CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2025/07/11 03:20:23

Modified files:
	usr.sbin/rpki-client: cms.c extern.h validate.c

Log message:
rpki-client: remove valid_ca_pkey()

CMS_verify() hangs each signer (EE) cert's public key off the signerInfo
corresponding to it (via CMS_set1_signers_certs() if you must know), which
we then go and validate via valid_ca_pkey(). While this happens to work,
it has a wrong smell to it. With recent changes, cert_parse_ee_cert()
validates this key more completely later on, so it's not only not right
but also redundant. All the calls to cert_parse_ee_cert() after
cms_parse_validate() will be merged into a single call in
cms_parse_validate(), so this will become tighter.

The valid_ca_pkey API is unused otherwise, so garbage collect it.

ok job