CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/01/28 01:42:07
Modified files:
usr.sbin/rpki-client: cert.c
Log message:
rpki-client: explain why we do what we do in ta_check_pubkey()
The base64-encoded SPKI blob in the TAL should really be matched against
the corresponding part of the cert's DER. Unfortunately, libcrypto only
stores internal representations in the X509's cert_info field, so what it
hands back via the X509_* and X509_PUBKEY_* API is at best re-encoded and
therefore unsuitable for this purpose. Document this so when I will have
forgotten this the day after tomorrow, I still have a chance of not wasting
as much time for a third or fourth time next time I revisit this.
ok claudio
