Use immutable resource set

README.md

@@ -62,7 +62,8 @@ next (snapshot) release, e.g. `1.1-SNAPSHOT` after releasing `1.0`.
 
 ## Changelog
 
-## 2024-xx-yy 1.38
+## 2024-xx-yy 2.0.0
+  * **breaking**: Use **ImmutableResourceSet** in many situations
 
 ## 2024-02-28 1.37
   * Use bouncy castle 1.77 (and update API usage accordingly)

pom.xml

@@ -2,7 +2,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>net.ripe.rpki</groupId>
     <artifactId>rpki-commons</artifactId>
-    <version>1.38-SNAPSHOT</version>
+    <version>2.0.0-SNAPSHOT</version>
     <inceptionYear>2008</inceptionYear>
 
     <name>RPKI Commmons</name>

src/main/java/net/ripe/rpki/commons/crypto/cms/roa/RoaCms.java

@@ -1,6 +1,7 @@
 package net.ripe.rpki.commons.crypto.cms.roa;
 
 import net.ripe.ipresource.Asn;
+import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.rpki.commons.crypto.cms.RpkiSignedObject;
 import net.ripe.rpki.commons.crypto.cms.RpkiSignedObjectInfo;
@@ -31,7 +32,7 @@ public Asn getAsn() {
         return asn;
     }
 
-    public IpResourceSet getResources() {
+    public ImmutableResourceSet getResources() {
         return getCertificate().getResources();
     }
 

src/main/java/net/ripe/rpki/commons/crypto/rfc3779/ResourceExtensionEncoder.java

@@ -1,12 +1,6 @@
 package net.ripe.rpki.commons.crypto.rfc3779;
 
-import net.ripe.ipresource.Asn;
-import net.ripe.ipresource.IpAddress;
-import net.ripe.ipresource.IpRange;
-import net.ripe.ipresource.IpResource;
-import net.ripe.ipresource.IpResourceRange;
-import net.ripe.ipresource.IpResourceSet;
-import net.ripe.ipresource.IpResourceType;
+import net.ripe.ipresource.*;
 import net.ripe.rpki.commons.crypto.util.Asn1Util;
 import org.apache.commons.lang3.Validate;
 import org.bouncycastle.asn1.ASN1Encodable;
@@ -62,8 +56,8 @@ public class ResourceExtensionEncoder {
      * @param resources   the set of IPv4 and IPv6 resources.
      * @return the DER encoding of the IP Address Block Extension.
      */
-    public ASN1Object encodeIpAddressBlocks(boolean inheritIpv4, boolean inheritIpv6, IpResourceSet resources) {
-        SortedMap<AddressFamily, IpResourceSet> addressBlocks = new TreeMap<AddressFamily, IpResourceSet>();
+    public ASN1Object encodeIpAddressBlocks(boolean inheritIpv4, boolean inheritIpv6, ImmutableResourceSet resources) {
+        SortedMap<AddressFamily, ImmutableResourceSet> addressBlocks = new TreeMap<>();
 
