDU from IRDB: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">lxml</span><span class="o">.</span><span class="n">etree</span><span class="o">.</span><span class="n">tostring</span><span class="p">(</span><span class="n">r_msg</span><span class="o">.</span><span class="n">toXML</span><span class="p">(),</span> <span class="n">pretty_print</span> <span class="o">=</span> <span class="kc">True</span><span class="p">,</span> <span class="n">encoding</span> <span class="o">=</span> <span class="s2">&quot;us-ascii&quot;</span><span class="p">)</span>
      <span class="n">callback</span><span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_bag</span><span class="p">(</span>
        <span class="n">asn</span>         <span class="o">=</span> <span class="n">r_msg</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">asn</span><span class="p">,</span>
        <span class="n">v4</span>          <span class="o">=</span> <span class="n">r_msg</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">ipv4</span><span class="p">,</span>
        <span class="n">v6</span>          <span class="o">=</span> <span class="n">r_msg</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">ipv6</span><span class="p">,</span>
        <span class="n">valid_until</span> <span class="o">=</span> <span class="n">r_msg</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">valid_until</span><span class="p">))</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">irdb_query</span><span class="p">(</span><span class="n">q_pdu</span><span class="p">,</span> <span class="n">done</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">irdb_query_roa_requests</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">self_handle</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Ask IRDB about self&#39;s ROA requests.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">trace</span><span class="p">()</span>

    <span class="n">q_pdu</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">list_roa_requests_elt</span><span class="p">()</span>
    <span class="n">q_pdu</span><span class="o">.</span><span class="n">self_handle</span> <span class="o">=</span> <span class="n">self_handle</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">irdb_query</span><span class="p">(</span><span class="n">q_pdu</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">left_right_handler</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">query</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">cb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Process one left-right PDU.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">trace</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">(</span><span class="n">r_msg</span><span class="p">):</span>
      <span class="n">reply</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">cms_msg</span><span class="o">.</span><span class="n">wrap</span><span class="p">(</span><span class="n">r_msg</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">rpkid_key</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">rpkid_cert</span><span class="p">)</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sweep</span><span class="p">()</span>
      <span class="n">cb</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="n">reply</span><span class="p">)</span>

    <span class="k">try</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">ping</span><span class="p">()</span>
      <span class="n">q_msg</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">cms_msg</span><span class="o">.</span><span class="n">unwrap</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">bpki_ta</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">irbe_cert</span><span class="p">))</span>
      <span class="k">if</span> <span class="ow">not</span> <span class="n">q_msg</span><span class="o">.</span><span class="n">is_query</span><span class="p">():</span>
        <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">BadQuery</span><span class="p">,</span> <span class="s2">&quot;Message type is not query&quot;</span>
      <span class="n">q_msg</span><span class="o">.</span><span class="n">serve_top_level</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">done</span><span class="p">)</span>
    <span class="k">except</span> <span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">ExitNow</span><span class="p">,</span> <span class="ne">SystemExit</span><span class="p">):</span>
      <span class="k">raise</span>
    <span class="k">except</span> <span class="ne">Exception</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">traceback</span><span class="p">()</span>
      <span class="n">cb</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="s2">&quot;Unhandled exception </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">data</span><span class="p">)</span>

  <span class="n">up_down_url_regexp</span> <span class="o">=</span> <span class="n">re</span><span class="o">.</span><span class="n">compile</span><span class="p">(</span><span class="s2">&quot;/up-down/([-A-Z0-9_]+)/([-A-Z0-9_]+)$&quot;</span><span class="p">,</span> <span class="n">re</span><span class="o">.</span><span class="n">I</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">up_down_handler</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">query</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">cb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Process one up-down PDU.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">trace</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">(</span><span class="n">reply</span><span class="p">):</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sweep</span><span class="p">()</span>
      <span class="n">cb</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="n">reply</span><span class="p">)</span>

    <span class="k">try</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">ping</span><span class="p">()</span>
      <span class="n">match</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">up_down_url_regexp</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="n">path</span><span class="p">)</span>
      <span class="k">if</span> <span class="n">match</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
        <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">BadContactURL</span><span class="p">,</span> <span class="s2">&quot;Bad path: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">path</span>
      <span class="n">self_handle</span><span class="p">,</span> <span class="n">child_handle</span> <span class="o">=</span> <span class="n">match</span><span class="o">.</span><span class="n">groups</span><span class="p">()</span>
      <span class="n">child</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">child_elt</span><span class="o">.</span><span class="n">sql_fetch_where1</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="s2">&quot;self.self_handle = </span><span class="si">%s</span><span class="s2"> AND child.child_handle = </span><span class="si">%s</span><span class="s2"> AND child.self_id = self.self_id&quot;</span><span class="p">,</span>
                                                         <span class="p">(</span><span class="n">self_handle</span><span class="p">,</span> <span class="n">child_handle</span><span class="p">),</span> <span class="s2">&quot;self&quot;</span><span class="p">)</span>
      <span class="k">if</span> <span class="n">child</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
        <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">ChildNotFound</span><span class="p">,</span> <span class="s2">&quot;Could not find child </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">child_handle</span>
      <span class="n">child</span><span class="o">.</span><span class="n">serve_up_down</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="n">done</span><span class="p">)</span>
    <span class="k">except</span> <span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">ExitNow</span><span class="p">,</span> <span class="ne">SystemExit</span><span class="p">):</span>
      <span class="k">raise</span>
    <span class="k">except</span> <span class="ne">Exception</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">traceback</span><span class="p">()</span>
      <span class="n">cb</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="s2">&quot;Could not process PDU: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">data</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">cron</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">cb</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Periodic tasks.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">trace</span><span class="p">()</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">ping</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">loop</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">s</span><span class="p">):</span>

      <span class="k">def</span> <span class="nf">one</span><span class="p">():</span>
        <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Self </span><span class="si">%s</span><span class="s2">[</span><span class="si">%d</span><span class="s2">] polling parents&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">self_handle</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">self_id</span><span class="p">))</span>
        <span class="n">s</span><span class="o">.</span><span class="n">client_poll</span><span class="p">(</span><span class="n">two</span><span class="p">)</span>

      <span class="k">def</span> <span class="nf">two</span><span class="p">():</span>
        <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Self </span><span class="si">%s</span><span class="s2">[</span><span class="si">%d</span><span class="s2">] updating children&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">self_handle</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">self_id</span><span class="p">))</span>
        <span class="n">s</span><span class="o">.</span><span class="n">update_children</span><span class="p">(</span><span class="n">three</span><span class="p">)</span>

      <span class="k">def</span> <span class="nf">three</span><span class="p">():</span>
        <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Self </span><span class="si">%s</span><span class="s2">[</span><span class="si">%d</span><span class="s2">] updating ROAs&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">self_handle</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">self_id</span><span class="p">))</span>
        <span class="n">s</span><span class="o">.</span><span class="n">update_roas</span><span class="p">(</span><span class="n">four</span><span class="p">)</span>

      <span class="k">def</span> <span class="nf">four</span><span class="p">():</span>
        <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Self </span><span class="si">%s</span><span class="s2">[</span><span class="si">%d</span><span class="s2">] regenerating CRLs and manifests&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">self_handle</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">self_id</span><span class="p">))</span>
        <span class="n">s</span><span class="o">.</span><span class="n">regenerate_crls_and_manifests</span><span class="p">(</span><span class="n">iterator</span><span class="p">)</span>

      <span class="n">one</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">sched</span><span class="p">():</span>
      <span class="n">when</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">now</span><span class="p">()</span> <span class="o">+</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">seconds</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cron_period</span><span class="p">)</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Scheduling next cron run at </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">when</span><span class="p">)</span>
      <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">timer</span><span class="p">(</span><span class="n">handler</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cron</span><span class="p">)</span><span class="o">.</span><span class="n">set</span><span class="p">(</span><span class="n">when</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sweep</span><span class="p">()</span>
      <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">use_internal_cron</span><span class="p">:</span>
        <span class="n">sched</span><span class="p">()</span>
      <span class="k">else</span><span class="p">:</span>
        <span class="n">cb</span><span class="p">()</span>

    <span class="k">try</span><span class="p">:</span>
      <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">self_elt</span><span class="o">.</span><span class="n">sql_fetch_all</span><span class="p">(</span><span class="bp">self</span><span class="p">),</span> <span class="n">loop</span><span class="p">,</span> <span class="n">done</span><span class="p">)</span>
    <span class="k">except</span> <span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">ExitNow</span><span class="p">,</span> <span class="ne">SystemExit</span><span class="p">):</span>
      <span class="k">raise</span>
    <span class="k">except</span> <span class="ne">Exception</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span>
      <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">use_internal_cron</span><span class="p">:</span>
        <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">traceback</span><span class="p">()</span>
        <span class="n">sched</span><span class="p">()</span>
      <span class="k">else</span><span class="p">:</span>
        <span class="k">raise</span>

  <span class="k">def</span> <span class="nf">cronjob_handler</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">query</span><span class="p">,</span> <span class="n">path</span><span class="p">,</span> <span class="n">cb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    External trigger for periodic tasks.  This is somewhat obsolete</span>
<span class="sd">    now that we have internal timers, but the test framework still</span>
<span class="sd">    uses it.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">use_internal_cron</span><span class="p">:</span>
      <span class="n">cb</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="s2">&quot;Running cron internally&quot;</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">cron</span><span class="p">(</span><span class="k">lambda</span><span class="p">:</span> <span class="n">cb</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="s2">&quot;OK&quot;</span><span class="p">))</span>

  <span class="c1">## @var https_ta_cache</span>
  <span class="c1"># HTTPS trust anchor cache, to avoid regenerating it for every TLS connection.</span>
  <span class="n">https_ta_cache</span> <span class="o">=</span> <span class="kc">None</span>

  <span class="k">def</span> <span class="nf">clear_https_ta_cache</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Clear dynamic TLS trust anchors.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">https_ta_cache</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Clearing HTTPS trusted cert cache&quot;</span><span class="p">)</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">https_ta_cache</span> <span class="o">=</span> <span class="kc">None</span>

  <span class="k">def</span> <span class="nf">build_https_ta_cache</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Build dynamic TLS trust anchors.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">https_ta_cache</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>

      <span class="n">selves</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">self_elt</span><span class="o">.</span><span class="n">sql_fetch_all</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>
      <span class="n">children</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">child_elt</span><span class="o">.</span><span class="n">sql_fetch_all</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>

      <span class="bp">self</span><span class="o">.</span><span class="n">https_ta_cache</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">https</span><span class="o">.</span><span class="n">build_https_ta_cache</span><span class="p">(</span>
        <span class="p">[</span><span class="n">c</span><span class="o">.</span><span class="n">bpki_cert</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">children</span> <span class="k">if</span> <span class="n">c</span><span class="o">.</span><span class="n">bpki_cert</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">]</span> <span class="o">+</span>
        <span class="p">[</span><span class="n">c</span><span class="o">.</span><span class="n">bpki_glue</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">children</span> <span class="k">if</span> <span class="n">c</span><span class="o">.</span><span class="n">bpki_glue</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">]</span> <span class="o">+</span>
        <span class="p">[</span><span class="n">s</span><span class="o">.</span><span class="n">bpki_cert</span> <span class="k">for</span> <span class="n">s</span> <span class="ow">in</span> <span class="n">selves</span> <span class="k">if</span> <span class="n">s</span><span class="o">.</span><span class="n">bpki_cert</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">]</span> <span class="o">+</span>
        <span class="p">[</span><span class="n">s</span><span class="o">.</span><span class="n">bpki_glue</span> <span class="k">for</span> <span class="n">s</span> <span class="ow">in</span> <span class="n">selves</span> <span class="k">if</span> <span class="n">s</span><span class="o">.</span><span class="n">bpki_glue</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">]</span> <span class="o">+</span>
        <span class="p">[</span><span class="bp">self</span><span class="o">.</span><span class="n">irbe_cert</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">irdb_cert</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">bpki_ta</span><span class="p">])</span>

