
Commit b46498d

committed
rpki-client: convert cert.c and crl.c to use opaque ASN1_STRING
Mostly mechanical. If the length is not zero, the data isn't NULL either because this is a deserialized extension, so drop a check. ok claudio
1 parent c7986f4 commit b46498d

2 files changed

Lines changed: 15 additions & 13 deletions


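--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.207 2025/11/18 14:04:45 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.208 2025/12/01 14:40:56 tb Exp $ */
 /*
 * Copyright (c) 2022,2025 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -423,7 +423,7 @@ cert_ski(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 ASN1_OCTET_STRING *os = NULL;
 unsigned char md[EVP_MAX_MD_SIZE];
 unsigned int md_len = EVP_MAX_MD_SIZE;
-int rc = 0;
+int length, rc = 0;
 
 assert(cert->ski == NULL);
 
@@ -443,14 +443,15 @@ cert_ski(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 goto out;
 }
 
-if (os->length < 0 || md_len != (unsigned int)os->length) {
+length = ASN1_STRING_length(os);
+if (length < 0 || md_len != (unsigned int)length) {
 warnx("%s: RFC 6487 section 4.8.2: SKI: "
 "want %u bytes SHA1 hash, have %d bytes",
-fn, md_len, os->length);
+fn, md_len, length);
 goto out;
 }
 
-if (memcmp(os->data, md, md_len) != 0) {
+if (memcmp(ASN1_STRING_get0_data(os), md, md_len) != 0) {
 warnx("%s: SKI does not match SHA1 hash of SPK", fn);
 goto out;
 }
@@ -467,7 +468,7 @@ static int
 cert_aki(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 {
 AUTHORITY_KEYID *akid = NULL;
-int rc = 0;
+int length, rc = 0;
 
 assert(cert->aki == NULL);
 
@@ -487,19 +488,20 @@ cert_aki(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 goto out;
 }
 
-if (akid->keyid == NULL || akid->keyid->data == NULL) {
+if (akid->keyid == NULL) {
 warnx("%s: RFC 6487 section 4.8.3: AKI: Key Identifier missing",
 fn);
 goto out;
 }
-if (akid->keyid->length != SHA_DIGEST_LENGTH) {
+length = ASN1_STRING_length(akid->keyid);
+if (length != SHA_DIGEST_LENGTH) {
 warnx("%s: RFC 6487 section 4.8.3: AKI: "
 "want %d bytes SHA1 hash, have %d bytes",
-fn, SHA_DIGEST_LENGTH, akid->keyid->length);
+fn, SHA_DIGEST_LENGTH, length);
 goto out;
 }
 
-cert->aki = hex_encode(akid->keyid->data, akid->keyid->length);
+cert->aki = hex_encode(ASN1_STRING_get0_data(akid->keyid), length);
 
 rc = 1;
 out: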
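Review bot: The new `if (akid->keyid == NULL)` test in cert_aki no longer checks the data pointer, and the reason this is safe is recorded only in the commit message: the later `length != SHA_DIGEST_LENGTH` check rejects a zero-length string before `ASN1_STRING_get0_data(akid->keyid)` reaches `hex_encode`. I would keep that invariant next to the code, for example `/* Non-zero length of a deserialized extension implies non-NULL data. */` above the length check, so that reordering the two checks later cannot quietly reintroduce a NULL dereference while parsing untrusted certificates. The same ordering dependency applies to `memcmp(ASN1_STRING_get0_data(os), md, md_len)` in cert_ski and, it appears, to `d = ASN1_STRING_get0_data(os)` in crl_get_aki in crl.c, where the consumer of `d` is outside the visible hunk. cert_aki's body starts in the previous hunk and continues past `out:`.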

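--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.51 2025/11/18 14:04:45 tb Exp $ */
+/* $OpenBSD: crl.c,v 1.52 2025/12/01 14:40:56 tb Exp $ */
 /*
 * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -105,8 +105,8 @@ crl_get_aki(const char *fn, X509_CRL *x509_crl)
 goto out;
 }
 
-d = os->data;
-dsz = os->length;
+d = ASN1_STRING_get0_data(os);
+dsz = ASN1_STRING_length(os);
 
 if (dsz != SHA_DIGEST_LENGTH) {
 warnx("%s: RFC 6487 section 4.8.3: AKI: "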
