NLnetLabs
diff --git a/‎Cargo.lock
+3-3 b/‎Cargo.lock
+3-3
diff --git a/‎Cargo.toml
+2-2 b/‎Cargo.toml
+2-2
diff --git a/‎Changelog.md
+9 b/‎Changelog.md
+9
diff --git a/‎src/commons/api/ca.rs
+12 b/‎src/commons/api/ca.rs
+12
diff --git a/‎src/daemon/ca/aspa.rs
+9-5 b/‎src/daemon/ca/aspa.rs
+9-5
diff --git a/‎src/daemon/ca/child.rs
+106-8 b/‎src/daemon/ca/child.rs
+106-8
@@ -1,7 +1,7 @@
 [package]
 # Note: some of these values are also used when building Debian packages below.
 name    = "krill"
-version = "0.9.3-rc2"
+version = "0.9.3-rc3"
 edition = "2018"
 authors = [ "The NLnet Labs RPKI team <[email protected]>" ]
 description = "Resource Public Key Infrastructure (RPKI) daemon"
@@ -44,7 +44,7 @@ rand                  = "^0.8"
 regex                 = { version = "^1.4", optional = true, default_features = false, features = ["std"] }
 reqwest               = { version = "0.11", features = ["json"] }
 rpassword             = { version = "^5.0", optional = true }
-rpki                  = { version = "0.13.1-rc1", features = [ "repository", "rrdp", "serde" ] }
+rpki                  = { version = "0.13.1-rc2", features = [ "repository", "rrdp", "serde" ] }
 # rpki                  = { version = "0.13.1-rc1", git = "https://github.com/NLnetLabs/rpki-rs/", features = [ "repository", "rrdp", "serde" ] }
 scrypt                = { version = "^0.6", optional = true, default-features = false }
 serde                 = { version = "^1.0", features = ["derive"] }
 
@@ -1,7 +1,16 @@
 # Change Log
 
+<<<<<<< HEAD
+## 0.9.3 (RC3) 'The Thundering Herd'
+
+RC3 fixes the following issues in RC2:
+- Use the, now official, ASPA OID (#700)
+- Re-issue ASPA objects on key rolls (717)
+
+=======
 ## 0.9.3 (RC2) 'The Thundering Herd'
 
+>>>>>>> main
 This release adds the following features and fixes:
 - Prevent a thundering herd of hosted CAs publishing at the same time (#692) 
 - Re-issue ROAs to ensure that short EE subject names are used (#700)
 
@@ -335,6 +335,18 @@ impl IssuedCert {
     pub fn replaces(&self) -> Option<&ReplacedObject> {
         self.replaces.as_ref()
     }
+
+    /// Returns a (possibly empty) set of reduced applicable resources which is the intersection
+    /// of the encompassing resources and this certificate's current resources.
+    /// Returns None if the current resource set is not overclaiming and does not need to be
+    /// reduced.
+    pub fn reduced_applicable_resources(&self, encompassing: &ResourceSet) -> Option<ResourceSet> {
+        if encompassing.contains(&self.resource_set) {
+            None
+        } else {
+            Some(encompassing.intersection(&self.resource_set))
+        }
+    }
 }
 
 impl PartialEq for IssuedCert {
 
@@ -8,7 +8,6 @@
 
 use std::{collections::HashMap, fmt::Debug};
 
-use chrono::Duration;
 use rpki::repository::{
     aspa::{Aspa, AspaBuilder},
     sigobj::SignedObjectBuilder,
@@ -190,19 +189,24 @@ impl AspaObjects {
         Ok(object_updates)
     }
 
-    // Re-new ASPAs before they would expire
+    // Re-new ASPAs, if the renew_threshold is specified, then
+    // only objects which will expire before that time will be
+    // renewed.
     pub fn renew(
         &self,
         certified_key: &CertifiedKey,
+        renew_threshold: Option<Time>,
         issuance_timing: &IssuanceTimingConfig,
         signer: &KrillSigner,
     ) -> KrillResult<AspaObjectsUpdates> {
         let mut updates = AspaObjectsUpdates::default();
 
-        let renew_threshold = Time::now() + Duration::weeks(issuance_timing.timing_aspa_reissue_weeks_before);
-
         for aspa in self.0.values() {
-            if aspa.expires() < renew_threshold {
+            let renew = renew_threshold
+                .map(|threshold| aspa.expires() < threshold)
+                .unwrap_or(true); // always renew if no threshold is specified
+
+            if renew {
                 let aspa_definition = aspa.definition().clone();
 
                 let new_aspa = self.make_aspa(aspa_definition, certified_key, issuance_timing, signer)?;
 