    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">https_ta_cache</span>


<span class="k">class</span> <span class="nc">ca_obj</span><span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sql_persistent</span><span class="p">):</span>
<span class="w">  </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">  Internal CA object.</span>
<span class="sd">  &quot;&quot;&quot;</span>

  <span class="n">sql_template</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">template</span><span class="p">(</span>
    <span class="s2">&quot;ca&quot;</span><span class="p">,</span>
    <span class="s2">&quot;ca_id&quot;</span><span class="p">,</span>
    <span class="s2">&quot;last_crl_sn&quot;</span><span class="p">,</span>
    <span class="p">(</span><span class="s2">&quot;next_crl_update&quot;</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">datetime</span><span class="p">),</span>
    <span class="s2">&quot;last_issued_sn&quot;</span><span class="p">,</span> <span class="s2">&quot;last_manifest_sn&quot;</span><span class="p">,</span>
    <span class="p">(</span><span class="s2">&quot;next_manifest_update&quot;</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">datetime</span><span class="p">),</span>
    <span class="s2">&quot;sia_uri&quot;</span><span class="p">,</span> <span class="s2">&quot;parent_id&quot;</span><span class="p">,</span> <span class="s2">&quot;parent_resource_class&quot;</span><span class="p">)</span>

  <span class="n">last_crl_sn</span> <span class="o">=</span> <span class="mi">0</span>
  <span class="n">last_issued_sn</span> <span class="o">=</span> <span class="mi">0</span>
  <span class="n">last_manifest_sn</span> <span class="o">=</span> <span class="mi">0</span>

  <span class="k">def</span> <span class="nf">parent</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch parent object to which this CA object links.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">parent_elt</span><span class="o">.</span><span class="n">sql_fetch</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">parent_id</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">ca_details</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch all ca_detail objects that link to this CA object.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch_where</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="s2">&quot;ca_id = </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span><span class="p">,))</span>

  <span class="k">def</span> <span class="nf">fetch_pending</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch the pending ca_details for this CA, if any.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch_where</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="s2">&quot;ca_id = </span><span class="si">%s</span><span class="s2"> AND state = &#39;pending&#39;&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span><span class="p">,))</span>

  <span class="k">def</span> <span class="nf">fetch_active</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch the active ca_detail for this CA, if any.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch_where1</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="s2">&quot;ca_id = </span><span class="si">%s</span><span class="s2"> AND state = &#39;active&#39;&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span><span class="p">,))</span>

  <span class="k">def</span> <span class="nf">fetch_deprecated</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch deprecated ca_details for this CA, if any.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch_where</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="s2">&quot;ca_id = </span><span class="si">%s</span><span class="s2"> AND state = &#39;deprecated&#39;&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span><span class="p">,))</span>

  <span class="k">def</span> <span class="nf">fetch_revoked</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch revoked ca_details for this CA, if any.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch_where</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="s2">&quot;ca_id = </span><span class="si">%s</span><span class="s2"> AND state = &#39;revoked&#39;&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span><span class="p">,))</span>

  <span class="k">def</span> <span class="nf">construct_sia_uri</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">parent</span><span class="p">,</span> <span class="n">rc</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Construct the sia_uri value for this CA given configured</span>
<span class="sd">    information and the parent&#39;s up-down protocol list_response PDU.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">sia_uri</span> <span class="o">=</span> <span class="n">rc</span><span class="o">.</span><span class="n">suggested_sia_head</span> <span class="ow">and</span> <span class="n">rc</span><span class="o">.</span><span class="n">suggested_sia_head</span><span class="o">.</span><span class="n">rsync</span><span class="p">()</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="n">sia_uri</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">sia_uri</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="n">parent</span><span class="o">.</span><span class="n">sia_base</span><span class="p">):</span>
      <span class="n">sia_uri</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">sia_base</span>
    <span class="k">if</span> <span class="ow">not</span> <span class="n">sia_uri</span><span class="o">.</span><span class="n">endswith</span><span class="p">(</span><span class="s2">&quot;/&quot;</span><span class="p">):</span>
      <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">BadURISyntax</span><span class="p">,</span> <span class="s2">&quot;SIA URI must end with a slash: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">sia_uri</span>
    <span class="k">return</span> <span class="n">sia_uri</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span><span class="p">)</span> <span class="o">+</span> <span class="s2">&quot;/&quot;</span>

  <span class="k">def</span> <span class="nf">check_for_updates</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">parent</span><span class="p">,</span> <span class="n">rc</span><span class="p">,</span> <span class="n">cb</span><span class="p">,</span> <span class="n">eb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Parent has signaled continued existance of a resource class we</span>
<span class="sd">    already knew about, so we need to check for an updated</span>
<span class="sd">    certificate, changes in resource coverage, revocation and reissue</span>
<span class="sd">    with the same key, etc.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">sia_uri</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">construct_sia_uri</span><span class="p">(</span><span class="n">parent</span><span class="p">,</span> <span class="n">rc</span><span class="p">)</span>
    <span class="n">sia_uri_changed</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">sia_uri</span> <span class="o">!=</span> <span class="n">sia_uri</span>
    <span class="k">if</span> <span class="n">sia_uri_changed</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sia_uri</span> <span class="o">=</span> <span class="n">sia_uri</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>

    <span class="n">rc_resources</span> <span class="o">=</span> <span class="n">rc</span><span class="o">.</span><span class="n">to_resource_bag</span><span class="p">()</span>
    <span class="n">cert_map</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">((</span><span class="n">c</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">get_SKI</span><span class="p">(),</span> <span class="n">c</span><span class="p">)</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">rc</span><span class="o">.</span><span class="n">certs</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">loop</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">ca_detail</span><span class="p">):</span>

      <span class="n">ski</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">get_SKI</span><span class="p">()</span>

      <span class="k">if</span> <span class="n">ski</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">cert_map</span><span class="p">:</span>
        <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">warn</span><span class="p">(</span><span class="s2">&quot;Certificate in database missing from list_response, class </span><span class="si">%s</span><span class="s2">, SKI </span><span class="si">%s</span><span class="s2">, maybe parent certificate went away?&quot;</span>
                      <span class="o">%</span> <span class="p">(</span><span class="nb">repr</span><span class="p">(</span><span class="n">rc</span><span class="o">.</span><span class="n">class_name</span><span class="p">),</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">gSKI</span><span class="p">()))</span>
        <span class="n">ca_detail</span><span class="o">.</span><span class="n">delete</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">parent</span><span class="o">.</span><span class="n">repository</span><span class="p">(),</span> <span class="n">iterator</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>
        <span class="k">return</span>

      <span class="k">def</span> <span class="nf">cleanup</span><span class="p">():</span>
        <span class="k">del</span> <span class="n">cert_map</span><span class="p">[</span><span class="n">ski</span><span class="p">]</span>
        <span class="n">iterator</span><span class="p">()</span>

      <span class="k">if</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">state</span> <span class="ow">in</span> <span class="p">(</span><span class="s2">&quot;pending&quot;</span><span class="p">,</span> <span class="s2">&quot;active&quot;</span><span class="p">):</span>
        <span class="n">current_resources</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">get_3779resources</span><span class="p">()</span>
        <span class="k">if</span> <span class="p">(</span><span class="n">sia_uri_changed</span> <span class="ow">or</span>
            <span class="n">ca_detail</span><span class="o">.</span><span class="n">latest_ca_cert</span> <span class="o">!=</span> <span class="n">cert_map</span><span class="p">[</span><span class="n">ski</span><span class="p">]</span><span class="o">.</span><span class="n">cert</span> <span class="ow">or</span>
            <span class="n">current_resources</span><span class="o">.</span><span class="n">undersized</span><span class="p">(</span><span class="n">rc_resources</span><span class="p">)</span> <span class="ow">or</span>
            <span class="n">current_resources</span><span class="o">.</span><span class="n">oversized</span><span class="p">(</span><span class="n">rc_resources</span><span class="p">)):</span>
          <span class="n">ca_detail</span><span class="o">.</span><span class="n">update</span><span class="p">(</span>
            <span class="n">parent</span>           <span class="o">=</span> <span class="n">parent</span><span class="p">,</span>
            <span class="n">ca</span>               <span class="o">=</span> <span class="bp">self</span><span class="p">,</span>
            <span class="n">rc</span>               <span class="o">=</span> <span class="n">rc</span><span class="p">,</span>
            <span class="n">sia_uri_changed</span>  <span class="o">=</span> <span class="n">sia_uri_changed</span><span class="p">,</span>
            <span class="n">old_resources</span>    <span class="o">=</span> <span class="n">current_resources</span><span class="p">,</span>
            <span class="n">callback</span>         <span class="o">=</span> <span class="n">cleanup</span><span class="p">,</span>
            <span class="n">errback</span>          <span class="o">=</span> <span class="n">eb</span><span class="p">)</span>
          <span class="k">return</span>

      <span class="n">cleanup</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
      <span class="k">if</span> <span class="n">cert_map</span><span class="p">:</span>
        <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">warn</span><span class="p">(</span><span class="s2">&quot;Certificates in list_response missing from our database, class </span><span class="si">%s</span><span class="s2">, SKIs </span><span class="si">%s</span><span class="s2">&quot;</span>
                      <span class="o">%</span> <span class="p">(</span><span class="nb">repr</span><span class="p">(</span><span class="n">rc</span><span class="o">.</span><span class="n">class_name</span><span class="p">),</span> <span class="s2">&quot;, &quot;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">c</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">gSKI</span><span class="p">()</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">cert_map</span><span class="o">.</span><span class="n">values</span><span class="p">())))</span>
      <span class="n">cb</span><span class="p">()</span>

    <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch_where</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="s2">&quot;ca_id = </span><span class="si">%s</span><span class="s2"> AND latest_ca_cert IS NOT NULL AND state != &#39;revoked&#39;&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span><span class="p">,)),</span> <span class="n">loop</span><span class="p">,</span> <span class="n">done</span><span class="p">)</span>

