From: Theo Buehler <tb@theobuehler.org>
Subject: rpki-client: dedup SKI calculation
To: tech@openbsd.org
Date: Thu, 15 Feb 2024 11:25:21 +0100

It's not a huge win, but it gets rid of a bit of unnecessary duplication. 

Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.203 extern.h
--- extern.h	3 Feb 2024 14:30:47 -0000	1.203
+++ extern.h	15 Feb 2024 10:03:03 -0000
@@ -847,6 +847,7 @@ int		 x509_get_crl(X509 *, const char *,
 char		*x509_crl_get_aki(X509_CRL *, const char *);
 char		*x509_crl_get_number(X509_CRL *, const char *);
 char		*x509_get_pubkey(X509 *, const char *);
+char		*x509_pubkey_get_ski(X509_PUBKEY *, const char *);
 enum cert_purpose	 x509_get_purpose(X509 *, const char *);
 int		 x509_get_time(const ASN1_TIME *, time_t *);
 char		*x509_convert_seqnum(const char *, const ASN1_INTEGER *);
Index: print.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
diff -u -p -r1.48 print.c
--- print.c	13 Feb 2024 20:40:17 -0000	1.48
+++ print.c	15 Feb 2024 09:57:36 -0000
@@ -83,28 +83,16 @@ void
 tal_print(const struct tal *p)
 {
 	char			*ski;
-	const unsigned char	*der, *pkey_der;
+	const unsigned char	*der;
 	X509_PUBKEY		*pubkey;
-	ASN1_OBJECT		*obj;
-	unsigned char		 md[SHA_DIGEST_LENGTH];
-	int			 nid, der_len;
 	size_t			 i;
 
-	pkey_der = p->pkey;
-	if ((pubkey = d2i_X509_PUBKEY(NULL, &pkey_der, p->pkeysz)) == NULL)
+	der = p->pkey;
+	if ((pubkey = d2i_X509_PUBKEY(NULL, &der, p->pkeysz)) == NULL)
 		errx(1, "d2i_X509_PUBKEY failed");
 
-	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey))
-		errx(1, "X509_PUBKEY_get0_param failed");
-
-	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption)
-		errx(1, "RFC 7935: wrong signature algorithm %s, want %s",
-		    nid2str(nid), LN_rsaEncryption);
-
-	if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL))
-		errx(1, "EVP_Digest failed");
-
-	ski = hex_encode(md, SHA_DIGEST_LENGTH);
+	if ((ski = x509_pubkey_get_ski(pubkey, p->descr)) == NULL)
+		errx(1, "x509_pubkey_get_ski failed");
 
 	if (outformats & FORMAT_JSON) {
 		json_do_string("type", "tal");
Index: tak.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v
diff -u -p -r1.16 tak.c
--- tak.c	13 Feb 2024 22:44:21 -0000	1.16
+++ tak.c	15 Feb 2024 10:22:41 -0000
@@ -93,14 +93,11 @@ parse_takey(const char *fn, const TAKey 
 {
 	const ASN1_UTF8STRING	*comment;
 	const ASN1_IA5STRING	*certURI;
-	X509_PUBKEY		*pkey;
-	ASN1_OBJECT		*obj;
+	X509_PUBKEY		*pubkey;
 	struct takey		*res = NULL;
-	const unsigned char	*der;
-	unsigned char		*pkey_der = NULL;
-	unsigned char		 md[SHA_DIGEST_LENGTH];
+	unsigned char		*der = NULL;
 	size_t			 i;
-	int			 der_len, nid, pkey_der_len;
+	int			 der_len;
 
 	if ((res = calloc(1, sizeof(struct takey))) == NULL)
 		err(1, NULL);
@@ -141,30 +138,16 @@ parse_takey(const char *fn, const TAKey 
 			err(1, NULL);
 	}
 
-	pkey = takey->subjectPublicKeyInfo;
-	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pkey)) {
-		warnx("%s: X509_PUBKEY_get0_param failed", fn);
+	pubkey = takey->subjectPublicKeyInfo;
+	if ((res->ski = x509_pubkey_get_ski(pubkey, fn)) == NULL)
 		goto err;
-	}
-
-	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
-		warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
-		    fn, nid2str(nid), LN_rsaEncryption);
-		goto err;
-	}
-
-	if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) {
-		warnx("%s: EVP_Digest failed", fn);
-		goto err;
-	}
-	res->ski = hex_encode(md, SHA_DIGEST_LENGTH);
 
-	if ((pkey_der_len = i2d_X509_PUBKEY(pkey, &pkey_der)) <= 0) {
+	if ((der_len = i2d_X509_PUBKEY(pubkey, &der)) <= 0) {
 		warnx("%s: i2d_X509_PUBKEY failed", fn);
 		goto err;
 	}
-	res->pubkey = pkey_der;
-	res->pubkeysz = pkey_der_len;
+	res->pubkey = der;
+	res->pubkeysz = der_len;
 
 	return res;
 
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.79 x509.c
--- x509.c	14 Feb 2024 10:49:00 -0000	1.79
+++ x509.c	15 Feb 2024 10:24:05 -0000
@@ -375,6 +375,38 @@ x509_get_pubkey(X509 *x, const char *fn)
 }
 
 /*
+ * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1.
+ * Returns allocated hex-encoded SKI on success, NULL on failure.
+ */
+char *
+x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn)
+{
+	ASN1_OBJECT		*obj;
+	const unsigned char	*der;
+	int			 der_len, nid;
+	unsigned char		 md[EVP_MAX_MD_SIZE];
+	unsigned int		 md_len = EVP_MAX_MD_SIZE;
+
+	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) {
+		warnx("%s: X509_PUBKEY_get0_param failed", fn);
+		return NULL;
+	}
+
+	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
+		warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
+		    fn, nid2str(nid), LN_rsaEncryption);
+		return NULL;
+	}
+
+	if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) {
+		warnx("%s: EVP_Digest failed", fn);
+		return NULL;
+	}
+
+	return hex_encode(md, md_len);
+}
+
+/*
  * Parse the Authority Information Access (AIA) extension
  * See RFC 6487, section 4.8.7 for details.
  * Returns NULL on failure, on success returns the AIA URI