From: Claudio Jeker
Subject: Re: rpki-client: remove cms_parse_validate_detached()
To: Theo Buehler
Cc: tech@openbsd.org
Date: Fri, 23 Jan 2026 13:10:21 +0100

On Fri, Jan 23, 2026 at 08:46:30AM +0100, Theo Buehler wrote:
> On Wed, Jan 14, 2026 at 08:11:01AM +0100, Theo Buehler wrote:
> > Geofeed (RIP) was the only consumer of this and we don't have immediate
> > plans to implement another detached content type. So we no longer need a
> > BIO for the content. All callers of cms_parse_validate() pass in a &cmsz,
> > and cms_parse_validate() itself passes in &res, so cms_extract_econtent()
> > can lose the NULL checks.
> >
> > One could go further and untangle the cms_parse_validate() -> _internal()
> > indirection, but for now this is good enough and I have some fiddly diffs
> > in here.
>
> It would be nice to have this out of the way. I'm also still waiting on
> https://marc.info/?l=openbsd-tech&m=176893107713557&w=2
>
> These are both pretty simple diffs :)

OK on the diff below. Need to look for the other.

> Index: cms.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
> diff -u -p -r1.59 cms.c
> --- cms.c 3 Dec 2025 10:19:28 -0000 1.59
> +++ cms.c 21 Jan 2026 07:02:46 -0000
> @@ -22,7 +22,6 @@
> #include
> #include
>
> -#include
> #include
>
> #include "extern.h"
> @@ -33,10 +32,6 @@ cms_extract_econtent(const char *fn, CMS
> {
> ASN1_OCTET_STRING **os = NULL;
>
> - /* Detached signature case: no eContent to extract, so do nothing. */
> - if (res == NULL || rsz == NULL)
> - return 1;
> -
> if ((os = CMS_get0_content(cms)) == NULL || *os == NULL) {
> warnx("%s: RFC 6488 section 2.1.4: "
> "eContent: zero-length content", fn);
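Review bot: With the `res == NULL || rsz == NULL` guard removed in the cms_extract_econtent() hunk, the function now requires both out-pointers, but nothing near the signature records that contract; the only remaining caller passes `&res` and `rsz` (see the cms_parse_validate() hunk), so a future caller that mirrors the deleted detached call with NULLs would presumably fault on the writes further down rather than be rejected with a warning. A one-line comment above the function, e.g. `/* res and rsz must be non-NULL: detached (eContent-less) CMS is no longer supported. */`, would pin that down. The function's signature and any header comment sit just above this hunk, outside it, and its body continues past the last context line.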
> @@ -176,7 +171,7 @@ cms_SignerInfo_check_attributes(const ch
>
> static int
> cms_parse_validate_internal(struct cert **out_cert, const char *fn, int talid,
> - const unsigned char *der, size_t len, const ASN1_OBJECT *oid, BIO *bio,
> + const unsigned char *der, size_t len, const ASN1_OBJECT *oid,
> unsigned char **res, size_t *rsz, time_t *signtime)
> {
> struct cert *cert = NULL;
> @@ -218,7 +213,7 @@ cms_parse_validate_internal(struct cert
> * The CMS is self-signed with a signing certificate.
> * Verify that the self-signage is correct.
> */
> - if (!CMS_verify(cms, NULL, NULL, bio, NULL,
> + if (!CMS_verify(cms, NULL, NULL, NULL, NULL,
> CMS_NO_SIGNER_CERT_VERIFY)) {
> warnx("%s: CMS verification error", fn);
> goto out;
> @@ -398,22 +393,8 @@ cms_parse_validate(struct cert **out_cer
> unsigned char *res = NULL;
>
> if (!cms_parse_validate_internal(out_cert, fn, talid, der, derlen, oid,
> - NULL, &res, rsz, st))
> + &res, rsz, st))
> return NULL;
>
> return res;
> -}
> -
> -/*
> - * Parse and validate a detached CMS signature.
> - * bio must contain the original message, der must contain the CMS.
> - * Return the 1 on success, 0 on failure.
> - */
> -int
> -cms_parse_validate_detached(struct cert **out_cert, const char *fn, int talid,
> - const unsigned char *der, size_t derlen, const ASN1_OBJECT *oid, BIO *bio,
> - time_t *st)
> -{
> - return cms_parse_validate_internal(out_cert, fn, talid, der, derlen,
> - oid, bio, NULL, NULL, st);
> }
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> diff -u -p -r1.272 extern.h
> --- extern.h 20 Jan 2026 16:49:03 -0000 1.272
> +++ extern.h 21 Jan 2026 07:02:46 -0000
> @@ -797,9 +797,6 @@ int valid_spl(const char *, struct cer
> unsigned char *cms_parse_validate(struct cert **, const char *, int,
> const unsigned char *, size_t, const ASN1_OBJECT *,
> size_t *, time_t *);
> -int cms_parse_validate_detached(struct cert **, const char *, int,
> - const unsigned char *, size_t, const ASN1_OBJECT *, BIO *,
> - time_t *);
>
> /* Work with RFC 3779 IP addresses, prefixes, ranges. */
>
>
--
:wq Claudio