  <span class="nd">@classmethod</span>
  <span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">parent</span><span class="p">,</span> <span class="n">rc</span><span class="p">,</span> <span class="n">cb</span><span class="p">,</span> <span class="n">eb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Parent has signaled existance of a new resource class, so we need</span>
<span class="sd">    to create and set up a corresponding CA object.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="bp">self</span> <span class="o">=</span> <span class="bp">cls</span><span class="p">()</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">gctx</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">parent_id</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">parent_id</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">parent_resource_class</span> <span class="o">=</span> <span class="n">rc</span><span class="o">.</span><span class="n">class_name</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">sql_store</span><span class="p">()</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">sia_uri</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">construct_sia_uri</span><span class="p">(</span><span class="n">parent</span><span class="p">,</span> <span class="n">rc</span><span class="p">)</span>
    <span class="n">ca_detail</span> <span class="o">=</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">(</span><span class="n">issue_response</span><span class="p">):</span>
      <span class="n">ca_detail</span><span class="o">.</span><span class="n">activate</span><span class="p">(</span>
        <span class="n">ca</span>       <span class="o">=</span> <span class="bp">self</span><span class="p">,</span>
        <span class="n">cert</span>     <span class="o">=</span> <span class="n">issue_response</span><span class="o">.</span><span class="n">payload</span><span class="o">.</span><span class="n">classes</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">certs</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">cert</span><span class="p">,</span>
        <span class="n">uri</span>      <span class="o">=</span> <span class="n">issue_response</span><span class="o">.</span><span class="n">payload</span><span class="o">.</span><span class="n">classes</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">certs</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">cert_url</span><span class="p">,</span>
        <span class="n">callback</span> <span class="o">=</span> <span class="n">cb</span><span class="p">,</span>
        <span class="n">errback</span>  <span class="o">=</span> <span class="n">eb</span><span class="p">)</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">up_down</span><span class="o">.</span><span class="n">issue_pdu</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="n">parent</span><span class="p">,</span> <span class="bp">self</span><span class="p">,</span> <span class="n">ca_detail</span><span class="p">,</span> <span class="n">done</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">delete</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">parent</span><span class="p">,</span> <span class="n">callback</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    The list of current resource classes received from parent does not</span>
<span class="sd">    include the class corresponding to this CA, so we need to delete</span>
<span class="sd">    it (and its little dog too...).</span>

<span class="sd">    All certs published by this CA are now invalid, so need to</span>
<span class="sd">    withdraw them, the CRL, and the manifest from the repository,</span>
<span class="sd">    delete all child_cert and ca_detail records associated with this</span>
<span class="sd">    CA, then finally delete this CA itself.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">def</span> <span class="nf">fail</span><span class="p">(</span><span class="n">e</span><span class="p">):</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">traceback</span><span class="p">()</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">warn</span><span class="p">(</span><span class="s2">&quot;Could not delete CA </span><span class="si">%r</span><span class="s2">, skipping: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span>
      <span class="n">callback</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql_delete</span><span class="p">()</span>      
      <span class="n">callback</span><span class="p">()</span>

    <span class="n">repository</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">repository</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">loop</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">ca_detail</span><span class="p">):</span>
      <span class="n">ca_detail</span><span class="o">.</span><span class="n">delete</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">repository</span><span class="p">,</span> <span class="n">iterator</span><span class="p">,</span> <span class="n">fail</span><span class="p">)</span>

    <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_details</span><span class="p">(),</span> <span class="n">loop</span><span class="p">,</span> <span class="n">done</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">next_serial_number</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Allocate a certificate serial number.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">last_issued_sn</span> <span class="o">+=</span> <span class="mi">1</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>
    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">last_issued_sn</span>

  <span class="k">def</span> <span class="nf">next_manifest_number</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Allocate a manifest serial number.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">last_manifest_sn</span> <span class="o">+=</span> <span class="mi">1</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>
    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">last_manifest_sn</span>

  <span class="k">def</span> <span class="nf">next_crl_number</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Allocate a CRL serial number.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">last_crl_sn</span> <span class="o">+=</span> <span class="mi">1</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>
    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">last_crl_sn</span>

  <span class="k">def</span> <span class="nf">rekey</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">cb</span><span class="p">,</span> <span class="n">eb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Initiate a rekey operation for this ca.  Generate a new keypair.</span>
<span class="sd">    Request cert from parent using new keypair.  Mark result as our</span>
<span class="sd">    active ca_detail.  Reissue all child certs issued by this ca using</span>
<span class="sd">    the new ca_detail.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">trace</span><span class="p">()</span>

    <span class="n">parent</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span>
    <span class="n">old_detail</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">fetch_active</span><span class="p">()</span>
    <span class="n">new_detail</span> <span class="o">=</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">(</span><span class="n">issue_response</span><span class="p">):</span>
      <span class="n">new_detail</span><span class="o">.</span><span class="n">activate</span><span class="p">(</span>
        <span class="n">ca</span>          <span class="o">=</span> <span class="bp">self</span><span class="p">,</span>
        <span class="n">cert</span>        <span class="o">=</span> <span class="n">issue_response</span><span class="o">.</span><span class="n">payload</span><span class="o">.</span><span class="n">classes</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">certs</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">cert</span><span class="p">,</span>
        <span class="n">uri</span>         <span class="o">=</span> <span class="n">issue_response</span><span class="o">.</span><span class="n">payload</span><span class="o">.</span><span class="n">classes</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">certs</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">cert_url</span><span class="p">,</span>
        <span class="n">predecessor</span> <span class="o">=</span> <span class="n">old_detail</span><span class="p">,</span>
        <span class="n">callback</span>    <span class="o">=</span> <span class="n">cb</span><span class="p">,</span>
        <span class="n">errback</span>     <span class="o">=</span> <span class="n">eb</span><span class="p">)</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">up_down</span><span class="o">.</span><span class="n">issue_pdu</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="n">parent</span><span class="p">,</span> <span class="bp">self</span><span class="p">,</span> <span class="n">new_detail</span><span class="p">,</span> <span class="n">done</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">revoke</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">cb</span><span class="p">,</span> <span class="n">eb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Revoke deprecated ca_detail objects associated with this ca.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">trace</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">loop</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">ca_detail</span><span class="p">):</span>
      <span class="n">ca_detail</span><span class="o">.</span><span class="n">revoke</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

    <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">fetch_deprecated</span><span class="p">(),</span> <span class="n">loop</span><span class="p">,</span> <span class="n">cb</span><span class="p">)</span>

<span class="k">class</span> <span class="nc">ca_detail_obj</span><span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sql_persistent</span><span class="p">):</span>
<span class="w">  </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">  Internal CA detail object.</span>
<span class="sd">  &quot;&quot;&quot;</span>

  <span class="n">sql_template</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">template</span><span class="p">(</span>
    <span class="s2">&quot;ca_detail&quot;</span><span class="p">,</span>
    <span class="s2">&quot;ca_detail_id&quot;</span><span class="p">,</span>
    <span class="p">(</span><span class="s2">&quot;private_key_id&quot;</span><span class="p">,</span>          <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">RSA</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;public_key&quot;</span><span class="p">,</span>              <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">RSApublic</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;latest_ca_cert&quot;</span><span class="p">,</span>          <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">X509</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;manifest_private_key_id&quot;</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">RSA</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;manifest_public_key&quot;</span><span class="p">,</span>     <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">RSApublic</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;latest_manifest_cert&quot;</span><span class="p">,</span>    <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">X509</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;latest_manifest&quot;</span><span class="p">,</span>         <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">SignedManifest</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;latest_crl&quot;</span><span class="p">,</span>              <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">CRL</span><span class="p">),</span>
    <span class="s2">&quot;state&quot;</span><span class="p">,</span>
    <span class="s2">&quot;ca_cert_uri&quot;</span><span class="p">,</span>
    <span class="s2">&quot;ca_id&quot;</span><span class="p">)</span>
  
  <span class="k">def</span> <span class="nf">sql_decode</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">vals</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Extra assertions for SQL decode of a ca_detail_obj.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sql_persistent</span><span class="o">.</span><span class="n">sql_decode</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">vals</span><span class="p">)</span>
    <span class="k">assert</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">public_key</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">and</span> <span class="bp">self</span><span class="o">.</span><span class="n">private_key_id</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">)</span> <span class="ow">or</span> \
           <span class="bp">self</span><span class="o">.</span><span class="n">public_key</span><span class="o">.</span><span class="n">get_DER</span><span class="p">()</span> <span class="o">==</span> <span class="bp">self</span><span class="o">.</span><span class="n">private_key_id</span><span class="o">.</span><span class="n">get_public_DER</span><span class="p">()</span>
    <span class="k">assert</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">manifest_public_key</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">and</span> <span class="bp">self</span><span class="o">.</span><span class="n">manifest_private_key_id</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">)</span> <span class="ow">or</span> \
           <span class="bp">self</span><span class="o">.</span><span class="n">manifest_public_key</span><span class="o">.</span><span class="n">get_DER</span><span class="p">()</span> <span class="o">==</span> <span class="bp">self</span><span class="o">.</span><span class="n">manifest_private_key_id</span><span class="o">.</span><span class="n">get_public_DER</span><span class="p">()</span>

  <span class="k">def</span> <span class="nf">ca</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch CA object to which this ca_detail links.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca_obj</span><span class="o">.</span><span class="n">sql_fetch</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">child_certs</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">child</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">ski</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">unique</span> <span class="o">=</span> <span class="kc">False</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch all child_cert objects that link to this ca_detail.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">rpki</span><span class="o">.</span><span class="n">rpki_engine</span><span class="o">.</span><span class="n">child_cert_obj</span><span class="o">.</span><span class="n">fetch</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="n">child</span><span class="p">,</span> <span class="bp">self</span><span class="p">,</span> <span class="n">ski</span><span class="p">,</span> <span class="n">unique</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">revoked_certs</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch all revoked_cert objects that link to this ca_detail.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">revoked_cert_obj</span><span class="o">.</span><span class="n">sql_fetch_where</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="s2">&quot;ca_detail_id = </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">,))</span>

  <span class="k">def</span> <span class="nf">roas</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch all ROA objects that link to this ca_detail.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">rpki</span><span class="o">.</span><span class="n">rpki_engine</span><span class="o">.</span><span class="n">roa_obj</span><span class="o">.</span><span class="n">sql_fetch_where</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="s2">&quot;ca_detail_id = </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">,))</span>

  <span class="k">def</span> <span class="nf">crl_uri</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Return publication URI for this ca_detail&#39;s CRL.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca</span><span class="o">.</span><span class="n">sia_uri</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">crl_uri_tail</span><span class="p">()</span>

  <span class="k">def</span> <span class="nf">crl_uri_tail</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Return tail (filename portion) of publication URI for this ca_detail&#39;s CRL.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">public_key</span><span class="o">.</span><span class="n">gSKI</span><span class="p">()</span> <span class="o">+</span> <span class="s2">&quot;.crl&quot;</span>

  <span class="k">def</span> <span class="nf">manifest_uri</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Return publication URI for this ca_detail&#39;s manifest.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca</span><span class="o">.</span><span class="n">sia_uri</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">public_key</span><span class="o">.</span><span class="n">gSKI</span><span class="p">()</span> <span class="o">+</span> <span class="s2">&quot;.mnf&quot;</span>

