Download raw body.
rpki-client: dedup SKI calculation
It's not a huge win, but it gets rid of a bit of unnecessary duplication.
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.203 extern.h
--- extern.h 3 Feb 2024 14:30:47 -0000 1.203
+++ extern.h 15 Feb 2024 10:03:03 -0000
@@ -847,6 +847,7 @@ int x509_get_crl(X509 *, const char *,
char *x509_crl_get_aki(X509_CRL *, const char *);
char *x509_crl_get_number(X509_CRL *, const char *);
char *x509_get_pubkey(X509 *, const char *);
+char *x509_pubkey_get_ski(X509_PUBKEY *, const char *);
enum cert_purpose x509_get_purpose(X509 *, const char *);
int x509_get_time(const ASN1_TIME *, time_t *);
char *x509_convert_seqnum(const char *, const ASN1_INTEGER *);
Index: print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
diff -u -p -r1.48 print.c
--- print.c 13 Feb 2024 20:40:17 -0000 1.48
+++ print.c 15 Feb 2024 09:57:36 -0000
@@ -83,28 +83,16 @@ void
tal_print(const struct tal *p)
{
char *ski;
- const unsigned char *der, *pkey_der;
+ const unsigned char *der;
X509_PUBKEY *pubkey;
- ASN1_OBJECT *obj;
- unsigned char md[SHA_DIGEST_LENGTH];
- int nid, der_len;
size_t i;
- pkey_der = p->pkey;
- if ((pubkey = d2i_X509_PUBKEY(NULL, &pkey_der, p->pkeysz)) == NULL)
+ der = p->pkey;
+ if ((pubkey = d2i_X509_PUBKEY(NULL, &der, p->pkeysz)) == NULL)
errx(1, "d2i_X509_PUBKEY failed");
- if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey))
- errx(1, "X509_PUBKEY_get0_param failed");
-
- if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption)
- errx(1, "RFC 7935: wrong signature algorithm %s, want %s",
- nid2str(nid), LN_rsaEncryption);
-
- if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL))
- errx(1, "EVP_Digest failed");
-
- ski = hex_encode(md, SHA_DIGEST_LENGTH);
+ if ((ski = x509_pubkey_get_ski(pubkey, p->descr)) == NULL)
+ errx(1, "x509_pubkey_get_ski failed");
if (outformats & FORMAT_JSON) {
json_do_string("type", "tal");
Index: tak.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v
diff -u -p -r1.16 tak.c
--- tak.c 13 Feb 2024 22:44:21 -0000 1.16
+++ tak.c 15 Feb 2024 10:22:41 -0000
@@ -93,14 +93,11 @@ parse_takey(const char *fn, const TAKey
{
const ASN1_UTF8STRING *comment;
const ASN1_IA5STRING *certURI;
- X509_PUBKEY *pkey;
- ASN1_OBJECT *obj;
+ X509_PUBKEY *pubkey;
struct takey *res = NULL;
- const unsigned char *der;
- unsigned char *pkey_der = NULL;
- unsigned char md[SHA_DIGEST_LENGTH];
+ unsigned char *der = NULL;
size_t i;
- int der_len, nid, pkey_der_len;
+ int der_len;
if ((res = calloc(1, sizeof(struct takey))) == NULL)
err(1, NULL);
@@ -141,30 +138,16 @@ parse_takey(const char *fn, const TAKey
err(1, NULL);
}
- pkey = takey->subjectPublicKeyInfo;
- if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pkey)) {
- warnx("%s: X509_PUBKEY_get0_param failed", fn);
+ pubkey = takey->subjectPublicKeyInfo;
+ if ((res->ski = x509_pubkey_get_ski(pubkey, fn)) == NULL)
goto err;
- }
-
- if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
- warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
- fn, nid2str(nid), LN_rsaEncryption);
- goto err;
- }
-
- if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) {
- warnx("%s: EVP_Digest failed", fn);
- goto err;
- }
- res->ski = hex_encode(md, SHA_DIGEST_LENGTH);
- if ((pkey_der_len = i2d_X509_PUBKEY(pkey, &pkey_der)) <= 0) {
+ if ((der_len = i2d_X509_PUBKEY(pubkey, &der)) <= 0) {
warnx("%s: i2d_X509_PUBKEY failed", fn);
goto err;
}
- res->pubkey = pkey_der;
- res->pubkeysz = pkey_der_len;
+ res->pubkey = der;
+ res->pubkeysz = der_len;
return res;
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.79 x509.c
--- x509.c 14 Feb 2024 10:49:00 -0000 1.79
+++ x509.c 15 Feb 2024 10:24:05 -0000
@@ -375,6 +375,38 @@ x509_get_pubkey(X509 *x, const char *fn)
}
/*
+ * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1.
+ * Returns allocated hex-encoded SKI on success, NULL on failure.
+ */
+char *
+x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn)
+{
+ ASN1_OBJECT *obj;
+ const unsigned char *der;
+ int der_len, nid;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ unsigned int md_len = EVP_MAX_MD_SIZE;
+
+ if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) {
+ warnx("%s: X509_PUBKEY_get0_param failed", fn);
+ return NULL;
+ }
+
+ if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
+ warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
+ fn, nid2str(nid), LN_rsaEncryption);
+ return NULL;
+ }
+
+ if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) {
+ warnx("%s: EVP_Digest failed", fn);
+ return NULL;
+ }
+
+ return hex_encode(md, md_len);
+}
+
+/*
* Parse the Authority Information Access (AIA) extension
* See RFC 6487, section 4.8.7 for details.
* Returns NULL on failure, on success returns the AIA URI
rpki-client: dedup SKI calculation