From: Theo Buehler Subject: rpki-client: garbage collect some x509_* API To: tech@openbsd.org Date: Fri, 18 Jul 2025 14:29:38 +0200 This purely - diff could have been part of the previous diff, but that one was already large enough. Drop some unused code after it's been superseded by better versions in cert.c. No regress adjustment needed. Index: extern.h =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v diff -u -p -r1.249 extern.h --- extern.h 18 Jul 2025 12:20:32 -0000 1.249 +++ extern.h 18 Jul 2025 12:25:36 -0000 @@ -951,13 +951,6 @@ struct ibuf *io_buf_get(struct msgbuf *) void x509_init_oid(void); int x509_cache_extensions(X509 *, const char *); -int x509_get_aia(X509 *, const char *, char **); -int x509_get_aki(X509 *, const char *, char **); -int x509_get_sia(X509 *, const char *, char **); -int x509_get_ski(X509 *, const char *, char **); -int x509_get_notbefore(X509 *, const char *, time_t *); -int x509_get_notafter(X509 *, const char *, time_t *); -int x509_get_crl(X509 *, const char *, char **); char *x509_pubkey_get_ski(X509_PUBKEY *, const char *); int x509_get_time(const ASN1_TIME *, time_t *); char *x509_convert_seqnum(const char *, const char *, Index: x509.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v diff -u -p -r1.114 x509.c --- x509.c 10 Jul 2025 19:22:48 -0000 1.114 +++ x509.c 18 Jul 2025 12:25:36 -0000 @@ -158,119 +158,6 @@ x509_cache_extensions(X509 *x509, const } /* - * Parse X509v3 authority key identifier (AKI), RFC 6487 sec. 4.8.3. - * Returns the AKI or NULL if it could not be parsed. - * The AKI is formatted as a hex string. - */ -int -x509_get_aki(X509 *x, const char *fn, char **aki) -{ - const unsigned char *d; - AUTHORITY_KEYID *akid; - ASN1_OCTET_STRING *os; - int dsz, crit, rc = 0; - - *aki = NULL; - akid = X509_get_ext_d2i(x, NID_authority_key_identifier, &crit, NULL); - if (akid == NULL) { - if (crit != -1) { - warnx("%s: RFC 6487 section 4.8.3: error parsing AKI", - fn); - return 0; - } - return 1; - } - if (crit != 0) { - warnx("%s: RFC 6487 section 4.8.3: " - "AKI: extension not non-critical", fn); - goto out; - } - if (akid->issuer != NULL || akid->serial != NULL) { - warnx("%s: RFC 6487 section 4.8.3: AKI: " - "authorityCertIssuer or authorityCertSerialNumber present", - fn); - goto out; - } - - os = akid->keyid; - if (os == NULL) { - warnx("%s: RFC 6487 section 4.8.3: AKI: " - "Key Identifier missing", fn); - goto out; - } - - d = os->data; - dsz = os->length; - - if (dsz != SHA_DIGEST_LENGTH) { - warnx("%s: RFC 6487 section 4.8.3: AKI: " - "want %d bytes SHA1 hash, have %d bytes", - fn, SHA_DIGEST_LENGTH, dsz); - goto out; - } - - *aki = hex_encode(d, dsz); - rc = 1; -out: - AUTHORITY_KEYID_free(akid); - return rc; -} - -/* - * Validate the X509v3 subject key identifier (SKI), RFC 6487 section 4.8.2: - * "The SKI is a SHA-1 hash of the value of the DER-encoded ASN.1 BIT STRING of - * the Subject Public Key, as described in Section 4.2.1.2 of RFC 5280." - * Returns the SKI formatted as hex string, or NULL if it couldn't be parsed. - */ -int -x509_get_ski(X509 *x, const char *fn, char **ski) -{ - ASN1_OCTET_STRING *os; - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int md_len = EVP_MAX_MD_SIZE; - int crit, rc = 0; - - *ski = NULL; - os = X509_get_ext_d2i(x, NID_subject_key_identifier, &crit, NULL); - if (os == NULL) { - if (crit != -1) { - warnx("%s: RFC 6487 section 4.8.2: error parsing SKI", - fn); - return 0; - } - return 1; - } - if (crit != 0) { - warnx("%s: RFC 6487 section 4.8.2: " - "SKI: extension not non-critical", fn); - goto out; - } - - if (!X509_pubkey_digest(x, EVP_sha1(), md, &md_len)) { - warnx("%s: X509_pubkey_digest", fn); - goto out; - } - - if (os->length < 0 || md_len != (size_t)os->length) { - warnx("%s: RFC 6487 section 4.8.2: SKI: " - "want %u bytes SHA1 hash, have %d bytes", - fn, md_len, os->length); - goto out; - } - - if (memcmp(os->data, md, md_len) != 