  <span class="k">def</span> <span class="nf">activate</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca</span><span class="p">,</span> <span class="n">cert</span><span class="p">,</span> <span class="n">uri</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">predecessor</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Activate this ca_detail.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">latest_ca_cert</span> <span class="o">=</span> <span class="n">cert</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">ca_cert_uri</span> <span class="o">=</span> <span class="n">uri</span><span class="o">.</span><span class="n">rsync</span><span class="p">()</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">generate_manifest_cert</span><span class="p">(</span><span class="n">ca</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">did_crl</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">generate_manifest</span><span class="p">(</span><span class="n">callback</span> <span class="o">=</span> <span class="n">did_manifest</span><span class="p">,</span> <span class="n">errback</span> <span class="o">=</span> <span class="n">errback</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">did_manifest</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">state</span> <span class="o">=</span> <span class="s2">&quot;active&quot;</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>
      <span class="k">if</span> <span class="n">predecessor</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
        <span class="n">callback</span><span class="p">()</span>
      <span class="k">else</span><span class="p">:</span>
        <span class="n">predecessor</span><span class="o">.</span><span class="n">state</span> <span class="o">=</span> <span class="s2">&quot;deprecated&quot;</span>
        <span class="n">predecessor</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>
        <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="n">predecessor</span><span class="o">.</span><span class="n">child_certs</span><span class="p">(),</span> <span class="n">do_one_child_cert</span><span class="p">,</span> <span class="n">done_child_certs</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">do_one_child_cert</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">child_cert</span><span class="p">):</span>
      <span class="n">child_cert</span><span class="o">.</span><span class="n">reissue</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">iterator</span><span class="o">.</span><span class="n">ignore</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">done_child_certs</span><span class="p">():</span>
      <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="n">predecessor</span><span class="o">.</span><span class="n">roas</span><span class="p">(),</span> <span class="n">do_one_roa</span><span class="p">,</span> <span class="n">callback</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">do_one_roa</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">roa</span><span class="p">):</span>
      <span class="n">roa</span><span class="o">.</span><span class="n">regenerate_roa</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">generate_crl</span><span class="p">(</span><span class="n">callback</span> <span class="o">=</span> <span class="n">did_crl</span><span class="p">,</span> <span class="n">errback</span> <span class="o">=</span> <span class="n">errback</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">delete</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca</span><span class="p">,</span> <span class="n">repository</span><span class="p">,</span> <span class="n">cb</span><span class="p">,</span> <span class="n">eb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Delete this ca_detail and all of the certs it issued.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">def</span> <span class="nf">withdraw_one_child</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">child_cert</span><span class="p">):</span>
      <span class="n">repository</span><span class="o">.</span><span class="n">withdraw</span><span class="p">(</span><span class="n">child_cert</span><span class="o">.</span><span class="n">cert</span><span class="p">,</span> <span class="n">child_cert</span><span class="o">.</span><span class="n">uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span> <span class="n">iterator</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">child_certs_done</span><span class="p">():</span>
      <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">roas</span><span class="p">(),</span> <span class="n">withdraw_one_roa</span><span class="p">,</span> <span class="n">withdraw_manifest</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">withdraw_one_roa</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">roa</span><span class="p">):</span>
      <span class="n">roa</span><span class="o">.</span><span class="n">withdraw_roa</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">withdraw_manifest</span><span class="p">():</span>
      <span class="n">repository</span><span class="o">.</span><span class="n">withdraw</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">manifest_uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span> <span class="n">withdraw_crl</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">withdraw_crl</span><span class="p">():</span>
      <span class="n">repository</span><span class="o">.</span><span class="n">withdraw</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">latest_crl</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">crl_uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span> <span class="n">done</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
      <span class="k">for</span> <span class="n">cert</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">child_certs</span><span class="p">()</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">revoked_certs</span><span class="p">():</span>
        <span class="n">cert</span><span class="o">.</span><span class="n">sql_delete</span><span class="p">()</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql_delete</span><span class="p">()</span>
      <span class="n">cb</span><span class="p">()</span>

    <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">child_certs</span><span class="p">(),</span> <span class="n">withdraw_one_child</span><span class="p">,</span> <span class="n">child_certs_done</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">revoke</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">cb</span><span class="p">,</span> <span class="n">eb</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Request revocation of all certificates whose SKI matches the key</span>
<span class="sd">    for this ca_detail.</span>

<span class="sd">    Tasks:</span>

<span class="sd">    - Request revocation of old keypair by parent.</span>

<span class="sd">    - Revoke all child certs issued by the old keypair.</span>

<span class="sd">    - Generate a final CRL, signed with the old keypair, listing all</span>
<span class="sd">      the revoked certs, with a next CRL time after the last cert or</span>
<span class="sd">      CRL signed by the old keypair will have expired.</span>

<span class="sd">    - Generate a corresponding final manifest.</span>

<span class="sd">    - Destroy old keypairs.</span>

<span class="sd">    - Leave final CRL and manifest in place until their nextupdate</span>
<span class="sd">      time has passed.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">def</span> <span class="nf">parent_revoked</span><span class="p">(</span><span class="n">r_msg</span><span class="p">):</span>

      <span class="k">if</span> <span class="n">r_msg</span><span class="o">.</span><span class="n">payload</span><span class="o">.</span><span class="n">ski</span> <span class="o">!=</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">gSKI</span><span class="p">():</span>
        <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">SKIMismatch</span>

      <span class="n">ca</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span>
      <span class="n">parent</span> <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span>
      <span class="n">crl_interval</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">seconds</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">self</span><span class="p">()</span><span class="o">.</span><span class="n">crl_interval</span><span class="p">)</span>

      <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>

      <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span><span class="o">.</span><span class="n">later</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest</span><span class="o">.</span><span class="n">getNextUpdate</span><span class="p">())</span>

      <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_crl</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span><span class="o">.</span><span class="n">later</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">latest_crl</span><span class="o">.</span><span class="n">getNextUpdate</span><span class="p">())</span>

      <span class="k">def</span> <span class="nf">revoke_one_child</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">child_cert</span><span class="p">):</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span><span class="o">.</span><span class="n">later</span><span class="p">(</span><span class="n">child_cert</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">getNotAfter</span><span class="p">())</span>
        <span class="n">child_cert</span><span class="o">.</span><span class="n">revoke</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

      <span class="k">def</span> <span class="nf">final_crl</span><span class="p">():</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span> <span class="o">+=</span> <span class="n">crl_interval</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">generate_crl</span><span class="p">(</span><span class="n">callback</span> <span class="o">=</span> <span class="n">final_manifest</span><span class="p">,</span> <span class="n">errback</span> <span class="o">=</span> <span class="n">eb</span><span class="p">,</span> <span class="n">nextUpdate</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span><span class="p">)</span>

      <span class="k">def</span> <span class="nf">final_manifest</span><span class="p">():</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">generate_manifest</span><span class="p">(</span><span class="n">callback</span> <span class="o">=</span> <span class="n">done</span><span class="p">,</span> <span class="n">errback</span> <span class="o">=</span> <span class="n">eb</span><span class="p">,</span> <span class="n">nextUpdate</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">nextUpdate</span><span class="p">)</span>

      <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">private_key_id</span> <span class="o">=</span> <span class="kc">None</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">manifest_private_key_id</span> <span class="o">=</span> <span class="kc">None</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">manifest_public_key</span> <span class="o">=</span> <span class="kc">None</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest_cert</span> <span class="o">=</span> <span class="kc">None</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">state</span> <span class="o">=</span> <span class="s2">&quot;revoked&quot;</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>
        <span class="n">cb</span><span class="p">()</span>

      <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">child_certs</span><span class="p">(),</span> <span class="n">revoke_one_child</span><span class="p">,</span> <span class="n">final_crl</span><span class="p">)</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">up_down</span><span class="o">.</span><span class="n">revoke_pdu</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">parent_revoked</span><span class="p">,</span> <span class="n">eb</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">update</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">parent</span><span class="p">,</span> <span class="n">ca</span><span class="p">,</span> <span class="n">rc</span><span class="p">,</span> <span class="n">sia_uri_changed</span><span class="p">,</span> <span class="n">old_resources</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Need to get a new certificate for this ca_detail and perhaps frob</span>
<span class="sd">    children of this ca_detail.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">def</span> <span class="nf">issued</span><span class="p">(</span><span class="n">issue_response</span><span class="p">):</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">latest_ca_cert</span> <span class="o">=</span> <span class="n">issue_response</span><span class="o">.</span><span class="n">payload</span><span class="o">.</span><span class="n">classes</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">certs</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">cert</span>
      <span class="n">new_resources</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">get_3779resources</span><span class="p">()</span>

      <span class="k">def</span> <span class="nf">loop</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">child_cert</span><span class="p">):</span>
        <span class="n">child_resources</span> <span class="o">=</span> <span class="n">child_cert</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">get_3779resources</span><span class="p">()</span>
        <span class="k">if</span> <span class="n">sia_uri_changed</span> <span class="ow">or</span> <span class="n">child_resources</span><span class="o">.</span><span class="n">oversized</span><span class="p">(</span><span class="n">new_resources</span><span class="p">):</span>
          <span class="n">child_cert</span><span class="o">.</span><span class="n">reissue</span><span class="p">(</span>
            <span class="n">ca_detail</span> <span class="o">=</span> <span class="bp">self</span><span class="p">,</span>
            <span class="n">resources</span> <span class="o">=</span> <span class="n">child_resources</span><span class="o">.</span><span class="n">intersection</span><span class="p">(</span><span class="n">new_resources</span><span class="p">),</span>
            <span class="n">callback</span>  <span class="o">=</span> <span class="n">iterator</span><span class="o">.</span><span class="n">ignore</span><span class="p">,</span>
            <span class="n">errback</span>   <span class="o">=</span> <span class="n">errback</span><span class="p">)</span>
        <span class="k">else</span><span class="p">:</span>
          <span class="n">iterator</span><span class="p">()</span>

      <span class="k">if</span> <span class="n">sia_uri_changed</span> <span class="ow">or</span> <span class="n">old_resources</span><span class="o">.</span><span class="n">oversized</span><span class="p">(</span><span class="n">new_resources</span><span class="p">):</span>
        <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">child_certs</span><span class="p">(),</span> <span class="n">loop</span><span class="p">,</span> <span class="n">callback</span><span class="p">)</span>
      <span class="k">else</span><span class="p">:</span>
        <span class="n">callback</span><span class="p">()</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">up_down</span><span class="o">.</span><span class="n">issue_pdu</span><span class="o">.</span><span class="n">query</span><span class="p">(</span><span class="n">parent</span><span class="p">,</span> <span class="n">ca</span><span class="p">,</span> <span class="bp">self</span><span class="p">,</span> <span class="n">issued</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

  <span class="nd">@classmethod</span>
  <span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">ca</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Create a new ca_detail object for a specified CA.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="bp">self</span> <span class="o">=</span> <span class="bp">cls</span><span class="p">()</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span> <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">gctx</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">ca_id</span> <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">ca_id</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">state</span> <span class="o">=</span> <span class="s2">&quot;pending&quot;</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">private_key_id</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">RSA</span><span class="o">.</span><span class="n">generate</span><span class="p">()</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">public_key</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">private_key_id</span><span class="o">.</span><span class="n">get_RSApublic</span><span class="p">()</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">manifest_private_key_id</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">RSA</span><span class="o">.</span><span class="n">generate</span><span class="p">()</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">manifest_public_key</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">manifest_private_key_id</span><span class="o">.</span><span class="n">get_RSApublic</span><span class="p">()</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">sql_store</span><span class="p">()</span>
    <span class="k">return</span> <span class="bp">self</span>

