rpki-client: fix RFC references in ta_parse()
On Thu, Jun 06, 2024 at 09:11:51AM +0200, Theo Buehler wrote:
> Section 8 of RFC 6487 has no (sub)subsections. The CRL reference shows
> that it's not just 8 and 4 that are swapped. 4.8.3 is about the AKI and
> states that in a TA it should be set to the SKI if present, so it's
> better than 4.8.2. 4.8.7 is indeed about the AIA. p->crl is set via
> x509_get_crl() which parses CRL distribution points, section 4.8.6.
>
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.137 cert.c
> --- cert.c 6 Jun 2024 03:29:52 -0000 1.137
> +++ cert.c 6 Jun 2024 07:03:26 -0000
> @@ -1103,17 +1103,17 @@ ta_parse(const char *fn, struct cert *p,
> goto badcert;
> }
> if (p->aki != NULL && strcmp(p->aki, p->ski)) {
> - warnx("%s: RFC 6487 section 8.4.2: "
> + warnx("%s: RFC 6487 section 4.8.3: "
> "trust anchor AKI, if specified, must match SKI", fn);
> goto badcert;
> }
> if (p->aia != NULL) {
> - warnx("%s: RFC 6487 section 8.4.7: "
> + warnx("%s: RFC 6487 section 4.8.7: "
> "trust anchor must not have AIA", fn);
> goto badcert;
> }
> if (p->crl != NULL) {
> - warnx("%s: RFC 6487 section 8.4.2: "
> + warnx("%s: RFC 6487 section 4.8.6: "
> "trust anchor may not specify CRL resource", fn);
> goto badcert;
> }
>
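Review bot: in the last check (p->crl != NULL) the message still reads "trust anchor may not specify CRL resource", while the AIA check directly above it says "must not have AIA". Since that warnx() is being touched anyway, consider wording it "must not" as well, so both prohibitions read as hard requirements and the log output is consistent. A one-line comment at that check noting that p->crl is filled from the CRL distribution points by x509_get_crl() would also make the link to section 4.8.6 visible in the code, not only in the commit message.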
Go for it. OK claudio@
--
:wq Claudio