author | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-11 07:27:15 +0000 |
committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-06-11 07:27:15 +0000 |
commit | 3bc0ef9240fe0e1ddc04e59379c24cfc7559e616 (patch) | |
tree | 04a32f85706c624ad9eaa357ad6aa7ad23e6ef7a /usr.sbin/rpki-client | |
parent | 9d4b22aaa748bc282a3b461fec9589391a266672 (diff) |
rpki-client: simplify signature type checking for certs/CRLs
The OpenSSL 1.1 get_signature_nid() API is available for all libraries
that we support and it does exactly what we want. It is much simpler
than the unergonomic accessors we used previously. The ASN.1 templates
ensure that the relevant struct members aren't NULL after successful
deserialization, so the calls are safe.
ok claudio
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r-- | usr.sbin/rpki-client/cert.c | 11 | ||||
-rw-r--r-- | usr.sbin/rpki-client/crl.c | 11 |
2 files changed, 6 insertions, 16 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 6c8f7a2493b..4f80e182dd9 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.145 2024/06/10 10:50:13 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.146 2024/06/11 07:27:14 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -797,9 +797,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
  int i, extsz;
  X509 *x = NULL;
  X509_EXTENSION *ext = NULL;
- const X509_ALGOR *palg;
  const ASN1_BIT_STRING *piuid = NULL, *psuid = NULL;
- const ASN1_OBJECT *cobj;
  ASN1_OBJECT *obj;
  EVP_PKEY *pkey;
  int nid, ip, as, sia, cp, crldp, aia, aki, ski,
@@ -832,13 +830,10 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
  goto out;
  }
 
- X509_get0_signature(NULL, &palg, x);
- if (palg == NULL) {
- warnx("%s: X509_get0_signature", fn);
+ if ((nid = X509_get_signature_nid(x)) == NID_undef) {
+ warnx("%s: unknown signature type", fn);
  goto out;
  }
- X509_ALGOR_get0(&cobj, NULL, NULL, palg);
- nid = OBJ_obj2nid(cobj);
  if (experimental && nid == NID_ecdsa_with_SHA256) {
  if (verbose)
  warnx("%s: P-256 support is experimental", fn);
diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index 0e7705c7429..fb9447ef31e 100644
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.37 2024/06/05 13:36:28 tb Exp $ */
+/* $OpenBSD: crl.c,v 1.38 2024/06/11 07:27:14 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -165,9 +165,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 {
  const unsigned char *oder;
  struct crl *crl;
- const X509_ALGOR *palg;
  const X509_NAME *name;
- const ASN1_OBJECT *cobj;
  const ASN1_TIME *at;
  int count, nid, rc = 0;
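Review bot: The new guard in the cert_parse_pre hunk at line 832 rejects only NID_undef, so it deserves a comment saying where the actual allow-list for the signature algorithm is enforced; cert_parse_pre continues outside the hunk, and from the visible lines nothing other than the experimental P-256 branch narrows nid. X509_get_signature_nid() also reports only the outer signatureAlgorithm, and the RFC 5280 §4.1.1.2 requirement that it equal tbsCertificate.signature is presumably left to X509_verify(), which is worth stating next to the check: `/* Outer signatureAlgorithm only; the match with tbsCertificate.signature is left to X509_verify(). */`. The same applies to the crl_parse hunk at line 200 below, where X509_CRL_get_signature_nid() is checked the same way and the field that must match is tbsCertList.signature (RFC 5280 §5.1.1.2).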
@@ -200,13 +198,10 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
  if (!x509_valid_name(fn, "issuer", name))
  goto out;
 
- X509_CRL_get0_signature(crl->x509_crl, NULL, &palg);
- if (palg == NULL) {
- warnx("%s: X509_CRL_get0_signature", fn);
+ if ((nid = X509_CRL_get_signature_nid(crl->x509_crl)) == NID_undef) {
+ warnx("%s: unknown signature type", fn);
  goto out;
  }
- X509_ALGOR_get0(&cobj, NULL, NULL, palg);
- nid = OBJ_obj2nid(cobj);
  if (experimental && nid == NID_ecdsa_with_SHA256) {
  if (verbose)
  warnx("%s: P-256 support is experimental", fn);