Mailing List Archive

On Thu, Feb 15, 2024 at 11:25:21AM +0100, Theo Buehler wrote: > It's not a huge win, but it gets rid of a bit of unnecessary duplication. Sure. Looks reasonable. > Index: extern.h > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v > diff -u -p -r1.203 extern.h > --- extern.h 3 Feb 2024 14:30:47 -0000 1.203 > +++ extern.h 15 Feb 2024 10:03:03 -0000 > @@ -847,6 +847,7 @@ int x509_get_crl(X509 *, const char *, > char *x509_crl_get_aki(X509_CRL *, const char *); > char *x509_crl_get_number(X509_CRL *, const char *); > char *x509_get_pubkey(X509 *, const char *); > +char *x509_pubkey_get_ski(X509_PUBKEY *, const char *); > enum cert_purpose x509_get_purpose(X509 *, const char *); > int x509_get_time(const ASN1_TIME *, time_t *); > char *x509_convert_seqnum(const char *, const ASN1_INTEGER *); > Index: print.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v > diff -u -p -r1.48 print.c > --- print.c 13 Feb 2024 20:40:17 -0000 1.48 > +++ print.c 15 Feb 2024 09:57:36 -0000 > @@ -83,28 +83,16 @@ void > tal_print(const struct tal *p) > { > char *ski; > - const unsigned char *der, *pkey_der; > + const unsigned char *der; > X509_PUBKEY *pubkey; > - ASN1_OBJECT *obj; > - unsigned char md[SHA_DIGEST_LENGTH]; > - int nid, der_len; > size_t i; > > - pkey_der = p->pkey; > - if ((pubkey = d2i_X509_PUBKEY(NULL, &pkey_der, p->pkeysz)) == NULL) > + der = p->pkey; > + if ((pubkey = d2i_X509_PUBKEY(NULL, &der, p->pkeysz)) == NULL) > errx(1, "d2i_X509_PUBKEY failed"); > > - if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) > - errx(1, "X509_PUBKEY_get0_param failed"); > - > - if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) > - errx(1, "RFC 7935: wrong signature algorithm %s, want %s", > - nid2str(nid), LN_rsaEncryption); > - > - if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) > - errx(1, "EVP_Digest failed"); > - > - ski = hex_encode(md, SHA_DIGEST_LENGTH); > + if ((ski = x509_pubkey_get_ski(pubkey, p->descr)) == NULL) > + errx(1, "x509_pubkey_get_ski failed"); > > if (outformats & FORMAT_JSON) { > json_do_string("type", "tal"); > Index: tak.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v > diff -u -p -r1.16 tak.c > --- tak.c 13 Feb 2024 22:44:21 -0000 1.16 > +++ tak.c 15 Feb 2024 10:22:41 -0000 > @@ -93,14 +93,11 @@ parse_takey(const char *fn, const TAKey > { > const ASN1_UTF8STRING *comment; > const ASN1_IA5STRING *certURI; > - X509_PUBKEY *pkey; > - ASN1_OBJECT *obj; > + X509_PUBKEY *pubkey; > struct takey *res = NULL; > - const unsigned char *der; > - unsigned char *pkey_der = NULL; > - unsigned char md[SHA_DIGEST_LENGTH]; > + unsigned char *der = NULL; > size_t i; > - int der_len, nid, pkey_der_len; > + int der_len; > > if ((res = calloc(1, sizeof(struct takey))) == NULL) > err(1, NULL); > @@ -141,30 +138,16 @@ parse_takey(const char *fn, const TAKey > err(1, NULL); > } > > - pkey = takey->subjectPublicKeyInfo; > - if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pkey)) { > - warnx("%s: X509_PUBKEY_get0_param failed", fn); > + pubkey = takey->subjectPublicKeyInfo; > + if ((res->ski = x509_pubkey_get_ski(pubkey, fn)) == NULL) > goto err; > - } > - > - if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) { > - warnx("%s: RFC 7935: wrong signature algorithm %s, want %s", > - fn, nid2str(nid), LN_rsaEncryption); > - goto err; > - } > - > - if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) { > - warnx("%s: EVP_Digest failed", fn); > - goto err; > - } > - res->ski = hex_encode(md, SHA_DIGEST_LENGTH); > > - if ((pkey_der_len = i2d_X509_PUBKEY(pkey, &pkey_der)) <= 0) { > + if ((der_len = i2d_X509_PUBKEY(pubkey, &der)) <= 0) { > warnx("%s: i2d_X509_PUBKEY failed", fn); > goto err; > } > - res->pubkey = pkey_der; > - res->pubkeysz = pkey_der_len; > + res->pubkey = der; > + res->pubkeysz = der_len; > > return res; > > Index: x509.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v > diff -u -p -r1.79 x509.c > --- x509.c 14 Feb 2024 10:49:00 -0000 1.79 > +++ x509.c 15 Feb 2024 10:24:05 -0000 > @@ -375,6 +375,38 @@ x509_get_pubkey(X509 *x, const char *fn) > } > > /* > + * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1. > + * Returns allocated hex-encoded SKI on success, NULL on failure. > + */ > +char * > +x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn) > +{ > + ASN1_OBJECT *obj; > + const unsigned char *der; > + int der_len, nid; > + unsigned char md[EVP_MAX_MD_SIZE]; > + unsigned int md_len = EVP_MAX_MD_SIZE; > + > + if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) { > + warnx("%s: X509_PUBKEY_get0_param failed", fn); > + return NULL; > + } > + > + if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) { > + warnx("%s: RFC 7935: wrong signature algorithm %s, want %s", > + fn, nid2str(nid), LN_rsaEncryption); > + return NULL; > + } > + > + if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) { > + warnx("%s: EVP_Digest failed", fn); > + return NULL; > + } > + > + return hex_encode(md, md_len); > +} > + > +/* > * Parse the Authority Information Access (AIA) extension > * See RFC 6487, section 4.8.7 for details. > * Returns NULL on failure, on success returns the AIA URI > -- :wq Claudio

2024-02-15 10:25 Theo Buehler:
rpki-client: dedup SKI calculation
- 2024-02-15 10:41 Claudio Jeker:
  rpki-client: dedup SKI calculation