On Sun, Jul 20, 2025 at 10:24:19AM +0200, Theo Buehler wrote:
> The mft->aki needs to be pushed to the main process for entp->mftaki,
> which is handed back to the parser for the mftaki check in find_issuer().
> I need to check more closely if this is still useful, but that would be
> for a separate diff anyway...
> 
> The mft->aki is also needed a few layers down in the parser for checking
> it against the CRL's AKI. Similarly, the mft->sia is used for crl->mftpath
> and while this copy in mft could be avoided, doing so means handing the
> info through the layers somehow. Borrowing it from the cert to avoid the
> copy is a bit ugly and doing it differently and cleanly seems more work
> than it's worth right now.
> 
> The rest is essentially identical to the other signed objects, with
> slight differences because the "validity" of manifests is part of the
> econtent. I adjusted the two checks for strdup() to individual checks
> which is what we normally do.

OK job@