rpki-client: normalize nid printing
A job ran into an issue yesterday, where the organizationName attribute's
short name was "O", easy to misread as a zero. Another issue with using
OBJ_nid2{ln,sn}() is that they can return NULL, which should not be
printed directly.
The OID database is very inconsistent. Some OIDs have only an SN, others
only an LN, long and short don't really mean anything in particular, but
generally speaking the long name tends to be more human readable than
the short name.
So add a helper that prefers the long name over the short name and
always prints the nid. The buffer is long because long names can be long:
we have: "GOST R 34.11-2012 with GOST R 34.10-2012 (512 bit)"
OpenSSL 3: "X509v3 Attribute Authority Issuing Distribution Point".
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -r1.122 cert.c
--- cert.c 11 Jan 2024 11:55:14 -0000 1.122
+++ cert.c 1 Feb 2024 11:45:16 -0000
@@ -647,7 +647,7 @@ certificate_policies(struct parse *p, X5
if ((nid = OBJ_obj2nid(qualifier->pqualid)) != NID_id_qt_cps) {
warnx("%s: RFC 7318 section 2: certificatePolicies: "
- "want CPS, got %d (%s)", p->fn, nid, OBJ_nid2sn(nid));
+ "want CPS, got %s", p->fn, nid2str(nid));
goto out;
}
@@ -794,8 +794,7 @@ cert_parse_pre(const char *fn, const uns
warnx("%s: P-256 support is experimental", fn);
} else if (nid != NID_sha256WithRSAEncryption) {
warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid),
- OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ fn, nid2str(nid), LN_sha256WithRSAEncryption);
goto out;
}
@@ -970,8 +969,8 @@ cert_parse_pre(const char *fn, const uns
return p.res;
dup:
- warnx("%s: RFC 5280 section 4.2: duplicate %s extension", fn,
- OBJ_nid2sn(nid));
+ warnx("%s: RFC 5280 section 4.2: duplicate extension: %s", fn,
+ nid2str(nid));
out:
cert_free(p.res);
X509_free(x);
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
diff -u -p -r1.41 cms.c
--- cms.c 10 Dec 2023 14:18:23 -0000 1.41
+++ cms.c 1 Feb 2024 11:45:06 -0000
@@ -259,7 +259,7 @@ cms_parse_validate_internal(X509 **xp, c
nid = OBJ_obj2nid(obj);
if (nid != NID_sha256) {
warnx("%s: RFC 6488: wrong digest %s, want %s", fn,
- OBJ_nid2ln(nid), OBJ_nid2ln(NID_sha256));
+ nid2str(nid), LN_sha256);
goto out;
}
X509_ALGOR_get0(&obj, NULL, NULL, psig);
@@ -271,7 +271,7 @@ cms_parse_validate_internal(X509 **xp, c
} else if (nid != NID_rsaEncryption &&
nid != NID_sha256WithRSAEncryption) {
warnx("%s: RFC 6488: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid), OBJ_nid2ln(NID_rsaEncryption));
+ fn, nid2str(nid), LN_rsaEncryption);
goto out;
}
Index: crl.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
diff -u -p -r1.31 crl.c
--- crl.c 18 Jan 2024 14:34:26 -0000 1.31
+++ crl.c 1 Feb 2024 11:28:48 -0000
@@ -68,8 +68,7 @@ crl_parse(const char *fn, const unsigned
warnx("%s: P-256 support is experimental", fn);
} else if (nid != NID_sha256WithRSAEncryption) {
warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid),
- OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ fn, nid2str(nid), LN_sha256WithRSAEncryption);
goto out;
}
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.201 extern.h
--- extern.h 31 Jan 2024 06:57:21 -0000 1.201
+++ extern.h 1 Feb 2024 11:45:30 -0000
@@ -861,6 +861,7 @@ int x509_valid_subject(const char *, c
time_t x509_find_expires(time_t, struct auth *, struct crl_tree *);
/* printers */
+char *nid2str(int);
char *time2str(time_t);
void x509_print(const X509 *);
void tal_print(const struct tal *);
Index: print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
diff -u -p -r1.45 print.c
--- print.c 18 Jan 2024 14:34:26 -0000 1.45
+++ print.c 1 Feb 2024 11:47:08 -0000
@@ -50,6 +50,22 @@ pretty_key_id(const char *hex)
}
char *
+nid2str(int nid)
+{
+ static char buf[128];
+ const char *name;
+
+ if ((name = OBJ_nid2ln(nid)) == NULL)
+ name = OBJ_nid2sn(nid);
+ if (name == NULL)
+ name = "unknown";
+
+ snprintf(buf, sizeof(buf), "%s (nid: %d)", name, nid);
+
+ return buf;
+}
+
+char *
time2str(time_t t)
{
static char buf[64];
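Review bot: nid2str() hands back a pointer to one static buffer, so it is not reentrant and two calls inside the same argument list (say, a warnx() printing both the name we got and the name we want) would print the same text twice; every caller in this diff uses a single nid2str() per call and spells the expected side as an LN_* constant, so this holds today but nothing states it. A comment above the definition such as `/* Returns a static buffer: not thread-safe; use at most once per printf-style argument list. */` would make the constraint visible, and since no caller writes through the result the return type could be `const char *` (time2str has the same shape, so change both or neither). The unchecked snprintf() is fine as far as the page shows: 128 bytes covers the longest names cited in the description plus the " (nid: %d)" suffix. time2str continues past the end of the hunk.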
Index: validate.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
diff -u -p -r1.70 validate.c
--- validate.c 7 Jan 2024 09:48:03 -0000 1.70
+++ validate.c 1 Feb 2024 11:23:16 -0000
@@ -665,7 +665,7 @@ valid_ca_pkey_ec(const char *fn, EVP_PKE
nid = EC_GROUP_get_curve_name(group);
if (nid != NID_X9_62_prime256v1) {
if ((cname = EC_curve_nid2nist(nid)) == NULL)
- cname = OBJ_nid2sn(nid);
+ cname = nid2str(nid);
warnx("%s: Expected P-256, got %s", fn, cname);
return 0;
}
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.76 x509.c
--- x509.c 31 Jan 2024 15:01:13 -0000 1.76
+++ x509.c 1 Feb 2024 11:46:01 -0000
@@ -362,7 +362,7 @@ x509_get_pubkey(X509 *x, const char *fn)
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
if (nid != NID_X9_62_prime256v1) {
if ((cname = EC_curve_nid2nist(nid)) == NULL)
- cname = OBJ_nid2sn(nid);
+ cname = nid2str(nid);
warnx("%s: Expected P-256, got %s", fn, cname);
goto out;
}
@@ -955,8 +955,8 @@ x509_valid_subject(const char *fn, const
warnx("%s: OBJ_obj2nid failed", fn);
return 0;
default:
- warnx("%s: RFC 6487 section 4.5: unexpected attribute "
- "%d (%s)", fn, nid, OBJ_nid2ln(nid));
+ warnx("%s: RFC 6487 section 4.5: unexpected attribute"
+ " %s", fn, nid2str(nid));
return 0;
}
}