CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2025/06/30 05:06:48
Modified files:
usr.sbin/rpki-client: cert.c extern.h
Log message:
rpki-client: also parse SIA extensions for EE certs
Parse SIA extensions for EE certificates. There should only be (perhaps
multiple) id-ad-signed-Object access methods, but unfortunately the
ecosystem is polluted with currently roughly 50k EE certs containing
an rpkiNotify access method. So we need to continue to tolerate that.
Rename sbgp_sia() (whose name doesn't make much sense) to cert_ca_sia().
Add cert_ee_sia() which is similar to cert_ca_sia() and x509_get_sia().
There's duplication of code and work because of the latter. I am going
to remove x509_get_sia() further down the road, which will make use of
the new cert->signedobj member. Since it's only for EE certs, there's
no need to transfer it over the pipes.
Likewise, cert_parse_ee_cert() and cert_parse_pre() will see quite a bit
of deduplication.
ok job
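
The access-method policy described in the log message, as an added example that is not code from this commit or from rpki-client: it walks a DER-encoded SIA value, counts id-ad-signedObject entries, tolerates id-ad-rpkiNotify, and rejects anything else. The names `tlv`, `ee_sia_check` and `SAMPLE` are hypothetical, the sample bytes are constructed, and requiring at least one signedObject entry is an assumption taken from RFC 6487; only DER lengths up to 255 bytes are handled.

```c
#include <string.h>

/* DER content octets of the access method OIDs (RFC 6487, RFC 8182). */
static const unsigned char OID_SIGNEDOBJ[] = {0x2b, 6, 1, 5, 5, 7, 0x30, 0x0b};
static const unsigned char OID_NOTIFY[] = {0x2b, 6, 1, 5, 5, 7, 0x30, 0x0d};
/* Constructed sample SIA value (60 bytes plus the literal's trailing NUL). */
const unsigned char SAMPLE[] = "\x30\x3a"
    "\x30\x1b\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x0b\x86\x0f" "rsync://x/a.roa"
    "\x30\x1b\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x0d\x86\x0f" "https://x/n.xml";

/* Read one TLV with the expected tag; returns 0 and advances *p on success. */
static int tlv(const unsigned char **p, const unsigned char *end, int tag,
    const unsigned char **val, size_t *len)
{
	const unsigned char *q = *p;
	size_t n;
	if (end - q < 2 || q[0] != tag)
		return -1;
	n = q[1], q += 2;
	if (n == 0x81 && q < end)	/* one long-form length octet */
		n = *q++;
	else if (n & 0x80)
		return -1;
	if ((size_t)(end - q) < n)
		return -1;
	*val = q, *len = n, *p = q + n;
	return 0;
}

/* Returns the signedObject count or -1; *notify counts tolerated rpkiNotify. */
int ee_sia_check(const unsigned char *der, size_t derlen, int *notify)
{
	const unsigned char *p = der, *end = der + derlen, *seq, *ad, *v;
	size_t n;
	int so = 0, is_so, is_nt;
	*notify = 0;
	if (tlv(&p, end, 0x30, &seq, &n) || p != end)
		return -1;
	for (p = seq; p < end; so += is_so, *notify += is_nt) {
		if (tlv(&p, end, 0x30, &ad, &n) || tlv(&ad, p, 0x06, &v, &n) ||
		    n != sizeof(OID_NOTIFY))
			return -1;	/* p now marks the end of this entry */
		is_so = !memcmp(v, OID_SIGNEDOBJ, n);
		is_nt = !memcmp(v, OID_NOTIFY, n);
		if ((!is_so && !is_nt) || tlv(&ad, p, 0x86, &v, &n) ||
		    ad != p || n == 0)
			return -1;	/* location must be a non-empty URI, tag [6] */
	}
	return so > 0 ? so : -1;
}
```

Call it as `ee_sia_check(SAMPLE, sizeof(SAMPLE) - 1, &notify)`; the `- 1` drops the string literal's terminating NUL.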