  <span class="k">def</span> <span class="nf">issue_ee</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca</span><span class="p">,</span> <span class="n">resources</span><span class="p">,</span> <span class="n">subject_key</span><span class="p">,</span> <span class="n">sia</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Issue a new EE certificate.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">issue</span><span class="p">(</span>
      <span class="n">keypair</span>     <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">private_key_id</span><span class="p">,</span>
      <span class="n">subject_key</span> <span class="o">=</span> <span class="n">subject_key</span><span class="p">,</span>
      <span class="n">serial</span>      <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">next_serial_number</span><span class="p">(),</span>
      <span class="n">sia</span>         <span class="o">=</span> <span class="n">sia</span><span class="p">,</span>
      <span class="n">aia</span>         <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_cert_uri</span><span class="p">,</span>
      <span class="n">crldp</span>       <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">crl_uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span>
      <span class="n">resources</span>   <span class="o">=</span> <span class="n">resources</span><span class="p">,</span>
      <span class="n">notAfter</span>    <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">getNotAfter</span><span class="p">(),</span>
      <span class="n">is_ca</span>       <span class="o">=</span> <span class="kc">False</span><span class="p">)</span>


  <span class="k">def</span> <span class="nf">generate_manifest_cert</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Generate a new manifest certificate for this ca_detail.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">resources</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_bag</span><span class="p">(</span>
      <span class="n">asn</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_set_as</span><span class="p">(</span><span class="s2">&quot;&lt;inherit&gt;&quot;</span><span class="p">),</span>
      <span class="n">v4</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_set_ipv4</span><span class="p">(</span><span class="s2">&quot;&lt;inherit&gt;&quot;</span><span class="p">),</span>
      <span class="n">v6</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_set_ipv6</span><span class="p">(</span><span class="s2">&quot;&lt;inherit&gt;&quot;</span><span class="p">))</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest_cert</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">issue_ee</span><span class="p">(</span><span class="n">ca</span><span class="p">,</span> <span class="n">resources</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">manifest_public_key</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">issue</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca</span><span class="p">,</span> <span class="n">child</span><span class="p">,</span> <span class="n">subject_key</span><span class="p">,</span> <span class="n">sia</span><span class="p">,</span> <span class="n">resources</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">child_cert</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Issue a new certificate to a child.  Optional child_cert argument</span>
<span class="sd">    specifies an existing child_cert object to update in place; if not</span>
<span class="sd">    specified, we create a new one.  Returns the child_cert object</span>
<span class="sd">    containing the newly issued cert.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">assert</span> <span class="n">child_cert</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">or</span> <span class="p">(</span><span class="n">child_cert</span><span class="o">.</span><span class="n">child_id</span> <span class="o">==</span> <span class="n">child</span><span class="o">.</span><span class="n">child_id</span> <span class="ow">and</span>
                                  <span class="n">child_cert</span><span class="o">.</span><span class="n">ca_detail_id</span> <span class="o">==</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">)</span>

    <span class="n">cert</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">issue</span><span class="p">(</span>
      <span class="n">keypair</span>     <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">private_key_id</span><span class="p">,</span>
      <span class="n">subject_key</span> <span class="o">=</span> <span class="n">subject_key</span><span class="p">,</span>
      <span class="n">serial</span>      <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">next_serial_number</span><span class="p">(),</span>
      <span class="n">aia</span>         <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_cert_uri</span><span class="p">,</span>
      <span class="n">crldp</span>       <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">crl_uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span>
      <span class="n">sia</span>         <span class="o">=</span> <span class="n">sia</span><span class="p">,</span>
      <span class="n">resources</span>   <span class="o">=</span> <span class="n">resources</span><span class="p">,</span>
      <span class="n">notAfter</span>    <span class="o">=</span> <span class="n">resources</span><span class="o">.</span><span class="n">valid_until</span><span class="p">)</span>

    <span class="k">if</span> <span class="n">child_cert</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="n">child_cert</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">rpki_engine</span><span class="o">.</span><span class="n">child_cert_obj</span><span class="p">(</span>
        <span class="n">gctx</span>         <span class="o">=</span> <span class="n">child</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span>
        <span class="n">child_id</span>     <span class="o">=</span> <span class="n">child</span><span class="o">.</span><span class="n">child_id</span><span class="p">,</span>
        <span class="n">ca_detail_id</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">,</span>
        <span class="n">cert</span>         <span class="o">=</span> <span class="n">cert</span><span class="p">)</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Created new child_cert </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="nb">repr</span><span class="p">(</span><span class="n">child_cert</span><span class="p">))</span>
    <span class="k">else</span><span class="p">:</span>
      <span class="n">child_cert</span><span class="o">.</span><span class="n">cert</span> <span class="o">=</span> <span class="n">cert</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Reusing existing child_cert </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="nb">repr</span><span class="p">(</span><span class="n">child_cert</span><span class="p">))</span>

    <span class="n">child_cert</span><span class="o">.</span><span class="n">ski</span> <span class="o">=</span> <span class="n">cert</span><span class="o">.</span><span class="n">get_SKI</span><span class="p">()</span>

    <span class="n">child_cert</span><span class="o">.</span><span class="n">sql_store</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">published</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">generate_manifest</span><span class="p">(</span><span class="n">done</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
      <span class="n">callback</span><span class="p">(</span><span class="n">child_cert</span><span class="p">)</span>
      
    <span class="n">ca</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span><span class="o">.</span><span class="n">repository</span><span class="p">()</span><span class="o">.</span><span class="n">publish</span><span class="p">(</span><span class="n">child_cert</span><span class="o">.</span><span class="n">cert</span><span class="p">,</span> <span class="n">child_cert</span><span class="o">.</span><span class="n">uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span> <span class="n">published</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">generate_crl</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">nextUpdate</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Generate a new CRL for this ca_detail.  At the moment this is</span>
<span class="sd">    unconditional, that is, it is up to the caller to decide whether a</span>
<span class="sd">    new CRL is needed.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">ca</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span>
    <span class="n">parent</span> <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span>
    <span class="n">repository</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">repository</span><span class="p">()</span>
    <span class="n">crl_interval</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">seconds</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">self</span><span class="p">()</span><span class="o">.</span><span class="n">crl_interval</span><span class="p">)</span>
    <span class="n">now</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">nextUpdate</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="n">nextUpdate</span> <span class="o">=</span> <span class="n">now</span> <span class="o">+</span> <span class="n">crl_interval</span>

    <span class="n">certlist</span> <span class="o">=</span> <span class="p">[]</span>
    <span class="k">for</span> <span class="n">revoked_cert</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">revoked_certs</span><span class="p">():</span>
      <span class="k">if</span> <span class="n">now</span> <span class="o">&gt;</span> <span class="n">revoked_cert</span><span class="o">.</span><span class="n">expires</span> <span class="o">+</span> <span class="n">crl_interval</span><span class="p">:</span>
        <span class="n">revoked_cert</span><span class="o">.</span><span class="n">sql_delete</span><span class="p">()</span>
      <span class="k">else</span><span class="p">:</span>
        <span class="n">certlist</span><span class="o">.</span><span class="n">append</span><span class="p">((</span><span class="n">revoked_cert</span><span class="o">.</span><span class="n">serial</span><span class="p">,</span> <span class="n">revoked_cert</span><span class="o">.</span><span class="n">revoked</span><span class="o">.</span><span class="n">toASN1tuple</span><span class="p">(),</span> <span class="p">()))</span>
    <span class="n">certlist</span><span class="o">.</span><span class="n">sort</span><span class="p">()</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">latest_crl</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">CRL</span><span class="o">.</span><span class="n">generate</span><span class="p">(</span>
      <span class="n">keypair</span>             <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">private_key_id</span><span class="p">,</span>
      <span class="n">issuer</span>              <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="p">,</span>
      <span class="n">serial</span>              <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">next_crl_number</span><span class="p">(),</span>
      <span class="n">thisUpdate</span>          <span class="o">=</span> <span class="n">now</span><span class="p">,</span>
      <span class="n">nextUpdate</span>          <span class="o">=</span> <span class="n">nextUpdate</span><span class="p">,</span>
      <span class="n">revokedCertificates</span> <span class="o">=</span> <span class="n">certlist</span><span class="p">)</span>

    <span class="n">repository</span><span class="o">.</span><span class="n">publish</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">latest_crl</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">crl_uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span> <span class="n">callback</span> <span class="o">=</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span> <span class="o">=</span> <span class="n">errback</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">generate_manifest</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">nextUpdate</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Generate a new manifest for this ca_detail.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">ca</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span>
    <span class="n">parent</span> <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span>
    <span class="n">repository</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">repository</span><span class="p">()</span>
    <span class="n">crl_interval</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">seconds</span> <span class="o">=</span> <span class="n">parent</span><span class="o">.</span><span class="n">self</span><span class="p">()</span><span class="o">.</span><span class="n">crl_interval</span><span class="p">)</span>
    <span class="n">now</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">now</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">nextUpdate</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="n">nextUpdate</span> <span class="o">=</span> <span class="n">now</span> <span class="o">+</span> <span class="n">crl_interval</span>

    <span class="n">roas</span> <span class="o">=</span> <span class="p">[</span><span class="n">r</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">roas</span><span class="p">()</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">cert</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span> <span class="ow">and</span> <span class="n">r</span><span class="o">.</span><span class="n">roa</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">]</span>

    <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest_cert</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">or</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest_cert</span><span class="o">.</span><span class="n">getNotAfter</span><span class="p">()</span> <span class="o">&lt;</span> <span class="n">nextUpdate</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">generate_manifest_cert</span><span class="p">(</span><span class="n">ca</span><span class="p">)</span>

    <span class="n">certs</span> <span class="o">=</span> <span class="p">[(</span><span class="n">c</span><span class="o">.</span><span class="n">uri_tail</span><span class="p">(),</span> <span class="n">c</span><span class="o">.</span><span class="n">cert</span><span class="p">)</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">child_certs</span><span class="p">()]</span> <span class="o">+</span> \
            <span class="p">[(</span><span class="n">r</span><span class="o">.</span><span class="n">roa_uri_tail</span><span class="p">(),</span> <span class="n">r</span><span class="o">.</span><span class="n">roa</span><span class="p">)</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">roas</span><span class="p">]</span> <span class="o">+</span> \
            <span class="p">[(</span><span class="bp">self</span><span class="o">.</span><span class="n">crl_uri_tail</span><span class="p">(),</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_crl</span><span class="p">)]</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">SignedManifest</span><span class="o">.</span><span class="n">build</span><span class="p">(</span>
      <span class="n">serial</span>         <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">next_manifest_number</span><span class="p">(),</span>
      <span class="n">thisUpdate</span>     <span class="o">=</span> <span class="n">now</span><span class="p">,</span>
      <span class="n">nextUpdate</span>     <span class="o">=</span> <span class="n">nextUpdate</span><span class="p">,</span>
      <span class="n">names_and_objs</span> <span class="o">=</span> <span class="n">certs</span><span class="p">,</span>
      <span class="n">keypair</span>        <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">manifest_private_key_id</span><span class="p">,</span>
      <span class="n">certs</span>          <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest_cert</span><span class="p">)</span>

    <span class="n">repository</span><span class="o">.</span><span class="n">publish</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">latest_manifest</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">manifest_uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span> <span class="n">callback</span> <span class="o">=</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span> <span class="o">=</span> <span class="n">errback</span><span class="p">)</span>

<span class="k">class</span> <span class="nc">child_cert_obj</span><span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sql_persistent</span><span class="p">):</span>
<span class="w">  </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">  Certificate that has been issued to a child.</span>
<span class="sd">  &quot;&quot;&quot;</span>

