-/* $OpenBSD: extern.h,v 1.193 2023/10/13 12:06:49 job Exp $ */
+/* $OpenBSD: extern.h,v 1.194 2023/11/16 11:10:59 tb Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
struct crl {
RB_ENTRY(crl) entry;
char *aki;
+ char *number;
X509_CRL *x509_crl;
time_t lastupdate; /* do not use before */
time_t nextupdate; /* do not use after */
int x509_get_notafter(X509 *, const char *, time_t *);
int x509_get_crl(X509 *, const char *, char **);
char *x509_crl_get_aki(X509_CRL *, const char *);
+char *x509_crl_get_number(X509_CRL *, const char *);
char *x509_get_pubkey(X509 *, const char *);
enum cert_purpose x509_get_purpose(X509 *, const char *);
int x509_get_time(const ASN1_TIME *, time_t *);
-/* $OpenBSD: x509.c,v 1.74 2023/09/12 09:33:30 job Exp $ */
+/* $OpenBSD: x509.c,v 1.75 2023/11/16 11:10:59 tb Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
return res;
}
+/*
+ * Retrieve CRL Number extension. Returns a printable hexadecimal representation
+ * of the number which has to be freed after use.
+ */
+char *
+x509_crl_get_number(X509_CRL *crl, const char *fn)
+{
+ ASN1_INTEGER *aint;
+ int crit;
+ char *res = NULL;
+
+ aint = X509_CRL_get_ext_d2i(crl, NID_crl_number, &crit, NULL);
+ if (aint == NULL) {
+ warnx("%s: RFC 6487 section 5: CRL Number missing", fn);
+ return NULL;
+ }
+ if (crit != 0) {
+ warnx("%s: RFC 5280, section 5.2.3: "
+ "CRL Number not non-critical", fn);
+ goto out;
+ }
+
+ /* This checks that the number is non-negative and <= 20 bytes. */
+ res = x509_convert_seqnum(fn, aint);
+
+ out:
+ ASN1_INTEGER_free(aint);
+ return res;
+}
+
/*
* Convert passed ASN1_TIME to time_t *t.
* Returns 1 on success and 0 on failure.
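Review bot: The `aint == NULL` branch in the new x509_crl_get_number() reports every NULL return of X509_CRL_get_ext_d2i() as "CRL Number missing", so a CRL that carries the extension more than once, or whose CRL Number fails to decode, is logged as lacking it. If the usual libcrypto X509V3_get_d2i() convention applies here (with idx NULL, `crit` is set to -1 when the extension is absent and to -2 when it occurs more than once, and is left at the extension's own critical flag when the decode fails), the branch can name the actual cause, e.g. `if (crit == -2) warnx("%s: CRL Number extension present more than once", fn); else if (crit >= 0) warnx("%s: failed to decode CRL Number", fn);` ahead of the existing missing-extension warning. Distinguishing these is worthwhile for a validator, since a duplicated or malformed CRL Number is a malformed CRL rather than an absent extension, and the current message would send an operator looking in the wrong place. The function is fully contained in the hunk.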