From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: rpki-client: dedup SKI calculation
To: Theo Buehler <tb@theobuehler.org>
Cc: tech@openbsd.org
Date: Thu, 15 Feb 2024 11:41:50 +0100

On Thu, Feb 15, 2024 at 11:25:21AM +0100, Theo Buehler wrote:
> It's not a huge win, but it gets rid of a bit of unnecessary duplication. 

Sure. Looks reasonable.
 
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.203 extern.h
> --- extern.h	3 Feb 2024 14:30:47 -0000	1.203
> +++ extern.h	15 Feb 2024 10:03:03 -0000
> @@ -847,6 +847,7 @@ int		 x509_get_crl(X509 *, const char *,
>  char		*x509_crl_get_aki(X509_CRL *, const char *);
>  char		*x509_crl_get_number(X509_CRL *, const char *);
>  char		*x509_get_pubkey(X509 *, const char *);
> +char		*x509_pubkey_get_ski(X509_PUBKEY *, const char *);
>  enum cert_purpose	 x509_get_purpose(X509 *, const char *);
>  int		 x509_get_time(const ASN1_TIME *, time_t *);
>  char		*x509_convert_seqnum(const char *, const ASN1_INTEGER *);
> Index: print.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/print.c,v
> diff -u -p -r1.48 print.c
> --- print.c	13 Feb 2024 20:40:17 -0000	1.48
> +++ print.c	15 Feb 2024 09:57:36 -0000
> @@ -83,28 +83,16 @@ void
>  tal_print(const struct tal *p)
>  {
>  	char			*ski;
> -	const unsigned char	*der, *pkey_der;
> +	const unsigned char	*der;
>  	X509_PUBKEY		*pubkey;
> -	ASN1_OBJECT		*obj;
> -	unsigned char		 md[SHA_DIGEST_LENGTH];
> -	int			 nid, der_len;
>  	size_t			 i;
>  
> -	pkey_der = p->pkey;
> -	if ((pubkey = d2i_X509_PUBKEY(NULL, &pkey_der, p->pkeysz)) == NULL)
> +	der = p->pkey;
> +	if ((pubkey = d2i_X509_PUBKEY(NULL, &der, p->pkeysz)) == NULL)
>  		errx(1, "d2i_X509_PUBKEY failed");
>  
> -	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey))
> -		errx(1, "X509_PUBKEY_get0_param failed");
> -
> -	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption)
> -		errx(1, "RFC 7935: wrong signature algorithm %s, want %s",
> -		    nid2str(nid), LN_rsaEncryption);
> -
> -	if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL))
> -		errx(1, "EVP_Digest failed");
> -
> -	ski = hex_encode(md, SHA_DIGEST_LENGTH);
> +	if ((ski = x509_pubkey_get_ski(pubkey, p->descr)) == NULL)
> +		errx(1, "x509_pubkey_get_ski failed");
>  
>  	if (outformats & FORMAT_JSON) {
>  		json_do_string("type", "tal");
> Index: tak.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v
> diff -u -p -r1.16 tak.c
> --- tak.c	13 Feb 2024 22:44:21 -0000	1.16
> +++ tak.c	15 Feb 2024 10:22:41 -0000
> @@ -93,14 +93,11 @@ parse_takey(const char *fn, const TAKey 
>  {
>  	const ASN1_UTF8STRING	*comment;
>  	const ASN1_IA5STRING	*certURI;
> -	X509_PUBKEY		*pkey;
> -	ASN1_OBJECT		*obj;
> +	X509_PUBKEY		*pubkey;
>  	struct takey		*res = NULL;
> -	const unsigned char	*der;
> -	unsigned char		*pkey_der = NULL;
> -	unsigned char		 md[SHA_DIGEST_LENGTH];
> +	unsigned char		*der = NULL;
>  	size_t			 i;
> -	int			 der_len, nid, pkey_der_len;
> +	int			 der_len;
>  
>  	if ((res = calloc(1, sizeof(struct takey))) == NULL)
>  		err(1, NULL);
> @@ -141,30 +138,16 @@ parse_takey(const char *fn, const TAKey 
>  			err(1, NULL);
>  	}
>  
> -	pkey = takey->subjectPublicKeyInfo;
> -	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pkey)) {
> -		warnx("%s: X509_PUBKEY_get0_param failed", fn);
> +	pubkey = takey->subjectPublicKeyInfo;
> +	if ((res->ski = x509_pubkey_get_ski(pubkey, fn)) == NULL)
>  		goto err;
> -	}
> -
> -	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
> -		warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
> -		    fn, nid2str(nid), LN_rsaEncryption);
> -		goto err;
> -	}
> -
> -	if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) {
> -		warnx("%s: EVP_Digest failed", fn);
> -		goto err;
> -	}
> -	res->ski = hex_encode(md, SHA_DIGEST_LENGTH);
>  
> -	if ((pkey_der_len = i2d_X509_PUBKEY(pkey, &pkey_der)) <= 0) {
> +	if ((der_len = i2d_X509_PUBKEY(pubkey, &der)) <= 0) {
>  		warnx("%s: i2d_X509_PUBKEY failed", fn);
>  		goto err;
>  	}
> -	res->pubkey = pkey_der;
> -	res->pubkeysz = pkey_der_len;
> +	res->pubkey = der;
> +	res->pubkeysz = der_len;
>  
>  	return res;
>  
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
> diff -u -p -r1.79 x509.c
> --- x509.c	14 Feb 2024 10:49:00 -0000	1.79
> +++ x509.c	15 Feb 2024 10:24:05 -0000
> @@ -375,6 +375,38 @@ x509_get_pubkey(X509 *x, const char *fn)
>  }
>  
>  /*
> + * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1.
> + * Returns allocated hex-encoded SKI on success, NULL on failure.
> + */
> +char *
> +x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn)
> +{
> +	ASN1_OBJECT		*obj;
> +	const unsigned char	*der;
> +	int			 der_len, nid;
> +	unsigned char		 md[EVP_MAX_MD_SIZE];
> +	unsigned int		 md_len = EVP_MAX_MD_SIZE;
> +
> +	if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) {
> +		warnx("%s: X509_PUBKEY_get0_param failed", fn);
> +		return NULL;
> +	}
> +
> +	if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
> +		warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
> +		    fn, nid2str(nid), LN_rsaEncryption);
> +		return NULL;
> +	}
> +
> +	if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) {
> +		warnx("%s: EVP_Digest failed", fn);
> +		return NULL;
> +	}
> +
> +	return hex_encode(md, md_len);
> +}
> +
> +/*
>   * Parse the Authority Information Access (AIA) extension
>   * See RFC 6487, section 4.8.7 for details.
>   * Returns NULL on failure, on success returns the AIA URI
> 

-- 
:wq Claudio