Download raw body.
rpki-client: remove cms_parse_validate_detached()
On Fri, Jan 23, 2026 at 08:46:30AM +0100, Theo Buehler wrote:
> On Wed, Jan 14, 2026 at 08:11:01AM +0100, Theo Buehler wrote:
> > Geofeed (RIP) was the only consumer of this and we don't have immediate
> > plans to implement another detached content type. So we no longer need a
> > BIO for the content. All callers of cms_parse_validate() pass in a &cmsz,
> > and cms_parse_validate() itself passes in &res, so cms_extract_econtent()
> > can lose the NULL checks.
> >
> > One could go further and untangle the cms_parse_validate() -> _internal()
> > indirection, but for now this is good enough and I have some fiddly diffs
> > in here.
>
> It would be nice to have this out of the way. I'm also still waiting on
>
> https://marc.info/?l=openbsd-tech&m=176893107713557&w=2
>
> These are both pretty simple diffs :)
OK on the diff below. Need to look for the other.
> Index: cms.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
> diff -u -p -r1.59 cms.c
> --- cms.c 3 Dec 2025 10:19:28 -0000 1.59
> +++ cms.c 21 Jan 2026 07:02:46 -0000
> @@ -22,7 +22,6 @@
> #include <string.h>
> #include <unistd.h>
>
> -#include <openssl/bio.h>
> #include <openssl/cms.h>
>
> #include "extern.h"
> @@ -33,10 +32,6 @@ cms_extract_econtent(const char *fn, CMS
> {
> ASN1_OCTET_STRING **os = NULL;
>
> - /* Detached signature case: no eContent to extract, so do nothing. */
> - if (res == NULL || rsz == NULL)
> - return 1;
> -
> if ((os = CMS_get0_content(cms)) == NULL || *os == NULL) {
> warnx("%s: RFC 6488 section 2.1.4: "
> "eContent: zero-length content", fn);
> @@ -176,7 +171,7 @@ cms_SignerInfo_check_attributes(const ch
>
> static int
> cms_parse_validate_internal(struct cert **out_cert, const char *fn, int talid,
> - const unsigned char *der, size_t len, const ASN1_OBJECT *oid, BIO *bio,
> + const unsigned char *der, size_t len, const ASN1_OBJECT *oid,
> unsigned char **res, size_t *rsz, time_t *signtime)
> {
> struct cert *cert = NULL;
> @@ -218,7 +213,7 @@ cms_parse_validate_internal(struct cert
> * The CMS is self-signed with a signing certificate.
> * Verify that the self-signage is correct.
> */
> - if (!CMS_verify(cms, NULL, NULL, bio, NULL,
> + if (!CMS_verify(cms, NULL, NULL, NULL, NULL,
> CMS_NO_SIGNER_CERT_VERIFY)) {
> warnx("%s: CMS verification error", fn);
> goto out;
> @@ -398,22 +393,8 @@ cms_parse_validate(struct cert **out_cer
> unsigned char *res = NULL;
>
> if (!cms_parse_validate_internal(out_cert, fn, talid, der, derlen, oid,
> - NULL, &res, rsz, st))
> + &res, rsz, st))
> return NULL;
>
> return res;
> -}
> -
> -/*
> - * Parse and validate a detached CMS signature.
> - * bio must contain the original message, der must contain the CMS.
> - * Return the 1 on success, 0 on failure.
> - */
> -int
> -cms_parse_validate_detached(struct cert **out_cert, const char *fn, int talid,
> - const unsigned char *der, size_t derlen, const ASN1_OBJECT *oid, BIO *bio,
> - time_t *st)
> -{
> - return cms_parse_validate_internal(out_cert, fn, talid, der, derlen,
> - oid, bio, NULL, NULL, st);
> }
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.272 extern.h
> --- extern.h 20 Jan 2026 16:49:03 -0000 1.272
> +++ extern.h 21 Jan 2026 07:02:46 -0000
> @@ -797,9 +797,6 @@ int valid_spl(const char *, struct cer
> unsigned char *cms_parse_validate(struct cert **, const char *, int,
> const unsigned char *, size_t, const ASN1_OBJECT *,
> size_t *, time_t *);
> -int cms_parse_validate_detached(struct cert **, const char *, int,
> - const unsigned char *, size_t, const ASN1_OBJECT *, BIO *,
> - time_t *);
>
> /* Work with RFC 3779 IP addresses, prefixes, ranges. */
>
>
--
:wq Claudio
rpki-client: remove cms_parse_validate_detached()