From: Theo Buehler Subject: rpki-client: fix RFC references in ta_parse() To: tech@openbsd.org Date: Thu, 6 Jun 2024 09:11:51 +0200 Section 8 of RFC 6487 has no (sub)subsections. The CRL reference shows that it's not just 8 and 4 that are swapped. 4.8.3 is about the AKI and states that in a TA it should be set to the SKI if present, so it's better than 4.8.2. 4.8.7 is indeed about the AIA. p->crl is set via x509_get_crl() which parses CRL distribution points, section 4.8.6. Index: cert.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v diff -u -p -r1.137 cert.c --- cert.c 6 Jun 2024 03:29:52 -0000 1.137 +++ cert.c 6 Jun 2024 07:03:26 -0000 @@ -1103,17 +1103,17 @@ ta_parse(const char *fn, struct cert *p, goto badcert; } if (p->aki != NULL && strcmp(p->aki, p->ski)) { - warnx("%s: RFC 6487 section 8.4.2: " + warnx("%s: RFC 6487 section 4.8.3: " "trust anchor AKI, if specified, must match SKI", fn); goto badcert; } if (p->aia != NULL) { - warnx("%s: RFC 6487 section 8.4.7: " + warnx("%s: RFC 6487 section 4.8.7: " "trust anchor must not have AIA", fn); goto badcert; } if (p->crl != NULL) { - warnx("%s: RFC 6487 section 8.4.2: " + warnx("%s: RFC 6487 section 4.8.6: " "trust anchor may not specify CRL resource", fn); goto badcert; }
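Review bot: in the last changed warnx(), under the `p->crl != NULL` check, the message still reads "trust anchor may not specify CRL resource" while the AIA message directly above it says "must not have". "May not" can be read as permissive, and "CRL resource" does not name the extension that the newly cited section 4.8.6 covers. Since the commit message states that p->crl is filled by x509_get_crl() from the CRL distribution points, consider wording the string as "trust anchor must not have CRL distribution point" so that it matches both the reference and the neighbouring message. The three corrected section numbers (4.8.3, 4.8.7, 4.8.6) are consistent with the explanation given in the commit message.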