  <span class="n">sql_template</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">template</span><span class="p">(</span>
    <span class="s2">&quot;child_cert&quot;</span><span class="p">,</span>
    <span class="s2">&quot;child_cert_id&quot;</span><span class="p">,</span>
    <span class="p">(</span><span class="s2">&quot;cert&quot;</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">X509</span><span class="p">),</span>
    <span class="s2">&quot;child_id&quot;</span><span class="p">,</span>
    <span class="s2">&quot;ca_detail_id&quot;</span><span class="p">,</span>
    <span class="s2">&quot;ski&quot;</span><span class="p">)</span>

  <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">gctx</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">child_id</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">ca_detail_id</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">cert</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Initialize a child_cert_obj.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sql_persistent</span><span class="o">.</span><span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span> <span class="o">=</span> <span class="n">gctx</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">child_id</span> <span class="o">=</span> <span class="n">child_id</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span> <span class="o">=</span> <span class="n">ca_detail_id</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">cert</span> <span class="o">=</span> <span class="n">cert</span>
    <span class="k">if</span> <span class="n">child_id</span> <span class="ow">or</span> <span class="n">ca_detail_id</span> <span class="ow">or</span> <span class="n">cert</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>

  <span class="k">def</span> <span class="nf">child</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch child object to which this child_cert object links.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">child_elt</span><span class="o">.</span><span class="n">sql_fetch</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">child_id</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">ca_detail</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch ca_detail object to which this child_cert object links.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">uri_tail</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Return the tail (filename) portion of the URI for this child_cert.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">gSKI</span><span class="p">()</span> <span class="o">+</span> <span class="s2">&quot;.cer&quot;</span>

  <span class="k">def</span> <span class="nf">uri</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Return the publication URI for this child_cert.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca</span><span class="o">.</span><span class="n">sia_uri</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">uri_tail</span><span class="p">()</span>

  <span class="k">def</span> <span class="nf">revoke</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">withdraw</span> <span class="o">=</span> <span class="kc">True</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Revoke a child cert.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Revoking </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="nb">repr</span><span class="p">(</span><span class="bp">self</span><span class="p">))</span>
    <span class="n">ca_detail</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail</span><span class="p">()</span>
    <span class="n">ca</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span>
    <span class="n">revoked_cert_obj</span><span class="o">.</span><span class="n">revoke</span><span class="p">(</span><span class="n">cert</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="p">,</span> <span class="n">ca_detail</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sweep</span><span class="p">()</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql_delete</span><span class="p">()</span>
      <span class="n">callback</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">withdraw</span><span class="p">:</span>
      <span class="n">ca</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span><span class="o">.</span><span class="n">repository</span><span class="p">()</span><span class="o">.</span><span class="n">withdraw</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">uri</span><span class="p">(</span><span class="n">ca</span><span class="p">),</span> <span class="n">done</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="s2">&quot;Suppressing withdrawal of </span><span class="si">%r</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="p">)</span>
      <span class="n">done</span><span class="p">()</span>

  <span class="k">def</span> <span class="nf">reissue</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">ca_detail</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">resources</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">sia</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Reissue an existing cert, reusing the public key.  If the cert we</span>
<span class="sd">    would generate is identical to the one we already have, we just</span>
<span class="sd">    return the one we already have.  If we have to revoke the old</span>
<span class="sd">    certificate when generating the new one, we have to generate a new</span>
<span class="sd">    child_cert_obj, so calling code that needs the updated</span>
<span class="sd">    child_cert_obj must use the return value from this method.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">ca</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span>
    <span class="n">child</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">child</span><span class="p">()</span>

    <span class="n">old_resources</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">get_3779resources</span><span class="p">()</span>
    <span class="n">old_sia</span>       <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">get_SIA</span><span class="p">()</span>
    <span class="n">old_ca_detail</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">resources</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="n">resources</span> <span class="o">=</span> <span class="n">old_resources</span>

    <span class="k">if</span> <span class="n">sia</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="n">sia</span> <span class="o">=</span> <span class="n">old_sia</span>

    <span class="k">assert</span> <span class="n">resources</span><span class="o">.</span><span class="n">valid_until</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span> <span class="ow">and</span> <span class="n">old_resources</span><span class="o">.</span><span class="n">valid_until</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span>

    <span class="k">if</span> <span class="n">resources</span> <span class="o">==</span> <span class="n">old_resources</span> <span class="ow">and</span> <span class="n">sia</span> <span class="o">==</span> <span class="n">old_sia</span> <span class="ow">and</span> <span class="n">ca_detail</span> <span class="o">==</span> <span class="n">old_ca_detail</span><span class="p">:</span>
      <span class="k">return</span> <span class="n">callback</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>

    <span class="n">must_revoke</span> <span class="o">=</span> <span class="n">old_resources</span><span class="o">.</span><span class="n">oversized</span><span class="p">(</span><span class="n">resources</span><span class="p">)</span> <span class="ow">or</span> <span class="n">old_resources</span><span class="o">.</span><span class="n">valid_until</span> <span class="o">&gt;</span> <span class="n">resources</span><span class="o">.</span><span class="n">valid_until</span>
    <span class="n">new_issuer</span>  <span class="o">=</span> <span class="n">ca_detail</span> <span class="o">!=</span> <span class="n">old_ca_detail</span>

    <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Reissuing </span><span class="si">%r</span><span class="s2">, must_revoke </span><span class="si">%s</span><span class="s2">, new_issuer </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">must_revoke</span><span class="p">,</span> <span class="n">new_issuer</span><span class="p">))</span>

    <span class="k">if</span> <span class="n">resources</span><span class="o">.</span><span class="n">valid_until</span> <span class="o">!=</span> <span class="n">old_resources</span><span class="o">.</span><span class="n">valid_until</span><span class="p">:</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Validity changed: </span><span class="si">%s</span><span class="s2"> </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="p">(</span> <span class="n">old_resources</span><span class="o">.</span><span class="n">valid_until</span><span class="p">,</span> <span class="n">resources</span><span class="o">.</span><span class="n">valid_until</span><span class="p">))</span>

    <span class="k">def</span> <span class="nf">revoke</span><span class="p">(</span><span class="n">child_cert</span><span class="p">):</span>

      <span class="n">uri</span> <span class="o">=</span> <span class="n">child_cert</span><span class="o">.</span><span class="n">uri</span><span class="p">(</span><span class="n">ca</span><span class="p">)</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;New child_cert </span><span class="si">%r</span><span class="s2"> uri </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="n">child_cert</span><span class="p">,</span> <span class="n">uri</span><span class="p">))</span>

      <span class="k">def</span> <span class="nf">loop</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">x</span><span class="p">):</span>
        <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Revoking child_cert </span><span class="si">%r</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="n">x</span><span class="p">)</span>
        <span class="n">x</span><span class="o">.</span><span class="n">revoke</span><span class="p">(</span><span class="n">iterator</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">withdraw</span> <span class="o">=</span> <span class="n">x</span><span class="o">.</span><span class="n">uri</span><span class="p">(</span><span class="n">ca</span><span class="p">)</span> <span class="o">!=</span> <span class="n">uri</span><span class="p">)</span>

      <span class="k">def</span> <span class="nf">manifest</span><span class="p">():</span>
        <span class="n">ca_detail</span><span class="o">.</span><span class="n">generate_manifest</span><span class="p">(</span><span class="n">done</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

      <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
        <span class="n">callback</span><span class="p">(</span><span class="n">child_cert</span><span class="p">)</span>        

      <span class="n">certs_to_revoke</span> <span class="o">=</span> <span class="p">[</span><span class="n">x</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">child</span><span class="o">.</span><span class="n">child_certs</span><span class="p">(</span><span class="n">ca_detail</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="p">,</span> <span class="n">ski</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ski</span><span class="p">)</span> <span class="k">if</span> <span class="n">x</span> <span class="ow">is</span> <span class="ow">not</span> <span class="n">child_cert</span><span class="p">]</span>

      <span class="k">if</span> <span class="n">certs_to_revoke</span><span class="p">:</span>
        <span class="n">rpki</span><span class="o">.</span><span class="k">async</span><span class="o">.</span><span class="n">iterator</span><span class="p">(</span><span class="n">certs_to_revoke</span><span class="p">,</span> <span class="n">loop</span><span class="p">,</span> <span class="n">manifest</span><span class="p">)</span>
      <span class="k">else</span><span class="p">:</span>
        <span class="n">done</span><span class="p">()</span>

    <span class="n">ca_detail</span><span class="o">.</span><span class="n">issue</span><span class="p">(</span>
      <span class="n">ca</span>          <span class="o">=</span> <span class="n">ca</span><span class="p">,</span>
      <span class="n">child</span>       <span class="o">=</span> <span class="n">child</span><span class="p">,</span>
      <span class="n">subject_key</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">getPublicKey</span><span class="p">(),</span>
      <span class="n">sia</span>         <span class="o">=</span> <span class="n">sia</span><span class="p">,</span>
      <span class="n">resources</span>   <span class="o">=</span> <span class="n">resources</span><span class="p">,</span>
      <span class="n">child_cert</span>  <span class="o">=</span> <span class="kc">None</span> <span class="k">if</span> <span class="n">must_revoke</span> <span class="ow">or</span> <span class="n">new_issuer</span> <span class="k">else</span> <span class="bp">self</span><span class="p">,</span>
      <span class="n">callback</span>    <span class="o">=</span> <span class="n">revoke</span> <span class="k">if</span> <span class="n">must_revoke</span> <span class="k">else</span> <span class="n">callback</span><span class="p">,</span>
      <span class="n">errback</span>     <span class="o">=</span> <span class="n">errback</span><span class="p">)</span>

  <span class="nd">@classmethod</span>
  <span class="k">def</span> <span class="nf">fetch</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">gctx</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">child</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">ca_detail</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">ski</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">unique</span> <span class="o">=</span> <span class="kc">False</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Fetch all child_cert objects matching a particular set of</span>
<span class="sd">    parameters.  This is a wrapper to consolidate various queries that</span>
<span class="sd">    would otherwise be inline SQL WHERE expressions.  In most cases</span>
<span class="sd">    code calls this indirectly, through methods in other classes.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">args</span> <span class="o">=</span> <span class="p">[]</span>
    <span class="n">where</span> <span class="o">=</span> <span class="p">[]</span>

    <span class="k">if</span> <span class="n">child</span><span class="p">:</span>
      <span class="n">where</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="s2">&quot;child_id = </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">)</span>
      <span class="n">args</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">child</span><span class="o">.</span><span class="n">child_id</span><span class="p">)</span>

    <span class="k">if</span> <span class="n">ca_detail</span><span class="p">:</span>
      <span class="n">where</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="s2">&quot;ca_detail_id = </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">)</span>
      <span class="n">args</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">ca_detail</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">)</span>

    <span class="k">if</span> <span class="n">ski</span><span class="p">:</span>
      <span class="n">where</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="s2">&quot;ski = </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">)</span>
      <span class="n">args</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">ski</span><span class="p">)</span>

    <span class="n">where</span> <span class="o">=</span> <span class="s2">&quot; AND &quot;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">where</span><span class="p">)</span>

