diff --git a/README.md b/README.md index 89e5952b3..b22c98abf 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,8 @@ next (snapshot) release, e.g. `1.1-SNAPSHOT` after releasing `1.0`. ## Changelog -## 2024-xx-yy 1.38 +## 2024-xx-yy 2.0.0 + * **breaking**: Use **ImmutableResourceSet** in many situations ## 2024-02-28 1.37 * Use bouncy castle 1.77 (and update API usage accordingly) diff --git a/pom.xml b/pom.xml index 537211cc5..ef37fa5ed 100644 --- a/pom.xml +++ b/pom.xml @@ -2,7 +2,7 @@ 4.0.0 net.ripe.rpki rpki-commons - 1.38-SNAPSHOT + 2.0.0-SNAPSHOT 2008 RPKI Commmons diff --git a/src/main/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCms.java b/src/main/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCms.java index e45a21631..f69bc9240 100644 --- a/src/main/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCms.java +++ b/src/main/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCms.java @@ -1,6 +1,7 @@ package net.ripe.rpki.commons.crypto.cms.roa; import net.ripe.ipresource.Asn; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.cms.RpkiSignedObject; import net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectInfo; @@ -31,7 +32,7 @@ public Asn getAsn() { return asn; } - public IpResourceSet getResources() { + public ImmutableResourceSet getResources() { return getCertificate().getResources(); } diff --git a/src/main/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoder.java b/src/main/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoder.java index 78efb568b..d504ad05e 100644 --- a/src/main/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoder.java +++ b/src/main/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoder.java 
@@ -1,12 +1,6 @@ package net.ripe.rpki.commons.crypto.rfc3779; -import net.ripe.ipresource.Asn; -import net.ripe.ipresource.IpAddress; -import net.ripe.ipresource.IpRange; -import net.ripe.ipresource.IpResource; -import net.ripe.ipresource.IpResourceRange; -import net.ripe.ipresource.IpResourceSet; -import net.ripe.ipresource.IpResourceType; +import net.ripe.ipresource.*; import net.ripe.rpki.commons.crypto.util.Asn1Util; import org.apache.commons.lang3.Validate; import org.bouncycastle.asn1.ASN1Encodable; @@ -62,8 +56,8 @@ public class ResourceExtensionEncoder { * @param resources the set of IPv4 and IPv6 resources. * @return the DER encoding of the IP Address Block Extension. */ - public ASN1Object encodeIpAddressBlocks(boolean inheritIpv4, boolean inheritIpv6, IpResourceSet resources) { - SortedMap addressBlocks = new TreeMap(); + public ASN1Object encodeIpAddressBlocks(boolean inheritIpv4, boolean inheritIpv6, ImmutableResourceSet resources) { + SortedMap addressBlocks = new TreeMap<>(); if (inheritIpv4) { addressBlocks.put(AddressFamily.IPV4, null); @@ -89,9 +83,9 @@ public ASN1Object encodeIpAddressBlocks(boolean inheritIpv4, boolean inheritIpv6 * @param resources the set of ASNs. * @return the DER encoding of the AS Identifier extension. */ - public ASN1Object encodeAsIdentifiers(boolean inherit, IpResourceSet resources) { + public ASN1Object encodeAsIdentifiers(boolean inherit, ImmutableResourceSet resources) { if (inherit || resources.containsType(IpResourceType.ASN)) { - return asIdentifiersToDer(inherit, resources, false, new IpResourceSet()); + return asIdentifiersToDer(inherit, resources, false, ImmutableResourceSet.empty()); } return null; } 
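Review bot: The import hunk replaces seven explicit `net.ripe.ipresource` imports with `import net.ripe.ipresource.*;`, which hides the types this encoder depends on and lets a class later added to that package clash with another imported name. Keep the explicit list and add the one new line, `import net.ripe.ipresource.ImmutableResourceSet;`. Drop `IpResourceSet` from the list only if nothing else in the file uses it; most of the file body is outside these hunks.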
@@ -104,7 +98,7 @@ public ASN1Object encodeAsIdentifiers(boolean inherit, IpResourceSet resources) * ASIdentifiers ::= SEQUENCE { asnum [0] EXPLICIT ASIdentifierChoice * OPTIONAL, rdi [1] EXPLICIT ASIdentifierChoice OPTIONAL} */ - ASN1Object asIdentifiersToDer(boolean inheritAsn, IpResourceSet asnResources, boolean inheritRdi, IpResourceSet rdiResources) { + ASN1Object asIdentifiersToDer(boolean inheritAsn, ImmutableResourceSet asnResources, boolean inheritRdi, ImmutableResourceSet rdiResources) { List seq = new ArrayList(2); if (inheritAsn || asnResources.containsType(IpResourceType.ASN)) { seq.add(new DERTaggedObject(0, asIdentifierChoiceToDer(inheritAsn, asnResources))); @@ -119,14 +113,14 @@ ASN1Object asIdentifiersToDer(boolean inheritAsn, IpResourceSet asnResources, bo * ASIdentifierChoice ::= CHOICE { inherit NULL, -- inherit from issuer -- * asIdsOrRanges SEQUENCE OF ASIdOrRange } */ - ASN1Encodable asIdentifierChoiceToDer(boolean inherit, IpResourceSet resources) { + ASN1Encodable asIdentifierChoiceToDer(boolean inherit, ImmutableResourceSet resources) { return inherit ? DERNull.INSTANCE : asIdsOrRangesToDer(resources); } /** * asIdsOrRanges ::= SEQUENCE OF ASIdOrRange */ - DERSequence asIdsOrRangesToDer(IpResourceSet resources) { + DERSequence asIdsOrRangesToDer(ImmutableResourceSet resources) { List seq = new ArrayList(); for (IpResource resource : resources) { if (IpResourceType.ASN == resource.getType()) { @@ -161,7 +155,7 @@ ASN1Integer asIdToDer(Asn asn) { /** * IPAddrBlocks ::= SEQUENCE OF IPAddressFamily */ - ASN1Object ipAddressBlocksToDer(SortedMap resources) { + ASN1Object ipAddressBlocksToDer(SortedMap resources) { List seq = new ArrayList(2); for (AddressFamily addressFamily : resources.keySet()) { seq.add(ipAddressFamilyToDer(addressFamily, resources.get(addressFamily))); 
@@ -173,7 +167,7 @@ ASN1Object ipAddressBlocksToDer(SortedMap resource * IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI -- addressFamily OCTET * STRING (SIZE (2..3)), ipAddressChoice IPAddressChoice } */ - ASN1Object ipAddressFamilyToDer(AddressFamily addressFamily, IpResourceSet resources) { + ASN1Object ipAddressFamilyToDer(AddressFamily addressFamily, ImmutableResourceSet resources) { IpResourceType type = addressFamily.toIpResourceType(); ASN1Encodable[] seq = new ASN1Encodable[2]; seq[0] = addressFamily.toDer(); @@ -185,7 +179,7 @@ ASN1Object ipAddressFamilyToDer(AddressFamily addressFamily, IpResourceSet resou * IPAddressChoice ::= CHOICE { inherit NULL, -- inherit from issuer -- * addressesOrRanges SEQUENCE OF IPAddressOrRange } */ - ASN1Encodable ipAddressChoiceToDer(IpResourceType type, IpResourceSet resources) { + ASN1Encodable ipAddressChoiceToDer(IpResourceType type, ImmutableResourceSet resources) { if (resources == null) { return DERNull.INSTANCE; } diff --git a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/GenericRpkiCertificateBuilder.java b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/GenericRpkiCertificateBuilder.java index 3183ca5df..0e10db53d 100644 --- a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/GenericRpkiCertificateBuilder.java +++ b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/GenericRpkiCertificateBuilder.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.x509cert; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; 
@@ -17,7 +18,7 @@ public abstract class GenericRpkiCertificateBuilder { private PublicKey publicKey; private KeyPair signingKeyPair; private BigInteger serial; - private IpResourceSet resources = new IpResourceSet(); + private ImmutableResourceSet resources = ImmutableResourceSet.empty(); private EnumSet inheritedResourceTypes = EnumSet.noneOf(IpResourceType.class); private X500Principal subject; private X500Principal issuer; @@ -40,7 +41,7 @@ public void withSerial(BigInteger serial) { this.serial = serial; } - public void withResources(IpResourceSet resources) { + public void withResources(ImmutableResourceSet resources) { this.resources = resources; } diff --git a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelper.java b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelper.java index cf76fbf1b..bc1084579 100644 --- a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelper.java +++ b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelper.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.x509cert; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; @@ -83,7 +84,7 @@ public final class X509CertificateBuilderHelper { private ValidityPeriod validityPeriod; - private IpResourceSet resources; + private ImmutableResourceSet resources; private PublicKey publicKey; @@ -134,7 +135,7 @@ public X509CertificateBuilderHelper withValidityPeriod( return this; } - public X509CertificateBuilderHelper withResources(IpResourceSet resources) { + public X509CertificateBuilderHelper withResources(ImmutableResourceSet resources) { this.resources = resources; return this; } 
@@ -294,7 +295,7 @@ protected X509v3CertificateBuilder createCertificateGenerator() { * must be present. This means at least one IPvX or ASN must be either set * explicitly or inherited.. */ - protected void validateResource(IpResourceSet resources) { + protected void validateResource(ImmutableResourceSet resources) { // at least one resource type must be either set or inherited final boolean atLeastOneResourceTypeUsed = EnumSet.allOf(IpResourceType.class) .stream() diff --git a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificate.java b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificate.java index 6014077c4..b4d566045 100644 --- a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificate.java +++ b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificate.java @@ -44,8 +44,8 @@ public ImmutableResourceSet resources() { return resourceExtension.getResources(); } - public IpResourceSet getResources() { - return new IpResourceSet(resources()); + public ImmutableResourceSet getResources() { + return resources(); } public EnumSet getInheritedResourceTypes() { diff --git a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilder.java b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilder.java index 83edd80d9..61800ee16 100644 --- a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilder.java +++ b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilder.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.x509cert; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; 
@@ -22,7 +23,7 @@ */ public class X509ResourceCertificateBuilder { private final X509CertificateBuilderHelper builderHelper; - private IpResourceSet resources = new IpResourceSet(); + private ImmutableResourceSet resources = ImmutableResourceSet.empty(); private EnumSet inheritedResourceTypes = EnumSet.noneOf(IpResourceType.class); public X509ResourceCertificateBuilder() { @@ -72,7 +73,7 @@ public X509ResourceCertificateBuilder withKeyUsage(int keyUsage) { return this; } - public X509ResourceCertificateBuilder withResources(IpResourceSet resources) { + public X509ResourceCertificateBuilder withResources(ImmutableResourceSet resources) { this.resources = resources; builderHelper.withResources(resources); return this; diff --git a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateBuilder.java b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateBuilder.java index c76ee5639..694d82148 100644 --- a/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateBuilder.java +++ b/src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateBuilder.java @@ -1,6 +1,7 @@ package net.ripe.rpki.commons.crypto.x509cert; import net.ripe.ipresource.Asn; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; @@ -74,7 +75,7 @@ public X509RouterCertificateBuilder withAsns(int[] asns) { for (int asn : asns) { resources.add(new Asn(asn)); } - builderHelper.withResources(resources); + builderHelper.withResources(ImmutableResourceSet.of(resources)); } return this; } diff --git a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/CertificateRepositoryObjectValidationContext.java b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/CertificateRepositoryObjectValidationContext.java index a335f6520..925b5ae13 100644 
--- a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/CertificateRepositoryObjectValidationContext.java +++ b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/CertificateRepositoryObjectValidationContext.java @@ -1,6 +1,7 @@ package net.ripe.rpki.commons.validation.objectvalidators; import com.google.common.collect.Lists; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.x509cert.X509CertificateObject; import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate; @@ -27,15 +28,18 @@ public class CertificateRepositoryObjectValidationContext { private final X509CertificateObject certificate; - private final IpResourceSet resources; + /** + * Mutable because it can be reduced when overclaiming + */ + private final ImmutableResourceSet resources; - private IpResourceSet overclaiming = new IpResourceSet(); + private ImmutableResourceSet overclaiming = ImmutableResourceSet.empty(); public CertificateRepositoryObjectValidationContext(URI location, X509ResourceCertificate certificate) { this(location, certificate, certificate.getResources(), Lists.newArrayList(certificate.getSubject().getName())); } - public CertificateRepositoryObjectValidationContext(URI location, X509ResourceCertificate certificate, IpResourceSet resources, List subjectChain) { + public CertificateRepositoryObjectValidationContext(URI location, X509ResourceCertificate certificate, ImmutableResourceSet resources, List subjectChain) { this.location = location; this.certificate = certificate; this.resources = resources; 
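Review bot: The new Javadoc on `resources` says "Mutable because it can be reduced when overclaiming", but the field is declared `private final ImmutableResourceSet`, so neither the reference nor the set can change. The field that is actually reassigned is `overclaiming`, on the next line. Replace the comment with something like `/** Resources of this context before overclaimed resources are subtracted. */`. If a remark about mutability is wanted, put it on `overclaiming` instead.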
@@ -85,28 +89,32 @@ public byte[] getSubjectKeyIdentifier() { } public void addOverclaiming(IpResourceSet overclaiming) { - this.overclaiming.addAll(overclaiming); + this.overclaiming = new ImmutableResourceSet.Builder().addAll(this.overclaiming).addAll(overclaiming).build(); } public CertificateRepositoryObjectValidationContext createChildContext(URI childLocation, X509ResourceCertificate childCertificate) { - IpResourceSet effectiveResources = childCertificate.deriveResources(resources); + var effectiveResources = childCertificate.deriveResources(resources); removeOverclaimingResources(effectiveResources); List childSubjects = Lists.newArrayList(subjectChain); childSubjects.add(childCertificate.getSubject().getName()); return new CertificateRepositoryObjectValidationContext(childLocation, childCertificate, effectiveResources, childSubjects); } - public IpResourceSet getResources() { - IpResourceSet result = new IpResourceSet(resources); - removeOverclaimingResources(result); - return result; + public ImmutableResourceSet getResources() { + return removeOverclaimingResources(resources); } - private void removeOverclaimingResources(IpResourceSet resources) { + /** + * Remove the resources that are overclaimed in this context from the passed in resources. + * @param resources resources to clean + * @return resources - overclaiming + */ + private ImmutableResourceSet removeOverclaimingResources(ImmutableResourceSet resources) { if (overclaiming.isEmpty() || resources.isEmpty()) { - return; + return resources; } - resources.removeAll(overclaiming); + + return new ImmutableResourceSet.Builder().addAll(resources).removeAll(overclaiming).build(); } @Override diff --git a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/ResourceValidatorFactory.java b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/ResourceValidatorFactory.java index 0f073f99b..cb6fd6174 100644 
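Review bot: In `createChildContext` the result of `removeOverclaimingResources(effectiveResources)` is discarded. That helper now returns a new set instead of mutating its argument, so the child context is built with the overclaimed resources still included. The old code removed them in place, so this looks like an unintended change in the validation path: a child context can now carry resources that the parent context had marked as overclaimed. Use the return value, e.g. `var effectiveResources = removeOverclaimingResources(childCertificate.deriveResources(resources));`. A test should also assert that a child context created after `addOverclaiming` no longer contains those resources.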
--- a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/ResourceValidatorFactory.java +++ b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/ResourceValidatorFactory.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.validation.objectvalidators; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.crl.X509Crl; import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate; @@ -12,7 +13,7 @@ public static X509ResourceCertificateParentChildValidator getX509ResourceCertifi CertificateRepositoryObjectValidationContext context, ValidationOptions options, ValidationResult result, X509Crl crl) { - return new X509ResourceCertificateParentChildValidator(options, result, context.getCertificate(), crl, context.getResources()); + return new X509ResourceCertificateParentChildValidator(options, result, context.getCertificate(), crl, ImmutableResourceSet.of(context.getResources())); } public static X509ResourceCertificateValidator getX509ResourceCertificateValidator( @@ -22,12 +23,12 @@ public static X509ResourceCertificateValidator getX509ResourceCertificateValidat if (options.isAllowOverclaimParentChild()) return new X509ResourceCertificateParentChildLooseValidator(options, result, crl, context); - return new X509ResourceCertificateParentChildValidator(options, result, context.getCertificate(), crl, context.getResources()); + return new X509ResourceCertificateParentChildValidator(options, result, context.getCertificate(), crl, ImmutableResourceSet.of(context.getResources())); } public static X509ResourceCertificateParentChildValidator getX509ResourceCertificateParentChildStrictValidator( ValidationOptions options, ValidationResult result, X509ResourceCertificate parent, - IpResourceSet resources, X509Crl crl) { + ImmutableResourceSet resources, X509Crl crl) { return new X509ResourceCertificateParentChildValidator(options, result, parent, crl, resources); } } 
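Review bot: `ImmutableResourceSet.of(context.getResources())` wraps a value that is already an `ImmutableResourceSet`, because `CertificateRepositoryObjectValidationContext.getResources()` returns that type after this commit. Pass it straight through, `context.getCertificate(), crl, context.getResources());`. The same applies to the second call, in the `@@ -22,12 +23,12 @@` hunk. Whether `of` copies or returns its argument is not visible here, so the wrap is at best redundant.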
diff --git a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateBottomUpValidator.java b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateBottomUpValidator.java index 79de5db42..64b0c4716 100644 --- a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateBottomUpValidator.java +++ b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateBottomUpValidator.java @@ -66,7 +66,7 @@ public void validate(String location, X509ResourceCertificate certificate) { X509ResourceCertificate parent = certificates.get(0).getCertificate(); certificates.remove(0); // No need to validate the root (1st parent) certificate against itself - IpResourceSet resources = parent.getResources(); + var resources = parent.getResources(); for (CertificateWithLocation certificateWithLocation : certificates) { String childLocation = certificateWithLocation.getLocation().getName(); diff --git a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildLooseValidator.java b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildLooseValidator.java index 26cad23b9..cce58ddb8 100644 --- a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildLooseValidator.java +++ b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildLooseValidator.java 
@@ -31,8 +31,8 @@ public void validate(String location, X509ResourceCertificate certificate) { private void verifyResources() { final ValidationResult result = getValidationResult(); final X509ResourceCertificate child = getChild(); - final IpResourceSet resources = context.getResources(); - final IpResourceSet childResourceSet = child.deriveResources(resources); + final var resources = context.getResources(); + final var childResourceSet = child.deriveResources(resources); if (child.isRoot()) { result.rejectIfTrue(child.isResourceSetInherited(), ROOT_INHERITS_RESOURCES); diff --git a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildValidator.java b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildValidator.java index f196b621e..6eb313c4c 100644 --- a/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildValidator.java +++ b/src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildValidator.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.validation.objectvalidators; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.crl.X509Crl; import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate; @@ -11,13 +12,13 @@ public class X509ResourceCertificateParentChildValidator extends X509CertificateParentChildValidator implements X509ResourceCertificateValidator { - private IpResourceSet resources; + private ImmutableResourceSet resources; public X509ResourceCertificateParentChildValidator(ValidationOptions options, ValidationResult result, X509ResourceCertificate parent, X509Crl crl, - IpResourceSet resources) { + ImmutableResourceSet resources) { super(options, result, parent, crl); this.resources = resources; } 
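Review bot: In `X509ResourceCertificateParentChildValidator` the `resources` field is assigned once in the constructor shown in the `@@ -11,13 +12,13 @@` hunk and now holds an immutable set, so it can be declared `private final ImmutableResourceSet resources;`. That makes the parent resource set used for the child check fixed for the validator's lifetime. The rest of the class is outside the hunk, so confirm nothing else reassigns it.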
@@ -31,7 +32,7 @@ public void validate(String location, X509ResourceCertificate certificate) { private void verifyResources() { final ValidationResult result = getValidationResult(); final X509ResourceCertificate child = getChild(); - final IpResourceSet childResourceSet = child.deriveResources(resources); + final var childResourceSet = child.deriveResources(resources); if (child.isRoot()) { result.rejectIfTrue(child.isResourceSetInherited(), ROOT_INHERITS_RESOURCES); diff --git a/src/main/java/net/ripe/rpki/commons/xml/XStreamXmlSerializerBuilder.java b/src/main/java/net/ripe/rpki/commons/xml/XStreamXmlSerializerBuilder.java index fec0fb170..20a0c542e 100644 --- a/src/main/java/net/ripe/rpki/commons/xml/XStreamXmlSerializerBuilder.java +++ b/src/main/java/net/ripe/rpki/commons/xml/XStreamXmlSerializerBuilder.java @@ -37,7 +37,7 @@ import javax.security.auth.x500.X500Principal; -public final class XStreamXmlSerializerBuilder { +public class XStreamXmlSerializerBuilder { private static final boolean STRICT = true; private static final boolean NOT_STRICT = false; 
@@ -47,28 +47,29 @@ public final class XStreamXmlSerializerBuilder { public static XStreamXmlSerializerBuilder newStrictXmlSerializerBuilder(Class objectType) { - return new XStreamXmlSerializerBuilder<>(objectType, STRICT); + return new XStreamXmlSerializerBuilder(objectType, STRICT); } public static XStreamXmlSerializerBuilder newForgivingXmlSerializerBuilder(Class objectType) { - return new XStreamXmlSerializerBuilder<>(objectType, NOT_STRICT); + return new XStreamXmlSerializerBuilder(objectType, NOT_STRICT); } - XStreamXmlSerializerBuilder(Class objectType, boolean strict) { + @SuppressWarnings("this-escape") + protected XStreamXmlSerializerBuilder(Class objectType, boolean strict) { super(); this.objectType = objectType; createDefaultXStream(strict); } /** - * Instantiate XStream and set up the security framework to prevent injection and remote code execution. + * Instantiate XStream and set-up the security framework to prevent injection and remote code execution. * * Types that are allowed are: * * A list of default types included in XStream. * * The type the serializer is built for. * * Types that have been aliased (i.e. the mapped name of the class is not it's qualified name). * - * Note that the allowlist is only checked on deserialization. + * Note that the whitelist is only checked on deserialization. */ private void createDefaultXStream(boolean strict) { if(strict) { @@ -99,10 +100,14 @@ private void createDefaultXStream(boolean strict) { registerRpkiRelated(); } - private HierarchicalStreamDriver getStreamDriver() { + protected HierarchicalStreamDriver getStreamDriver() { return new XppDriver(); } + protected final Class getObjectType() { + return objectType; + } + private void registerIpResourceRelated() { withAliasType("resource", IpResource.class); withConverter(new IpResourceConverter()); 
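Review bot: The constructor is now `protected` and carries `@SuppressWarnings("this-escape")`, while `getStreamDriver()` in the `@@ -99,10 +100,14 @@` hunk becomes `protected` and overridable. If `createDefaultXStream` obtains its driver through `getStreamDriver()` (its body is outside these hunks), a subclass override runs before the subclass's own fields are initialised. Rather than suppressing the warning silently, document the constraint on the method, e.g. `/** Called from the constructor; overrides must not depend on subclass state. */`. Alternatively, pass the driver in as a constructor argument so that no overridable call happens during construction.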
@@ -145,12 +150,12 @@ private void registerRpkiRelated() { withAllowedType(RoaCms.class); } - public XStreamXmlSerializerBuilder withConverter(Converter converter) { + public final XStreamXmlSerializerBuilder withConverter(Converter converter) { xStream.registerConverter(converter); return this; } - public XStreamXmlSerializerBuilder withConverter(SingleValueConverter converter) { + public final XStreamXmlSerializerBuilder withConverter(SingleValueConverter converter) { xStream.registerConverter(converter); return this; } @@ -196,10 +201,14 @@ public final XStreamXmlSerializerBuilder withAliasField(String alias, Class build() { - return new XStreamXmlSerializer<>(xStream, objectType); + return new XStreamXmlSerializer(xStream, objectType); + } + + protected XStream getXStream() { + return xStream; } - private static final class MyXStream extends XStream { + private final static class MyXStream extends XStream { private MyXStream(HierarchicalStreamDriver hierarchicalStreamDriver) { super(new SunUnsafeReflectionProvider(), hierarchicalStreamDriver); diff --git a/src/test/java/net/ripe/rpki/commons/crypto/cms/aspa/AspaCmsTest.java b/src/test/java/net/ripe/rpki/commons/crypto/cms/aspa/AspaCmsTest.java index b5a1f8cfa..cc0f62541 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/cms/aspa/AspaCmsTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/cms/aspa/AspaCmsTest.java @@ -8,6 +8,7 @@ import com.pholser.junit.quickcheck.runner.JUnitQuickcheck; import net.ripe.ipresource.Asn; import net.ripe.ipresource.AsnGen; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.util.KeyPairFactoryTest; 
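Review bot: `protected XStream getXStream()` in the `@@ -196,10 +201,14 @@` hunk hands the live `XStream` instance to subclasses, and the class is no longer `final`. The class Javadoc says the security framework is set up in `createDefaultXStream` to prevent injection and remote code execution, but a subclass can now change type permissions or converters on that instance without going through `withAllowedType`. If subclasses only need to register extra converters or aliases, the existing `with…` methods are the narrower hook. Otherwise document the contract on the accessor, e.g. `/** For subclasses only; must not widen the type permissions configured by this builder. */`.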
@@ -77,7 +78,7 @@ public static AspaCms createAspa() { public static AspaCms createAspa(Asn customerAsn, ImmutableSortedSet providerAsSet) { AspaCmsBuilder builder = new AspaCmsBuilder(); - builder.withCertificate(createCertificate(new IpResourceSet(customerAsn))); + builder.withCertificate(createCertificate(ImmutableResourceSet.of(customerAsn))); builder.withCustomerAsn(customerAsn); builder.withProviderASSet( providerAsSet @@ -86,7 +87,7 @@ public static AspaCms createAspa(Asn customerAsn, ImmutableSortedSet provid return builder.build(TEST_KEY_PAIR.getPrivate()); } - private static X509ResourceCertificate createCertificate(IpResourceSet resources) { + private static X509ResourceCertificate createCertificate(ImmutableResourceSet resources) { X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder(); builder.withCa(false).withIssuerDN(TEST_DN).withSubjectDN(TEST_DN).withSerial(ROA_CERT_SERIAL); builder.withPublicKey(TEST_KEY_PAIR.getPublic()); diff --git a/src/test/java/net/ripe/rpki/commons/crypto/cms/ghostbuster/GhostbustersCmsParserTest.java b/src/test/java/net/ripe/rpki/commons/crypto/cms/ghostbuster/GhostbustersCmsParserTest.java index 431f3d19c..6901a534b 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/cms/ghostbuster/GhostbustersCmsParserTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/cms/ghostbuster/GhostbustersCmsParserTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.cms.ghostbuster; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.util.KeyPairFactoryTest; 
@@ -103,7 +104,7 @@ private static X509ResourceCertificate createCertificate() { builder.withSigningKeyPair(TEST_KEY_PAIR); final DateTime now = UTC.dateTime(); builder.withValidityPeriod(new ValidityPeriod(now.minusMinutes(1), now.plusYears(1))); - builder.withResources(IpResourceSet.ALL_PRIVATE_USE_RESOURCES); + builder.withResources(ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES); builder.withCrlDistributionPoints(CRL_DP); builder.withSubjectInformationAccess(new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_SIGNED_OBJECT, TEST_ROA_LOCATION)); builder.withAuthorityInformationAccess(new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_CA_CA_ISSUERS, TEST_CA_LOCATION)); diff --git a/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsParserTest.java b/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsParserTest.java index 5f63be9d6..796d6d472 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsParserTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsParserTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.cms.manifest; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; 
@@ -103,7 +104,7 @@ static X509ResourceCertificate createValidManifestEECertificate(KeyPair keyPair) builder.withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSubjectDN(TEST_DN).withIssuerDN(TEST_DN).withSerial(BigInteger.ONE); builder.withPublicKey(keyPair.getPublic()); builder.withSigningKeyPair(keyPair); - builder.withResources(new IpResourceSet()); + builder.withResources(ImmutableResourceSet.empty()); builder.withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)); builder.withValidityPeriod(new ValidityPeriod(THIS_UPDATE_TIME, NEXT_UPDATE_TIME)); builder.withSubjectInformationAccess( @@ -117,7 +118,7 @@ static X509ResourceCertificate createValidManifestEECertificate() { builder.withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSubjectDN(TEST_DN).withIssuerDN(TEST_DN).withSerial(BigInteger.ONE); builder.withPublicKey(TEST_KEY_PAIR.getPublic()); builder.withSigningKeyPair(TEST_KEY_PAIR); - builder.withResources(new IpResourceSet()); + builder.withResources(ImmutableResourceSet.empty()); builder.withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)); builder.withValidityPeriod(new ValidityPeriod(THIS_UPDATE_TIME, NEXT_UPDATE_TIME)); builder.withSubjectInformationAccess( @@ -131,7 +132,7 @@ static X509ResourceCertificate createTenSlashEightResourceCertificate() { builder.withCa(false).withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign).withSubjectDN(TEST_DN).withIssuerDN(TEST_DN).withSerial(BigInteger.ONE); builder.withPublicKey(TEST_KEY_PAIR.getPublic()); builder.withSigningKeyPair(TEST_KEY_PAIR); - builder.withResources(IpResourceSet.parse("10.0.0.0/8")); + builder.withResources(ImmutableResourceSet.parse("10.0.0.0/8")); builder.withValidityPeriod(new ValidityPeriod(THIS_UPDATE_TIME, NEXT_UPDATE_TIME)); return builder.build(); } 
diff --git a/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsTest.java b/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsTest.java index d4f788c65..074495874 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsTest.java @@ -1,6 +1,7 @@ package net.ripe.rpki.commons.crypto.cms.manifest; import com.google.common.collect.Lists; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; @@ -55,7 +56,7 @@ public class ManifestCmsTest { private static final URI ROOT_MANIFEST_CRL_LOCATION = URI.create("rsync://foo.host/bar/bar.crl"); // Root certificate - private static final IpResourceSet ROOT_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); + private static final ImmutableResourceSet ROOT_RESOURCE_SET = ImmutableResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); public static final KeyPair ROOT_KEY_PAIR = KeyPairFactoryTest.TEST_KEY_PAIR; // Manifest EE certificate @@ -125,7 +126,7 @@ public void shouldVerifyFileContents() { @Test public void shouldValidateManifestCms() { X509Crl crl = getRootCrl(); - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); ValidationResult result = ValidationResult.withLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION); 
@@ -140,7 +141,7 @@ public void shouldValidateManifestCms() { @Test public void shouldNotValidateWithInvalidCrl() { - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); final ValidationResult result = ValidationResult.withLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION); @@ -170,7 +171,7 @@ public void shouldWarnWhenManifestIsStale() { DateTimeUtils.setCurrentMillisFixed(NEXT_UPDATE_TIME.plusDays(1).getMillis()); - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); @@ -197,7 +198,7 @@ public void shouldRejectWhenManifestIsTooStaleDueToNegativeGracePeriod() { DateTimeUtils.setCurrentMillisFixed(NEXT_UPDATE_TIME.minusDays(1).getMillis()); - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); 
@@ -225,7 +226,7 @@ public void shouldRejectWhenThisUpdateTimeIsNotBeforeNextUpdateTime() { // validity period checks the ordering of the dates, so use withThisUpdate explicitly subject = getRootManifestBuilder().withThisUpdateTime(NEXT_UPDATE_TIME.plusSeconds(1)).build(MANIFEST_KEY_PAIR.getPrivate()); - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext( ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); @@ -249,7 +250,7 @@ public void shouldRejectWhenManifestIsTooStale() { DateTimeUtils.setCurrentMillisFixed(NEXT_UPDATE_TIME.plusDays(1).getMillis()); - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); @@ -277,7 +278,7 @@ public void shouldRejectWhenCertificateIsExpired() { DateTimeUtils.setCurrentMillisFixed(NEXT_UPDATE_TIME.plusDays(8).getMillis()); - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); 
@@ -310,7 +311,7 @@ public void shouldRejectWhenThisUpdateInFuture() { DateTimeUtils.setCurrentMillisFixed(THIS_UPDATE_TIME.minusSeconds(1).getMillis()); - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); @@ -350,7 +351,7 @@ public void shouldRejectFileNamesThatEscapeRepository() { subject = builder.build(MANIFEST_KEY_PAIR.getPrivate()); - IpResourceSet resources = rootCertificate.getResources(); + var resources = rootCertificate.getResources(); CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, rootCertificate, resources, Lists.newArrayList(rootCertificate.getSubject().getName())); ValidationOptions options = ValidationOptions.strictValidation(); diff --git a/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/RpkiSignedObjectEeCertificateBuilderTest.java b/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/RpkiSignedObjectEeCertificateBuilderTest.java index 4a15b163a..1556c3b77 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/RpkiSignedObjectEeCertificateBuilderTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/cms/manifest/RpkiSignedObjectEeCertificateBuilderTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.cms.manifest; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; 
@@ -60,7 +61,7 @@ public void shouldCreateEeCertificate() { subject.withSignatureProvider(DEFAULT_SIGNATURE_PROVIDER); - subject.withResources(new IpResourceSet()); + subject.withResources(ImmutableResourceSet.empty()); subject.withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)); // when diff --git a/src/test/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsObjectMother.java b/src/test/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsObjectMother.java index 23be6fcb2..fc30ecbc0 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsObjectMother.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsObjectMother.java @@ -1,6 +1,7 @@ package net.ripe.rpki.commons.crypto.cms.roa; import net.ripe.ipresource.Asn; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpRange; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; @@ -15,6 +16,7 @@ import java.security.KeyPair; import java.util.ArrayList; import java.util.List; +import java.util.stream.Collectors; import static net.ripe.rpki.commons.crypto.x509cert.X509CertificateBuilderHelper.*; 
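Review bot: The import hunk for `RoaCmsObjectMother` adds `import java.util.stream.Collectors;`, but the only stream code this commit adds to the file, in the `createCertificate` hunk that follows, collects with `ImmutableResourceSet.collector()` and never names `Collectors`. Unless code outside the hunks uses it, drop that line. The retained `import net.ripe.ipresource.IpResourceSet;` looks unused as well, since every visible use in this file now refers to `ImmutableResourceSet`.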
@@ -63,17 +65,15 @@ public static RoaCms getRoaCms(List prefixes, ValidityPeriod validity } private static X509ResourceCertificate createCertificate(List prefixes, ValidityPeriod validityPeriod) { - IpResourceSet resources = new IpResourceSet(); - for (RoaPrefix prefix : prefixes) { - resources.add(prefix.getPrefix()); - } + var resources = prefixes.stream().map(RoaPrefix::getPrefix).collect(ImmutableResourceSet.collector()); + X509ResourceCertificateBuilder builder = createCertificateBuilder(resources, validityPeriod); builder.withSigningKeyPair(TEST_KEY_PAIR); X509ResourceCertificate result = builder.build(); return result; } - private static X509ResourceCertificateBuilder createCertificateBuilder(IpResourceSet resources, ValidityPeriod validityPeriod) { + private static X509ResourceCertificateBuilder createCertificateBuilder(ImmutableResourceSet resources, ValidityPeriod validityPeriod) { X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder(); builder.withCa(false).withIssuerDN(TEST_DN).withSubjectDN(TEST_DN).withSerial(BigInteger.TEN); builder.withPublicKey(TEST_KEY_PAIR.getPublic()); diff --git a/src/test/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsTest.java b/src/test/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsTest.java index 5fabae5ed..7285671d9 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCmsTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.cms.roa; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.crl.CrlLocator; @@ -43,7 +44,7 @@ public class RoaCmsTest { private List ipv4Prefixes; private List allPrefixes; - private IpResourceSet allResources; + private ImmutableResourceSet allResources; private RoaCms subject; 
@@ -54,10 +55,10 @@ public void setUp() { ipv4Prefixes.add(TEST_IPV4_PREFIX_2); allPrefixes = new ArrayList<>(ipv4Prefixes); allPrefixes.add(TEST_IPV6_PREFIX); - allResources = new IpResourceSet(); - for (RoaPrefix prefix : allPrefixes) { - allResources.add(prefix.getPrefix()); - } + allResources = allPrefixes.stream().map(RoaPrefix::getPrefix).collect(ImmutableResourceSet.collector()); + + assert !allPrefixes.isEmpty(); + subject = createRoaCms(allPrefixes); } @@ -81,18 +82,16 @@ public static X509ResourceCertificate createCertificate(List prefixes return createCertificate(prefixes, TEST_KEY_PAIR); } public static X509ResourceCertificate createCertificate(List prefixes, KeyPair keyPair) { - IpResourceSet resources = new IpResourceSet(); - for (RoaPrefix prefix : prefixes) { - resources.add(prefix.getPrefix()); - } + var resources = prefixes.stream().map(RoaPrefix::getPrefix).collect(ImmutableResourceSet.collector()); + X509ResourceCertificateBuilder builder = createCertificateBuilder(resources, keyPair); return builder.build(); } - private static X509ResourceCertificateBuilder createCertificateBuilder(IpResourceSet resources) { + private static X509ResourceCertificateBuilder createCertificateBuilder(ImmutableResourceSet resources) { return createCertificateBuilder(resources, TEST_KEY_PAIR); } - private static X509ResourceCertificateBuilder createCertificateBuilder(IpResourceSet resources, KeyPair keyPair) { + private static X509ResourceCertificateBuilder createCertificateBuilder(ImmutableResourceSet resources, KeyPair keyPair) { X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder(); builder.withCa(false).withIssuerDN(TEST_DN).withSubjectDN(TEST_DN).withSerial(ROA_CERT_SERIAL); builder.withPublicKey(keyPair.getPublic()); 
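Review bot: The `assert !allPrefixes.isEmpty();` added to `setUp()` is a plain Java assertion, so it is skipped whenever the test JVM runs without `-ea`. It also checks the input list that the preceding lines have just filled, not the set this change builds. Check the collected value with the test framework instead, `assertFalse(allResources.isEmpty());`, so a collector that drops prefixes fails the fixture (this assumes `assertFalse` is already imported in the file). `setUp()` starts outside the hunk.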
@@ -134,7 +133,7 @@ public void shouldVerifySignature() { @Test(expected = IllegalArgumentException.class) public void shouldRejectCaCertificateInRoa() { - X509ResourceCertificate caCert = createCertificateBuilder(new IpResourceSet(TEST_IPV4_PREFIX_1.getPrefix(), TEST_IPV4_PREFIX_2.getPrefix(), TEST_IPV6_PREFIX.getPrefix())).withCa(true).build(); + X509ResourceCertificate caCert = createCertificateBuilder(ImmutableResourceSet.of(TEST_IPV4_PREFIX_1.getPrefix(), TEST_IPV4_PREFIX_2.getPrefix(), TEST_IPV6_PREFIX.getPrefix())).withCa(true).build(); subject = new RoaCmsBuilder().withAsn(TEST_ASN).withPrefixes(allPrefixes).withCertificate(caCert).build(TEST_KEY_PAIR.getPrivate()); } diff --git a/src/test/java/net/ripe/rpki/commons/crypto/crl/X509CrlValidatorTest.java b/src/test/java/net/ripe/rpki/commons/crypto/crl/X509CrlValidatorTest.java index c9fd58b1e..82e2f2c11 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/crl/X509CrlValidatorTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/crl/X509CrlValidatorTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.crl; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.util.PregeneratedKeyPairFactory; @@ -29,7 +30,7 @@ public class X509CrlValidatorTest { // Test data private static final X500Principal ROOT_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only, CN=RIPE NCC, C=NL"); - private static final IpResourceSet ROOT_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); + private static final ImmutableResourceSet ROOT_RESOURCE_SET = ImmutableResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); private static final BigInteger ROOT_SERIAL_NUMBER = BigInteger.valueOf(900); private static final ValidityPeriod VALIDITY_PERIOD; 
diff --git a/src/test/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoderTest.java b/src/test/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoderTest.java index f71cd04f2..e90f6086a 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoderTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoderTest.java @@ -1,9 +1,6 @@ package net.ripe.rpki.commons.crypto.rfc3779; -import net.ripe.ipresource.Asn; -import net.ripe.ipresource.IpRange; -import net.ripe.ipresource.IpResourceSet; -import net.ripe.ipresource.IpResourceType; +import net.ripe.ipresource.*; import net.ripe.rpki.commons.crypto.util.Asn1UtilTest; import org.junit.Before; import org.junit.Test; @@ -185,7 +182,7 @@ public void shouldEncodeIpAddressOrRange() { @Test public void shouldEncodeIpAddressChoice() { - IpResourceSet resources = new IpResourceSet(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255")); + var resources = ImmutableResourceSet.of(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255")); Asn1UtilTest.assertEncoded(ENCODED_IPV4_RESOURCES, subject.ipAddressChoiceToDer(IpResourceType.IPv4, resources)); Asn1UtilTest.assertEncoded(ENCODED_NULL, subject.ipAddressChoiceToDer(IpResourceType.IPv4, null)); 
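Review bot: The import hunk of `ResourceExtensionEncoderTest` replaces four explicit `net.ripe.ipresource` imports with `import net.ripe.ipresource.*;`. That hides which library types the test depends on, and a later library release can silently bring a clashing name into scope. Keep the explicit list and add only the new type, `import net.ripe.ipresource.ImmutableResourceSet;`. `IpResourceSet` can probably be dropped from the list, since no use of it remains in the hunks shown.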
@@ -193,35 +190,35 @@ public void shouldEncodeIpAddressChoice() { @Test(expected = IllegalArgumentException.class) public void shouldRejectEmptyIpAddressesOrRanges() { - IpResourceSet resources = new IpResourceSet(IpRange.parse("128.5.0.4/30")); + var resources = ImmutableResourceSet.of(IpRange.parse("128.5.0.4/30")); subject.ipAddressChoiceToDer(IpResourceType.IPv6, resources); } @Test public void shouldEncodeIpAddressFamily() { - IpResourceSet resources = new IpResourceSet(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255")); + var resources = ImmutableResourceSet.of(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255")); Asn1UtilTest.assertEncoded(ENCODED_IPV4_ADDRESS_FAMILY_RESOURCES, subject.ipAddressFamilyToDer(AddressFamily.IPV4, resources)); } @Test public void shouldEncodeIpAddressFamilyWithSafi() { - IpResourceSet resources = new IpResourceSet(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255")); + var resources = ImmutableResourceSet.of(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255")); Asn1UtilTest.assertEncoded(ENCODED_IPV4_MULTICAST_ADDRESS_FAMILY_RESOURCES, subject.ipAddressFamilyToDer(AddressFamily.IPV4.withSubsequentAddressFamilyIdentifier(2), resources)); } @Test public void shouldEncodeIpAddressBlocks() throws IOException { - IpResourceSet resources = new IpResourceSet(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255"), IpRange.parse("2001:0:200::-2001:0:3ff:ffff:ffff:ffff:ffff:ffff")); + var resources = ImmutableResourceSet.of(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255"), IpRange.parse("2001:0:200::-2001:0:3ff:ffff:ffff:ffff:ffff:ffff")); assertArrayEquals(ENCODED_IP_ADDRESS_BLOCKS, subject.encodeIpAddressBlocks(false, false, resources).getEncoded()); - resources = new IpResourceSet(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255")); - assertArrayEquals(ENCODED_IPV4_ONLY_ADDRESS_BLOCKS, 
subject.encodeIpAddressBlocks(false, false, resources).getEncoded()); + var otherResources = ImmutableResourceSet.of(IpRange.parse("128.5.0.4/32"), IpRange.parse("10.5.4.0-10.5.15.255")); + assertArrayEquals(ENCODED_IPV4_ONLY_ADDRESS_BLOCKS, subject.encodeIpAddressBlocks(false, false, otherResources).getEncoded()); } @Test public void shouldNotEncodeEmptyIpAddressBlocksExtension() { - assertNull(subject.encodeIpAddressBlocks(false, false, new IpResourceSet())); + assertNull(subject.encodeIpAddressBlocks(false, false, ImmutableResourceSet.empty())); } @Test @@ -247,26 +244,26 @@ public void shouldEncodeAsIdOrRange() { @Test public void shouldEncodeAsIdsOrRanges() { - IpResourceSet resources = new IpResourceSet(ASN_412_233, ASN_127.upTo(ASN_128)); + var resources = ImmutableResourceSet.of(ASN_412_233, ASN_127.upTo(ASN_128)); Asn1UtilTest.assertEncoded(ENCODED_AS_IDS_OR_RANGES, subject.asIdsOrRangesToDer(resources)); } @Test public void shouldEncodeAsIdentifierChoice() { - IpResourceSet resources = new IpResourceSet(ASN_412_233, ASN_127.upTo(ASN_128)); + var resources = ImmutableResourceSet.of(ASN_412_233, ASN_127.upTo(ASN_128)); Asn1UtilTest.assertEncoded(ENCODED_NULL, subject.asIdentifierChoiceToDer(true, resources)); Asn1UtilTest.assertEncoded(ENCODED_AS_IDS_OR_RANGES, subject.asIdentifierChoiceToDer(false, resources)); } @Test public void shouldEncodeAsIdentifiers() throws IOException { - IpResourceSet resources = new IpResourceSet(ASN_412_233, ASN_127.upTo(ASN_128)); + var resources = ImmutableResourceSet.of(ASN_412_233, ASN_127.upTo(ASN_128)); assertArrayEquals(ENCODED_AS_IDENTIFIERS, subject.encodeAsIdentifiers(false, resources).getEncoded()); } @Test public void shouldNotEncodeEmptyAsIdentifiersExtension() { - assertNull(subject.encodeAsIdentifiers(false, IpResourceSet.parse("10.0.0.0/8"))); + assertNull(subject.encodeAsIdentifiers(false, ImmutableResourceSet.parse("10.0.0.0/8"))); } /** 
@@ -274,9 +271,9 @@ public void shouldNotEncodeEmptyAsIdentifiersExtension() { */ @Test public void shouldEncodeRfc3779AppendixBFirstExample() { - SortedMap resources = new TreeMap(); + SortedMap resources = new TreeMap<>(); resources.put(AddressFamily.IPV4.withSubsequentAddressFamilyIdentifier(1), - IpResourceSet.parse("10.0.32.0/20, 10.0.64.0/24, 10.1.0.0/16, 10.2.48.0/20, 10.2.64.0/24, 10.3.0.0/16")); + ImmutableResourceSet.parse("10.0.32.0/20, 10.0.64.0/24, 10.1.0.0/16, 10.2.48.0/20, 10.2.64.0/24, 10.3.0.0/16")); resources.put(AddressFamily.IPV6, null); Asn1UtilTest.assertEncoded(RFC3779_APPENDIX_B_EXAMPLE_1, subject.ipAddressBlocksToDer(resources)); } @@ -288,10 +285,10 @@ public void shouldEncodeRfc3779AppendixBFirstExample() { */ @Test public void shouldEncodeRfc3779AppendixBSecondExample() { - SortedMap resources = new TreeMap(); - resources.put(AddressFamily.IPV6, IpResourceSet.parse("2001:0:2::/48")); + SortedMap resources = new TreeMap<>(); + resources.put(AddressFamily.IPV6, ImmutableResourceSet.parse("2001:0:2::/48")); resources.put(AddressFamily.IPV4.withSubsequentAddressFamilyIdentifier(1), - IpResourceSet.parse("10.0.0.0/8,176.16.0.0/12")); + ImmutableResourceSet.parse("10.0.0.0/8,176.16.0.0/12")); resources.put(AddressFamily.IPV4.withSubsequentAddressFamilyIdentifier(2), null); Asn1UtilTest.assertEncoded(RFC3779_APPENDIX_B_EXAMPLE_2, subject.ipAddressBlocksToDer(resources)); } @@ -301,7 +298,7 @@ public void shouldEncodeRfc3779AppendixBSecondExample() { */ @Test public void shouldEncodeRfc3779AppendixCExample() { - IpResourceSet asnResources = IpResourceSet.parse("AS135, AS3000-AS3999, AS5001"); + var asnResources = ImmutableResourceSet.parse("AS135, AS3000-AS3999, AS5001"); Asn1UtilTest.assertEncoded(RFC3779_APPENDIX_C_EXAMPLE, subject.asIdentifiersToDer(false, asnResources, true, null)); } 
diff --git a/src/test/java/net/ripe/rpki/commons/crypto/util/PregeneratedKeyPairFactory.java b/src/test/java/net/ripe/rpki/commons/crypto/util/PregeneratedKeyPairFactory.java index ff63887bf..0d9a6d2bb 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/util/PregeneratedKeyPairFactory.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/util/PregeneratedKeyPairFactory.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.util; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate; @@ -96,7 +97,7 @@ private static X509ResourceCertificate createCertificate(KeyPair keyPair) { builder.withCa(false); builder.withIssuerDN(new X500Principal("CN=issuer")); builder.withSubjectDN(new X500Principal("CN=subject")); - builder.withResources(IpResourceSet.parse("AS1-AS10,10/8,ffc0::/16")); + builder.withResources(ImmutableResourceSet.parse("AS1-AS10,10/8,ffc0::/16")); builder.withSigningKeyPair(keyPair); builder.withPublicKey(keyPair.getPublic()); return builder.build(); diff --git a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelperTest.java b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelperTest.java index c4ab645f1..2e9d03fb8 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelperTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelperTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.x509cert; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; 
@@ -38,7 +39,7 @@ public void setUp() { subject.withSigningKeyPair(SECOND_TEST_KEY_PAIR); DateTime now = UTC.dateTime(); subject.withValidityPeriod(new ValidityPeriod(now, new DateTime(now.getYear() + 1, 1, 1, 0, 0, 0, 0, DateTimeZone.UTC))); - subject.withResources(IpResourceSet.ALL_PRIVATE_USE_RESOURCES); + subject.withResources(ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES); } @Test(expected = IllegalArgumentException.class) @@ -55,13 +56,13 @@ public void shouldMakeSureTheresNoExtendedKeyUsage() throws CertificateParsingEx @Test(expected = IllegalArgumentException.class) public void shouldFailOnEmptyResources() { - subject.withResources(new IpResourceSet()); + subject.withResources(ImmutableResourceSet.empty()); subject.generateCertificate(); } @Test public void shouldNotFailOnOneInheritResourceType() { - subject.withResources(new IpResourceSet()); + subject.withResources(ImmutableResourceSet.empty()); subject.withInheritedResourceTypes(EnumSet.of(IpResourceType.IPv4)); subject.generateCertificate(); } @@ -98,4 +99,4 @@ public void shouldFailOnTooLargeSerial() { subject.withSerial(BigInteger.ONE.shiftLeft(160)); subject.generateCertificate(); } -} +} \ No newline at end of file diff --git a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateUtilTest.java b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateUtilTest.java index 974c97212..53e2c9726 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateUtilTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateUtilTest.java @@ -2,6 +2,7 @@ import com.google.common.base.Charsets; import com.google.common.io.CharSource; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import org.junit.Ignore; import org.junit.Test; 
@@ -19,10 +20,10 @@ public class X509CertificateUtilTest { @Test public void shouldGetEncodedSubjectPublicKeyInfo() throws CertificateEncodingException, IOException { - X509ResourceCertificate cert1 = X509ResourceCertificateTest.createSelfSignedCaCertificateBuilder().withResources(IpResourceSet.ALL_PRIVATE_USE_RESOURCES).build(); + X509ResourceCertificate cert1 = X509ResourceCertificateTest.createSelfSignedCaCertificateBuilder().withResources(ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES).build(); String encoded1 = X509CertificateUtil.getEncodedSubjectPublicKeyInfo(cert1.getCertificate()); - X509ResourceCertificate cert2 = X509ResourceCertificateTest.createSelfSignedCaCertificateBuilder().withResources(IpResourceSet.ALL_PRIVATE_USE_RESOURCES).build(); + X509ResourceCertificate cert2 = X509ResourceCertificateTest.createSelfSignedCaCertificateBuilder().withResources(ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES).build(); String encoded2 = X509CertificateUtil.getEncodedSubjectPublicKeyInfo(cert2.getCertificate()); assertNotNull(encoded1); diff --git a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilderTest.java b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilderTest.java index 2dde5cd12..d3d68a4d5 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilderTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilderTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.x509cert; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.rfc3779.ResourceExtensionEncoder; 
@@ -31,7 +32,7 @@ public void setUp() { subject.withSigningKeyPair(SECOND_TEST_KEY_PAIR); DateTime now = UTC.dateTime(); subject.withValidityPeriod(new ValidityPeriod(now, new DateTime(now.getYear() + 1, 1, 1, 0, 0, 0, 0, DateTimeZone.UTC))); - subject.withResources(IpResourceSet.ALL_PRIVATE_USE_RESOURCES); + subject.withResources(ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES); } @Test(expected = NullPointerException.class) @@ -42,7 +43,7 @@ public void shouldRequireResourcesForResourceCertificates() { @Test(expected = IllegalArgumentException.class) public void shouldRequireNonEmptyResourceSetForResourceCertificates() { - subject.withResources(IpResourceSet.parse("")); + subject.withResources(ImmutableResourceSet.parse("")); subject.build(); } @@ -107,7 +108,7 @@ public void shouldNotSetBasicConstraintsForNonCAs() { @Test public void shouldHaveSubjectKeyIdentifierForResourceCertificates() { - subject.withResources(IpResourceSet.parse("10/8")); + subject.withResources(ImmutableResourceSet.parse("10/8")); X509ResourceCertificate certificate = subject.build(); assertNotNull(certificate.getSubjectKeyIdentifier()); @@ -115,7 +116,7 @@ public void shouldHaveSubjectKeyIdentifierForResourceCertificates() { @Test public void shouldHaveAuthorityKeyIdentifierForResourceCertificates() { - subject.withResources(IpResourceSet.parse("10/8")); + subject.withResources(ImmutableResourceSet.parse("10/8")); subject.withAuthorityKeyIdentifier(true); X509ResourceCertificate certificate = subject.build(); @@ -124,7 +125,7 @@ public void shouldHaveAuthorityKeyIdentifierForResourceCertificates() { @Test public void shouldHaveResourceExtensionForResourceCertificates() { - subject.withResources(IpResourceSet.parse("10/8, AS123")); + subject.withResources(ImmutableResourceSet.parse("10/8, AS123")); X509ResourceCertificate certificate = subject.build(); assertNotNull(certificate.getCertificate().getExtensionValue(ResourceExtensionEncoder.OID_IP_ADDRESS_BLOCKS.getId())); 
@@ -135,7 +136,7 @@ public void shouldHaveResourceExtensionForResourceCertificates() { public void shouldHaveKeyUsageIfSet() { subject.withCa(true); subject.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign); - subject.withResources(IpResourceSet.parse("10/8")); + subject.withResources(ImmutableResourceSet.parse("10/8")); X509ResourceCertificate certificate = subject.build(); assertNotNull(certificate.getCertificate().getKeyUsage()); @@ -155,6 +156,4 @@ public void shouldFailOnIncorrectProvider() { subject.withSignatureProvider("foo"); subject.build(); } - - } diff --git a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateParserTest.java b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateParserTest.java index 209f50fac..a3b5eb111 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateParserTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateParserTest.java @@ -5,6 +5,7 @@ import com.pholser.junit.quickcheck.Property; import com.pholser.junit.quickcheck.generator.Size; import com.pholser.junit.quickcheck.runner.JUnitQuickcheck; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.util.UTC; @@ -102,7 +103,7 @@ public void shouldFailOnInvalidSignatureAlgorithm() throws CertificateEncodingEx builder.withSigningKeyPair(SECOND_TEST_KEY_PAIR); DateTime now = UTC.dateTime(); builder.withValidityPeriod(new ValidityPeriod(now, new DateTime(now.getYear() + 1, 1, 1, 0, 0, 0, 0, DateTimeZone.UTC))); - builder.withResources(IpResourceSet.ALL_PRIVATE_USE_RESOURCES); + builder.withResources(ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES); builder.withSignatureAlgorithm("MD5withRSA"); X509Certificate certificate = builder.generateCertificate(); 
diff --git a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateTest.java b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateTest.java index d0ea501e9..88b0a15d1 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.crypto.x509cert; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.ValidityPeriod; @@ -48,7 +49,7 @@ public class X509ResourceCertificateTest { private static final ValidationLocation CRL_DP_VALIDATION_LOCATION = new ValidationLocation(TEST_TA_CRL); public static final X500Principal TEST_SELF_SIGNED_CERTIFICATE_NAME = new X500Principal("CN=TEST-SELF-SIGNED-CERT"); - private static final IpResourceSet TEST_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); + private static final ImmutableResourceSet TEST_RESOURCE_SET = ImmutableResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); private CrlLocator crlLocator; private static final ValidityPeriod TEST_VALIDITY_PERIOD; @@ -94,7 +95,7 @@ public static X509ResourceCertificate createSelfSignedCaResourceCertificate() { return createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET); } - public static X509ResourceCertificate createSelfSignedCaResourceCertificate(IpResourceSet ipResourceSet) { + public static X509ResourceCertificate createSelfSignedCaResourceCertificate(ImmutableResourceSet ipResourceSet) { X509ResourceCertificateBuilder builder = createSelfSignedCaResourceCertificateBuilder().withResources(ipResourceSet); return builder.build(); } 
@@ -140,7 +141,7 @@ public void shouldDecodeResourceExtensions() { @Test public void shouldSupportResourceInheritance() { - X509ResourceCertificate inherited = createSelfSignedCaResourceCertificateBuilder().withResources(new IpResourceSet()).withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).build(); + X509ResourceCertificate inherited = createSelfSignedCaResourceCertificateBuilder().withResources(ImmutableResourceSet.empty()).withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).build(); assertTrue(inherited.isResourceSetInherited()); assertTrue(inherited.getResources().isEmpty()); assertFalse(createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET).isResourceSetInherited()); @@ -150,7 +151,7 @@ public void shouldSupportResourceInheritance() { @Test public void shouldSupportInheritedAsnsOnly() { - X509ResourceCertificate subject = createSelfSignedCaCertificateBuilder().withResources(IpResourceSet.parse("10.0.0.0/8")).withInheritedResourceTypes(EnumSet.of(IpResourceType.ASN)).build(); + X509ResourceCertificate subject = createSelfSignedCaCertificateBuilder().withResources(ImmutableResourceSet.parse("10.0.0.0/8")).withInheritedResourceTypes(EnumSet.of(IpResourceType.ASN)).build(); assertTrue(subject.isResourceTypesInherited(EnumSet.of(IpResourceType.ASN))); assertFalse(subject.isResourceTypesInherited(EnumSet.of(IpResourceType.IPv4))); 
@@ -162,7 +163,7 @@ public void shouldSupportInheritedAsnsOnly() { @Test public void shouldSupportInheritedIpAddressesOnly() { - X509ResourceCertificate subject = createSelfSignedCaCertificateBuilder().withResources(IpResourceSet.parse("AS1234")).withInheritedResourceTypes(EnumSet.of(IpResourceType.IPv4, IpResourceType.IPv6)).build(); + X509ResourceCertificate subject = createSelfSignedCaCertificateBuilder().withResources(ImmutableResourceSet.parse("AS1234")).withInheritedResourceTypes(EnumSet.of(IpResourceType.IPv4, IpResourceType.IPv6)).build(); assertFalse(subject.isResourceTypesInherited(EnumSet.of(IpResourceType.ASN))); assertTrue(subject.isResourceTypesInherited(EnumSet.of(IpResourceType.IPv4))); @@ -304,12 +305,15 @@ public void shouldValidateWhenCrlOk() { assertFalse(result.hasFailureForLocation(CERT_URI_VALIDATION_LOCATION)); } + /** + * This is effectively an invariant of ImmutableResourceSet + */ @Test public void shouldReturnImmutableResources() { X509ResourceCertificate cert = createSelfSignedCaResourceCertificate(); - IpResourceSet resources = cert.getResources(); - resources.removeAll(new IpResourceSet(resources)); + var resources = cert.getResources(); + resources.forEach(resources::remove); assertFalse(cert.getResources().isEmpty()); } diff --git a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateParserTest.java b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateParserTest.java index 5ffc1f1d6..fabd304e6 100644 --- a/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateParserTest.java +++ b/src/test/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateParserTest.java @@ -1,6 +1,7 @@ package net.ripe.rpki.commons.crypto.x509cert; import com.google.common.io.Files; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.util.UTC; 
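Review bot: In `shouldReturnImmutableResources`, `resources.forEach(resources::remove);` throws away whatever `remove` returns. If `ImmutableResourceSet.remove` returns a new set and does not mutate the receiver (as the type name and the added Javadoc suggest, though the class is not in this diff), the closing `assertFalse(cert.getResources().isEmpty())` can never fail. The test then no longer checks that `X509ResourceCertificate.getResources()` keeps the certified resources out of callers' reach, which is the property relying code depends on. Either state in the Javadoc that the test only documents the type guarantee, or pin the value after the loop with `assertEquals(TEST_RESOURCE_SET, cert.getResources());`, assuming the set has value equality.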
@@ -68,7 +69,7 @@ public void shouldFailOnInvalidSignatureAlgorithm() throws CertificateEncodingEx builder.withSigningKeyPair(SECOND_TEST_KEY_PAIR); DateTime now = UTC.dateTime(); builder.withValidityPeriod(new ValidityPeriod(now, new DateTime(now.getYear() + 1, 1, 1, 0, 0, 0, 0, DateTimeZone.UTC))); - builder.withResources(IpResourceSet.ALL_PRIVATE_USE_RESOURCES); + builder.withResources(ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES); builder.withSignatureAlgorithm("MD5withRSA"); X509Certificate certificate = builder.generateCertificate(); diff --git a/src/test/java/net/ripe/rpki/commons/provisioning/ProvisioningObjectMother.java b/src/test/java/net/ripe/rpki/commons/provisioning/ProvisioningObjectMother.java index dd7e1808b..eb8d184c4 100644 --- a/src/test/java/net/ripe/rpki/commons/provisioning/ProvisioningObjectMother.java +++ b/src/test/java/net/ripe/rpki/commons/provisioning/ProvisioningObjectMother.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.provisioning; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.crl.X509CrlBuilder; @@ -67,7 +68,7 @@ private static X509ResourceCertificate generateX509() { builder.withSigningKeyPair(SECOND_TEST_KEY_PAIR); DateTime now = new DateTime(2011, 3, 1, 0, 0, 0, 0, DateTimeZone.UTC); builder.withValidityPeriod(new ValidityPeriod(now, now.plusYears(5))); - builder.withResources(IpResourceSet.ALL_PRIVATE_USE_RESOURCES); + builder.withResources(ImmutableResourceSet.ALL_PRIVATE_USE_RESOURCES); builder.withCrlDistributionPoints(RPKI_CA_CERT_REQUEST_CA_CRL_URI); builder.withSubjectInformationAccess( new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY, RPKI_CA_CERT_REQUEST_CA_REPO_URI), 
diff --git a/src/test/java/net/ripe/rpki/commons/validation/CertificateRepositoryObjectValidationContextTest.java b/src/test/java/net/ripe/rpki/commons/validation/CertificateRepositoryObjectValidationContextTest.java index c2c143018..baba35334 100644 --- a/src/test/java/net/ripe/rpki/commons/validation/CertificateRepositoryObjectValidationContextTest.java +++ b/src/test/java/net/ripe/rpki/commons/validation/CertificateRepositoryObjectValidationContextTest.java @@ -1,6 +1,7 @@ package net.ripe.rpki.commons.validation; import com.google.common.testing.EqualsTester; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate; @@ -17,7 +18,7 @@ public class CertificateRepositoryObjectValidationContextTest { - private static final IpResourceSet CHILD_RESOURCE_SET = IpResourceSet.parse("10.8.0.0/16"); + private static final ImmutableResourceSet CHILD_RESOURCE_SET = ImmutableResourceSet.parse("10.8.0.0/16"); private static URI location = URI.create("rsync://host/path"); private static X509ResourceCertificate certificate = X509ResourceCertificateTest.createSelfSignedCaResourceCertificate(); @@ -36,7 +37,7 @@ public void setUp() { certificateWithInheritedResources = X509ResourceCertificateTest. createSelfSignedCaResourceCertificateBuilder(). withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)) - .withResources(new IpResourceSet()). + .withResources(ImmutableResourceSet.of()). build(); } diff --git a/src/test/java/net/ripe/rpki/commons/validation/X509ResourceCertificateBottomUpValidatorTest.java b/src/test/java/net/ripe/rpki/commons/validation/X509ResourceCertificateBottomUpValidatorTest.java index 19419ad09..370880afd 100644 --- a/src/test/java/net/ripe/rpki/commons/validation/X509ResourceCertificateBottomUpValidatorTest.java 
+++ b/src/test/java/net/ripe/rpki/commons/validation/X509ResourceCertificateBottomUpValidatorTest.java @@ -1,5 +1,6 @@ package net.ripe.rpki.commons.validation; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.CertificateRepositoryObjectFile; @@ -34,7 +35,7 @@ public class X509ResourceCertificateBottomUpValidatorTest { private static final X500Principal ROOT_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only - RIPE NCC - NL"); - private static final IpResourceSet ROOT_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); + private static final ImmutableResourceSet ROOT_RESOURCE_SET = ImmutableResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); private static final BigInteger ROOT_SERIAL_NUMBER = BigInteger.valueOf(900); private static final ValidityPeriod VALIDITY_PERIOD = new ValidityPeriod(UTC.dateTime().minusMinutes(1), UTC.dateTime().plusYears(1)); 
@@ -42,8 +43,8 @@ public class X509ResourceCertificateBottomUpValidatorTest { private static final BigInteger FIRST_CHILD_SERIAL_NUMBER = ROOT_SERIAL_NUMBER.add(BigInteger.valueOf(1)); private static final X500Principal SECOND_CHILD_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only - Second Child - NL"); private static final BigInteger SECOND_CHILD_SERIAL_NUMBER = FIRST_CHILD_SERIAL_NUMBER.add(BigInteger.valueOf(1)); - private static final IpResourceSet CHILD_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/17, ffce::/16, AS21212"); - private static final IpResourceSet INVALID_CHILD_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/15, ffce::/16, AS21212"); + private static final ImmutableResourceSet CHILD_RESOURCE_SET = ImmutableResourceSet.parse("10.0.0.0/8, 192.168.0.0/17, ffce::/16, AS21212"); + private static final ImmutableResourceSet INVALID_CHILD_RESOURCE_SET = ImmutableResourceSet.parse("10.0.0.0/8, 192.168.0.0/15, ffce::/16, AS21212"); private static final ValidityPeriod EXPIRED_VALIDITY_PERIOD = new ValidityPeriod(UTC.dateTime().minusMonths(2), UTC.dateTime().minusMonths(1)); private static final KeyPair ROOT_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate(); diff --git a/src/test/java/net/ripe/rpki/commons/validation/X509ResourceCertificateParentChildValidatorTest.java b/src/test/java/net/ripe/rpki/commons/validation/X509ResourceCertificateParentChildValidatorTest.java index 03f59a0e7..d339238b5 100644 --- a/src/test/java/net/ripe/rpki/commons/validation/X509ResourceCertificateParentChildValidatorTest.java +++ b/src/test/java/net/ripe/rpki/commons/validation/X509ResourceCertificateParentChildValidatorTest.java 
@@ -3,6 +3,7 @@ import com.pholser.junit.quickcheck.From; import com.pholser.junit.quickcheck.Property; import com.pholser.junit.quickcheck.runner.JUnitQuickcheck; +import net.ripe.ipresource.ImmutableResourceSet; import net.ripe.ipresource.IpResource; import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; @@ -30,6 +31,7 @@ import java.security.KeyPair; import java.util.EnumSet; import java.util.List; +import java.util.stream.Collectors; import static net.ripe.rpki.commons.crypto.x509cert.X509CertificateBuilderHelper.DEFAULT_SIGNATURE_PROVIDER; import static org.hamcrest.Matchers.greaterThan; @@ -43,7 +45,7 @@ public class X509ResourceCertificateParentChildValidatorTest { private static final X500Principal ROOT_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only, CN=RIPE NCC, C=NL"); - private static final IpResourceSet ROOT_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); + private static final ImmutableResourceSet ROOT_RESOURCE_SET = ImmutableResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212"); private static final BigInteger ROOT_SERIAL_NUMBER = BigInteger.valueOf(900); private static final DateTime NOW = UTC.dateTime(); private static final ValidityPeriod VALIDITY_PERIOD = new ValidityPeriod(NOW.minusMinutes(1), NOW.plusYears(1)); 
@@ -51,7 +53,7 @@ public class X509ResourceCertificateParentChildValidatorTest { private static final X500Principal FIRST_CHILD_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only, CN=First Child, C=NL"); private static final BigInteger FIRST_CHILD_SERIAL_NUMBER = ROOT_SERIAL_NUMBER.add(BigInteger.valueOf(1)); private static final X500Principal SECOND_CHILD_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only, CN=Second Child, C=NL"); - private static final IpResourceSet INVALID_CHILD_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/15, ffce::/16, AS21212"); + private static final ImmutableResourceSet INVALID_CHILD_RESOURCE_SET = ImmutableResourceSet.parse("10.0.0.0/8, 192.168.0.0/15, ffce::/16, AS21212"); private static final ValidityPeriod EXPIRED_VALIDITY_PERIOD = new ValidityPeriod(NOW.minusMonths(2), NOW.minusMonths(1)); private static final KeyPair ROOT_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate(); @@ -227,10 +229,10 @@ public void validParentChildSubResources(List<@From(IpResourceGen.class) IpResou assumeThat(parentResources.size(), greaterThan(0)); assumeThat(childResourceCount, greaterThan(0)); - final IpResourceSet parentResourceSet = new IpResourceSet(parentResources); + final var parentResourceSet = ImmutableResourceSet.of(parentResources); // some part of the parent resources become child - final IpResourceSet childResourceSet = new IpResourceSet( + final var childResourceSet = ImmutableResourceSet.of( parentResources.subList(0, Math.abs(childResourceCount) % parentResources.size())); if (childResourceSet.isEmpty()) { return; 
@@ -246,18 +248,19 @@ public void validParentChildOverClaiming(List<@From(IpResourceGen.class) IpResou List<@From(IpResourceGen.class) IpResource> extraChildResources) { assumeThat(parentResources.size(), greaterThan(0)); - final IpResourceSet parentResourceSet = new IpResourceSet(parentResources); - final IpResourceSet childResourceSet = new IpResourceSet(extraChildResources); + final var parentResourceSet = ImmutableResourceSet.of(parentResources); + final var childResourceSet = ImmutableResourceSet.of(extraChildResources); // some part of the parent resources become child - parentResources.subList(0, Math.abs(childResourceCount) % parentResources.size()).forEach(childResourceSet::add); + var parentSubset = parentResources.subList(0, Math.abs(childResourceCount) % parentResources.size()).stream().collect(ImmutableResourceSet.collector()); + var totalChildResources = new ImmutableResourceSet.Builder().addAll(childResourceSet).addAll(parentSubset).build(); assumeThat(childResourceSet.isEmpty(), is(false)); - ValidationResult result = validateParentChildPair(parentResourceSet, childResourceSet); + ValidationResult result = validateParentChildPair(parentResourceSet, totalChildResources); if (extraChildResources.isEmpty()) { assertFalse(result.hasFailures()); } else { - IpResourceSet overclaiming = new IpResourceSet(childResourceSet); + IpResourceSet overclaiming = new IpResourceSet(totalChildResources); overclaiming.removeAll(parentResourceSet); if (!overclaiming.isEmpty()) { final ValidationCheck failure = result.getFailuresForAllLocations().get(0); 
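Review bot: The guard `assumeThat(childResourceSet.isEmpty(), is(false));` in `validParentChildOverClaiming` still tests `childResourceSet`, which after this change holds only `extraChildResources`; before, the parent subset had already been added to it at that point. Every generated case without extra resources is now discarded, so the `if (extraChildResources.isEmpty()) { assertFalse(result.hasFailures()); }` branch can no longer run. That branch is the check that a child holding only a subset of its parent's resources validates without an over-claim failure. The guard should test the set that is actually validated: `assumeThat(totalChildResources.isEmpty(), is(false));`. The next hunk has the same leftover in `validParentChildOverClaimingLooseValidation`, where `if (childResourceSet.isEmpty()) { return; }` should test `totalChildResources`; both method bodies start and end outside their hunks.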
@@ -275,16 +278,18 @@ public void validParentChildOverClaimingLooseValidation(List<@From(IpResourceGen return; } - final IpResourceSet parentResourceSet = new IpResourceSet(parentResources); - final IpResourceSet childResourceSet = new IpResourceSet(extraChildResources); + final var parentResourceSet = ImmutableResourceSet.of(parentResources); + final var childResourceSet = ImmutableResourceSet.of(extraChildResources); // some part of the parent resources become child - parentResources.subList(0, Math.abs(childResourceCount) % parentResources.size()).forEach(childResourceSet::add); + var overlappingChildResources = parentResources.subList(0, Math.abs(childResourceCount) % parentResources.size()).stream().collect(ImmutableResourceSet.collector()); + var totalChildResources = new ImmutableResourceSet.Builder().addAll(childResourceSet).addAll(overlappingChildResources).build(); + if (childResourceSet.isEmpty()) { return; } - ValidationResult result = validateParentChildReconsidered(parentResourceSet, childResourceSet); + ValidationResult result = validateParentChildReconsidered(parentResourceSet, totalChildResources); assertFalse(result.hasFailures()); if (!extraChildResources.isEmpty()) { IpResourceSet overclaiming = new IpResourceSet(childResourceSet); 
@@ -297,15 +302,15 @@ public void validParentChildOverClaimingLooseValidation(List<@From(IpResourceGen } } - private ValidationResult validateParentChildReconsidered(IpResourceSet parentResourceSet, IpResourceSet childResourceSet) { + private ValidationResult validateParentChildReconsidered(ImmutableResourceSet parentResourceSet, ImmutableResourceSet childResourceSet) { return validateParentChildPairImpl(parentResourceSet, childResourceSet, true); } - private ValidationResult validateParentChildPair(IpResourceSet parentResourceSet, IpResourceSet childResourceSet) { + private ValidationResult validateParentChildPair(ImmutableResourceSet parentResourceSet, ImmutableResourceSet childResourceSet) { return validateParentChildPairImpl(parentResourceSet, childResourceSet, false); } - private ValidationResult validateParentChildPairImpl(IpResourceSet parentResourceSet, IpResourceSet childResourceSet, boolean reconsidered) { + private ValidationResult validateParentChildPairImpl(ImmutableResourceSet parentResourceSet, ImmutableResourceSet childResourceSet, boolean reconsidered) { final X509ResourceCertificate parentCertificate = createRootCertificateBuilder() .withResources(parentResourceSet) .build(); @@ -334,7 +339,7 @@ private X509ResourceCertificate getRootResourceCertificate() { } private X509ResourceCertificate getRootResourceCertificateWithInheritedResources() { - return createRootCertificateBuilder().withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).withResources(new IpResourceSet()).build(); + return createRootCertificateBuilder().withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).withResources(ImmutableResourceSet.empty()).build(); } private X509ResourceCertificateBuilder createRootCertificateBuilder() {