RIPE NCC has merged 14b47a9

* gitlab: cleanup redundant environments [6965edd3]
* Add column to force manifest re-issuance [53e35c92]
* Add deploy job for new 'production-5c' environment [fa2cd9e9]
* nCipherKM: 13.4.4 -> 13.4.5 [d1911ca2]
* nCipherKM: 13.3.2 -> 13.4.4 [661f00d2]
* Log for what CA we reissue the cert [feb84917]
* Bump Thales versions [316aa905]
* Log the certificate URI when updating resources [7b276613]

.gitlab-ci.yml

@@ -176,15 +176,6 @@ pilot:
       when: never
     - when: manual
 
-dev:
-  <<: *delivr-deploy
-  environment:
-    name: dev
-  rules:
-    - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
-      when: never
-    - when: manual
-
 publish-to-github:
   stage: publish
   image: alpine:latest

build.gradle

@@ -34,6 +34,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
     implementation 'org.springframework.boot:spring-boot-starter-quartz'
     implementation 'org.springframework.boot:spring-boot-starter-security'
+    // for http client - we do not use reactive patterns in general
     implementation 'org.springframework.boot:spring-boot-starter-webflux'
     if (osdetector.os == "osx") {
         runtimeOnly "io.netty:netty-resolver-dns-native-macos:${managedVersions['io.netty:netty-resolver-dns-native-macos']}:osx-${osdetector.arch}"

hsm/build.gradle

@@ -31,9 +31,9 @@ dependencies {
         }
     }
     thalesImplementation "net.ripe.rpki:rpki-commons:$rpki_commons_version"
-    thalesImplementation 'com.thales.esecurity.asg.ripe.db-jceprovider:DBProvider:1.2'
+    thalesImplementation 'com.thales.esecurity.asg.ripe.db-jceprovider:DBProvider:1.4'
     // **When using JDK 11** make sure the matching version of nCipherKM is on classpath because DBProvider depends on it.
-    thalesImplementation 'com.ncipher.nfast:nCipherKM:12.81.2'
+    thalesImplementation 'com.ncipher.nfast:nCipherKM:13.4.5'
 
     thalesImplementation 'org.springframework:spring-context:5.3.27'
     // used in spring-context, but not exported.

src/main/java/net/ripe/rpki/domain/ManagedCertificateAuthority.java

@@ -215,7 +215,8 @@ private boolean resourcesChanged(CertificateIssuanceRequest request, OutgoingRes
             final ImmutableResourceSet removed = latestOutgoingCertificate.getResources().difference(request.getResourceExtension().getResources());
 
             log.info(
-                    "Current certificate for resource class {} of {} has different resources. Added resources: {}, removed resources: {}",
+                    "Current certificate at {} for resource class {} of {} has different resources. Added resources: {}, removed resources: {}",
+                    v("url", latestOutgoingCertificate.getPublicationUri()),
                     DEFAULT_RESOURCE_CLASS, v("subject", request.getSubjectDN()),
                     v("addedResources", added), v("removedResources", removed),
                     v("currentResources", latestOutgoingCertificate.getResources()), v("requestedResources", request.getResourceExtension())
@@ -291,12 +292,12 @@ private OutgoingResourceCertificate findOrIssueOutgoingResourceCertificate(Child
         }
 
         if (latestOutgoingCertificate == null) {
-            log.info("No current certificate for resource class {} and current key pair, requesting new certificate", DEFAULT_RESOURCE_CLASS);
+            log.info("No current certificate for resource class {} and current key pair for {}, requesting new certificate", DEFAULT_RESOURCE_CLASS, requestingCa.getName());
         }
 
         int count = resourceCertificateRepository.countNonExpiredOutgoingCertificates(request.getSubjectPublicKey(), getCurrentKeyPair());
         if (count >= issuedCertificatesPerSignedKeyLimit) {
-            throw new CertificationResourceLimitExceededException("number of issued certificates for public key exceeds the limit (" + count + " >= " + issuedCertificatesPerSignedKeyLimit + ")");
+            throw new CertificationResourceLimitExceededException("number of issued certificates for public key " + request.getSubjectPublicKey() + " of " + request.getSubjectDN() + " exceeds the limit (" + count + " >= " + issuedCertificatesPerSignedKeyLimit + ")");
         }
 
         return getCurrentKeyPair().processCertificateIssuanceRequest(requestingCa, request, validityPeriod, resourceCertificateRepository);

src/main/java/net/ripe/rpki/domain/manifest/ManifestEntity.java

@@ -74,6 +74,12 @@ public class ManifestEntity extends EntitySupport {
     @Column(name = "nextnumber", nullable = false)
     private long nextNumber;
 
+    /**
+     * Does the manifest need to be re-issued right now?
+     */
+    @Column(name = "needs_reissuance", nullable = false)
+    private boolean needsReissuance = false;
+
     @ManyToOne(optional = false)
     @JoinColumn(name = "keypair_id", nullable = false)
     private KeyPairEntity keyPair;
@@ -128,7 +134,8 @@ public boolean isUpdateNeeded(DateTime now, Collection<PublishedObject> manifest
         return cms == null
                 || isCloseToNextUpdateTime(now, cms)
                 || parentCertificatePublicationLocationChanged(cms, keyPair.getCurrentIncomingCertificate())
-                || !cms.matchesFiles(manifestEntries.stream().collect(Collectors.toMap(PublishedObject::getFilename, PublishedObject::getContent, (a, b) -> b)));
+                || !cms.matchesFiles(manifestEntries.stream().collect(Collectors.toMap(PublishedObject::getFilename, PublishedObject::getContent, (a, b) -> b)))
+                || needsReissuance;
     }
 
     public void update(OutgoingResourceCertificate eeCertificate,
@@ -157,6 +164,7 @@ public void update(OutgoingResourceCertificate eeCertificate,
         publishedObject = new PublishedObject(keyPair, keyPair.getManifestFilename(), manifestCms.getEncoded(), false, keyPair.getCertificateRepositoryLocation(), manifestCms.getValidityPeriod(), manifestCms.getSigningTime());
 
         this.nextNumber++;
+        this.needsReissuance = false;
     }
 
     private ManifestCms buildManifestCms(Collection<PublishedObject> manifestEntries, KeyPair eeKeyPair, String signatureProvider) {

src/main/java/net/ripe/rpki/services/impl/background/ResourceCacheService.java

@@ -401,7 +401,7 @@ private static Optional<Rejection> isAcceptableDiff(ResourceDiffStat diffStat) {
             return Optional.of(new Rejection(
                     String.format(
                             "The sum of all per-CA changes (%d) is too big, added %d prefixes, deleted %d prefixes",
-                            diffStat.totalAdded + diffStat.totalDeleted,
+                            diffStat.totalPerCaMutations(),
                             diffStat.totalAdded, diffStat.totalDeleted
                     ),
                     Optional.of(summary)

src/main/resources/db/migration/V129__manifest_force_reissuance.sql

@@ -0,0 +1 @@
+ALTER TABLE manifestentity ADD COLUMN needs_reissuance BOOLEAN DEFAULT FALSE;