1- /* $OpenBSD: cert.c,v 1.207 2025/11/18 14:04:45 tb Exp $ */
1+ /* $OpenBSD: cert.c,v 1.208 2025/12/01 14:40:56 tb Exp $ */
22/*
33 * Copyright (c) 2022,2025 Theo Buehler <tb@openbsd.org>
44 * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -423,7 +423,7 @@ cert_ski(const char *fn, struct cert *cert, X509_EXTENSION *ext)
423423 ASN1_OCTET_STRING * os = NULL ;
424424 unsigned char md [EVP_MAX_MD_SIZE ];
425425 unsigned int md_len = EVP_MAX_MD_SIZE ;
426- int rc = 0 ;
426+ int length , rc = 0 ;
427427
428428 assert (cert -> ski == NULL );
429429
@@ -443,14 +443,15 @@ cert_ski(const char *fn, struct cert *cert, X509_EXTENSION *ext)
443443 goto out ;
444444 }
445445
446- if (os -> length < 0 || md_len != (unsigned int )os -> length ) {
446+ length = ASN1_STRING_length (os );
447+ if (length < 0 || md_len != (unsigned int )length ) {
447448 warnx ("%s: RFC 6487 section 4.8.2: SKI: "
448449 "want %u bytes SHA1 hash, have %d bytes" ,
449- fn , md_len , os -> length );
450+ fn , md_len , length );
450451 goto out ;
451452 }
452453
453- if (memcmp (os -> data , md , md_len ) != 0 ) {
454+ if (memcmp (ASN1_STRING_get0_data ( os ) , md , md_len ) != 0 ) {
454455 warnx ("%s: SKI does not match SHA1 hash of SPK" , fn );
455456 goto out ;
456457 }
@@ -467,7 +468,7 @@ static int
467468cert_aki (const char * fn , struct cert * cert , X509_EXTENSION * ext )
468469{
469470 AUTHORITY_KEYID * akid = NULL ;
470- int rc = 0 ;
471+ int length , rc = 0 ;
471472
472473 assert (cert -> aki == NULL );
473474
@@ -487,19 +488,20 @@ cert_aki(const char *fn, struct cert *cert, X509_EXTENSION *ext)
487488 goto out ;
488489 }
489490
490- if (akid -> keyid == NULL || akid -> keyid -> data == NULL ) {
491+ if (akid -> keyid == NULL ) {
491492 warnx ("%s: RFC 6487 section 4.8.3: AKI: Key Identifier missing" ,
492493 fn );
493494 goto out ;
494495 }
495- if (akid -> keyid -> length != SHA_DIGEST_LENGTH ) {
496+ length = ASN1_STRING_length (akid -> keyid );
497+ if (length != SHA_DIGEST_LENGTH ) {
496498 warnx ("%s: RFC 6487 section 4.8.3: AKI: "
497499 "want %d bytes SHA1 hash, have %d bytes" ,
498- fn , SHA_DIGEST_LENGTH , akid -> keyid -> length );
500+ fn , SHA_DIGEST_LENGTH , length );
499501 goto out ;
500502 }
501503
502- cert -> aki = hex_encode (akid -> keyid -> data , akid -> keyid -> length );
504+ cert -> aki = hex_encode (ASN1_STRING_get0_data ( akid -> keyid ), length );
503505
504506 rc = 1 ;
505507 out :