    <span class="n">gctx</span> <span class="o">=</span> <span class="n">gctx</span> <span class="ow">or</span> <span class="p">(</span><span class="n">child</span> <span class="ow">and</span> <span class="n">child</span><span class="o">.</span><span class="n">gctx</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">ca_detail</span> <span class="ow">and</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">gctx</span><span class="p">)</span> <span class="ow">or</span> <span class="kc">None</span>

    <span class="k">if</span> <span class="n">unique</span><span class="p">:</span>
      <span class="k">return</span> <span class="bp">cls</span><span class="o">.</span><span class="n">sql_fetch_where1</span><span class="p">(</span><span class="n">gctx</span><span class="p">,</span> <span class="n">where</span><span class="p">,</span> <span class="n">args</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
      <span class="k">return</span> <span class="bp">cls</span><span class="o">.</span><span class="n">sql_fetch_where</span><span class="p">(</span><span class="n">gctx</span><span class="p">,</span> <span class="n">where</span><span class="p">,</span> <span class="n">args</span><span class="p">)</span>

<span class="k">class</span> <span class="nc">revoked_cert_obj</span><span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sql_persistent</span><span class="p">):</span>
<span class="w">  </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">  Tombstone for a revoked certificate.</span>
<span class="sd">  &quot;&quot;&quot;</span>

  <span class="n">sql_template</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">template</span><span class="p">(</span>
    <span class="s2">&quot;revoked_cert&quot;</span><span class="p">,</span>
    <span class="s2">&quot;revoked_cert_id&quot;</span><span class="p">,</span>
    <span class="s2">&quot;serial&quot;</span><span class="p">,</span>
    <span class="s2">&quot;ca_detail_id&quot;</span><span class="p">,</span>
    <span class="p">(</span><span class="s2">&quot;revoked&quot;</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">datetime</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;expires&quot;</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">datetime</span><span class="p">))</span>

  <span class="k">def</span> <span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">gctx</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">serial</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">revoked</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">expires</span> <span class="o">=</span> <span class="kc">None</span><span class="p">,</span> <span class="n">ca_detail_id</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Initialize a revoked_cert_obj.&quot;&quot;&quot;</span>
    <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sql_persistent</span><span class="o">.</span><span class="fm">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">)</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span> <span class="o">=</span> <span class="n">gctx</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">serial</span> <span class="o">=</span> <span class="n">serial</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">revoked</span> <span class="o">=</span> <span class="n">revoked</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">expires</span> <span class="o">=</span> <span class="n">expires</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span> <span class="o">=</span> <span class="n">ca_detail_id</span>
    <span class="k">if</span> <span class="n">serial</span> <span class="ow">or</span> <span class="n">revoked</span> <span class="ow">or</span> <span class="n">expires</span> <span class="ow">or</span> <span class="n">ca_detail_id</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql_mark_dirty</span><span class="p">()</span>

  <span class="k">def</span> <span class="nf">ca_detail</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;Fetch ca_detail object to which this revoked_cert_obj links.&quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">)</span>

  <span class="nd">@classmethod</span>
  <span class="k">def</span> <span class="nf">revoke</span><span class="p">(</span><span class="bp">cls</span><span class="p">,</span> <span class="n">cert</span><span class="p">,</span> <span class="n">ca_detail</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Revoke a certificate.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="bp">cls</span><span class="p">(</span>
      <span class="n">serial</span>       <span class="o">=</span> <span class="n">cert</span><span class="o">.</span><span class="n">getSerial</span><span class="p">(),</span>
      <span class="n">expires</span>      <span class="o">=</span> <span class="n">cert</span><span class="o">.</span><span class="n">getNotAfter</span><span class="p">(),</span>
      <span class="n">revoked</span>      <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">now</span><span class="p">(),</span>
      <span class="n">gctx</span>         <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span>
      <span class="n">ca_detail_id</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">)</span>

<span class="k">class</span> <span class="nc">roa_obj</span><span class="p">(</span><span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sql_persistent</span><span class="p">):</span>
<span class="w">  </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">  Route Origin Authorization.</span>
<span class="sd">  &quot;&quot;&quot;</span>

  <span class="n">sql_template</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">template</span><span class="p">(</span>
    <span class="s2">&quot;roa&quot;</span><span class="p">,</span>
    <span class="s2">&quot;roa_id&quot;</span><span class="p">,</span>
    <span class="s2">&quot;ca_detail_id&quot;</span><span class="p">,</span>
    <span class="s2">&quot;self_id&quot;</span><span class="p">,</span>
    <span class="s2">&quot;asn&quot;</span><span class="p">,</span>
    <span class="p">(</span><span class="s2">&quot;roa&quot;</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">ROA</span><span class="p">),</span>
    <span class="p">(</span><span class="s2">&quot;cert&quot;</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">X509</span><span class="p">))</span>

  <span class="n">ca_detail_id</span> <span class="o">=</span> <span class="kc">None</span>
  <span class="n">cert</span> <span class="o">=</span> <span class="kc">None</span>
  <span class="n">roa</span> <span class="o">=</span> <span class="kc">None</span>

  <span class="k">def</span> <span class="nf">self</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Fetch self object to which this roa_obj links.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">rpki</span><span class="o">.</span><span class="n">left_right</span><span class="o">.</span><span class="n">self_elt</span><span class="o">.</span><span class="n">sql_fetch</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">self_id</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">sql_fetch_hook</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Extra SQL fetch actions for roa_obj -- handle prefix lists.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">for</span> <span class="n">version</span><span class="p">,</span> <span class="n">datatype</span><span class="p">,</span> <span class="n">attribute</span> <span class="ow">in</span> <span class="p">((</span><span class="mi">4</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">roa_prefix_set_ipv4</span><span class="p">,</span> <span class="s2">&quot;ipv4&quot;</span><span class="p">),</span>
                                         <span class="p">(</span><span class="mi">6</span><span class="p">,</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">roa_prefix_set_ipv6</span><span class="p">,</span> <span class="s2">&quot;ipv6&quot;</span><span class="p">)):</span>
      <span class="nb">setattr</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">attribute</span><span class="p">,</span> <span class="n">datatype</span><span class="o">.</span><span class="n">from_sql</span><span class="p">(</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="o">.</span><span class="n">sql</span><span class="p">,</span>
<span class="w">        </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">            SELECT prefix, prefixlen, max_prefixlen FROM roa_prefix</span>
<span class="sd">            WHERE roa_id = %s AND version = %s</span>
<span class="sd">        &quot;&quot;&quot;</span><span class="p">,</span>
        <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">roa_id</span><span class="p">,</span> <span class="n">version</span><span class="p">)))</span>

  <span class="k">def</span> <span class="nf">sql_insert_hook</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Extra SQL insert actions for roa_obj -- handle prefix lists.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">for</span> <span class="n">version</span><span class="p">,</span> <span class="n">prefix_set</span> <span class="ow">in</span> <span class="p">((</span><span class="mi">4</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv4</span><span class="p">),</span> <span class="p">(</span><span class="mi">6</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv6</span><span class="p">)):</span>
      <span class="k">if</span> <span class="n">prefix_set</span><span class="p">:</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">executemany</span><span class="p">(</span>
<span class="w">          </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">            INSERT roa_prefix (roa_id, prefix, prefixlen, max_prefixlen, version)</span>
<span class="sd">            VALUES (%s, %s, %s, %s, %s)</span>
<span class="sd">          &quot;&quot;&quot;</span><span class="p">,</span>
          <span class="p">((</span><span class="bp">self</span><span class="o">.</span><span class="n">roa_id</span><span class="p">,</span> <span class="n">x</span><span class="o">.</span><span class="n">prefix</span><span class="p">,</span> <span class="n">x</span><span class="o">.</span><span class="n">prefixlen</span><span class="p">,</span> <span class="n">x</span><span class="o">.</span><span class="n">max_prefixlen</span><span class="p">,</span> <span class="n">version</span><span class="p">)</span>
           <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">prefix_set</span><span class="p">))</span>

  <span class="k">def</span> <span class="nf">sql_delete_hook</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Extra SQL delete actions for roa_obj -- handle prefix lists.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&quot;DELETE FROM roa_prefix WHERE roa_id = </span><span class="si">%s</span><span class="s2">&quot;</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">roa_id</span><span class="p">,))</span>

  <span class="k">def</span> <span class="nf">ca_detail</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Fetch all ca_detail objects that link to this roa_obj.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="n">rpki</span><span class="o">.</span><span class="n">rpki_engine</span><span class="o">.</span><span class="n">ca_detail_obj</span><span class="o">.</span><span class="n">sql_fetch</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">update_roa</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">callback</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Bring this roa_obj&#39;s ROA up to date if necesssary.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">def</span> <span class="nf">lose</span><span class="p">(</span><span class="n">e</span><span class="p">):</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">traceback</span><span class="p">()</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">warn</span><span class="p">(</span><span class="s2">&quot;Could not update ROA </span><span class="si">%r</span><span class="s2">, skipping: </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span>
      <span class="n">callback</span><span class="p">()</span>
      <span class="k">return</span>

    <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">roa</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">generate_roa</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="n">lose</span><span class="p">)</span>
      <span class="k">return</span>

    <span class="n">ca_detail</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">ca_detail</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">or</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">state</span> <span class="o">!=</span> <span class="s2">&quot;active&quot;</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">regenerate_roa</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="n">lose</span><span class="p">)</span>
      <span class="k">return</span>

    <span class="n">regen_margin</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">timedelta</span><span class="p">(</span><span class="n">seconds</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">self</span><span class="p">()</span><span class="o">.</span><span class="n">regen_margin</span><span class="p">)</span>

    <span class="k">if</span> <span class="n">rpki</span><span class="o">.</span><span class="n">sundial</span><span class="o">.</span><span class="n">now</span><span class="p">()</span> <span class="o">+</span> <span class="n">regen_margin</span> <span class="o">&gt;</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">getNotAfter</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">regenerate_roa</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="n">lose</span><span class="p">)</span>
      <span class="k">return</span>

    <span class="n">ca_resources</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">get_3779resources</span><span class="p">()</span>
    <span class="n">ee_resources</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">get_3779resources</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">ee_resources</span><span class="o">.</span><span class="n">oversized</span><span class="p">(</span><span class="n">ca_resources</span><span class="p">):</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">regenerate_roa</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="n">lose</span><span class="p">)</span>
      <span class="k">return</span>

    <span class="n">v4</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv4</span><span class="o">.</span><span class="n">to_resource_set</span><span class="p">()</span> <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv4</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span> <span class="k">else</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_set_ipv4</span><span class="p">()</span>
    <span class="n">v6</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv6</span><span class="o">.</span><span class="n">to_resource_set</span><span class="p">()</span> <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv6</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span> <span class="k">else</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_set_ipv6</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">ee_resources</span><span class="o">.</span><span class="n">v4</span> <span class="o">!=</span> <span class="n">v4</span> <span class="ow">or</span> <span class="n">ee_resources</span><span class="o">.</span><span class="n">v6</span> <span class="o">!=</span> <span class="n">v6</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">regenerate_roa</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="n">lose</span><span class="p">)</span>
      <span class="k">return</span>

    <span class="n">callback</span><span class="p">()</span>

  <span class="k">def</span> <span class="nf">generate_roa</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Generate a ROA.</span>

<span class="sd">    At present this does not support ROAs with multiple signatures</span>
<span class="sd">    (neither does the current CMS code).</span>

