On Tue, Jan 18, 2022 at 02:41:38PM +0100, Claudio Jeker wrote:
> On Tue, Jan 18, 2022 at 02:09:08PM +0100, Theo Buehler wrote:
> > On Tue, Jan 18, 2022 at 12:16:44PM +0100, Claudio Jeker wrote:
> > > How X509_verify_cert() is called in rpki-client is mostly the same in all
> > > places so move all this X509 boilerplate into valid_x509().
> > >
> > > This simplifies the x509 validation in the parser a fair bit and will also
> > > make it easier for -f to validate certs.
> > >
> > > OK?
> >
> > ok
> >
> > I would suggest we merge the three if (crl != NULL) checks into one
> > (maybe in a follow-up).
>
> Sure, I tried to keep this as mechanical as possible since this is nasty
> code that does not permit errors.
>
> > The _roa and _gbr paths called the warnx() with the
> > X509_verify_cert_error_string() only conditionally. I guess we can
> > adjust that later if this turns out to be too noisy.
>
> Yes, I forgot to mention that. I think these are some left-overs from the
> time where CRLs were optional. At least I see no reason why
> X509_V_ERR_UNABLE_TO_GET_CRL errors are only printed at verbose level 1 or
> higher.

I looked a bit more into this. So I added this reduced verbosity in Rev
1.17 of main.c. This was before the Elk Lakes hackathon that fixed most of
the validation code. For example in Rev 1.39 of main a few months later
the lookup of CRLs changed to use the AKI for lookups and away from using
some sort of normalized name. I think this and some of the later diffs
made this workaround obsolete.

--
:wq Claudio