From: Theo Buehler
Subject: rpki-client: convert cert and crl to opaque ASN1_STRING
To: tech@openbsd.org
Date: Mon, 1 Dec 2025 14:49:03 +0100
Here's another chunk of the ASN1_STRING conversion. Nothing really interesting here. Since these are ASN1_STRINGs from serialization, length > 0 implies data != NULL, so we can drop a check or two. I know it's boring and ugly.
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
diff -u -p -r1.207 cert.c
--- cert.c 18 Nov 2025 14:04:45 -0000 1.207
+++ cert.c 29 Nov 2025 09:32:00 -0000
@@ -423,7 +423,7 @@ cert_ski(const char *fn, struct cert *ce
 ASN1_OCTET_STRING *os = NULL;
 unsigned char md[EVP_MAX_MD_SIZE];
 unsigned int md_len = EVP_MAX_MD_SIZE;
- int rc = 0;
+ int length, rc = 0;
 
 assert(cert->ski == NULL);
 
@@ -443,14 +443,15 @@ cert_ski(const char *fn, struct cert *ce
 goto out;
 }
 
- if (os->length < 0 || md_len != (unsigned int)os->length) {
+ length = ASN1_STRING_length(os);
+ if (length < 0 || md_len != (unsigned int)length) {
 warnx("%s: RFC 6487 section 4.8.2: SKI: "
 "want %u bytes SHA1 hash, have %d bytes",
- fn, md_len, os->length);
+ fn, md_len, length);
 goto out;
 }
 
- if (memcmp(os->data, md, md_len) != 0) {
+ if (memcmp(ASN1_STRING_get0_data(os), md, md_len) != 0) {
 warnx("%s: SKI does not match SHA1 hash of SPK", fn);
 goto out;
 }
@@ -467,7 +468,7 @@ static int
 cert_aki(const char *fn, struct cert *cert, X509_EXTENSION *ext)
 {
 AUTHORITY_KEYID *akid = NULL;
- int rc = 0;
+ int length, rc = 0;
 
 assert(cert->aki == NULL);
 
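Review bot: In the cert_ski hunk (`@@ -443,14 +443,15 @@`) the new `memcmp(ASN1_STRING_get0_data(os), md, md_len)` dereferences the accessor result with no NULL check, which is only safe because the test just above pinned `length` to `md_len` (a SHA1 digest length, judging by the warnx text) and, as the mail states, a decoded string with positive length always carries non-NULL data; that invariant is recorded nowhere in the code. I would pin it at the use site with `/* length == md_len > 0, so get0_data() is non-NULL for a decoded string. */` directly above the `if (memcmp(...))`. The cert_aki hunk (`@@ -487,19 +488,20 @@`) has the same shape and additionally drops the explicit `akid->keyid->data == NULL` test, so the `hex_encode(ASN1_STRING_get0_data(akid->keyid), length)` call deserves the same comment and now depends on the `length != SHA_DIGEST_LENGTH` check staying ahead of it. The two remaining cert.c hunks only add the `length` declaration. Both cert_ski and cert_aki start and end outside their hunks.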
@@ -487,19 +488,20 @@ cert_aki(const char *fn, struct cert *ce
 goto out;
 }
 
- if (akid->keyid == NULL || akid->keyid->data == NULL) {
+ if (akid->keyid == NULL) {
 warnx("%s: RFC 6487 section 4.8.3: AKI: Key Identifier missing",
 fn);
 goto out;
 }
 
- if (akid->keyid->length != SHA_DIGEST_LENGTH) {
+ length = ASN1_STRING_length(akid->keyid);
+ if (length != SHA_DIGEST_LENGTH) {
 warnx("%s: RFC 6487 section 4.8.3: AKI: "
 "want %d bytes SHA1 hash, have %d bytes",
- fn, SHA_DIGEST_LENGTH, akid->keyid->length);
+ fn, SHA_DIGEST_LENGTH, length);
 goto out;
 }
 
- cert->aki = hex_encode(akid->keyid->data, akid->keyid->length);
+ cert->aki = hex_encode(ASN1_STRING_get0_data(akid->keyid), length);
 rc = 1;
 out:
Index: crl.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
diff -u -p -r1.51 crl.c
--- crl.c 18 Nov 2025 14:04:45 -0000 1.51
+++ crl.c 29 Nov 2025 09:32:00 -0000
@@ -105,8 +105,8 @@ crl_get_aki(const char *fn, X509_CRL *x5
 goto out;
 }
 
- d = os->data;
- dsz = os->length;
+ d = ASN1_STRING_get0_data(os);
+ dsz = ASN1_STRING_length(os);
 if (dsz != SHA_DIGEST_LENGTH) {
 warnx("%s: RFC 6487 section 4.8.3: AKI: "