authorTheo Buehler <tb@cvs.openbsd.org>2024-06-11 07:27:15 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2024-06-11 07:27:15 +0000
commit3bc0ef9240fe0e1ddc04e59379c24cfc7559e616 (patch)
tree04a32f85706c624ad9eaa357ad6aa7ad23e6ef7a /usr.sbin/rpki-client
parent9d4b22aaa748bc282a3b461fec9589391a266672 (diff)
rpki-client: simplify signature type checking for certs/CRLs
The OpenSSL 1.1 get_signature_nid() API is available for all libraries that we support and it does exactly what we want. It is much simpler than the unergonomic accessors we used previously. The ASN.1 templates ensure that the relevant struct members aren't NULL after successful deserialization, so the calls are safe. ok claudio
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/cert.c11
-rw-r--r--usr.sbin/rpki-client/crl.c11
2 files changed, 6 insertions, 16 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 6c8f7a2493b..4f80e182dd9 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.145 2024/06/10 10:50:13 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.146 2024/06/11 07:27:14 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -797,9 +797,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
int i, extsz;
X509 *x = NULL;
X509_EXTENSION *ext = NULL;
- const X509_ALGOR *palg;
const ASN1_BIT_STRING *piuid = NULL, *psuid = NULL;
- const ASN1_OBJECT *cobj;
ASN1_OBJECT *obj;
EVP_PKEY *pkey;
int nid, ip, as, sia, cp, crldp, aia, aki, ski,
@@ -832,13 +830,10 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
goto out;
}
- X509_get0_signature(NULL, &palg, x);
- if (palg == NULL) {
- warnx("%s: X509_get0_signature", fn);
+ if ((nid = X509_get_signature_nid(x)) == NID_undef) {
+ warnx("%s: unknown signature type", fn);
goto out;
}
- X509_ALGOR_get0(&cobj, NULL, NULL, palg);
- nid = OBJ_obj2nid(cobj);
if (experimental && nid == NID_ecdsa_with_SHA256) {
if (verbose)
warnx("%s: P-256 support is experimental", fn);
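Review bot: The NID returned by `X509_get_signature_nid()` in the added check after the `d2i_X509` block comes from the outer `signatureAlgorithm` only; the `TBSCertificate.signature` field, which RFC 5280 requires to be identical to it, is not consulted here, so a certificate whose two identifiers disagree passes this gate with the outer one's NID. The removed `X509_get0_signature()`/`X509_ALGOR_get0()` sequence read the same outer field, so this is not a regression, but it is worth recording: OpenSSL's `X509_verify()` compares the two identifiers before verifying, while whether the LibreSSL build and the `X509_CRL_verify()` path behind the parallel change in crl.c (`X509_CRL_get_signature_nid()`, same shape) do the same is not visible in the hunk and should be confirmed. A comment above the check would make the scope explicit, e.g. `/* Outer signatureAlgorithm only; the TBS signature field must match it and is left to the verify path. */`. cert_parse_pre() starts before this hunk and continues after it.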
diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index 0e7705c7429..fb9447ef31e 100644
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.37 2024/06/05 13:36:28 tb Exp $ */
+/* $OpenBSD: crl.c,v 1.38 2024/06/11 07:27:14 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -165,9 +165,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
{
const unsigned char *oder;
struct crl *crl;
- const X509_ALGOR *palg;
const X509_NAME *name;
- const ASN1_OBJECT *cobj;
const ASN1_TIME *at;
int count, nid, rc = 0;
@@ -200,13 +198,10 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
if (!x509_valid_name(fn, "issuer", name))
goto out;
- X509_CRL_get0_signature(crl->x509_crl, NULL, &palg);
- if (palg == NULL) {
- warnx("%s: X509_CRL_get0_signature", fn);
+ if ((nid = X509_CRL_get_signature_nid(crl->x509_crl)) == NID_undef) {
+ warnx("%s: unknown signature type", fn);
goto out;
}
- X509_ALGOR_get0(&cobj, NULL, NULL, palg);
- nid = OBJ_obj2nid(cobj);
if (experimental && nid == NID_ecdsa_with_SHA256) {
if (verbose)
warnx("%s: P-256 support is experimental", fn);