CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2024/06/07 07:24:35
Modified files:
usr.sbin/rpki-client: parser.c
Log message:
rpki-client: if anything changed, choose the freshly-fetched TA
Instead of just looking at the serial number it's easier to use X509_cmp().
This compares the certs' hashes computed during the extension caching. This
is currently SHA-512 for LibreSSL and SHA-1 for OpenSSL, which is good
enough. After all, the TA certs were signed by a trusted source and if you
choose to use OpenSSL this won't be the worst of your problems.
ok job
