rpki-client: remove cms_parse_validate_detached()
On Wed, Jan 14, 2026 at 08:11:01AM +0100, Theo Buehler wrote:
> Geofeed (RIP) was the only consumer of this and we don't have immediate
> plans to implement another detached content type. So we no longer need a
> BIO for the content. All callers of cms_parse_validate() pass in a &cmsz,
> and cms_parse_validate() itself passes in &res, so cms_extract_econtent()
> can lose the NULL checks.
>
> One could go further and untangle the cms_parse_validate() -> _internal()
> indirection, but for now this is good enough and I have some fiddly diffs
> in here.
It would be nice to have this out of the way. I'm also still waiting on
https://marc.info/?l=openbsd-tech&m=176893107713557&w=2
These are both pretty simple diffs :)
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
diff -u -p -r1.59 cms.c
--- cms.c 3 Dec 2025 10:19:28 -0000 1.59
+++ cms.c 21 Jan 2026 07:02:46 -0000
@@ -22,7 +22,6 @@
#include <string.h>
#include <unistd.h>
-#include <openssl/bio.h>
#include <openssl/cms.h>
#include "extern.h"
@@ -33,10 +32,6 @@ cms_extract_econtent(const char *fn, CMS
{
ASN1_OCTET_STRING **os = NULL;
- /* Detached signature case: no eContent to extract, so do nothing. */
- if (res == NULL || rsz == NULL)
- return 1;
-
if ((os = CMS_get0_content(cms)) == NULL || *os == NULL) {
warnx("%s: RFC 6488 section 2.1.4: "
"eContent: zero-length content", fn);
@@ -176,7 +171,7 @@ cms_SignerInfo_check_attributes(const ch
static int
cms_parse_validate_internal(struct cert **out_cert, const char *fn, int talid,
- const unsigned char *der, size_t len, const ASN1_OBJECT *oid, BIO *bio,
+ const unsigned char *der, size_t len, const ASN1_OBJECT *oid,
unsigned char **res, size_t *rsz, time_t *signtime)
{
struct cert *cert = NULL;
@@ -218,7 +213,7 @@ cms_parse_validate_internal(struct cert
* The CMS is self-signed with a signing certificate.
* Verify that the self-signage is correct.
*/
- if (!CMS_verify(cms, NULL, NULL, bio, NULL,
+ if (!CMS_verify(cms, NULL, NULL, NULL, NULL,
CMS_NO_SIGNER_CERT_VERIFY)) {
warnx("%s: CMS verification error", fn);
goto out;
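Review bot: The comment above the `CMS_verify()` call still only describes the self-signature check, while the fourth argument is now a hard-coded `NULL`, which is what makes a detached signature unverifiable on this path. As far as I know `CMS_verify()` fails when no detached content is passed and the CMS carries no embedded eContent, so this call becomes the first place such an object is rejected. That deserves a line in the comment, e.g. `* No detached content is passed: a CMS without embedded eContent must fail here.` A regress case that feeds a detached-signature object through `cms_parse_validate()` would pin the behaviour. The body of `cms_parse_validate_internal()` starts and ends outside this hunk.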
@@ -398,22 +393,8 @@ cms_parse_validate(struct cert **out_cer
unsigned char *res = NULL;
if (!cms_parse_validate_internal(out_cert, fn, talid, der, derlen, oid,
- NULL, &res, rsz, st))
+ &res, rsz, st))
return NULL;
return res;
-}
-
-/*
- * Parse and validate a detached CMS signature.
- * bio must contain the original message, der must contain the CMS.
- * Return the 1 on success, 0 on failure.
- */
-int
-cms_parse_validate_detached(struct cert **out_cert, const char *fn, int talid,
- const unsigned char *der, size_t derlen, const ASN1_OBJECT *oid, BIO *bio,
- time_t *st)
-{
- return cms_parse_validate_internal(out_cert, fn, talid, der, derlen,
- oid, bio, NULL, NULL, st);
}
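Review bot: `cms_parse_validate()` forwards the caller's `rsz` unchecked in `&res, rsz, st))`, and with the NULL guard dropped from `cms_extract_econtent()` in the second cms.c hunk, nothing visible on this path tolerates a NULL `rsz` any more. The description says every current caller passes `&cmsz`, so this is a contract change rather than a bug, but the requirement is not written down anywhere in the diff. I would state it in the comment above `cms_parse_validate()`, which starts outside this hunk, e.g. `* rsz must not be NULL; it receives the eContent length.` That the length is stored through `rsz` is inferred, since the rest of `cms_extract_econtent()` is not shown.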
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.272 extern.h
--- extern.h 20 Jan 2026 16:49:03 -0000 1.272
+++ extern.h 21 Jan 2026 07:02:46 -0000
@@ -797,9 +797,6 @@ int valid_spl(const char *, struct cer
unsigned char *cms_parse_validate(struct cert **, const char *, int,
const unsigned char *, size_t, const ASN1_OBJECT *,
size_t *, time_t *);
-int cms_parse_validate_detached(struct cert **, const char *, int,
- const unsigned char *, size_t, const ASN1_OBJECT *, BIO *,
- time_t *);
/* Work with RFC 3779 IP addresses, prefixes, ranges. */