From: Claudio Jeker Subject: Re: rpki-client: convert rsc, tak, x509 to opaque ASN1_STRING To: Theo Buehler Cc: tech@openbsd.org Date: Tue, 2 Dec 2025 10:17:44 +0100 On Tue, Dec 02, 2025 at 09:50:12AM +0100, Theo Buehler wrote: > These three are entirely straightforward conversions. There's a > forgotten XXX in parse_takey() which I'll fix in a follow-up. OK claudio@
> Index: rsc.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
> diff -u -p -r1.42 rsc.c
> --- rsc.c 24 Aug 2025 12:34:39 -0000 1.42
> +++ rsc.c 29 Nov 2025 09:32:00 -0000
> @@ -228,7 +228,6 @@ rsc_parse_checklist(const char *fn, stru
> const STACK_OF(FileNameAndHash) *checkList)
> {
> FileNameAndHash *fh;
> - ASN1_IA5STRING *fileName;
> struct rscfile *file;
> size_t num_files, i;
> 
> @@ -249,25 +248,33 @@ rsc_parse_checklist(const char *fn, stru
> rsc->num_files = num_files;
> 
> for (i = 0; i < num_files; i++) {
> + const unsigned char *data;
> + int length;
> +
> fh = sk_FileNameAndHash_value(checkList, i);
> 
> file = &rsc->files[i];
> 
> - if (fh->hash->length != SHA256_DIGEST_LENGTH) {
> + data = ASN1_STRING_get0_data(fh->hash);
> + length = ASN1_STRING_length(fh->hash);
> + if (length != SHA256_DIGEST_LENGTH) {
> warnx("%s: RSC Digest: invalid SHA256 length", fn);
> return 0;
> }
> - memcpy(file->hash, fh->hash->data, SHA256_DIGEST_LENGTH);
> + memcpy(file->hash, data, length);
> 
> - if ((fileName = fh->fileName) == NULL)
> + if (fh->fileName == NULL)
> continue;
> 
> - if (!valid_filename(fileName->data, fileName->length)) {
> + data = ASN1_STRING_get0_data(fh->fileName);
> + length = ASN1_STRING_length(fh->fileName);
> +
> + if (!valid_filename(data, length)) {
> warnx("%s: RSC FileNameAndHash: bad filename", fn);
> return 0;
> }
> 
> - file->filename = strndup(fileName->data, fileName->length);
> + file->filename = strndup(data, length);
> if (file->filename == NULL)
> err(1, NULL);
> }
> Index: tak.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/tak.c,v
> diff -u -p -r1.27 tak.c
> --- tak.c 19 Aug 2025 11:30:20 -0000 1.27
> +++ tak.c 29 Nov 2025 09:32:00 -0000
> @@ -68,9 +68,10 @@ parse_takey(const char *fn, const TAKey
> const ASN1_IA5STRING *certURI;
> X509_PUBKEY *pubkey;
> struct takey *res = NULL;
> + const unsigned char *data;
> unsigned char *der = NULL;
> size_t i;
> - int der_len;
> + int der_len, length;
> 
> if ((res = calloc(1, sizeof(struct takey))) == NULL)
> err(1, NULL);
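Review bot: In rsc_parse_checklist the copy `memcpy(file->hash, data, length);` now takes its bound from the source length instead of the destination size; the preceding `if (length != SHA256_DIGEST_LENGTH)` check makes the two equal today, but the constant is what ties the write to the size of `file->hash`, and a later relaxation of that check would silently turn the memcpy into an overrun. Keeping `memcpy(file->hash, data, SHA256_DIGEST_LENGTH);` (or `sizeof file->hash`, if `hash` is a fixed array, which the hunk does not show) makes the destination bound explicit at the point of the write. rsc_parse_checklist continues past the end of this hunk.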
> @@ -83,11 +84,12 @@ parse_takey(const char *fn, const TAKey
> 
> for (i = 0; i < res->num_comments; i++) {
> comment = sk_ASN1_UTF8STRING_value(takey->comments, i);
> - res->comments[i] = calloc(comment->length + 1, 4);
> + data = ASN1_STRING_get0_data(comment);
> + length = ASN1_STRING_length(comment);
> + res->comments[i] = calloc(length + 1, 4);
> if (res->comments[i] == NULL)
> err(1, NULL);
> - (void)strvisx(res->comments[i], comment->data,
> - comment->length, VIS_SAFE);
> + (void)strvisx(res->comments[i], data, length, VIS_SAFE);
> }
> }
> 
> @@ -101,14 +103,16 @@ parse_takey(const char *fn, const TAKey
> 
> for (i = 0; i < res->num_uris; i++) {
> certURI = sk_ASN1_IA5STRING_value(takey->certificateURIs, i);
> - if (!valid_uri(certURI->data, certURI->length, NULL)) {
> + data = ASN1_STRING_get0_data(certURI);
> + length = ASN1_STRING_length(certURI);
> + if (!valid_uri(data, length, NULL)) {
> warnx("%s: invalid TA URI", fn);
> goto err;
> }
> 
> /* XXX: enforce that protocol is rsync or https. */
> 
> - res->uris[i] = strndup(certURI->data, certURI->length);
> + res->uris[i] = strndup(data, length);
> if (res->uris[i] == NULL)
> err(1, NULL);
> }
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
> diff -u -p -r1.123 x509.c
> --- x509.c 18 Nov 2025 14:04:45 -0000 1.123
> +++ x509.c 29 Nov 2025 09:32:00 -0000
> @@ -312,7 +312,7 @@ int
> x509_get_generalized_time(const char *fn, const char *descr,
> const ASN1_TIME *at, time_t *t)
> {
> - if (at->length != GENTIME_LENGTH) {
> + if (ASN1_STRING_length(at) != GENTIME_LENGTH) {
> warnx("%s: %s time format invalid", fn, descr);
> return 0;
> }
> @@ -331,7 +331,8 @@ int
> x509_location(const char *fn, const char *descr, GENERAL_NAME *location,
> char **out)
> {
> - ASN1_IA5STRING *uri;
> + const unsigned char *data;
> + int length;
> 
> assert(*out == NULL);
> 
> @@ -340,14 +341,15 @@ x509_location(const char *fn, const char
> return 0;
> }
> 
> - uri = location->d.uniformResourceIdentifier;
> + data = ASN1_STRING_get0_data(location->d.uniformResourceIdentifier);
> + length = ASN1_STRING_length(location->d.uniformResourceIdentifier);
> 
> - if (!valid_uri(uri->data, uri->length, NULL)) {
> + if (!valid_uri(data, length, NULL)) {
> warnx("%s: RFC 6487 section 4.8: %s bad location", fn, descr);
> return 0;
> }
> 
> - if ((*out = strndup(uri->data, uri->length)) == NULL)
> + if ((*out = strndup(data, length)) == NULL)
> err(1, NULL);
> 
> return 1;
> @@ -375,7 +377,8 @@ valid_printable_octet(const uint8_t u8)
> static int
> valid_printable_string(const char *fn, const char *descr, const ASN1_STRING *as)
> {
> - int i;
> + const unsigned char *data;
> + int i, length;
> 
> /*
> * The following check can be enabled after AFRINIC re-issues CA certs.
> @@ -388,10 +391,12 @@ valid_printable_string(const char *fn, c
> return 0;
> }
> 
> - for (i = 0; i < as->length; i++) {
> - if (!valid_printable_octet(as->data[i])) {
> + data = ASN1_STRING_get0_data(as);
> + length = ASN1_STRING_length(as);
> + for (i = 0; i < length; i++) {
> + if (!valid_printable_octet(data[i])) {
> warnx("%s: invalid %s: PrintableString contains 0x%02x",
> - fn, descr, as->data[i]);
> + fn, descr, data[i]);
> return 0;
> }
> }
> -- :wq Claudio
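Review bot: In x509_location the two added lines spell out `location->d.uniformResourceIdentifier` twice, once for `ASN1_STRING_get0_data()` and once for `ASN1_STRING_length()`, where the removed `uri` local did that job in one place; the opaque-accessor conversion does not require dropping the local, only const-qualifying it. A const pointer keeps the accessor calls short and makes it obvious both calls see the same string: `const ASN1_IA5STRING *uri = location->d.uniformResourceIdentifier;` followed by `data = ASN1_STRING_get0_data(uri);` and `length = ASN1_STRING_length(uri);`. The type check that guards the union member appears to sit just above this hunk, outside the visible lines.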