From: Theo Buehler Subject: rpki-client: remove cms_parse_validate_detached() To: tech@openbsd.org Date: Wed, 14 Jan 2026 08:11:01 +0100 Geofeed (RIP) was the only consumer of this and we don't have immediate plans to implement another detached content type. So we no longer need a BIO for the content. All callers of cms_parse_validate() pass in a &cmsz, and cms_parse_validate() itself passes in &res, so cms_extract_econtent() can lose the NULL checks. One could go further and untangle the cms_parse_validate() -> _internal() indirection, but for now this is good enough and I have some fiddly diffs in here.
Index: cms.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
diff -u -p -r1.59 cms.c
--- cms.c 3 Dec 2025 10:19:28 -0000 1.59
+++ cms.c 13 Jan 2026 22:33:00 -0000
@@ -22,7 +22,6 @@ #include #include -#include #include #include "extern.h"
@@ -33,10 +32,6 @@ cms_extract_econtent(const char *fn, CMS { ASN1_OCTET_STRING **os = NULL; - /* Detached signature case: no eContent to extract, so do nothing. */ - if (res == NULL || rsz == NULL) - return 1; - if ((os = CMS_get0_content(cms)) == NULL || *os == NULL) { warnx("%s: RFC 6488 section 2.1.4: " "eContent: zero-length content", fn);
@@ -176,7 +171,7 @@ cms_SignerInfo_check_attributes(const ch static int cms_parse_validate_internal(struct cert **out_cert, const char *fn, int talid, - const unsigned char *der, size_t len, const ASN1_OBJECT *oid, BIO *bio, + const unsigned char *der, size_t len, const ASN1_OBJECT *oid, unsigned char **res, size_t *rsz, time_t *signtime) { struct cert *cert = NULL;
@@ -218,7 +213,7 @@ cms_parse_validate_internal(struct cert * The CMS is self-signed with a signing certificate. * Verify that the self-signage is correct. */ - if (!CMS_verify(cms, NULL, NULL, bio, NULL, + if (!CMS_verify(cms, NULL, NULL, NULL, NULL, CMS_NO_SIGNER_CERT_VERIFY)) { warnx("%s: CMS verification error", fn); goto out;
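Review bot: With the guard gone, cms_extract_econtent() relies on res and rsz being non-NULL, but nothing in the function records that precondition. cms_parse_validate() in the last cms.c hunk supplies &res itself yet forwards rsz straight from its caller, so a future caller passing NULL for the size would presumably crash where it used to return early; the dereferences themselves are outside this hunk. I would add a comment at the top of the body, e.g. `/* res and rsz must be non-NULL: detached signatures are no longer supported. */`, and state the same requirement for rsz in the comment above cms_parse_validate().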
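Review bot: The NULL now hard-coded as the fourth CMS_verify() argument deserves a word in the comment above the call. With no detached content supplied, CMS_verify() should, as far as I know, fail for a CMS that carries no embedded eContent, so such an object is reported only through the generic "CMS verification error" warning. Extending the existing comment with a line such as `* No detached content is supplied, so the eContent must be embedded.` would make that intent explicit. The body of cms_parse_validate_internal() continues outside the hunk.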
@@ -398,22 +393,8 @@ cms_parse_validate(struct cert **out_cer unsigned char *res = NULL; if (!cms_parse_validate_internal(out_cert, fn, talid, der, derlen, oid, - NULL, &res, rsz, st)) + &res, rsz, st)) return NULL; return res; -} - -/* - * Parse and validate a detached CMS signature. - * bio must contain the original message, der must contain the CMS. - * Return the 1 on success, 0 on failure. - */ -int -cms_parse_validate_detached(struct cert **out_cert, const char *fn, int talid, - const unsigned char *der, size_t derlen, const ASN1_OBJECT *oid, BIO *bio, - time_t *st) -{ - return cms_parse_validate_internal(out_cert, fn, talid, der, derlen, - oid, bio, NULL, NULL, st); }
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
diff -u -p -r1.269 extern.h
--- extern.h 13 Jan 2026 21:36:17 -0000 1.269
+++ extern.h 13 Jan 2026 22:33:00 -0000
@@ -796,9 +796,6 @@ int valid_spl(const char *, struct cer unsigned char *cms_parse_validate(struct cert **, const char *, int, const unsigned char *, size_t, const ASN1_OBJECT *, size_t *, time_t *); -int cms_parse_validate_detached(struct cert **, const char *, int, - const unsigned char *, size_t, const ASN1_OBJECT *, BIO *, - time_t *); /* Work with RFC 3779 IP addresses, prefixes, ranges. */