From: Theo Buehler
Subject: rpki-client: normalize nid printing
To: tech@openbsd.org
Date: Thu, 1 Feb 2024 13:04:35 +0100

job ran into an issue yesterday, where the organizationName attribute's short name was "O", easy to misread as a zero. Another issue with using OBJ_nid2{ln,sn}() is that they can return NULL, which should not be printed directly. The OID database is very inconsistent. Some OIDs have only an SN, others only an LN, long and short don't really mean anything in particular, but generally speaking the long name tends to be more human readable than the short name. So add a helper that prefers the long name over the short name and always prints the nid. The buffer is long because long names can be long: we have: "GOST R 34.11-2012 with GOST R 34.10-2012 (512 bit)" OpenSSL 3: "X509v3 Attribute Authority Issuing Distribution Point".

Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -r1.122 cert.c
--- cert.c 11 Jan 2024 11:55:14 -0000 1.122
+++ cert.c 1 Feb 2024 11:45:16 -0000
@@ -647,7 +647,7 @@ certificate_policies(struct parse *p, X5
 if ((nid = OBJ_obj2nid(qualifier->pqualid)) != NID_id_qt_cps) {
 warnx("%s: RFC 7318 section 2: certificatePolicies: "
- "want CPS, got %d (%s)", p->fn, nid, OBJ_nid2sn(nid));
+ "want CPS, got %s", p->fn, nid2str(nid));
 goto out;
 }
@@ -794,8 +794,7 @@ cert_parse_pre(const char *fn, const uns
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_sha256WithRSAEncryption) {
 warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid),
- OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ fn, nid2str(nid), LN_sha256WithRSAEncryption);
 goto out;
 }
@@ -970,8 +969,8 @@ cert_parse_pre(const char *fn, const uns
 return p.res;
 dup:
- warnx("%s: RFC 5280 section 4.2: duplicate %s extension", fn,
- OBJ_nid2sn(nid));
+ warnx("%s: RFC 5280 section 4.2: duplicate extension: %s", fn,
+ nid2str(nid));
 out:
 cert_free(p.res);
 X509_free(x);
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
diff -u -p -r1.41 cms.c
--- cms.c 10 Dec 2023 14:18:23 -0000 1.41
+++ cms.c 1 Feb 2024 11:45:06 -0000
@@ -259,7 +259,7 @@ cms_parse_validate_internal(X509 **xp, c
 nid = OBJ_obj2nid(obj);
 if (nid != NID_sha256) {
 warnx("%s: RFC 6488: wrong digest %s, want %s", fn,
- OBJ_nid2ln(nid), OBJ_nid2ln(NID_sha256));
+ nid2str(nid), LN_sha256);
 goto out;
 }
 X509_ALGOR_get0(&obj, NULL, NULL, psig);
@@ -271,7 +271,7 @@ cms_parse_validate_internal(X509 **xp, c
 } else if (nid != NID_rsaEncryption &&
 nid != NID_sha256WithRSAEncryption) {
 warnx("%s: RFC 6488: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid), OBJ_nid2ln(NID_rsaEncryption));
+ fn, nid2str(nid), LN_rsaEncryption);
 goto out;
 }
Index: crl.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
diff -u -p -r1.31 crl.c
--- crl.c 18 Jan 2024 14:34:26 -0000 1.31
+++ crl.c 1 Feb 2024 11:28:48 -0000
@@ -68,8 +68,7 @@ crl_parse(const char *fn, const unsigned
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_sha256WithRSAEncryption) {
 warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid),
- OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ fn, nid2str(nid), LN_sha256WithRSAEncryption);
 goto out;
 }
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.201 extern.h
--- extern.h 31 Jan 2024 06:57:21 -0000 1.201
+++ extern.h 1 Feb 2024 11:45:30 -0000
@@ -861,6 +861,7 @@ int x509_valid_subject(const char *, c
 time_t x509_find_expires(time_t, struct auth *, struct crl_tree *);
 /* printers */
+char *nid2str(int);
 char *time2str(time_t);
 void x509_print(const X509 *);
 void tal_print(const struct tal *);
Index: print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
diff -u -p -r1.45 print.c
--- print.c 18 Jan 2024 14:34:26 -0000 1.45
+++ print.c 1 Feb 2024 11:47:08 -0000
@@ -50,6 +50,22 @@ pretty_key_id(const char *hex)
 }
 char *
+nid2str(int nid)
+{
+ static char buf[128];
+ const char *name;
+
+ if ((name = OBJ_nid2ln(nid)) == NULL)
+ name = OBJ_nid2sn(nid);
+ if (name == NULL)
+ name = "unknown";
+
+ snprintf(buf, sizeof(buf), "%s (nid: %d)", name, nid);
+
+ return buf;
+}
+
+char *
 time2str(time_t t)
 {
 static char buf[64];
Index: validate.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/validate.c,v
diff -u -p -r1.70 validate.c
--- validate.c 7 Jan 2024 09:48:03 -0000 1.70
+++ validate.c 1 Feb 2024 11:23:16 -0000
@@ -665,7 +665,7 @@ valid_ca_pkey_ec(const char *fn, EVP_PKE
 nid = EC_GROUP_get_curve_name(group);
 if (nid != NID_X9_62_prime256v1) {
 if ((cname = EC_curve_nid2nist(nid)) == NULL)
- cname = OBJ_nid2sn(nid);
+ cname = nid2str(nid);
 warnx("%s: Expected P-256, got %s", fn, cname);
 return 0;
 }
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.76 x509.c
--- x509.c 31 Jan 2024 15:01:13 -0000 1.76
+++ x509.c 1 Feb 2024 11:46:01 -0000
@@ -362,7 +362,7 @@ x509_get_pubkey(X509 *x, const char *fn)
 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
 if (nid != NID_X9_62_prime256v1) {
 if ((cname = EC_curve_nid2nist(nid)) == NULL)
- cname = OBJ_nid2sn(nid);
+ cname = nid2str(nid);
 warnx("%s: Expected P-256, got %s", fn, cname);
 goto out;
 }
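Review bot: nid2str() in the print.c hunk returns a pointer into a function-static buffer, so the result is only valid until the next call and two nid2str() arguments in a single warnx() would print the same text twice; every call site in this patch uses it once per message and pairs it with an LN_* constant, which keeps that safe, but the contract should be stated above the function, e.g. `/* Returns a static buffer overwritten by the next call; use at most one nid2str() per message. */`. Because callers must not write into that buffer, returning `const char *` here and in the extern.h prototype would document that as well, though `char *` matches the neighbouring time2str(). For a nid outside the object table, OBJ_nid2ln() and OBJ_nid2sn() each return NULL and, if I recall the libcrypto implementation correctly, also push an unknown-nid error on the error queue, so a caller that later inspects the queue after this diagnostic would see stale entries; the "unknown" fallback itself is correct. The unchecked snprintf() return is fine: the buffer is always NUL-terminated and truncation only shortens a diagnostic.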
@@ -955,8 +955,8 @@ x509_valid_subject(const char *fn, const
 warnx("%s: OBJ_obj2nid failed", fn);
 return 0;
 default:
- warnx("%s: RFC 6487 section 4.5: unexpected attribute "
- "%d (%s)", fn, nid, OBJ_nid2ln(nid));
+ warnx("%s: RFC 6487 section 4.5: unexpected attribute"
+ " %s", fn, nid2str(nid));
 return 0;
 }
 }