rpki-client: simplify signature type checking for certs/CRLs

The OpenSSL 1.1 get_signature_nid() API is available for all libraries
that we support and it does exactly what we want. It is much simpler
than the unergonomic accessors we used previously. The ASN.1 templates
ensure that the relevant struct members aren't NULL after successful
deserialization, so the calls are safe.

ok claudio

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 6c8f7a2..4f80e18 100644 (file)
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cert.c,v 1.145 2024/06/10 10:50:13 tb Exp $ */
+/*     $OpenBSD: cert.c,v 1.146 2024/06/11 07:27:14 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -797,9 +797,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
        int                      i, extsz;
        X509                    *x = NULL;
        X509_EXTENSION          *ext = NULL;
-       const X509_ALGOR        *palg;
        const ASN1_BIT_STRING   *piuid = NULL, *psuid = NULL;
-       const ASN1_OBJECT       *cobj;
        ASN1_OBJECT             *obj;
        EVP_PKEY                *pkey;
        int                      nid, ip, as, sia, cp, crldp, aia, aki, ski,
@@ -832,13 +830,10 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
                goto out;
        }
 
-       X509_get0_signature(NULL, &palg, x);
-       if (palg == NULL) {
-               warnx("%s: X509_get0_signature", fn);
+       if ((nid = X509_get_signature_nid(x)) == NID_undef) {
+               warnx("%s: unknown signature type", fn);
                goto out;
        }
-       X509_ALGOR_get0(&cobj, NULL, NULL, palg);
-       nid = OBJ_obj2nid(cobj);
        if (experimental && nid == NID_ecdsa_with_SHA256) {
                if (verbose)
                        warnx("%s: P-256 support is experimental", fn);

diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index 0e7705c..fb9447e 100644 (file)
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: crl.c,v 1.37 2024/06/05 13:36:28 tb Exp $ */
+/*     $OpenBSD: crl.c,v 1.38 2024/06/11 07:27:14 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -165,9 +165,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 {
        const unsigned char     *oder;
        struct crl              *crl;
-       const X509_ALGOR        *palg;
        const X509_NAME         *name;
-       const ASN1_OBJECT       *cobj;
        const ASN1_TIME         *at;
        int                      count, nid, rc = 0;
 
@@ -200,13 +198,10 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
        if (!x509_valid_name(fn, "issuer", name))
                goto out;
 
-       X509_CRL_get0_signature(crl->x509_crl, NULL, &palg);
-       if (palg == NULL) {
-               warnx("%s: X509_CRL_get0_signature", fn);
+       if ((nid = X509_CRL_get_signature_nid(crl->x509_crl)) == NID_undef) {
+               warnx("%s: unknown signature type", fn);
                goto out;
        }
-       X509_ALGOR_get0(&cobj, NULL, NULL, palg);
-       nid = OBJ_obj2nid(cobj);
        if (experimental && nid == NID_ecdsa_with_SHA256) {
                if (verbose)
                        warnx("%s: P-256 support is experimental", fn);