0) { - warnx("%s: SKI does not match SHA1 hash of SPK", fn); - goto out; - } - - *ski = hex_encode(md, md_len); - rc = 1; - out: - ASN1_OCTET_STRING_free(os); - return rc; -} - -/* * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1. * Returns allocated hex-encoded SKI on success, NULL on failure. */ @@ -304,219 +191,6 @@ x509_pubkey_get_ski(X509_PUBKEY *pubkey, } /* - * Parse the Authority Information Access (AIA) extension - * See RFC 6487, section 4.8.7 for details. - * Returns NULL on failure, on success returns the AIA URI - * (which has to be freed after use). - */ -int -x509_get_aia(X509 *x, const char *fn, char **out_aia) -{ - ACCESS_DESCRIPTION *ad; - AUTHORITY_INFO_ACCESS *info; - int crit, rc = 0; - - assert(*out_aia == NULL); - - info = X509_get_ext_d2i(x, NID_info_access, &crit, NULL); - if (info == NULL) { - if (crit != -1) { - warnx("%s: RFC 6487 section 4.8.7: error parsing AIA", - fn); - return 0; - } - return 1; - } - - if (crit != 0) { - warnx("%s: RFC 6487 section 4.8.7: " - "AIA: extension not non-critical", fn); - goto out; - } - - if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) { - warnx("%s: RFC 6487 section 4.8.7: AIA must be absent from " - "a self-signed certificate", fn); - goto out; - } - - if (sk_ACCESS_DESCRIPTION_num(info) != 1) { - warnx("%s: RFC 6487 section 4.8.7: AIA: " - "want 1 element, have %d", fn, - sk_ACCESS_DESCRIPTION_num(info)); - goto out; - } - - ad = sk_ACCESS_DESCRIPTION_value(info, 0); - if (OBJ_obj2nid(ad->method) != NID_ad_ca_issuers) { - warnx("%s: RFC 6487 section 4.8.7: AIA: " - "expected caIssuers, have %d", fn, OBJ_obj2nid(ad->method)); - goto out; - } - - if (!x509_location(fn, "AIA: caIssuers", ad->location, out_aia)) - goto out; - - rc = 1; - - out: - AUTHORITY_INFO_ACCESS_free(info); - return rc; -} - -/* - * Parse the Subject Information Access (SIA) extension for an EE cert. - * See RFC 6487, section 4.8.8.2 for details. - * Returns NULL on failure, on success returns the SIA signedObject URI - * (which has to be freed after use). - */ -int -x509_get_sia(X509 *x, const char *fn, char **out_sia) -{ - ACCESS_DESCRIPTION *ad; - AUTHORITY_INFO_ACCESS *info; - ASN1_OBJECT *oid; - int i, crit, rc = 0; - - assert(*out_sia == NULL); - - info = X509_get_ext_d2i(x, NID_sinfo_access, &crit, NULL); - if (info == NULL) { - if (crit != -1) { - warnx("%s: error parsing SIA", fn); - return 0; - } - return 1; - } - - if (crit != 0) { - warnx("%s: RFC 6487 section 4.8.8: " - "SIA: extension not non-critical", fn); - goto out; - } - - for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) { - char *sia; - - ad = sk_ACCESS_DESCRIPTION_value(info, i); - oid = ad->method; - - /* - * XXX: RFC 6487 4.8.8.2 states that the accessMethod MUST be - * signedObject. However, rpkiNotify accessMethods currently - * exist in the wild. Consider removing this special case. - * See also https://www.rfc-editor.org/errata/eid7239. - */ - if (OBJ_cmp(oid, notify_oid) == 0) { - if (verbose > 1) - warnx("%s: RFC 6487 section 4.8.8.2: SIA should" - " not contain rpkiNotify accessMethod", fn); - continue; - } - if (OBJ_cmp(oid, signedobj_oid) != 0) { - char buf[128]; - - OBJ_obj2txt(buf, sizeof(buf), oid, 0); - warnx("%s: RFC 6487 section 4.8.8.2: unexpected" - " accessMethod: %s", fn, buf); - goto out; - } - - sia = NULL; - if (!x509_location(fn, "SIA: signedObject", ad->location, &sia)) - goto out; - - if (*out_sia == NULL && strncasecmp(sia, RSYNC_PROTO, - RSYNC_PROTO_LEN) == 0) { - const char *p = sia + RSYNC_PROTO_LEN; - size_t fnlen, plen; - - if (filemode) { - if (rtype_from_file_extension(sia) != - rtype_from_file_extension(fn)) { - warnx("%s: SIA signedObject contains " - "unexpected filename extension", - fn); - free(sia); - goto out; - } - *out_sia = sia; - continue; - } - - fnlen = strlen(fn); - plen = strlen(p); - - if (fnlen < plen || strcmp(p, fn + fnlen - plen) != 0) { - warnx("%s: mismatch between