From: Claudio Jeker
Subject: Re: rpki-client: convert cert and crl to opaque ASN1_STRING
To: Theo Buehler
Cc: tech@openbsd.org
Date: Mon, 1 Dec 2025 15:13:37 +0100

On Mon, Dec 01, 2025 at 02:49:03PM +0100, Theo Buehler wrote:
> Here's another chunk of the ASN1_STRING conversion. Nothing really
> interesting here. Since these are ASN1_STRINGs from serialization,
> length > 0 implies data != NULL, so we can drop a check or two.
> 
> I know it's boring and ugly.

OK claudio@

> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> diff -u -p -r1.207 cert.c
> --- cert.c 18 Nov 2025 14:04:45 -0000 1.207
> +++ cert.c 29 Nov 2025 09:32:00 -0000
> @@ -423,7 +423,7 @@ cert_ski(const char *fn, struct cert *ce
> ASN1_OCTET_STRING *os = NULL;
> unsigned char md[EVP_MAX_MD_SIZE];
> unsigned int md_len = EVP_MAX_MD_SIZE;
> - int rc = 0;
> + int length, rc = 0;
> 
> assert(cert->ski == NULL);
> 
> @@ -443,14 +443,15 @@ cert_ski(const char *fn, struct cert *ce
> goto out;
> }
> 
> - if (os->length < 0 || md_len != (unsigned int)os->length) {
> + length = ASN1_STRING_length(os);
> + if (length < 0 || md_len != (unsigned int)length) {
> warnx("%s: RFC 6487 section 4.8.2: SKI: "
> "want %u bytes SHA1 hash, have %d bytes",
> - fn, md_len, os->length);
> + fn, md_len, length);
> goto out;
> }
> 
> - if (memcmp(os->data, md, md_len) != 0) {
> + if (memcmp(ASN1_STRING_get0_data(os), md, md_len) != 0) {
> warnx("%s: SKI does not match SHA1 hash of SPK", fn);
> goto out;
> }
> @@ -467,7 +468,7 @@ static int
> cert_aki(const char *fn, struct cert *cert, X509_EXTENSION *ext)
> {
> AUTHORITY_KEYID *akid = NULL;
> - int rc = 0;
> + int length, rc = 0;
> 
> assert(cert->aki == NULL);
> 
> @@ -487,19 +488,20 @@ cert_aki(const char *fn, struct cert *ce
> goto out;
> }
> 
> - if (akid->keyid == NULL || akid->keyid->data == NULL) {
> + if (akid->keyid == NULL) {
> warnx("%s: RFC 6487 section 4.8.3: AKI: Key Identifier missing",
> fn);
> goto out;
> }
> - if (akid->keyid->length != SHA_DIGEST_LENGTH) {
> + length = ASN1_STRING_length(akid->keyid);
> + if (length != SHA_DIGEST_LENGTH) {
> warnx("%s: RFC 6487 section 4.8.3: AKI: "
> "want %d bytes SHA1 hash, have %d bytes",
> - fn, SHA_DIGEST_LENGTH, akid->keyid->length);
> + fn, SHA_DIGEST_LENGTH, length);
> goto out;
> }
> 
> - cert->aki = hex_encode(akid->keyid->data, akid->keyid->length);
> + cert->aki = hex_encode(ASN1_STRING_get0_data(akid->keyid), length);
> 
> rc = 1;
> out:
> Index: crl.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
> diff -u -p -r1.51 crl.c
> --- crl.c 18 Nov 2025 14:04:45 -0000 1.51
> +++ crl.c 29 Nov 2025 09:32:00 -0000
> @@ -105,8 +105,8 @@ crl_get_aki(const char *fn, X509_CRL *x5
> goto out;
> }
> 
> - d = os->data;
> - dsz = os->length;
> + d = ASN1_STRING_get0_data(os);
> + dsz = ASN1_STRING_length(os);
> 
> if (dsz != SHA_DIGEST_LENGTH) {
> warnx("%s: RFC 6487 section 4.8.3: AKI: "
> 
-- 
:wq Claudio
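Review bot: The `length < 0` test kept in cert_ski's new check (hunk @@ -443) now exists only to make the `(unsigned int)length` cast on the same line well-defined, and nothing in the code says so; a reader will wonder why cert_aki and crl_get_aki get by with a plain `!= SHA_DIGEST_LENGTH` comparison while this site needs a sign check. A comment above the check, `/* guard the unsigned cast; a decoded OCTET STRING never has a negative length */`, would record the reasoning the commit message gives. cert_ski's body, including where os is decoded and md_len is set, lies outside the hunk.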
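Review bot: Dropping the `akid->keyid->data == NULL` test in cert_aki makes the `hex_encode(ASN1_STRING_get0_data(akid->keyid), length)` call depend on an invariant the code no longer states: for an ASN1_STRING produced by the decoder, `length == SHA_DIGEST_LENGTH` (so length > 0) implies ASN1_STRING_get0_data() is non-NULL. The commit message says this, the code does not; a one-line comment before the hex_encode call, `/* length == SHA_DIGEST_LENGTH > 0 implies get0_data() != NULL for a decoded string */`, would keep the next reader from re-adding the check or flagging this as a NULL dereference. The same applies to the crl.c hunk in crl_get_aki, where `d` is taken from ASN1_STRING_get0_data(os) and presumably used after the dsz check, outside the hunk. In crl_get_aki also note that ASN1_STRING_get0_data() returns `const unsigned char *`; d's declaration is outside the hunk, so if it is not const-qualified the new assignment will draw a discarded-qualifier warning.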