From: Job Snijders
Subject: Re: rework rpki-client certificate discovery
To: Theo Buehler, tech@openbsd.org
Date: Thu, 16 May 2024 18:41:09 +0000

Dear Claudio, tb,

Thank you for your work on this! Two nits:

On Thu, May 16, 2024 at 12:51:17PM +0200, Claudio Jeker wrote:
> + if (issuer == NULL) {
> + cert->certid = cert->talid;
> + } else {
> + cert->certid = ++certid;
> + if (certid > CERTID_MAX)
> + err(1, "%s: too many certificates", fn);

Is err() here the best approach? Could an alternative be to stop
processing additional CA certs, cobble on, write output files, and exit
with a non-zero error exit code to alert the operator? So for example
return NULL instead of adding the CA cert to the auth tree.

> + na->depth = issuer->depth + 1;
> + }
> +
> + if (na->depth >= MAX_CERT_DEPTH) {
> + warnx("%s: stack depth exhausted", fn);

maybe: warnx("%s: maximum certificate chain depth exhausted", fn); ?

Other than that things look good. I've loaded this diff on
console.rpki-client.org and some other systems. Let's have this run over
the weekend before committing.

Kind regards,

Job
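
Review bot: err() in the certid > CERTID_MAX branch of the first quoted hunk appends strerror(errno) to the message, but exhausting the certificate id space is not a failed system call, so the output would end in whatever errno happens to hold at that point; errx(1, "%s: too many certificates", fn) matches the condition better. Separately, cert->certid = ++certid is assigned before the bound is tested. That is harmless only while the branch exits; if the limit is ever handled by returning NULL, test the bound before incrementing and assigning so that an out-of-range id is never stored in cert and the counter does not keep growing on later calls.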
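
Review bot: na->depth in the second quoted hunk is assigned only inside the else (issuer != NULL) block, while the na->depth >= MAX_CERT_DEPTH test that follows runs for both paths. The quoted lines do not show how na is allocated, so please confirm it is zero-initialised, or set na->depth = 0 explicitly in the issuer == NULL branch, so that the trust anchor case never compares an indeterminate value. The quoted lines also stop at the warnx() call; whatever follows should release na and report failure to the caller rather than leave a partially filled node behind.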