         if (inheritIpv4) {
             addressBlocks.put(AddressFamily.IPV4, null);
@@ -89,9 +83,9 @@ public ASN1Object encodeIpAddressBlocks(boolean inheritIpv4, boolean inheritIpv6
      * @param resources the set of ASNs.
      * @return the DER encoding of the AS Identifier extension.
      */
-    public ASN1Object encodeAsIdentifiers(boolean inherit, IpResourceSet resources) {
+    public ASN1Object encodeAsIdentifiers(boolean inherit, ImmutableResourceSet resources) {
         if (inherit || resources.containsType(IpResourceType.ASN)) {
-            return asIdentifiersToDer(inherit, resources, false, new IpResourceSet());
+            return asIdentifiersToDer(inherit, resources, false, ImmutableResourceSet.empty());
         }
         return null;
     }
@@ -104,7 +98,7 @@ public ASN1Object encodeAsIdentifiers(boolean inherit, IpResourceSet resources)
      * ASIdentifiers ::= SEQUENCE { asnum [0] EXPLICIT ASIdentifierChoice
      * OPTIONAL, rdi [1] EXPLICIT ASIdentifierChoice OPTIONAL}
      */
-    ASN1Object asIdentifiersToDer(boolean inheritAsn, IpResourceSet asnResources, boolean inheritRdi, IpResourceSet rdiResources) {
+    ASN1Object asIdentifiersToDer(boolean inheritAsn, ImmutableResourceSet asnResources, boolean inheritRdi, ImmutableResourceSet rdiResources) {
         List<ASN1Encodable> seq = new ArrayList<ASN1Encodable>(2);
         if (inheritAsn || asnResources.containsType(IpResourceType.ASN)) {
             seq.add(new DERTaggedObject(0, asIdentifierChoiceToDer(inheritAsn, asnResources)));
@@ -119,14 +113,14 @@ ASN1Object asIdentifiersToDer(boolean inheritAsn, IpResourceSet asnResources, bo
      * ASIdentifierChoice ::= CHOICE { inherit NULL, -- inherit from issuer --
      * asIdsOrRanges SEQUENCE OF ASIdOrRange }
      */
-    ASN1Encodable asIdentifierChoiceToDer(boolean inherit, IpResourceSet resources) {
+    ASN1Encodable asIdentifierChoiceToDer(boolean inherit, ImmutableResourceSet resources) {
         return inherit ? DERNull.INSTANCE : asIdsOrRangesToDer(resources);
     }
 
     /**
      * asIdsOrRanges ::= SEQUENCE OF ASIdOrRange
      */
-    DERSequence asIdsOrRangesToDer(IpResourceSet resources) {
+    DERSequence asIdsOrRangesToDer(ImmutableResourceSet resources) {
         List<ASN1Encodable> seq = new ArrayList<ASN1Encodable>();
         for (IpResource resource : resources) {
             if (IpResourceType.ASN == resource.getType()) {
@@ -161,7 +155,7 @@ ASN1Integer asIdToDer(Asn asn) {
     /**
      * IPAddrBlocks ::= SEQUENCE OF IPAddressFamily
      */
-    ASN1Object ipAddressBlocksToDer(SortedMap<AddressFamily, IpResourceSet> resources) {
+    ASN1Object ipAddressBlocksToDer(SortedMap<AddressFamily, ImmutableResourceSet> resources) {
         List<ASN1Encodable> seq = new ArrayList<ASN1Encodable>(2);
         for (AddressFamily addressFamily : resources.keySet()) {
             seq.add(ipAddressFamilyToDer(addressFamily, resources.get(addressFamily)));
@@ -173,7 +167,7 @@ ASN1Object ipAddressBlocksToDer(SortedMap<AddressFamily, IpResourceSet> resource
      * IPAddressFamily ::= SEQUENCE { -- AFI & opt SAFI -- addressFamily OCTET
      * STRING (SIZE (2..3)), ipAddressChoice IPAddressChoice }
      */
-    ASN1Object ipAddressFamilyToDer(AddressFamily addressFamily, IpResourceSet resources) {
+    ASN1Object ipAddressFamilyToDer(AddressFamily addressFamily, ImmutableResourceSet resources) {
         IpResourceType type = addressFamily.toIpResourceType();
         ASN1Encodable[] seq = new ASN1Encodable[2];
         seq[0] = addressFamily.toDer();
@@ -185,7 +179,7 @@ ASN1Object ipAddressFamilyToDer(AddressFamily addressFamily, IpResourceSet resou
      * IPAddressChoice ::= CHOICE { inherit NULL, -- inherit from issuer --
      * addressesOrRanges SEQUENCE OF IPAddressOrRange }
      */
-    ASN1Encodable ipAddressChoiceToDer(IpResourceType type, IpResourceSet resources) {
+    ASN1Encodable ipAddressChoiceToDer(IpResourceType type, ImmutableResourceSet resources) {
         if (resources == null) {
             return DERNull.INSTANCE;
         }

src/main/java/net/ripe/rpki/commons/crypto/x509cert/GenericRpkiCertificateBuilder.java

