Rework SIA handling to be less incorrect
Currently we would only accept rsync URIs in caRepository and rpkiManifest.
This is wrong. The specification requires at least one rsync URI to be
resent, but allows for other URI types, ordered by descending CA preference.
With this diff we will still only respect the first rsync address, but we
will no longer reject certificates listing other URIs. Make the warning
conditional on verbose mode.
Also make it clearer that sbgp_sia() (which is poorly named) is for CA
certs while x509_get_sia() is for EE certs.
input/ok claudio
projects / openbsd / commit