Merge pull request #108 from NLnetLabs/rta-01

Creation and Validation of Resource Tagged Attestations.

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macOS-latest]
-        rust: [1.40.0, stable, beta, nightly]
+        rust: [1.42.0, stable, beta, nightly]
     steps:
     - name: Checkout repository
       uses: actions/checkout@v1

Changelog.md

@@ -4,6 +4,8 @@
 
 Breaking
 
+* The minimum required Rust version is now 1.42. ([#108])
+
 Bug Fixes
 
 * Don’t refuse a rpkiNotify SIA in EE certificates in strict validation mode. 
@@ -13,9 +15,20 @@ Bug Fixes
 
 New
 
+* Module `rta` for handling Resource Tagged Assertions.  ([#108])
+* `crypto::DigestAlgorithm::digest_file` allows calculating the digest
+  value of an entire file.  ([#108])
+* `IpBlock` can now be displayed via helper types to select IPv4 or IPv6.
+  ([#108])
+* `SignedObject::process` to validate generic signed objects and return
+  their content on success. ([#108])
+* The various steps in certificate validation are now available as
+  separate methods. ([#108])
+
 Dependencies
 
 [#105]: https://github.com/NLnetLabs/rpki-rs/pull/105
+[#108]: https://github.com/NLnetLabs/rpki-rs/pull/108
 [#109]: https://github.com/NLnetLabs/rpki-rs/pull/109
 
 

src/cert/builder.rs

@@ -10,7 +10,7 @@ use crate::resources::{
 };
 use crate::uri;
 use crate::x509::Name;
-use super::Validity;
+use super::{Overclaim, Validity};
 
 
 #[derive(Clone, Debug)]
@@ -138,10 +138,10 @@ pub struct CertBuilder {
     /// Subject Information Access of type `id-ad-rpkiNotify`
     rpki_notify: Option<uri::Https>,
 
-    //  Certificate Policies
-    //
-    //  This contains a single policy, id-cp-ipAddr-asNumber, without any
-    //  qualifiers.
+    /// Certificate Policies
+    ///
+    /// This is chosen via the value of the overclaim mode,
+    overclaim: Overclaim,
 
     /// IPv4 Resources
     ///
@@ -182,6 +182,7 @@ impl CertBuilder {
             rpki_manifest: None,
             signed_object: None,
             rpki_notify: None,
+            overclaim: Overclaim::Refuse,
             v4_resources: IpResourcesBuilder::new(),
             v6_resources: IpResourcesBuilder::new(),
             as_resources: AsResourcesBuilder::new(),
@@ -230,6 +231,11 @@ impl CertBuilder {
         self
     }
 
+    pub fn overclaim(&mut self, overclaim: Overclaim) -> &mut Self {
+        self.overclaim = overclaim;
+        self
+    }
+
     pub fn inherit_v4(&mut self) -> &mut Self {
         self.v4_resources.inherit();
         self
@@ -241,7 +247,7 @@ impl CertBuilder {
     }
 
     pub fn inherit_as(&mut self) -> &mut Self {
-        self.as_resources.inhert();
+        self.as_resources.inherit();
         self
     }
 
@@ -418,17 +424,16 @@ impl CertBuilder {
                 ),
 
                 // IP Resources
-                IpResources::encode_families(
-                    self.v4_resources.finalize(),
-                    self.v6_resources.finalize()
-                ).map(|res| {
-                    extension(&oid::PE_IP_ADDR_BLOCK, true, res)
-                }),
+                IpResources::encode_extension(
+                    self.overclaim,
+                    &self.v4_resources.finalize(),
+                    &self.v6_resources.finalize()
+                ),
 
                 // AS Resources
-                self.as_resources.finalize().map(|res| {
-                    extension(&oid::PE_AUTONOMOUS_SYS_IDS, true, res.encode())
-                })
+                self.as_resources.finalize().encode_extension(
+                    self.overclaim
+                ),
             )))
         )))
     }