@@ -1,5 +1,6 @@
 package net.ripe.rpki.commons.crypto.x509cert;
 
+import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.ipresource.IpResourceType;
 import net.ripe.rpki.commons.crypto.ValidityPeriod;
@@ -17,7 +18,7 @@ public abstract class GenericRpkiCertificateBuilder {
     private PublicKey publicKey;
     private KeyPair signingKeyPair;
     private BigInteger serial;
-    private IpResourceSet resources = new IpResourceSet();
+    private ImmutableResourceSet resources = ImmutableResourceSet.empty();
     private EnumSet<IpResourceType> inheritedResourceTypes = EnumSet.noneOf(IpResourceType.class);
     private X500Principal subject;
     private X500Principal issuer;
@@ -40,7 +41,7 @@ public void withSerial(BigInteger serial) {
         this.serial = serial;
     }
 
-    public void withResources(IpResourceSet resources) {
+    public void withResources(ImmutableResourceSet resources) {
         this.resources = resources;
     }
 

src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509CertificateBuilderHelper.java

@@ -1,5 +1,6 @@
 package net.ripe.rpki.commons.crypto.x509cert;
 
+import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.ipresource.IpResourceType;
 import net.ripe.rpki.commons.crypto.ValidityPeriod;
@@ -83,7 +84,7 @@ public final class X509CertificateBuilderHelper {
 
     private ValidityPeriod validityPeriod;
 
-    private IpResourceSet resources;
+    private ImmutableResourceSet resources;
 
     private PublicKey publicKey;
 
@@ -134,7 +135,7 @@ public X509CertificateBuilderHelper withValidityPeriod(
         return this;
     }
 
-    public X509CertificateBuilderHelper withResources(IpResourceSet resources) {
+    public X509CertificateBuilderHelper withResources(ImmutableResourceSet resources) {
         this.resources = resources;
         return this;
     }
@@ -294,7 +295,7 @@ protected X509v3CertificateBuilder createCertificateGenerator() {
      * must be present. This means at least one IPvX or ASN must be either set
      * explicitly or inherited..
      */
-    protected void validateResource(IpResourceSet resources) {
+    protected void validateResource(ImmutableResourceSet resources) {
         // at least one resource type must be either set or inherited
         final boolean atLeastOneResourceTypeUsed = EnumSet.allOf(IpResourceType.class)
             .stream()

src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificate.java

@@ -44,8 +44,8 @@ public ImmutableResourceSet resources() {
         return resourceExtension.getResources();
     }
 
-    public IpResourceSet getResources() {
-        return new IpResourceSet(resources());
+    public ImmutableResourceSet getResources() {
+        return resources();
     }
 
     public EnumSet<IpResourceType> getInheritedResourceTypes() {

src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateBuilder.java

@@ -1,5 +1,6 @@
 package net.ripe.rpki.commons.crypto.x509cert;
 
+import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.ipresource.IpResourceType;
 import net.ripe.rpki.commons.crypto.ValidityPeriod;
@@ -22,7 +23,7 @@
  */
 public class X509ResourceCertificateBuilder {
     private final X509CertificateBuilderHelper builderHelper;
-    private IpResourceSet resources = new IpResourceSet();
+    private ImmutableResourceSet resources = ImmutableResourceSet.empty();
     private EnumSet<IpResourceType> inheritedResourceTypes = EnumSet.noneOf(IpResourceType.class);
 
     public X509ResourceCertificateBuilder() {
@@ -72,7 +73,7 @@ public X509ResourceCertificateBuilder withKeyUsage(int keyUsage) {
         return this;
     }
 
-    public X509ResourceCertificateBuilder withResources(IpResourceSet resources) {
+    public X509ResourceCertificateBuilder withResources(ImmutableResourceSet resources) {
         this.resources = resources;
         builderHelper.withResources(resources);
         return this;

src/main/java/net/ripe/rpki/commons/crypto/x509cert/X509RouterCertificateBuilder.java

