CVSROOT:        /cvs
Module name:    src
Changes by:     t...@cvs.openbsd.org    2025/07/20 06:00:49

Modified files:
        usr.sbin/rpki-client: extern.h filemode.c mft.c print.c 

Log message:
rpki-client: remove AIA and SKI for manifests

These are only used by file mode and can be retrieved from the EE cert.
Keep the AKI and SIA for now:

The mft->aki needs to be pushed to the main process for entp->mftaki,
which is handed back to the parser for the mftaki check in find_issuer().
I need to check more closely if this is still useful, but that would be
for a separate diff anyway...

The mft->aki is also needed a few layers down in the parser for checking
it against the CRL's AKI. Similarly, the mft->sia is used for crl->mftpath
and while this copy in mft could be avoided, doing so means handing the
info through the layers somehow. Borrowing it from the cert to avoid the
copy is a bit ugly and doing it differently and cleanly seems more work
than it's worth right now.

The rest is essentially identical to the other signed objects, with
slight differences because the "validity" of manifests is part of the
econtent. I adjusted the two checks for strdup() to individual checks
which is what we normally do.

ok job
