-/* $OpenBSD: cert.c,v 1.31 2021/07/13 18:39:39 job Exp $ */
+/* $OpenBSD: cert.c,v 1.32 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
const char *fn; /* currently-parsed file */
};
+static ASN1_OBJECT *carepo_oid; /* 1.3.6.1.5.5.7.48.5 (caRepository) */
+static ASN1_OBJECT *mft_oid; /* 1.3.6.1.5.5.7.48.10 (rpkiManifest) */
+static ASN1_OBJECT *notify_oid; /* 1.3.6.1.5.5.7.48.13 (rpkiNotify) */
+
+static void
+cert_init_oid(void)
+{
+ if ((carepo_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.5", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.5");
+ if ((mft_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.10", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.10");
+ if ((notify_oid = OBJ_txt2obj("1.3.6.1.5.5.7.48.13", 1)) == NULL)
+ errx(1, "OBJ_txt2obj for %s failed", "1.3.6.1.5.5.7.48.13");
+}
+
/*
* Append an IP address structure to our list of results.
* This will also constrain us to having at most one inheritence
const unsigned char *d, size_t dsz)
{
ASN1_SEQUENCE_ANY *seq;
+ ASN1_OBJECT *oid;
const ASN1_TYPE *t;
int rc = 0, ptag;
- char buf[128];
long plen;
if ((seq = d2i_ASN1_SEQUENCE_ANY(NULL, &d, dsz)) == NULL) {
p->fn, ASN1_tag2str(t->type), t->type);
goto out;
}
- OBJ_obj2txt(buf, sizeof(buf), t->value.object, 1);
+ oid = t->value.object;
t = sk_ASN1_TYPE_value(seq, 1);
if (t->type != V_ASN1_OTHER) {
if (!ASN1_frame(p->fn, dsz, &d, &plen, &ptag))
goto out;
- /*
- * Ignore all but manifest and RRDP notify URL.
- * Things we may see:
- * - 1.3.6.1.5.5.7.48.5 (caRepository)
- * - 1.3.6.1.5.5.7.48.10 (rpkiManifest)
- * - 1.3.6.1.5.5.7.48.13 (rpkiNotify)
- */
- if (strcmp(buf, "1.3.6.1.5.5.7.48.5") == 0)
+ if (carepo_oid == NULL)
+ cert_init_oid();
+
+ if (OBJ_cmp(oid, carepo_oid) == 0)
rc = sbgp_sia_resource_carepo(p, d, plen);
- else if (strcmp(buf, "1.3.6.1.5.5.7.48.10") == 0)
+ else if (OBJ_cmp(oid, mft_oid) == 0)
rc = sbgp_sia_resource_mft(p, d, plen);
- else if (strcmp(buf, "1.3.6.1.5.5.7.48.13") == 0)
+ else if (OBJ_cmp(oid, notify_oid) == 0)
rc = sbgp_sia_resource_notify(p, d, plen);
else
rc = 1; /* silently ignore */
-/* $OpenBSD: cms.c,v 1.9 2021/07/13 18:39:39 job Exp $ */
+/* $OpenBSD: cms.c,v 1.10 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
* Return the eContent as a string and set "rsz" to be its length.