@@ -1,6 +1,7 @@
 package net.ripe.rpki.commons.crypto.x509cert;
 
 import net.ripe.ipresource.Asn;
+import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.ipresource.IpResourceType;
 import net.ripe.rpki.commons.crypto.ValidityPeriod;
@@ -74,7 +75,7 @@ public X509RouterCertificateBuilder withAsns(int[] asns) {
             for (int asn : asns) {
                 resources.add(new Asn(asn));
             }
-            builderHelper.withResources(resources);
+            builderHelper.withResources(ImmutableResourceSet.of(resources));
         }
         return this;
     }

src/main/java/net/ripe/rpki/commons/validation/objectvalidators/CertificateRepositoryObjectValidationContext.java

@@ -1,6 +1,7 @@
 package net.ripe.rpki.commons.validation.objectvalidators;
 
 import com.google.common.collect.Lists;
+import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.rpki.commons.crypto.x509cert.X509CertificateObject;
 import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
@@ -27,15 +28,18 @@ public class CertificateRepositoryObjectValidationContext {
 
     private final X509CertificateObject certificate;
 
-    private final IpResourceSet resources;
+    /**
+     * Mutable because it can be reduced when overclaiming
+     */
+    private final ImmutableResourceSet resources;
 
-    private IpResourceSet overclaiming = new IpResourceSet();
+    private ImmutableResourceSet overclaiming = ImmutableResourceSet.empty();
 
     public CertificateRepositoryObjectValidationContext(URI location, X509ResourceCertificate certificate) {
         this(location, certificate, certificate.getResources(), Lists.newArrayList(certificate.getSubject().getName()));
     }
 
-    public CertificateRepositoryObjectValidationContext(URI location, X509ResourceCertificate certificate, IpResourceSet resources, List<String> subjectChain) {
+    public CertificateRepositoryObjectValidationContext(URI location, X509ResourceCertificate certificate, ImmutableResourceSet resources, List<String> subjectChain) {
         this.location = location;
         this.certificate = certificate;
         this.resources = resources;
@@ -85,28 +89,32 @@ public byte[] getSubjectKeyIdentifier() {
     }
 
     public void addOverclaiming(IpResourceSet overclaiming) {
-        this.overclaiming.addAll(overclaiming);
+        this.overclaiming = new ImmutableResourceSet.Builder().addAll(this.overclaiming).addAll(overclaiming).build();
     }
 
     public CertificateRepositoryObjectValidationContext createChildContext(URI childLocation, X509ResourceCertificate childCertificate) {
-        IpResourceSet effectiveResources = childCertificate.deriveResources(resources);
+        var effectiveResources = childCertificate.deriveResources(resources);
         removeOverclaimingResources(effectiveResources);
         List<String> childSubjects = Lists.newArrayList(subjectChain);
         childSubjects.add(childCertificate.getSubject().getName());
         return new CertificateRepositoryObjectValidationContext(childLocation, childCertificate, effectiveResources, childSubjects);
     }
 
-    public IpResourceSet getResources() {
-        IpResourceSet result = new IpResourceSet(resources);
-        removeOverclaimingResources(result);
-        return result;
+    public ImmutableResourceSet getResources() {
+        return removeOverclaimingResources(resources);
     }
 
-    private void removeOverclaimingResources(IpResourceSet resources) {
+    /**
+     * Remove the resources that are overclaimed in this context from the passed in resources.
+     * @param resources resources to clean
+     * @return resources - overclaiming
+     */
+    private ImmutableResourceSet removeOverclaimingResources(ImmutableResourceSet resources) {
         if (overclaiming.isEmpty() || resources.isEmpty()) {
-            return;
+            return resources;
         }
-        resources.removeAll(overclaiming);
+
+        return new ImmutableResourceSet.Builder().addAll(resources).removeAll(overclaiming).build();
     }
 
     @Override

src/main/java/net/ripe/rpki/commons/validation/objectvalidators/ResourceValidatorFactory.java

@@ -1,5 +1,6 @@
 package net.ripe.rpki.commons.validation.objectvalidators;
 
