authorClaudio Jeker <claudio@cvs.openbsd.org>2022-01-18 16:24:56 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2022-01-18 16:24:56 +0000
commit6046d724b11af50403b595cc1b02e49e36d8d8cc (patch)
tree65d225cdbff2b6e19edc6cc307e079cbc409bad1 /usr.sbin
parent3e17b1d547e1f4fb06216a27b6a59fab9826e1f0 (diff)
Revert all the files that should not have been committed in the last commit.
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpki-client/cms.c14
-rw-r--r--usr.sbin/rpki-client/extern.h6
-rw-r--r--usr.sbin/rpki-client/gbr.c4
-rw-r--r--usr.sbin/rpki-client/mft.c45
-rw-r--r--usr.sbin/rpki-client/parser.c366
5 files changed, 174 insertions, 261 deletions
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 10630ab7a23..950e7b6573f 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.12 2022/01/18 16:18:22 claudio Exp $ */
+/* $OpenBSD: cms.c,v 1.13 2022/01/18 16:24:55 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -36,7 +36,7 @@
*/
unsigned char *
cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
- size_t derlen, const ASN1_OBJECT *oid, size_t *rsz, int nowarn)
+ size_t derlen, const ASN1_OBJECT *oid, size_t *rsz)
{
const ASN1_OBJECT *obj;
ASN1_OCTET_STRING **os = NULL;
@@ -53,8 +53,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
return NULL;
if ((cms = d2i_CMS_ContentInfo(NULL, &der, derlen)) == NULL) {
- if (nowarn)
- goto out;
cryptowarnx("%s: RFC 6488: failed CMS parse", fn);
goto out;
}
@@ -66,8 +64,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
if (!CMS_verify(cms, NULL, NULL, NULL, NULL,
CMS_NO_SIGNER_CERT_VERIFY)) {
- if (nowarn)
- goto out;
cryptowarnx("%s: RFC 6488: CMS not self-signed", fn);
goto out;
}
@@ -83,8 +79,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
if (OBJ_cmp(obj, oid) != 0) {
char buf[128], obuf[128];
- if (nowarn)
- goto out;
OBJ_obj2txt(buf, sizeof(buf), obj, 1);
OBJ_obj2txt(obuf, sizeof(obuf), oid, 1);
warnx("%s: RFC 6488 section 2.1.3.1: eContentType: "
@@ -100,8 +94,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
certs = CMS_get0_signers(cms);
if (certs == NULL || sk_X509_num(certs) != 1) {
- if (nowarn)
- goto out;
warnx("%s: RFC 6488 section 2.1.4: eContent: "
"want 1 signer, have %d", fn, sk_X509_num(certs));
goto out;
@@ -111,8 +103,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der,
/* Verify that we have eContent to disseminate. */
if ((os = CMS_get0_content(cms)) == NULL || *os == NULL) {
- if (nowarn)
- goto out;
warnx("%s: RFC 6488 section 2.1.4: "
"eContent: zero-length content", fn);
goto out;
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 72e478eec85..42bb0fc3af7 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.106 2022/01/18 16:18:22 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.107 2022/01/18 16:24:55 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -418,8 +418,8 @@ void mft_buffer(struct ibuf *, const struct mft *);
void mft_free(struct mft *);
struct mft *mft_parse(X509 **, const char *, const unsigned char *,
size_t);
+int mft_check(const char *, struct mft *);
struct mft *mft_read(struct ibuf *);
-int mft_compare(const struct mft *, const struct mft *);
void roa_buffer(struct ibuf *, const struct roa *);
void roa_free(struct roa *);
@@ -454,7 +454,7 @@ int valid_origin(const char *, const char *);
/* Working with CMS. */
unsigned char *cms_parse_validate(X509 **, const char *,
const unsigned char *, size_t,
- const ASN1_OBJECT *, size_t *, int);
+ const ASN1_OBJECT *, size_t *);
int cms_econtent_version(const char *, const unsigned char **,
size_t, long *);
/* Helper for ASN1 parsing */
diff --git a/usr.sbin/rpki-client/gbr.c b/usr.sbin/rpki-client/gbr.c
index 85cd5a5af83..ecdb1f57551 100644
--- a/usr.sbin/rpki-client/gbr.c
+++ b/usr.sbin/rpki-client/gbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gbr.c,v 1.13 2022/01/18 16:18:22 claudio Exp $ */
+/* $OpenBSD: gbr.c,v 1.14 2022/01/18 16:24:55 claudio Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
*
@@ -53,7 +53,7 @@ gbr_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
- cms = cms_parse_validate(x509, fn, der, len, gbr_oid, &cmsz, 0);
+ cms = cms_parse_validate(x509, fn, der, len, gbr_oid, &cmsz);
if (cms == NULL)
return NULL;
diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c
index bfa8b71b3fc..e393d25f0d3 100644
--- a/usr.sbin/rpki-client/mft.c
+++ b/usr.sbin/rpki-client/mft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mft.c,v 1.47 2022/01/18 16:18:22 claudio Exp $ */
+/* $OpenBSD: mft.c,v 1.48 2022/01/18 16:24:55 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -403,8 +403,9 @@ out:
/*
* Parse the objects that have been published in the manifest.
* This conforms to RFC 6486.
- * On success the MFT content is returned. Stale MFTs only set
- * the stale flag and returned like valid MFTs.
+ * Note that if the MFT is stale, all referenced objects are stripped
+ * from the parsed content.
+ * The MFT content is otherwise returned.
*/
struct mft *
mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
@@ -417,7 +418,7 @@ mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
- cms = cms_parse_validate(x509, fn, der, len, mft_oid, &cmsz, 0);
+ cms = cms_parse_validate(x509, fn, der, len, mft_oid, &cmsz);
if (cms == NULL)
return NULL;
assert(*x509 != NULL);
@@ -531,39 +532,3 @@ mft_read(struct ibuf *b)
return p;
}
-
-/*
- * Compare two MFT files, returns 1 if first MFT is better and 0 if second
- * should be used.
- */
-int
-mft_compare(const struct mft *a, const struct mft *b)
-{
- BIGNUM *abn = NULL, *bbn = NULL;
- int r;
-
- if (a == NULL)
- return 0;
- if (b == NULL)
- return 1;
-
-warnx("%s: seq a %s, seq b %s", __func__, a->seqnum, b->seqnum);
- BN_hex2bn(&abn, a->seqnum);
- BN_hex2bn(&bbn, b->seqnum);
-
- r = BN_cmp(abn, bbn);
- BN_free(abn);
- BN_free(bbn);
-
- if (r <= 0)
- return 0;
-
-warnx("%s: prefer b", __func__);
- /*
- * Equal sequence numbers should not happen for different content.
- * In this case we prefer the newer MFT. It seems some CA update
- * the EE cert and timestamps without issuing a new serial.
- * This is bad bad bad bad bad.
- */
- return 1;
-}
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index a21c3a47cf6..1ac396a4a22 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.40 2022/01/18 16:18:22 claudio Exp $ */
+/* $OpenBSD: parser.c,v 1.41 2022/01/18 16:24:55 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -50,7 +50,6 @@ static struct crl_tree crlt = RB_INITIALIZER(&crlt);
struct parse_repo {
RB_ENTRY(parse_repo) entry;
char *path;
- char *validpath;
unsigned int id;
};
@@ -73,75 +72,20 @@ repo_get(unsigned int id)
}
static void
-repo_add(unsigned int id, char *path, char *validpath)
+repo_add(unsigned int id, char *path)
{
struct parse_repo *rp;
- if ((rp = calloc(1, sizeof(*rp))) == NULL)
+ if ((rp = malloc(sizeof(*rp))) == NULL)
err(1, NULL);
rp->id = id;
- if (path != NULL)
- if ((rp->path = strdup(path)) == NULL)
- err(1, NULL);
- if (validpath != NULL)
- if ((rp->validpath = strdup(validpath)) == NULL)
- err(1, NULL);
+ if ((rp->path = strdup(path)) == NULL)
+ err(1, NULL);
if (RB_INSERT(repo_tree, &repos, rp) != NULL)
errx(1, "repository already added: id %d, %s", id, path);
}
-/*
- * Build access path to file based on repoid, path and file values.
- * If wantalt == 1 the function can return NULL, if wantalt == 0 it
- * can not fail.
- */
-static char *
-parse_filepath(unsigned int repoid, const char *path, const char *file,
- int wantalt)
-{
- struct parse_repo *rp;
- char *fn, *repopath;
-
- /* build file path based on repoid, entity path and filename */
- rp = repo_get(repoid);
- if (rp == NULL) {
- /* no repo so no alternative path. */
- if (wantalt)
- return NULL;
-
- if (path == NULL) {
- if ((fn = strdup(file)) == NULL)
- err(1, NULL);
- } else {
- if (asprintf(&fn, "%s/%s", path, file) == -1)
- err(1, NULL);
- }
- } else {
- if (wantalt || rp->path == NULL)
- repopath = rp->validpath;
- else
- repopath = rp->path;
-
- if (repopath == NULL)
- return NULL;
-
- if (path == NULL) {
- if (asprintf(&fn, "%s/%s", repopath, file) == -1)
- err(1, NULL);
- } else {
- if (asprintf(&fn, "%s/%s/%s", repopath, path,
- file) == -1)
- err(1, NULL);
- }
- }
- return fn;
-}
-
-/*
- * Callback for X509_verify_cert() to handle critical extensions in old
- * LibreSSL libraries or OpenSSL libs without RFC3779 support.
- */
static int
verify_cb(int ok, X509_STORE_CTX *store_ctx)
{
@@ -200,74 +144,52 @@ verify_cb(int ok, X509_STORE_CTX *store_ctx)
}
/*
- * Validate the X509 certificate. If crl is NULL don't check CRL.
- * Returns 1 for valid certificates, returns 0 if there is a verify error
+ * Parse and validate a ROA.
+ * This is standard stuff.
+ * Returns the roa on success, NULL on failure.
*/
-static int
-valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl)
+static struct roa *
+proc_parser_roa(char *file, const unsigned char *der, size_t len)
{
- STACK_OF(X509) *chain;
- STACK_OF(X509_CRL) *crls = NULL;
+ struct roa *roa;
+ X509 *x509;
int c;
+ struct auth *a;
+ STACK_OF(X509) *chain;
+ STACK_OF(X509_CRL) *crls;
+ struct crl *crl;
+
+ if ((roa = roa_parse(&x509, file, der, len)) == NULL)
+ return NULL;
+ a = valid_ski_aki(file, &auths, roa->ski, roa->aki);
build_chain(a, &chain);
- if (crl != NULL)
- build_crls(crl, &crls);
+ crl = get_crl(a);
+ build_crls(crl, &crls);
assert(x509 != NULL);
if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL))
cryptoerrx("X509_STORE_CTX_init");
-
X509_STORE_CTX_set_verify_cb(ctx, verify_cb);
if (!X509_STORE_CTX_set_app_data(ctx, file))
cryptoerrx("X509_STORE_CTX_set_app_data");
- if (crl != NULL)
- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH);
X509_STORE_CTX_set0_trusted_stack(ctx, chain);
- if (crl != NULL)
- X509_STORE_CTX_set0_crls(ctx, crls);
+ X509_STORE_CTX_set0_crls(ctx, crls);
if (X509_verify_cert(ctx) <= 0) {
c = X509_STORE_CTX_get_error(ctx);
- warnx("%s: %s", file, X509_verify_cert_error_string(c));
X509_STORE_CTX_cleanup(ctx);
- sk_X509_free(chain);
- sk_X509_CRL_free(crls);
- return 0;
- }
-
- X509_STORE_CTX_cleanup(ctx);
- sk_X509_free(chain);
- sk_X509_CRL_free(crls);
- return 1;
-}
-
-/*
- * Parse and validate a ROA.
- * This is standard stuff.
- * Returns the roa on success, NULL on failure.
- */
-static struct roa *
-proc_parser_roa(char *file, const unsigned char *der, size_t len)
-{
- struct roa *roa;
- struct crl *crl;
- struct auth *a;
- X509 *x509;
-
- if ((roa = roa_parse(&x509, file, der, len)) == NULL)
- return NULL;
-
- a = valid_ski_aki(file, &auths, roa->ski, roa->aki);
- crl = get_crl(a);
-
- if (!valid_x509(file, x509, a, crl)) {
+ if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL)
+ warnx("%s: %s", file, X509_verify_cert_error_string(c));
X509_free(x509);
roa_free(roa);
+ sk_X509_free(chain);
+ sk_X509_CRL_free(crls);
return NULL;
}
- X509_free(x509);
+ X509_STORE_CTX_cleanup(ctx);
/*
* Check CRL to figure out the soonest transitive expiry moment
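Review bot: The failure branch at `if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL)` silences the verification diagnostic for a missing CRL unless verbose is set, yet nothing records why that error is treated differently from the other verification errors while the ROA is still rejected and freed. A comment above the condition, such as `/* The ROA is rejected either way; a missing CRL is only reported when verbose. */`, would preserve the intent, with the reason for exempting the CRL case added by the author since this hunk does not show it. The `proc_parser_gbr` hunk later in this file uses the same condition and should carry the same comment.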
@@ -292,6 +214,10 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len)
if (valid_roa(file, &auths, roa))
roa->valid = 1;
+ sk_X509_free(chain);
+ sk_X509_CRL_free(crls);
+ X509_free(x509);
+
return roa;
}
@@ -299,12 +225,17 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len)
* Check all files and their hashes in a MFT structure.
* Return zero on failure, non-zero on success.
*/
-static int
+int
mft_check(const char *fn, struct mft *p)
{
size_t i;
- int fd, try, rc = 1;
- char *h, *path;
+ int fd, rc = 1;
+ char *cp, *h, *path = NULL;
+
+ /* Check hash of file now, but first build path for it */
+ cp = strrchr(fn, '/');
+ assert(cp != NULL);
+ assert(cp - fn < INT_MAX);
for (i = 0; i < p->filesz; i++) {
const struct mftfile *m = &p->files[i];
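Review bot: `assert(cp != NULL)` after `cp = strrchr(fn, '/')` makes a manifest path with no directory component abort the parser instead of failing the check; `parse_filepath` in this file can produce exactly such a name (`strdup(entp->file)` when the entity has neither a known repo nor a path), so unless that combination is impossible for RTYPE_MFT entities the assert should become a soft failure, e.g. `if ((cp = strrchr(fn, '/')) == NULL) { warnx("%s: no directory in path", fn); return 0; }`. Whether an RTYPE_MFT entity can arrive here without a repo is not visible in this hunk. mft_check's loop body continues outside the hunk.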
@@ -315,24 +246,15 @@ mft_check(const char *fn, struct mft *p)
free(h);
continue;
}
-
- fd = -1;
- try = 0;
- path = NULL;
- do {
- free(path);
- if ((path = parse_filepath(p->repoid, p->path, m->file,
- try++)) == NULL)
- break;
- fd = open(path, O_RDONLY);
- } while (fd == -1 && try < 2);
-
- free(path);
-
+ if (asprintf(&path, "%.*s/%s", (int)(cp - fn), fn,
+ m->file) == -1)
+ err(1, NULL);
+ fd = open(path, O_RDONLY);
if (!valid_filehash(fd, m->hash, sizeof(m->hash))) {
warnx("%s: bad message digest for %s", fn, m->file);
rc = 0;
}
+ free(path);
}
return rc;
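Review bot: The path built by `asprintf(&path, "%.*s/%s", ...)` splices `m->file`, a name read from the manifest, directly after the manifest's directory, and nothing in this hunk shows that the name has been restricted to a bare file name; if `mft_parse` does not already reject names containing `/` or `..` components, the hash check could be evaluated against a file outside the manifest's directory, so that restriction should be confirmed or enforced before the `asprintf`. The `open` result is also passed to `valid_filehash` without a check, as the removed code did; if `valid_filehash` treats a negative fd as a failed check, a comment such as `/* valid_filehash treats fd == -1 as a failed check */` above the call would document that contract. mft_check begins outside this hunk.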
@@ -354,31 +276,49 @@ proc_parser_mft(char *file, const unsigned char *der, size_t len,
{
struct mft *mft;
X509 *x509;
+ int c;
struct auth *a;
+ STACK_OF(X509) *chain;
if ((mft = mft_parse(&x509, file, der, len)) == NULL)
return NULL;
a = valid_ski_aki(file, &auths, mft->ski, mft->aki);
+ build_chain(a, &chain);
- if (!valid_x509(file, x509, a, NULL)) {
+ if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL))
+ cryptoerrx("X509_STORE_CTX_init");
+
+ /* CRL checks disabled here because CRL is referenced from mft */
+ X509_STORE_CTX_set_verify_cb(ctx, verify_cb);
+ if (!X509_STORE_CTX_set_app_data(ctx, file))
+ cryptoerrx("X509_STORE_CTX_set_app_data");
+ X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH);
+ X509_STORE_CTX_set0_trusted_stack(ctx, chain);
+
+ if (X509_verify_cert(ctx) <= 0) {
+ c = X509_STORE_CTX_get_error(ctx);
+ X509_STORE_CTX_cleanup(ctx);
+ warnx("%s: %s", file, X509_verify_cert_error_string(c));
mft_free(mft);
X509_free(x509);
+ sk_X509_free(chain);
return NULL;
}
+
+ X509_STORE_CTX_cleanup(ctx);
+ sk_X509_free(chain);
X509_free(x509);
- mft->repoid = repoid;
+ if (!mft_check(file, mft)) {
+ mft_free(mft);
+ return NULL;
+ }
+
if (path != NULL)
if ((mft->path = strdup(path)) == NULL)
err(1, NULL);
-
- if (!mft->stale)
- if (!mft_check(file, mft)) {
- mft_free(mft);
- return NULL;
- }
-
+ mft->repoid = repoid;
return mft;
}
@@ -394,8 +334,10 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len)
{
struct cert *cert;
X509 *x509;
- struct auth *a;
- struct crl *crl;
+ int c;
+ struct auth *a = NULL;
+ STACK_OF(X509) *chain;
+ STACK_OF(X509_CRL) *crls;
/* Extract certificate data and X509. */
@@ -404,13 +346,35 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len)
return NULL;
a = valid_ski_aki(file, &auths, cert->ski, cert->aki);
- crl = get_crl(a);
+ build_chain(a, &chain);
+ build_crls(get_crl(a), &crls);
+
+ assert(x509 != NULL);
+ if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL))
+ cryptoerrx("X509_STORE_CTX_init");
+
+ X509_STORE_CTX_set_verify_cb(ctx, verify_cb);
+ if (!X509_STORE_CTX_set_app_data(ctx, file))
+ cryptoerrx("X509_STORE_CTX_set_app_data");
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH);
+ X509_STORE_CTX_set0_trusted_stack(ctx, chain);
+ X509_STORE_CTX_set0_crls(ctx, crls);
- if (!valid_x509(file, x509, a, crl)) {
+ if (X509_verify_cert(ctx) <= 0) {
+ c = X509_STORE_CTX_get_error(ctx);
+ warnx("%s: %s", file, X509_verify_cert_error_string(c));
+ X509_STORE_CTX_cleanup(ctx);
cert_free(cert);
+ sk_X509_free(chain);
+ sk_X509_CRL_free(crls);
X509_free(x509);
return NULL;
}
+
+ X509_STORE_CTX_cleanup(ctx);
+ sk_X509_free(chain);
+ sk_X509_CRL_free(crls);
X509_free(x509);
cert->talid = a->cert->talid;
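Review bot: `cert->talid = a->cert->talid;` at the end of this hunk dereferences `a` without a check, and `a` is the result of `valid_ski_aki`, initialised to NULL in the preceding hunk; this is only safe if `X509_verify_cert` can never succeed when `build_chain(a, &chain)` was given a NULL `a`, which depends on `build_chain` and `verify_cb` outside this hunk. An `assert(a != NULL);` before the dereference would make that assumption explicit and fail loudly instead of crashing on a null pointer. The `= NULL` initialiser in the preceding hunk is otherwise dead, since `a` is assigned unconditionally at `a = valid_ski_aki(file, &auths, cert->ski, cert->aki);`.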
@@ -571,18 +535,39 @@ proc_parser_gbr(char *file, const unsigned char *der, size_t len)
{
struct gbr *gbr;
X509 *x509;
+ int c;
struct auth *a;
- struct crl *crl;
+ STACK_OF(X509) *chain;
+ STACK_OF(X509_CRL) *crls;
if ((gbr = gbr_parse(&x509, file, der, len)) == NULL)
return;
a = valid_ski_aki(file, &auths, gbr->ski, gbr->aki);
- crl = get_crl(a);
- /* return value can be ignored since nothing happens here */
- valid_x509(file, x509, a, crl);
+ build_chain(a, &chain);
+ build_crls(get_crl(a), &crls);
+ assert(x509 != NULL);
+ if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL))
+ cryptoerrx("X509_STORE_CTX_init");
+ X509_STORE_CTX_set_verify_cb(ctx, verify_cb);
+ if (!X509_STORE_CTX_set_app_data(ctx, file))
+ cryptoerrx("X509_STORE_CTX_set_app_data");
+ X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH);
+ X509_STORE_CTX_set0_trusted_stack(ctx, chain);
+ X509_STORE_CTX_set0_crls(ctx, crls);
+
+ if (X509_verify_cert(ctx) <= 0) {
+ c = X509_STORE_CTX_get_error(ctx);
+ if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL)
+ warnx("%s: %s", file, X509_verify_cert_error_string(c));
+ }
+
+ X509_STORE_CTX_cleanup(ctx);
+ sk_X509_free(chain);
+ sk_X509_CRL_free(crls);
X509_free(x509);
gbr_free(gbr);
}
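Review bot: `proc_parser_gbr` discards the outcome of `X509_verify_cert` apart from the diagnostic: after the `if (X509_verify_cert(ctx) <= 0)` block the function cleans up and frees the GBR regardless of the result, and the new code carries no comment saying this is intended. The removed version stated it explicitly; a line such as `/* Only a diagnostic is produced here; the GBR is freed right after, so the verify result is intentionally ignored. */` above the verification avoids the appearance of a forgotten check.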
@@ -644,40 +629,33 @@ build_crls(const struct crl *crl, STACK_OF(X509_CRL) **crls)
}
static char *
-parse_load_file(struct entity *entp, unsigned char **f, size_t *flen)
+parse_filepath(struct entity *entp)
{
- char *file, *nfile;
-
- file = parse_filepath(entp->repoid, entp->path, entp->file, 0);
+ struct parse_repo *rp;
+ char *file;
- /* TAL files include the data already */
- if (entp->type == RTYPE_TAL) {
- *f = NULL;
- *flen = 0;
- return file;
+ /* build file path based on repoid, entity path and filename */
+ rp = repo_get(entp->repoid);
+ if (rp == NULL) {
+ if (entp->path == NULL) {
+ if ((file = strdup(entp->file)) == NULL)
+ err(1, NULL);
+ } else {
+ if (asprintf(&file, "%s/%s", entp->path,
+ entp->file) == -1)
+ err(1, NULL);
+ }
+ } else {
+ if (entp->path == NULL) {
+ if (asprintf(&file, "%s/%s", rp->path,
+ entp->file) == -1)
+ err(1, NULL);
+ } else {
+ if (asprintf(&file, "%s/%s/%s", rp->path,
+ entp->path, entp->file) == -1)
+ err(1, NULL);
+ }
}
-
- *f = load_file(file, flen);
- if (*f != NULL)
- return file;
-
- if (errno != ENOENT)
- goto fail;
-
- /* try alternate file location */
- nfile = parse_filepath(entp->repoid, entp->path, entp->file, 1);
- if (nfile == NULL)
- goto fail;
-
- free(file);
- file = nfile;
-
- *f = load_file(file, flen);
- if (*f != NULL)
- return file;
-
-fail:
- warn("parse file %s", file);
return file;
}
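Review bot: The new `parse_filepath` has no header comment, while the function it replaces documented its contract; a comment above `static char *` such as `/* Build the on-disk path of the entity's file from its repository, entity path and file name; never returns NULL (exits on allocation failure). */` would record that every branch either sets `file` or calls `err`. Note also that when `rp == NULL` and `entp->path == NULL` the result is `entp->file` alone with no directory component, which matters for `mft_check`, which later calls `strrchr(fn, '/')` on such a path and asserts the result is non-NULL.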
@@ -687,12 +665,12 @@ parse_entity(struct entityq *q, struct msgbuf *msgq)
struct entity *entp;
struct tal *tal;
struct cert *cert;
- struct mft *mft, *mft2;
+ struct mft *mft;
struct roa *roa;
struct ibuf *b;
unsigned char *f;
size_t flen;
- char *file, *nfile;
+ char *file;
int c;
while ((entp = TAILQ_FIRST(q)) != NULL) {
@@ -700,18 +678,23 @@ parse_entity(struct entityq *q, struct msgbuf *msgq)
/* handle RTYPE_REPO first */
if (entp->type == RTYPE_REPO) {
- repo_add(entp->repoid, entp->path, entp->file);
+ repo_add(entp->repoid, entp->path);
entity_free(entp);
continue;
}
- file = parse_load_file(entp, &f, &flen);
+ f = NULL;
+ file = parse_filepath(entp);
+ if (entp->type != RTYPE_TAL) {
+ f = load_file(file, &flen);
+ if (f == NULL)
+ warn("%s", file);
+ }
- /* pass back at least type, repoid and filename */
+ /* pass back at least type and filename */
b = io_new_buffer();
io_simple_buffer(b, &entp->type, sizeof(entp->type));
- if (entp->type != RTYPE_MFT) /* MFT handled specially */
- io_str_buffer(b, file);
+ io_str_buffer(b, file);
switch (entp->type) {
case RTYPE_TAL:
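Review bot: When `load_file` fails in the `entp->type != RTYPE_TAL` branch, `f` is NULL but `flen` keeps whatever value it had, and both are still handed to the `proc_parser_*` calls below; unless `load_file` guarantees to set `*flen` on failure (not visible here), `flen` is read uninitialised, since it is declared without an initialiser in the preceding hunk. Initialising it alongside `f` — `f = NULL; flen = 0;` — removes the dependency on that guarantee. The removed `parse_load_file` had the same gap, so this is not new to the commit, but it is cheap to close here.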
@@ -746,31 +729,7 @@ parse_entity(struct entityq *q, struct msgbuf *msgq)
case RTYPE_MFT:
mft = proc_parser_mft(file, f, flen,
entp->path, entp->repoid);
-
- /* need to check alternate mft and compare serial */
- nfile = parse_filepath(entp->repoid, entp->path,
- entp->file, 1);
- if (nfile != NULL && strcmp(nfile, file) != 0) {
- free(f);
- f = load_file(nfile, &flen);
- mft2 = proc_parser_mft(nfile, f, flen,
- entp->path, entp->repoid);
- if (mft_compare(mft2, mft)) {
- /* swap MFT */
-warnx("using old valid MFT %s", nfile);
- mft_free(mft);
- mft = mft2;
- mft2 = NULL;
- free(file);
- file = nfile;
- nfile = NULL;
- }
- mft_free(mft2);
- }
- free(nfile);
-
c = (mft != NULL);
- io_str_buffer(b, file);
io_simple_buffer(b, &c, sizeof(int));
if (mft != NULL)
mft_buffer(b, mft);
@@ -817,7 +776,6 @@ proc_parser(int fd)
ERR_load_crypto_strings();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
- x509_init_oid();
if ((ctx = X509_STORE_CTX_new()) == NULL)
cryptoerrx("X509_STORE_CTX_new");