*/
unsigned char *
-cms_parse_validate(X509 **xp, const char *fn,
- const char *oid, size_t *rsz)
+cms_parse_validate(X509 **xp, const char *fn, const ASN1_OBJECT *oid,
+ size_t *rsz)
{
const ASN1_OBJECT *obj;
ASN1_OCTET_STRING **os = NULL;
BIO *bio = NULL;
CMS_ContentInfo *cms;
FILE *f;
- char buf[128];
- int rc = 0, sz;
+ int rc = 0;
STACK_OF(X509) *certs = NULL;
unsigned char *res = NULL;
/* RFC 6488 section 2.1.3.1: check the object's eContentType. */
obj = CMS_get0_eContentType(cms);
- if ((sz = OBJ_obj2txt(buf, sizeof(buf), obj, 1)) < 0)
- cryptoerrx("OBJ_obj2txt");
-
- if ((size_t)sz >= sizeof(buf)) {
- warnx("%s: RFC 6488 section 2.1.3.1: "
- "eContentType: OID too long", fn);
+ if (obj == NULL) {
+ warnx("%s: RFC 6488 section 2.1.3.1: eContentType: "
+ "OID object is NULL", fn);
goto out;
- } else if (strcmp(buf, oid)) {
+ }
+ if (OBJ_cmp(obj, oid) != 0) {
+ char buf[128], obuf[128];
+
+ OBJ_obj2txt(buf, sizeof(buf), obj, 1);
+ OBJ_obj2txt(obuf, sizeof(obuf), oid, 1);
warnx("%s: RFC 6488 section 2.1.3.1: eContentType: "
- "unknown OID: %s, want %s", fn, buf, oid);
+ "unknown OID: %s, want %s", fn, buf, obuf);
goto out;
}
-/* $OpenBSD: extern.h,v 1.66 2021/09/01 08:09:41 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.67 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
/* Working with CMS. */
unsigned char *cms_parse_validate(X509 **, const char *,
- const char *, size_t *);
+ const ASN1_OBJECT *, size_t *);
int cms_econtent_version(const char *, const unsigned char **,
- size_t, long *);
+ size_t, long *);
/* Helper for ASN1 parsing */
int ASN1_frame(const char *, size_t,
const unsigned char **, long *, int *);
-/* $OpenBSD: gbr.c,v 1.9 2021/03/29 06:50:44 tb Exp $ */
+/* $OpenBSD: gbr.c,v 1.10 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
*
struct gbr *res; /* results */
};
+static ASN1_OBJECT *gbr_oid;
+
/*
* Parse a full RFC 6493 file and signed by the certificate "cacert"
* (the latter is optional and may be passed as NULL to disable).
p.fn = fn;
/* OID from section 9.1, RFC 6493. */
+ if (gbr_oid == NULL) {
+ gbr_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.35", 1);
+ if (gbr_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.35");
+ }
- cms = cms_parse_validate(x509, fn,
- "1.2.840.113549.1.9.16.1.35", &cmsz);
+ cms = cms_parse_validate(x509, fn, gbr_oid, &cmsz);
if (cms == NULL)
return NULL;
-/* $OpenBSD: mft.c,v 1.37 2021/09/08 16:37:20 claudio Exp $ */
+/* $OpenBSD: mft.c,v 1.38 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
struct mft *res; /* result object */
};
+static ASN1_OBJECT *mft_oid;
+
static const char *
gentime2str(const ASN1_GENERALIZEDTIME *time)
{
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
- cms = cms_parse_validate(x509, fn, "1.2.840.113549.1.9.16.1.26",
- &cmsz);
+ if (mft_oid == NULL) {
+ mft_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.26", 1);
+ if (mft_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.26");
+ }
+
+ cms = cms_parse_validate(x509, fn, mft_oid, &cmsz);
if (cms == NULL)
return NULL;
assert(*x509 != NULL);
-/* $OpenBSD: roa.c,v 1.24 2021/09/08 16:37:20 claudio Exp $ */
+/* $OpenBSD: roa.c,v 1.25 2021/09/09 14:15:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
struct roa *res; /* results */
};
+static ASN1_OBJECT *roa_oid;
+
/*
* Parse IP address (ROAIPAddress), RFC 6482, section 3.3.
* Returns zero on failure, non-zero on success.
p.fn = fn;
/* OID from section 2, RFC 6482. */
+ if (roa_oid == NULL) {
+ roa_oid = OBJ_txt2obj("1.2.840.113549.1.9.16.1.24", 1);
+ if (roa_oid == NULL)
+ errx(1, "OBJ_txt2obj for %s failed",
+ "1.2.840.113549.1.9.16.1.24");
+ }
- cms = cms_parse_validate(x509, fn,
- "1.2.840.113549.1.9.16.1.24", &cmsz);
+ cms = cms_parse_validate(x509, fn, roa_oid, &cmsz);
if (cms == NULL)
return NULL;
projects / openbsd / commitdiff