+import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.rpki.commons.crypto.crl.X509Crl;
 import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
@@ -12,7 +13,7 @@ public static X509ResourceCertificateParentChildValidator getX509ResourceCertifi
             CertificateRepositoryObjectValidationContext context,
             ValidationOptions options, ValidationResult result, X509Crl crl) {
 
-        return new X509ResourceCertificateParentChildValidator(options, result, context.getCertificate(), crl, context.getResources());
+        return new X509ResourceCertificateParentChildValidator(options, result, context.getCertificate(), crl, ImmutableResourceSet.of(context.getResources()));
     }
 
     public static X509ResourceCertificateValidator getX509ResourceCertificateValidator(
@@ -22,12 +23,12 @@ public static X509ResourceCertificateValidator getX509ResourceCertificateValidat
         if (options.isAllowOverclaimParentChild())
             return new X509ResourceCertificateParentChildLooseValidator(options, result, crl, context);
 
-        return new X509ResourceCertificateParentChildValidator(options, result, context.getCertificate(), crl, context.getResources());
+        return new X509ResourceCertificateParentChildValidator(options, result, context.getCertificate(), crl, ImmutableResourceSet.of(context.getResources()));
     }
 
     public static X509ResourceCertificateParentChildValidator getX509ResourceCertificateParentChildStrictValidator(
             ValidationOptions options, ValidationResult result, X509ResourceCertificate parent,
-            IpResourceSet resources, X509Crl crl) {
+            ImmutableResourceSet resources, X509Crl crl) {
         return new X509ResourceCertificateParentChildValidator(options, result, parent, crl, resources);
     }
 }

src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateBottomUpValidator.java

@@ -66,7 +66,7 @@ public void validate(String location, X509ResourceCertificate certificate) {
         X509ResourceCertificate parent = certificates.get(0).getCertificate();
         certificates.remove(0); // No need to validate the root (1st parent) certificate against itself
 
-        IpResourceSet resources = parent.getResources();
+        var resources = parent.getResources();
 
         for (CertificateWithLocation certificateWithLocation : certificates) {
             String childLocation = certificateWithLocation.getLocation().getName();

src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildLooseValidator.java

@@ -31,8 +31,8 @@ public void validate(String location, X509ResourceCertificate certificate) {
     private void verifyResources() {
         final ValidationResult result = getValidationResult();
         final X509ResourceCertificate child = getChild();
-        final IpResourceSet resources = context.getResources();
-        final IpResourceSet childResourceSet = child.deriveResources(resources);
+        final var resources = context.getResources();
+        final var childResourceSet = child.deriveResources(resources);
 
         if (child.isRoot()) {
             result.rejectIfTrue(child.isResourceSetInherited(), ROOT_INHERITS_RESOURCES);

src/main/java/net/ripe/rpki/commons/validation/objectvalidators/X509ResourceCertificateParentChildValidator.java

@@ -1,5 +1,6 @@
 package net.ripe.rpki.commons.validation.objectvalidators;
 
+import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.rpki.commons.crypto.crl.X509Crl;
 import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
@@ -11,13 +12,13 @@
 
 public class X509ResourceCertificateParentChildValidator extends X509CertificateParentChildValidator<X509ResourceCertificate> implements X509ResourceCertificateValidator {
 
-    private IpResourceSet resources;
+    private ImmutableResourceSet resources;
 
     public X509ResourceCertificateParentChildValidator(ValidationOptions options,
                                                        ValidationResult result,
                                                        X509ResourceCertificate parent,
                                                        X509Crl crl,
-                                                       IpResourceSet resources) {
+                                                       ImmutableResourceSet resources) {
         super(options, result, parent, crl);
         this.resources = resources;
     }
@@ -31,7 +32,7 @@ public void validate(String location, X509ResourceCertificate certificate) {
     private void verifyResources() {
         final ValidationResult result = getValidationResult();
         final X509ResourceCertificate child = getChild();
-        final IpResourceSet childResourceSet = child.deriveResources(resources);
+        final var childResourceSet = child.deriveResources(resources);
 
         if (child.isRoot()) {
             result.rejectIfTrue(child.isResourceSetInherited(), ROOT_INHERITS_RESOURCES);