From: Theo Buehler
Subject: rpki-client: hexdump unknown extensions
To: tech@openbsd.org
Date: Sat, 21 Jun 2025 09:32:11 +0200

job found a test roa which looks pretty odd in the rpki-client -vf output
since its signer cert contains a weird non-critical extension - in fact a
crl distribution point with a mangled OID. We should reject this ROA since
the EE cert has no CRLDP extension. I am working on fixing this, also in
normal mode. Nevertheless, since the ext isn't critical, we might still
accept an EE cert containing it. It currently looks like this:

...
            Subject Information Access:
                Signed Object - URI:rsync://my.server.com/data/my.server.com/repo/0/223.roa
            0.31:
                0d0b.`.^.\rsync://my.server.com/data/my.server.com/repo/0/49bcd8158062792e5a8b7fd810148fae5e4d4623.crl
            X509v3 Authority Key Identifier:
                keyid:B5:B5:53:CE:63:8E:70:D7:E7:0F:57:12:1A:AF:F6:77:A4:3E:FA:CA
...

This dumps that extension's value via ASN1_STRING_print() to stdout, which
looks odd, and it specifically lets \r and \n through, which is not great.
Let's use a hexdump, which is better at sanitizing, and it makes it clearer
that we didn't accidentally dump garbage to stdout. This uses
BIO_dump_indent() internally, which I rewrote a while back. Now in OpenSSL
this function is still the rather horrific tjh garbage it's always been,
but shrug.

The above would then look like this.

...
            Subject Information Access:
                Signed Object - URI:rsync://my.server.com/data/my.server.com/repo/0/223.roa
            0.31:
                0000 - 30 64 30 62 a0 60 a0 5e-86 5c 72 73 79   0d0b.`.^.\rsy
                000d - 6e 63 3a 2f 2f 6d 79 2e-73 65 72 76 65   nc://my.serve
                001a - 72 2e 63 6f 6d 2f 64 61-74 61 2f 6d 79   r.com/data/my
                0027 - 2e 73 65 72 76 65 72 2e-63 6f 6d 2f 72   .server.com/r
                0034 - 65 70 6f 2f 30 2f 34 39-62 63 64 38 31   epo/0/49bcd81
                0041 - 35 38 30 36 32 37 39 32-65 35 61 38 62   58062792e5a8b
                004e - 37 66 64 38 31 30 31 34-38 66 61 65 35   7fd810148fae5
                005b - 65 34 64 34 36 32 33 2e-63 72 6c         e4d4623.crl
            X509v3 Authority Key Identifier:
                keyid:B5:B5:53:CE:63:8E:70:D7:E7:0F:57:12:1A:AF:F6:77:A4:3E:FA:CA
...

Long story short: replace X509_FLAG_COMPAT (aka 0) in X509_print_ex_fp()
as called by X509_print_fp() with X509V3_EXT_DUMP_UNKNOWN.

Index: filemode.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/filemode.c,v
diff -u -p -r1.60 filemode.c
--- filemode.c	13 Jun 2025 12:29:58 -0000	1.60
+++ filemode.c	20 Jun 2025 17:42:51 -0000
@@ -643,7 +643,8 @@ proc_parser_file(char *file, unsigned ch
 			goto out;
 
 		if (verbose) {
-			if (!X509_print_fp(stdout, x509))
+			if (!X509_print_ex_fp(stdout, x509, XN_FLAG_COMPAT,
+			    X509V3_EXT_DUMP_UNKNOWN))
 				errx(1, "X509_print_fp");
 		}
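Review bot: the unchanged context line `errx(1, "X509_print_fp");` still names the function the hunk replaces; with the call now being `X509_print_ex_fp(stdout, x509, XN_FLAG_COMPAT, X509V3_EXT_DUMP_UNKNOWN)`, the message should become `errx(1, "X509_print_ex_fp");` so that a failure points at the call actually made. Passing XN_FLAG_COMPAT as the name flags and only swapping the certificate flags for X509V3_EXT_DUMP_UNKNOWN matches what the mail says X509_print_fp() passed before, so the rest of the hunk looks right.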
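An added example, not part of the mail, rpki-client or libcrypto: a small C reimplementation of the BIO_dump_indent() row format, run over the DER bytes of the extension shown above (constructed from the mail's own hexdump), to show why the hexdump is the safer way to print an unknown extension: \r, \n and every other non-printable byte are rendered as '.' instead of being written to the terminal. The names build_ext_value() and hexdump_row() are assumptions; the row width of 13 matches the indented output above.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: the DER value of the mangled CRLDP extension from the
 * mail, SEQUENCE { SEQUENCE { [0] { [0] { [6] IA5String uri } } } }, i.e.
 * 10 header bytes followed by the 92-byte rsync URI. */
static const unsigned char ext_hdr[] = {
	0x30, 0x64, 0x30, 0x62, 0xa0, 0x60, 0xa0, 0x5e, 0x86, 0x5c
};
static const char ext_uri[] =
    "rsync://my.server.com/data/my.server.com/repo/0/"
    "49bcd8158062792e5a8b7fd810148fae5e4d4623.crl";
/* Assemble the extension value into buf; returns its length, 0 if buf is too small. */
size_t
build_ext_value(unsigned char *buf, size_t bufsz)
{
	size_t len = sizeof(ext_hdr) + strlen(ext_uri);

	if (bufsz < len)
		return 0;
	memcpy(buf, ext_hdr, sizeof(ext_hdr));
	memcpy(buf + sizeof(ext_hdr), ext_uri, strlen(ext_uri));
	return len;
}
/* Write one BIO_dump_indent()-style row ("oooo - xx xx ...  ascii") for up to
 * width bytes at offset off into out (needs 8 + 4*width + 3 bytes). Only
 * printable ASCII reaches the right-hand column; \r, \n and every other
 * byte outside ' '..'~' become '.', so untrusted certificate bytes never hit
 * the terminal as control characters. Returns the bytes consumed, 0 at end.
 * Simplified reimplementation for this example, not the libcrypto code. */
size_t
hexdump_row(const unsigned char *buf, size_t len, size_t off, size_t width,
    char *out, size_t outsz)
{
	size_t n, i, pos = 0;

	if (off >= len || width == 0 || outsz < 8 + 4 * width + 3)
		return 0;
	n = len - off < width ? len - off : width;
	pos += snprintf(out + pos, outsz - pos, "%04zx - ", off);
	for (i = 0; i < width; i++)
		pos += i < n ? snprintf(out + pos, outsz - pos, "%02x%c",
		    buf[off + i], i == 7 ? '-' : ' ') :
		    snprintf(out + pos, outsz - pos, "   ");
	pos += snprintf(out + pos, outsz - pos, "  ");
	for (i = 0; i < n; i++)
		out[pos++] = buf[off + i] >= ' ' && buf[off + i] <= '~' ?
		    buf[off + i] : '.';
	out[pos] = '\0';
	return n;
}
```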