<span class="sd">    At present we have no way of performing a direct lookup from a</span>
<span class="sd">    desired set of resources to a covering certificate, so we have to</span>
<span class="sd">    search.  This could be quite slow if we have a lot of active</span>
<span class="sd">    ca_detail objects.  Punt on the issue for now, revisit if</span>
<span class="sd">    profiling shows this as a hotspot.</span>

<span class="sd">    Once we have the right covering certificate, we generate the ROA</span>
<span class="sd">    payload, generate a new EE certificate, use the EE certificate to</span>
<span class="sd">    sign the ROA payload, publish the result, then throw away the</span>
<span class="sd">    private key for the EE cert, all per the ROA specification.  This</span>
<span class="sd">    implies that generating a lot of ROAs will tend to thrash</span>
<span class="sd">    /dev/random, but there is not much we can do about that.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv4</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">and</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv6</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">EmptyROAPrefixList</span>

    <span class="c1"># Ugly and expensive search for covering ca_detail, there has to</span>
    <span class="c1"># be a better way, but it would require the ability to test for</span>
    <span class="c1"># resource subsets in SQL.</span>

    <span class="n">v4</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv4</span><span class="o">.</span><span class="n">to_resource_set</span><span class="p">()</span> <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv4</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span> <span class="k">else</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_set_ipv4</span><span class="p">()</span>
    <span class="n">v6</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv6</span><span class="o">.</span><span class="n">to_resource_set</span><span class="p">()</span> <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv6</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span> <span class="k">else</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_set_ipv6</span><span class="p">()</span>

    <span class="n">ca_detail</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail</span><span class="p">()</span>
    <span class="k">if</span> <span class="n">ca_detail</span> <span class="ow">is</span> <span class="kc">None</span> <span class="ow">or</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">state</span> <span class="o">!=</span> <span class="s2">&quot;active&quot;</span><span class="p">:</span>
      <span class="n">ca_detail</span> <span class="o">=</span> <span class="kc">None</span>
      <span class="k">for</span> <span class="n">parent</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">self</span><span class="p">()</span><span class="o">.</span><span class="n">parents</span><span class="p">():</span>
        <span class="k">for</span> <span class="n">ca</span> <span class="ow">in</span> <span class="n">parent</span><span class="o">.</span><span class="n">cas</span><span class="p">():</span>
          <span class="n">ca_detail</span> <span class="o">=</span> <span class="n">ca</span><span class="o">.</span><span class="n">fetch_active</span><span class="p">()</span>
          <span class="k">if</span> <span class="n">ca_detail</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span>
            <span class="n">resources</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">latest_ca_cert</span><span class="o">.</span><span class="n">get_3779resources</span><span class="p">()</span>
            <span class="k">if</span> <span class="n">v4</span><span class="o">.</span><span class="n">issubset</span><span class="p">(</span><span class="n">resources</span><span class="o">.</span><span class="n">v4</span><span class="p">)</span> <span class="ow">and</span> <span class="n">v6</span><span class="o">.</span><span class="n">issubset</span><span class="p">(</span><span class="n">resources</span><span class="o">.</span><span class="n">v6</span><span class="p">):</span>
              <span class="k">break</span>
            <span class="n">ca_detail</span> <span class="o">=</span> <span class="kc">None</span>
        <span class="k">if</span> <span class="n">ca_detail</span> <span class="ow">is</span> <span class="ow">not</span> <span class="kc">None</span><span class="p">:</span>
          <span class="k">break</span>

    <span class="k">if</span> <span class="n">ca_detail</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="k">raise</span> <span class="n">rpki</span><span class="o">.</span><span class="n">exceptions</span><span class="o">.</span><span class="n">NoCoveringCertForROA</span><span class="p">,</span> <span class="s2">&quot;generate_roa() could not find a certificate covering </span><span class="si">%s</span><span class="s2"> </span><span class="si">%s</span><span class="s2">&quot;</span> <span class="o">%</span> <span class="p">(</span><span class="n">v4</span><span class="p">,</span> <span class="n">v6</span><span class="p">)</span>

    <span class="n">ca</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span>

    <span class="n">resources</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">resource_set</span><span class="o">.</span><span class="n">resource_bag</span><span class="p">(</span><span class="n">v4</span> <span class="o">=</span> <span class="n">v4</span><span class="p">,</span> <span class="n">v6</span> <span class="o">=</span> <span class="n">v6</span><span class="p">)</span>

    <span class="n">keypair</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">RSA</span><span class="o">.</span><span class="n">generate</span><span class="p">()</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">ca_detail_id</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">cert</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">issue_ee</span><span class="p">(</span><span class="n">ca</span><span class="p">,</span> <span class="n">resources</span><span class="p">,</span> <span class="n">keypair</span><span class="o">.</span><span class="n">get_RSApublic</span><span class="p">(),</span>
                                   <span class="n">sia</span> <span class="o">=</span> <span class="p">((</span><span class="n">rpki</span><span class="o">.</span><span class="n">oids</span><span class="o">.</span><span class="n">name2oid</span><span class="p">[</span><span class="s2">&quot;id-ad-signedObject&quot;</span><span class="p">],</span>
                                           <span class="p">(</span><span class="s2">&quot;uri&quot;</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">roa_uri</span><span class="p">(</span><span class="n">keypair</span><span class="p">))),))</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">roa</span> <span class="o">=</span> <span class="n">rpki</span><span class="o">.</span><span class="n">x509</span><span class="o">.</span><span class="n">ROA</span><span class="o">.</span><span class="n">build</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">asn</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv4</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">ipv6</span><span class="p">,</span> <span class="n">keypair</span><span class="p">,</span> <span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="p">,))</span>

    <span class="bp">self</span><span class="o">.</span><span class="n">sql_store</span><span class="p">()</span>

    <span class="k">def</span> <span class="nf">done</span><span class="p">():</span>
      <span class="n">ca_detail</span><span class="o">.</span><span class="n">generate_manifest</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

    <span class="n">ca</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span><span class="o">.</span><span class="n">repository</span><span class="p">()</span><span class="o">.</span><span class="n">publish</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">roa</span><span class="p">,</span> <span class="bp">self</span><span class="o">.</span><span class="n">roa_uri</span><span class="p">(),</span> <span class="n">done</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">withdraw_roa</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">regenerate</span> <span class="o">=</span> <span class="kc">False</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Withdraw ROA associated with this roa_obj.</span>

<span class="sd">    In order to preserve make-before-break properties without</span>
<span class="sd">    duplicating code, this method also handles generating a</span>
<span class="sd">    replacement ROA when requested.</span>
<span class="sd">    &quot;&quot;&quot;</span>

    <span class="n">ca_detail</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail</span><span class="p">()</span>
    <span class="n">cert</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span>
    <span class="n">roa</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">roa</span>
    <span class="n">roa_uri</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">roa_uri</span><span class="p">()</span>
    <span class="n">ee_uri</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">ee_uri</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">ca_detail</span><span class="o">.</span><span class="n">state</span> <span class="o">!=</span> <span class="s1">&#39;active&#39;</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail_id</span> <span class="o">=</span> <span class="kc">None</span>

    <span class="k">def</span> <span class="nf">one</span><span class="p">():</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">log</span><span class="o">.</span><span class="n">debug</span><span class="p">(</span><span class="s2">&quot;Withdrawing ROA and revoking its EE cert&quot;</span><span class="p">)</span>
      <span class="n">rpki</span><span class="o">.</span><span class="n">rpki_engine</span><span class="o">.</span><span class="n">revoked_cert_obj</span><span class="o">.</span><span class="n">revoke</span><span class="p">(</span><span class="n">cert</span> <span class="o">=</span> <span class="n">cert</span><span class="p">,</span> <span class="n">ca_detail</span> <span class="o">=</span> <span class="n">ca_detail</span><span class="p">)</span>
      <span class="n">ca_detail</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span><span class="o">.</span><span class="n">parent</span><span class="p">()</span><span class="o">.</span><span class="n">repository</span><span class="p">()</span><span class="o">.</span><span class="n">withdraw</span><span class="p">(</span><span class="n">roa</span><span class="p">,</span> <span class="n">roa_uri</span><span class="p">,</span> <span class="n">two</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">two</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">gctx</span><span class="o">.</span><span class="n">sql</span><span class="o">.</span><span class="n">sweep</span><span class="p">()</span>
      <span class="n">ca_detail</span><span class="o">.</span><span class="n">generate_crl</span><span class="p">(</span><span class="n">three</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">three</span><span class="p">():</span>
      <span class="n">ca_detail</span><span class="o">.</span><span class="n">generate_manifest</span><span class="p">(</span><span class="n">four</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>

    <span class="k">def</span> <span class="nf">four</span><span class="p">():</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">sql_delete</span><span class="p">()</span>
      <span class="n">callback</span><span class="p">()</span>

    <span class="k">if</span> <span class="n">regenerate</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">generate_roa</span><span class="p">(</span><span class="n">one</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
      <span class="n">one</span><span class="p">()</span>

  <span class="k">def</span> <span class="nf">regenerate_roa</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Reissue ROA associated with this roa_obj.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">if</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail</span><span class="p">()</span> <span class="ow">is</span> <span class="kc">None</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">generate_roa</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">)</span>
    <span class="k">else</span><span class="p">:</span>
      <span class="bp">self</span><span class="o">.</span><span class="n">withdraw_roa</span><span class="p">(</span><span class="n">callback</span><span class="p">,</span> <span class="n">errback</span><span class="p">,</span> <span class="n">regenerate</span> <span class="o">=</span> <span class="kc">True</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">roa_uri</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">key</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Return the publication URI for this roa_obj&#39;s ROA.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail</span><span class="p">()</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span><span class="o">.</span><span class="n">sia_uri</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">roa_uri_tail</span><span class="p">(</span><span class="n">key</span><span class="p">)</span>

  <span class="k">def</span> <span class="nf">roa_uri_tail</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">key</span> <span class="o">=</span> <span class="kc">None</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Return the tail (filename portion) of the publication URI for this</span>
<span class="sd">    roa_obj&#39;s ROA.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="p">(</span><span class="n">key</span> <span class="ow">or</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="p">)</span><span class="o">.</span><span class="n">gSKI</span><span class="p">()</span> <span class="o">+</span> <span class="s2">&quot;.roa&quot;</span>

  <span class="k">def</span> <span class="nf">ee_uri_tail</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Return the tail (filename) portion of the URI for this roa_obj&#39;s</span>
<span class="sd">    ROA&#39;s EE certificate.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">cert</span><span class="o">.</span><span class="n">gSKI</span><span class="p">()</span> <span class="o">+</span> <span class="s2">&quot;.cer&quot;</span>

  <span class="k">def</span> <span class="nf">ee_uri</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="w">    </span><span class="sd">&quot;&quot;&quot;</span>
<span class="sd">    Return the publication URI for this roa_obj&#39;s ROA&#39;s EE</span>
<span class="sd">    certificate.</span>
<span class="sd">    &quot;&quot;&quot;</span>
    <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">ca_detail</span><span class="p">()</span><span class="o">.</span><span class="n">ca</span><span class="p">()</span><span class="o">.</span><span class="n">sia_uri</span> <span class="o">+</span> <span class="bp">self</span><span class="o">.</span><span class="n">ee_uri_tail</span><span class="p">()</span>
</pre></div>