A while ago rpki-client was changed to validate the sha256 hashes of

files referenced in MFT files during the validation of the MFT file.
An MFT is only valid if all files are present and their hashes are valid.
Because of this there is no longer the need to check the hash when
these files are parsed later on. Remove these checks for CRT, ROA and CRL
files. Use the presence of the pkey when parsing cert files to decide
if it is a root cert or not.
OK tb@

1 files changed, 2 insertions, 2 deletions

diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index 767a84da490..1f41bfecd03 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: mft.c,v 1.23 2021/01/08 08:09:07 claudio Exp $ */
+/*	$OpenBSD: mft.c,v 1.24 2021/01/29 10:13:16 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -384,7 +384,7 @@ mft_parse(X509 **x509, const char *fn)
 	p.fn = fn;
 
 	cms = cms_parse_validate(x509, fn, "1.2.840.113549.1.9.16.1.26",
-	    NULL, &cmsz);
+	    &cmsz);
 	if (cms == NULL)
 		return NULL;
 	assert(*x509 != NULL);