From: Theo Buehler
Subject: rpki-client: convert rsc, tak, x509 to opaque ASN1_STRING
To: tech@openbsd.org
Date: Tue, 2 Dec 2025 09:50:12 +0100
These three are entirely straightforward conversions. There's a forgotten XXX in parse_takey() which I'll fix in a follow-up.
Index: rsc.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
diff -u -p -r1.42 rsc.c
--- rsc.c 24 Aug 2025 12:34:39 -0000 1.42
+++ rsc.c 29 Nov 2025 09:32:00 -0000
@@ -228,7 +228,6 @@ rsc_parse_checklist(const char *fn, stru
 const STACK_OF(FileNameAndHash) *checkList)
 {
 FileNameAndHash *fh;
- ASN1_IA5STRING *fileName;
 struct rscfile *file;
 size_t num_files, i;
@@ -249,25 +248,33 @@ rsc_parse_checklist(const char *fn, stru
 rsc->num_files = num_files;
 for (i = 0; i < num_files; i++) {
+ const unsigned char *data;
+ int length;
+
 fh = sk_FileNameAndHash_value(checkList, i);
 file = &rsc->files[i];
- if (fh->hash->length != SHA256_DIGEST_LENGTH) {
+ data = ASN1_STRING_get0_data(fh->hash);
+ length = ASN1_STRING_length(fh->hash);
+ if (length != SHA256_DIGEST_LENGTH) {
 warnx("%s: RSC Digest: invalid SHA256 length", fn);
 return 0;
 }
- memcpy(file->hash, fh->hash->data, SHA256_DIGEST_LENGTH);
+ memcpy(file->hash, data, length);
- if ((fileName = fh->fileName) == NULL)
+ if (fh->fileName == NULL)
 continue;
- if (!valid_filename(fileName->data, fileName->length)) {
+ data = ASN1_STRING_get0_data(fh->fileName);
+ length = ASN1_STRING_length(fh->fileName);
+
+ if (!valid_filename(data, length)) {
 warnx("%s: RSC FileNameAndHash: bad filename", fn);
 return 0;
 }
- file->filename = strndup(fileName->data, fileName->length);
+ file->filename = strndup(data, length);
 if (file->filename == NULL)
 err(1, NULL);
 }
Index: tak.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v
diff -u -p -r1.27 tak.c
--- tak.c 19 Aug 2025 11:30:20 -0000 1.27
+++ tak.c 29 Nov 2025 09:32:00 -0000
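Review bot: `memcpy(file->hash, data, length);` now takes its byte count from the parsed input instead of from the size of the destination; the check just above pins `length` to SHA256_DIGEST_LENGTH, so the copy is correct today, but it should stay bounded by the destination and keep reading `memcpy(file->hash, data, SHA256_DIGEST_LENGTH);` so that a later edit to the check cannot widen the write (file->hash is declared outside the hunk, presumably as a SHA256_DIGEST_LENGTH-sized array). The same two locals `data` and `length` are then reassigned for the fileName string, so a reader has to track which ASN1_STRING they refer to at each use; naming the pairs `hash`/`hash_len` and `name`/`name_len`, or scoping each pair to its use, would make that explicit. rsc_parse_checklist's body continues before and after the hunk.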
@@ -68,9 +68,10 @@ parse_takey(const char *fn, const TAKey
 const ASN1_IA5STRING *certURI;
 X509_PUBKEY *pubkey;
 struct takey *res = NULL;
+ const unsigned char *data;
 unsigned char *der = NULL;
 size_t i;
- int der_len;
+ int der_len, length;
 if ((res = calloc(1, sizeof(struct takey))) == NULL)
 err(1, NULL);
@@ -83,11 +84,12 @@ parse_takey(const char *fn, const TAKey
 for (i = 0; i < res->num_comments; i++) {
 comment = sk_ASN1_UTF8STRING_value(takey->comments, i);
- res->comments[i] = calloc(comment->length + 1, 4);
+ data = ASN1_STRING_get0_data(comment);
+ length = ASN1_STRING_length(comment);
+ res->comments[i] = calloc(length + 1, 4);
 if (res->comments[i] == NULL)
 err(1, NULL);
- (void)strvisx(res->comments[i], comment->data,
- comment->length, VIS_SAFE);
+ (void)strvisx(res->comments[i], data, length, VIS_SAFE);
 }
 }
@@ -101,14 +103,16 @@ parse_takey(const char *fn, const TAKey
 for (i = 0; i < res->num_uris; i++) {
 certURI = sk_ASN1_IA5STRING_value(takey->certificateURIs, i);
- if (!valid_uri(certURI->data, certURI->length, NULL)) {
+ data = ASN1_STRING_get0_data(certURI);
+ length = ASN1_STRING_length(certURI);
+ if (!valid_uri(data, length, NULL)) {
 warnx("%s: invalid TA URI", fn);
 goto err;
 }
 /* XXX: enforce that protocol is rsync or https. */
- res->uris[i] = strndup(certURI->data, certURI->length);
+ res->uris[i] = strndup(data, length);
 if (res->uris[i] == NULL)
 err(1, NULL);
 }
Index: x509.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
diff -u -p -r1.123 x509.c
--- x509.c 18 Nov 2025 14:04:45 -0000 1.123
+++ x509.c 29 Nov 2025 09:32:00 -0000
@@ -312,7 +312,7 @@ int
 x509_get_generalized_time(const char *fn, const char *descr,
 const ASN1_TIME *at, time_t *t)
 {
- if (at->length != GENTIME_LENGTH) {
+ if (ASN1_STRING_length(at) != GENTIME_LENGTH) {
 warnx("%s: %s time format invalid", fn, descr);
 return 0;
 }
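Review bot: The factor 4 in `res->comments[i] = calloc(length + 1, 4);` is left unexplained; it is the worst-case expansion of strvisx(3), which can emit up to four output bytes per input byte, and the `+ 1` leaves room for the terminating NUL. A one-line comment above the call, `/* strvisx(3) may expand each byte to four; +1 for the NUL. */`, would save the next reader from re-deriving that bound. Separately, `data`/`length` are declared at function scope in parse_takey and reused by the URI loop in the following hunk, whereas the rsc.c hunk declares the pair inside the loop body; scoping them the same way here would keep the three conversions consistent. parse_takey's body continues outside the hunk.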
@@ -331,7 +331,8 @@ int
 x509_location(const char *fn, const char *descr,
 GENERAL_NAME *location, char **out)
 {
- ASN1_IA5STRING *uri;
+ const unsigned char *data;
+ int length;
 assert(*out == NULL);
@@ -340,14 +341,15 @@ x509_location(const char *fn, const char
 return 0;
 }
- uri = location->d.uniformResourceIdentifier;
+ data = ASN1_STRING_get0_data(location->d.uniformResourceIdentifier);
+ length = ASN1_STRING_length(location->d.uniformResourceIdentifier);
- if (!valid_uri(uri->data, uri->length, NULL)) {
+ if (!valid_uri(data, length, NULL)) {
 warnx("%s: RFC 6487 section 4.8: %s bad location", fn, descr);
 return 0;
 }
- if ((*out = strndup(uri->data, uri->length)) == NULL)
+ if ((*out = strndup(data, length)) == NULL)
 err(1, NULL);
 return 1;
@@ -375,7 +377,8 @@ valid_printable_octet(const uint8_t u8)
 static int
 valid_printable_string(const char *fn, const char *descr, const ASN1_STRING *as)
 {
- int i;
+ const unsigned char *data;
+ int i, length;
 /*
 * The following check can be enabled after AFRINIC re-issues CA certs.
@@ -388,10 +391,12 @@ valid_printable_string(const char *fn, c
 return 0;
 }
- for (i = 0; i < as->length; i++) {
- if (!valid_printable_octet(as->data[i])) {
+ data = ASN1_STRING_get0_data(as);
+ length = ASN1_STRING_length(as);
+ for (i = 0; i < length; i++) {
+ if (!valid_printable_octet(data[i])) {
 warnx("%s: invalid %s: PrintableString contains 0x%02x",
- fn, descr, as->data[i]);
+ fn, descr, data[i]);
 return 0;
 }
 }
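Review bot: In the x509_location hunk, `data = ASN1_STRING_get0_data(location->d.uniformResourceIdentifier);` and the `length` line below it each spell out the union member again, which makes this the one place in the series where the accessors are not applied to a short local. Keeping the removed variable as `const ASN1_IA5STRING *uri = location->d.uniformResourceIdentifier;` and then calling `ASN1_STRING_get0_data(uri)` and `ASN1_STRING_length(uri)` would read like rsc.c and tak.c and keep the selection of the union arm in one place, directly after whatever check returns 0 just above the hunk. This is a style point only; behaviour is unchanged. x509_location's body continues above and below the hunk.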