From: Theo Buehler <tb@theobuehler.org>
Subject: Re: rework rpki-client certificate discovery
To: tech@openbsd.org
Date: Thu, 16 May 2024 13:20:42 +0200

> > I can live with valid_auth(), but what it really does is return the
> > issuing CA cert after looking it up by its internal id and seeing if
> > AKI/SKI match expectations. Maybe find_issuer()?
> 
> That is better. I will also move the code to parser.c since it is the only
> consumer of this function and it is misplaced in validate.c

Agreed on moving the code - I intended to look into doing that as a
follow-up.

I really like how this diff turned out. Much simpler than anticipated
and I think it's a big improvement overall for the logic in both modes.
Lovely.

ok tb

Of course there must be a whitespace nit:

> Index: filemode.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
> diff -u -p -r1.41 filemode.c
> --- filemode.c	21 Apr 2024 19:27:44 -0000	1.41
> +++ filemode.c	15 May 2024 18:26:46 -0000
> @@ -47,6 +47,50 @@ static struct crl_tree	 crlt = RB_INITIA
>  
>  struct tal		*talobj[TALSZ_MAX];
>  
> +struct uripath {
> +	RB_ENTRY(uripath)	entry;

Could you add a space before entry so the member names line up like in
most other structs?

> +	const char		*uri;
> +	struct cert		*cert;
> +};
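
Review bot: struct uripath holds uri as a const char * and cert as a bare struct cert * with no comment saying who owns either pointer. Since the node is linked into an RB tree via RB_ENTRY(uripath), a one-line comment above the struct stating whether the tree borrows these pointers or is responsible for freeing them would make the lifetime rules explicit for whoever writes the insert and cleanup paths.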