From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: rpki-client: normalize nid printing
To: Theo Buehler <tb@theobuehler.org>
Cc: tech@openbsd.org
Date: Thu, 1 Feb 2024 14:07:04 +0100

On Thu, Feb 01, 2024 at 01:04:35PM +0100, Theo Buehler wrote:
> job ran into an issue yesterday, where the organizationName attribute's
> short name was "O", easy to misread as a zero. Another issue with using
> OBJ_nid2{ln,sn}() is that they can return NULL, which should not be
> printed directly.
> 
> The OID database is very inconsistent. Some OIDs have only an SN, others
> only an LN, long and short don't really mean anything in particular, but
> generally speaking the long name tends to be more human readable than
> the short name.
> 
> So add a helper that prefers the long name over the short name and
> always prints the nid. The buffer is long because long names can be long:
> we have:	"GOST R 34.11-2012 with GOST R 34.10-2012 (512 bit)"
> OpenSSL 3:	"X509v3 Attribute Authority Issuing Distribution Point".

Why are those APIs so unusable?
Diff is OK claudio@
One minor comment:

>  char *
> +nid2str(int nid)
> +{
> +	static char buf[128];
> +	const char *name;
> +
> +	if ((name = OBJ_nid2ln(nid)) == NULL)
> +		name = OBJ_nid2sn(nid);
> +	if (name == NULL)
> +		name = "unknown";
> +
> +	snprintf(buf, sizeof(buf), "%s (nid: %d)", name, nid);

Would it make sense to reverse this string as in "nid %d (%s)", nid, name?
In case OpenSSL adds an even longer long name it would truncate the string
but still show the NID number.

> +
> +	return buf;
> +}
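Review bot: nid2str() returns a pointer to its single static buf, so the result of one call is overwritten by the next; two calls in the same printf() argument list would print the same text twice. Either document in a comment that the returned string is only valid until the next call, or let the caller supply the buffer, e.g. nid2str(int nid, char *buf, size_t len). While here, the snprintf() return value could be checked so that a truncated name is at least noticed rather than silently shortened.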

-- 
:wq Claudio