@@ -7,14 +7,17 @@ use rpki::repository::{crypto::KeyIdentifier, x509::Time};
 use crate::{
     commons::{
         api::{
-            ChildCaInfo, ChildHandle, ChildState, IssuedCert, ResourceClassName, ResourceSet, SuspendedCert,
-            UnsuspendedCert,
+            ChildCaInfo, ChildHandle, ChildState, HexEncodedHash, IssuedCert, ReplacedObject, ResourceClassName,
+            ResourceSet, Revocation, SuspendedCert, UnsuspendedCert,
         },
-        crypto::IdCert,
+        crypto::{CsrInfo, IdCert, KrillSigner, SignSupport},
         error::Error,
         KrillResult,
     },
-    daemon::config::IssuanceTimingConfig,
+    daemon::{
+        ca::{CertifiedKey, ChildCertificateUpdates},
+        config::IssuanceTimingConfig,
+    },
 };
 
 //------------ UsedKeyState ------------------------------------------------
@@ -184,6 +187,105 @@ impl ChildCertificates {
         self.issued.values()
     }
 
+    /// Re-issue everything when activating a new key
+    pub fn activate_key(
+        &self,
+        new_key: &CertifiedKey,
+        issuance_timing: &IssuanceTimingConfig,
+        signer: &KrillSigner,
+    ) -> KrillResult<ChildCertificateUpdates> {
+        let mut updates = ChildCertificateUpdates::default();
+        for issued in self.issued.values() {
+            updates.issue(self.re_issue(issued, None, new_key, issuance_timing, signer)?);
+        }
+        // Also re-issue suspended certificates, they may yet become unsuspended at some point
+        for suspended in self.suspended.values() {
+            updates.suspend(self.re_issue(suspended, None, new_key, issuance_timing, signer)?);
+        }
+        Ok(updates)
+    }
+
+    /// Shrink any overclaiming certificates.
+    ///
+    /// NOTE: We need to pro-actively shrink child certificates to avoid invalidating them.
+    ///       But, if we gain additional resources it is up to child to request a new certificate
+    ///       with those resources.
+    pub fn shrink_overclaiming(
+        &self,
+        updated_key: &CertifiedKey,
+        issuance_timing: &IssuanceTimingConfig,
+        signer: &KrillSigner,
+    ) -> KrillResult<ChildCertificateUpdates> {
+        let mut updates = ChildCertificateUpdates::default();
+
+        let updated_resources = updated_key.incoming_cert().resources();
+
+        for issued in self.issued.values() {
+            if let Some(reduced_set) = issued.reduced_applicable_resources(updated_resources) {
+                if reduced_set.is_empty() {
+                    // revoke
+                    updates.remove(issued.subject_key_identifier());
+                } else {
+                    // re-issue
+                    updates.issue(self.re_issue(issued, Some(reduced_set), updated_key, issuance_timing, signer)?);
+                }
+            }
+        }
+
+        // Also shrink suspended, in case they would come back
+        for suspended in self.suspended.values() {
+            if let Some(reduced_set) = suspended.reduced_applicable_resources(updated_resources) {
+                if reduced_set.is_empty() {
+                    // revoke
+                    updates.remove(suspended.subject_key_identifier());
+                } else {
+                    // re-issue shrunk suspended
+                    //
+                    // Note: this will not be published yet, but remain suspended
+                    //       until the child contacts us again, or is manually
+                    //       un-suspended.
+                    updates.suspend(self.re_issue(
+                        suspended,
+                        Some(reduced_set),
+                        updated_key,
+                        issuance_timing,
+                        signer,
+                    )?);
+                }
+            }
+        }
+
+        Ok(updates)
+    }
+
+    /// Re-issue a delegated certificate to replace an earlier
+    /// one which is about to be outdated or has changed resources.
+    fn re_issue(
+        &self,
+        previous: &IssuedCert,
+        updated_resources: Option<ResourceSet>,
+        signing_key: &CertifiedKey,
+        issuance_timing: &IssuanceTimingConfig,
+        signer: &KrillSigner,
+    ) -> KrillResult<IssuedCert> {
+        let (_uri, limit, resource_set, cert) = previous.clone().unpack();
+        let csr = CsrInfo::from(&cert);
+        let resource_set = updated_resources.unwrap_or(resource_set);
+        let replaced = ReplacedObject::new(Revocation::from(&cert), HexEncodedHash::from(&cert));
+
+        let re_issued = SignSupport::make_issued_cert(
+            csr,
+            &resource_set,
+            limit,
+            Some(replaced),
+            signing_key,
+            issuance_timing.timing_child_certificate_valid_weeks,
+            signer,
+        )?;
+
+        Ok(re_issued)
+    }
+
     pub fn expiring(&self, issuance_timing: &IssuanceTimingConfig) -> Vec<&IssuedCert> {
         self.issued
             .values()
@@ -200,10 +302,6 @@ impl ChildCertificates {
             .filter(|issued| !resources.contains(issued.resource_set()))
             .collect()
     }
-
-    pub fn iter(&self) -> impl Iterator<Item = &IssuedCert> {
-        self.issued.values()
-    }
 }
 
 impl Default for ChildCertificates {