CVSROOT:        /cvs
Module name:    src
Changes by:     t...@cvs.openbsd.org 2025/07/18 06:20:32

Modified files:
        usr.sbin/rpki-client: aspa.c cms.c extern.h filemode.c gbr.c
                              geofeed.c mft.c parser.c roa.c rsc.c
                              spl.c tak.c

Log message:
rpki-client: move from X509 ** to struct cert **

Make the CMS parsing function take a struct cert ** rather than an
X509 **. Also pass the talid. The point is: cert_parse_ee_cert() now
pulls all the information out of the X509 and ensures the presence of
required fields in the extensions, so we don't need to do that again in
the signed object handlers.

Things become a bit simpler in CMS since we can directly use the
cert->notafter and ditch the up-ref dance.

In aspa_parse() and most other signed object parsers, we can do similar
things: pass in struct cert, copy AIA/AKI/SIA/SKI from the cert (that's
mostly for filemode and can be improved later on), copy validity, drop
cert_parse_ee_cert() and assign the out_cert in the success path.

gbr_parse() is nearly identical. geofeed_parse() handles a detached
object, hence is slightly special, but really is mostly more of the
same. For mft_parse() there's an extra twist with the CRLDP, the
handling of which gets a bit simpler. Nothing special about roas, rscs
have no SIA, and spl and tak are again more of the same.

In parser.c the changes are straightforward with a shift from X509 to
struct cert.

filemode becomes a bit simpler since the signed object parsers now give
us the EE cert, so we don't need to parse that by hand anymore (which,
incidentally, moves a triple warning in -vf back to a single warning).
Similarly to mft_parse, we can use the EE cert's CRLDP to parse the
crl uri and we no longer need to deal with the X509 directly. The
printers still do, but that's something to address later on.

ok job