pathname and SIA " - "(%s)", fn, sia); - free(sia); - goto out; - } - - *out_sia = sia; - continue; - } - if (verbose) - warnx("%s: RFC 6487 section 4.8.8: SIA: " - "ignoring location %s", fn, sia); - free(sia); - } - - if (*out_sia == NULL) { - warnx("%s: RFC 6487 section 4.8.8.2: " - "SIA without rsync accessLocation", fn); - goto out; - } - - rc = 1; - - out: - AUTHORITY_INFO_ACCESS_free(info); - return rc; -} - -/* - * Extract the notBefore of a certificate. - */ -int -x509_get_notbefore(X509 *x, const char *fn, time_t *tt) -{ - const ASN1_TIME *at; - - at = X509_get0_notBefore(x); - if (at == NULL) { - warnx("%s: X509_get0_notBefore failed", fn); - return 0; - } - if (!x509_get_time(at, tt)) { - warnx("%s: ASN1_TIME_to_tm failed", fn); - return 0; - } - return 1; -} - -/* - * Extract the notAfter from a certificate. - */ -int -x509_get_notafter(X509 *x, const char *fn, time_t *tt) -{ - const ASN1_TIME *at; - - at = X509_get0_notAfter(x); - if (at == NULL) { - warnx("%s: X509_get0_notafter failed", fn); - return 0; - } - if (!x509_get_time(at, tt)) { - warnx("%s: ASN1_TIME_to_tm failed", fn); - return 0; - } - return 1; -} - -/* * Check whether all RFC 3779 extensions are set to inherit. * Return 1 if both AS & IP are set to inherit. * Return 0 on failure (such as missing extensions or no inheritance). @@ -594,108 +268,6 @@ x509_any_inherits(X509 *x) ASIdentifiers_free(asidentifiers); sk_IPAddressFamily_pop_free(addrblk, IPAddressFamily_free); - return rc; -} - -/* - * Parse the very specific subset of information in the CRL distribution - * point extension. - * See RFC 6487, section 4.8.6 for details. - * Returns NULL on failure, the crl URI on success which has to be freed - * after use. - */ -int -x509_get_crl(X509 *x, const char *fn, char **out_crl) -{ - CRL_DIST_POINTS *crldp; - DIST_POINT *dp; - GENERAL_NAMES *names; - GENERAL_NAME *name; - int i, crit, rc = 0; - - assert(*out_crl == NULL); - - crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, &crit, NULL); - if (crldp == NULL) { - if (crit != -1) { - warnx("%s: RFC 6487 section 4.8.6: failed to parse " - "CRL distribution points", fn); - return 0; - } - return 1; - } - - if (crit != 0) { - warnx("%s: RFC 6487 section 4.8.6: " - "CRL distribution point: extension not non-critical", fn); - goto out; - } - - if (sk_DIST_POINT_num(crldp) != 1) { - warnx("%s: RFC 6487 section 4.8.6: CRL: " - "want 1 element, have %d", fn, - sk_DIST_POINT_num(crldp)); - goto out; - } - - dp = sk_DIST_POINT_value(crldp, 0); - if (dp->CRLissuer != NULL) { - warnx("%s: RFC 6487 section 4.8.6: CRL CRLIssuer field" - " disallowed", fn); - goto out; - } - if (dp->reasons != NULL) { - warnx("%s: RFC 6487 section 4.8.6: CRL Reasons field" - " disallowed", fn); - goto out; - } - if (dp->distpoint == NULL) { - warnx("%s: RFC 6487 section 4.8.6: CRL: " - "no distribution point name", fn); - goto out; - } - if (dp->distpoint->dpname != NULL) { - warnx("%s: RFC 6487 section 4.8.6: nameRelativeToCRLIssuer" - " disallowed", fn); - goto out; - } - /* Need to hardcode the alternative 0 due to missing macros or enum. */ - if (dp->distpoint->type != 0) { - warnx("%s: RFC 6487 section 4.8.6: CRL DistributionPointName:" - " expected fullName, have %d", fn, dp->distpoint->type); - goto out; - } - - names = dp->distpoint->name.fullname; - for (i = 0; i < sk_GENERAL_NAME_num(names); i++) { - char *crl = NULL; - - name = sk_GENERAL_NAME_value(names, i); - - if (!x509_location(fn, "CRL distribution point", name, &crl)) - goto out; - - if (*out_crl == NULL && strncasecmp(crl, RSYNC_PROTO, - RSYNC_PROTO_LEN) == 0) { - *out_crl = crl; - continue; - } - if (verbose) - warnx("%s: ignoring CRL distribution point %s", - fn, crl); - free(crl); - } - - if (*out_crl == NULL) { - warnx("%s: RFC 6487 section 4.8.6: no rsync URI " - "in CRL distributionPoint", fn); - goto out; - } - - rc = 1; - - out: - CRL_DIST_POINTS_free(crldp); return rc; }