Factor SKI calculation into a helper

This is a straightforward deduplication and simplification made more
obvious by prior refactoring by job.

"sure" claudio

diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 2f472c9..2eb167d 100644 (file)
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: extern.h,v 1.203 2024/02/03 14:30:47 job Exp $ */
+/*     $OpenBSD: extern.h,v 1.204 2024/02/16 05:18:29 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -847,6 +847,7 @@ int          x509_get_crl(X509 *, const char *, char **);
 char           *x509_crl_get_aki(X509_CRL *, const char *);
 char           *x509_crl_get_number(X509_CRL *, const char *);
 char           *x509_get_pubkey(X509 *, const char *);
+char           *x509_pubkey_get_ski(X509_PUBKEY *, const char *);
 enum cert_purpose       x509_get_purpose(X509 *, const char *);
 int             x509_get_time(const ASN1_TIME *, time_t *);
 char           *x509_convert_seqnum(const char *, const ASN1_INTEGER *);

diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c
index bbd478c..1e5503b 100644 (file)
--- a/usr.sbin/rpki-client/print.c
+++ b/usr.sbin/rpki-client/print.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: print.c,v 1.48 2024/02/13 20:40:17 job Exp $ */
+/*     $OpenBSD: print.c,v 1.49 2024/02/16 05:18:29 tb Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -83,28 +83,16 @@ void
 tal_print(const struct tal *p)
 {
        char                    *ski;
-       const unsigned char     *der, *pkey_der;
+       const unsigned char     *der;
        X509_PUBKEY             *pubkey;
-       ASN1_OBJECT             *obj;
-       unsigned char            md[SHA_DIGEST_LENGTH];
-       int                      nid, der_len;
        size_t                   i;
 
-       pkey_der = p->pkey;
-       if ((pubkey = d2i_X509_PUBKEY(NULL, &pkey_der, p->pkeysz)) == NULL)
+       der = p->pkey;
+       if ((pubkey = d2i_X509_PUBKEY(NULL, &der, p->pkeysz)) == NULL)
                errx(1, "d2i_X509_PUBKEY failed");
 
-       if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey))
-               errx(1, "X509_PUBKEY_get0_param failed");
-
-       if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption)
-               errx(1, "RFC 7935: wrong signature algorithm %s, want %s",
-                   nid2str(nid), LN_rsaEncryption);
-
-       if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL))
-               errx(1, "EVP_Digest failed");
-
-       ski = hex_encode(md, SHA_DIGEST_LENGTH);
+       if ((ski = x509_pubkey_get_ski(pubkey, p->descr)) == NULL)
+               errx(1, "x509_pubkey_get_ski failed");
 
        if (outformats & FORMAT_JSON) {
                json_do_string("type", "tal");

diff --git a/usr.sbin/rpki-client/tak.c b/usr.sbin/rpki-client/tak.c
index e786630..4273b6d 100644 (file)
--- a/usr.sbin/rpki-client/tak.c
+++ b/usr.sbin/rpki-client/tak.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: tak.c,v 1.16 2024/02/13 22:44:21 job Exp $ */
+/*     $OpenBSD: tak.c,v 1.17 2024/02/16 05:18:29 tb Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders <job@fastly.com>
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -93,14 +93,11 @@ parse_takey(const char *fn, const TAKey *takey)
 {
        const ASN1_UTF8STRING   *comment;
        const ASN1_IA5STRING    *certURI;
-       X509_PUBKEY             *pkey;
-       ASN1_OBJECT             *obj;
+       X509_PUBKEY             *pubkey;
        struct takey            *res = NULL;
-       const unsigned char     *der;
-       unsigned char           *pkey_der = NULL;
-       unsigned char            md[SHA_DIGEST_LENGTH];
+       unsigned char           *der = NULL;
        size_t                   i;
-       int                      der_len, nid, pkey_der_len;
+       int                      der_len;
 
        if ((res = calloc(1, sizeof(struct takey))) == NULL)
                err(1, NULL);
@@ -141,30 +138,16 @@ parse_takey(const char *fn, const TAKey *takey)
                        err(1, NULL);
        }
 
-       pkey = takey->subjectPublicKeyInfo;
-       if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pkey)) {
-               warnx("%s: X509_PUBKEY_get0_param failed", fn);
+       pubkey = takey->subjectPublicKeyInfo;
+       if ((res->ski = x509_pubkey_get_ski(pubkey, fn)) == NULL)
                goto err;
-       }
-
-       if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
-               warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
-                   fn, nid2str(nid), LN_rsaEncryption);
-               goto err;
-       }
-
-       if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) {
-               warnx("%s: EVP_Digest failed", fn);
-               goto err;
-       }
-       res->ski = hex_encode(md, SHA_DIGEST_LENGTH);
 
-       if ((pkey_der_len = i2d_X509_PUBKEY(pkey, &pkey_der)) <= 0) {
+       if ((der_len = i2d_X509_PUBKEY(pubkey, &der)) <= 0) {
                warnx("%s: i2d_X509_PUBKEY failed", fn);
                goto err;
        }
-       res->pubkey = pkey_der;
-       res->pubkeysz = pkey_der_len;
+       res->pubkey = der;
+       res->pubkeysz = der_len;
 
        return res;
 

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 679fe50..c9e340b 100644 (file)
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509.c,v 1.79 2024/02/14 10:49:00 tb Exp $ */
+/*     $OpenBSD: x509.c,v 1.80 2024/02/16 05:18:29 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -374,6 +374,38 @@ x509_get_pubkey(X509 *x, const char *fn)
        return res;
 }
 
+/*
+ * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1.
+ * Returns allocated hex-encoded SKI on success, NULL on failure.
+ */
+char *
+x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn)
+{
+       ASN1_OBJECT             *obj;
+       const unsigned char     *der;
+       int                      der_len, nid;
+       unsigned char            md[EVP_MAX_MD_SIZE];
+       unsigned int             md_len = EVP_MAX_MD_SIZE;
+
+       if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) {
+               warnx("%s: X509_PUBKEY_get0_param failed", fn);
+               return NULL;
+       }
+
+       if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) {
+               warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
+                   fn, nid2str(nid), LN_rsaEncryption);
+               return NULL;
+       }
+
+       if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) {
+               warnx("%s: EVP_Digest failed", fn);
+               return NULL;
+       }
+
+       return hex_encode(md, md_len);
+}
+
 /*
  * Parse the Authority Information Access (AIA) extension
  * See RFC 6487, section 4.8.7 for details.