From: tb Date: Fri, 16 Feb 2024 05:18:29 +0000 (+0000) Subject: Factor SKI calculation into a helper X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=23c6f3a22705efceb42c611c5e178273d2526022;p=openbsd Factor SKI calculation into a helper This is a straightforward deduplication and simplification made more obvious by prior refactoring by job. "sure" claudio --- diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 2f472c9a1ba..2eb167dc254 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.203 2024/02/03 14:30:47 job Exp $ */ +/* $OpenBSD: extern.h,v 1.204 2024/02/16 05:18:29 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -847,6 +847,7 @@ int x509_get_crl(X509 *, const char *, char **); char *x509_crl_get_aki(X509_CRL *, const char *); char *x509_crl_get_number(X509_CRL *, const char *); char *x509_get_pubkey(X509 *, const char *); +char *x509_pubkey_get_ski(X509_PUBKEY *, const char *); enum cert_purpose x509_get_purpose(X509 *, const char *); int x509_get_time(const ASN1_TIME *, time_t *); char *x509_convert_seqnum(const char *, const ASN1_INTEGER *); diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c index bbd478ce6ea..1e5503b2a1c 100644 --- a/usr.sbin/rpki-client/print.c +++ b/usr.sbin/rpki-client/print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print.c,v 1.48 2024/02/13 20:40:17 job Exp $ */ +/* $OpenBSD: print.c,v 1.49 2024/02/16 05:18:29 tb Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons 
@@ -83,28 +83,16 @@ void tal_print(const struct tal *p) { char *ski; - const unsigned char *der, *pkey_der; + const unsigned char *der; X509_PUBKEY *pubkey; - ASN1_OBJECT *obj; - unsigned char md[SHA_DIGEST_LENGTH]; - int nid, der_len; size_t i; - pkey_der = p->pkey; - if ((pubkey = d2i_X509_PUBKEY(NULL, &pkey_der, p->pkeysz)) == NULL) + der = p->pkey; + if ((pubkey = d2i_X509_PUBKEY(NULL, &der, p->pkeysz)) == NULL) errx(1, "d2i_X509_PUBKEY failed"); - if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) - errx(1, "X509_PUBKEY_get0_param failed"); - - if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) - errx(1, "RFC 7935: wrong signature algorithm %s, want %s", - nid2str(nid), LN_rsaEncryption); - - if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) - errx(1, "EVP_Digest failed"); - - ski = hex_encode(md, SHA_DIGEST_LENGTH); + if ((ski = x509_pubkey_get_ski(pubkey, p->descr)) == NULL) + errx(1, "x509_pubkey_get_ski failed"); if (outformats & FORMAT_JSON) { json_do_string("type", "tal"); diff --git a/usr.sbin/rpki-client/tak.c b/usr.sbin/rpki-client/tak.c index e786630a974..4273b6de675 100644 --- a/usr.sbin/rpki-client/tak.c +++ b/usr.sbin/rpki-client/tak.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tak.c,v 1.16 2024/02/13 22:44:21 job Exp $ */ +/* $OpenBSD: tak.c,v 1.17 2024/02/16 05:18:29 tb Exp $ */ /* * Copyright (c) 2022 Job Snijders * Copyright (c) 2022 Theo Buehler @@ -93,14 +93,11 @@ parse_takey(const char *fn, const TAKey *takey) { const ASN1_UTF8STRING *comment; const ASN1_IA5STRING *certURI; - X509_PUBKEY *pkey; - ASN1_OBJECT *obj; + X509_PUBKEY *pubkey; struct takey *res = NULL; - const unsigned char *der; - unsigned char *pkey_der = NULL; - unsigned char md[SHA_DIGEST_LENGTH]; + unsigned char *der = NULL; size_t i; - int der_len, nid, pkey_der_len; + int der_len; if ((res = calloc(1, sizeof(struct takey))) == NULL) err(1, NULL); 
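Review bot: In tal_print (print.c), `der` is advanced by d2i_X509_PUBKEY() but never compared with `p->pkey + p->pkeysz`, so bytes trailing the SubjectPublicKeyInfo in the TAL key would go unnoticed on this path. If that is not already enforced where the TAL is parsed (not visible here), a guard such as `if (der != p->pkey + p->pkeysz) errx(1, "%s: trailing data in public key", p->descr);` right after the d2i call would close it. Separately, the new `errx(1, "x509_pubkey_get_ski failed")` omits `p->descr`, unlike the helper's own warnx. The function body continues outside the hunk, so the release of `pubkey` and `ski` cannot be checked from here.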
@@ -141,30 +138,16 @@ parse_takey(const char *fn, const TAKey *takey) err(1, NULL); } - pkey = takey->subjectPublicKeyInfo; - if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pkey)) { - warnx("%s: X509_PUBKEY_get0_param failed", fn); + pubkey = takey->subjectPublicKeyInfo; + if ((res->ski = x509_pubkey_get_ski(pubkey, fn)) == NULL) goto err; - } - - if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) { - warnx("%s: RFC 7935: wrong signature algorithm %s, want %s", - fn, nid2str(nid), LN_rsaEncryption); - goto err; - } - - if (!EVP_Digest(der, der_len, md, NULL, EVP_sha1(), NULL)) { - warnx("%s: EVP_Digest failed", fn); - goto err; - } - res->ski = hex_encode(md, SHA_DIGEST_LENGTH); - if ((pkey_der_len = i2d_X509_PUBKEY(pkey, &pkey_der)) <= 0) { + if ((der_len = i2d_X509_PUBKEY(pubkey, &der)) <= 0) { warnx("%s: i2d_X509_PUBKEY failed", fn); goto err; } - res->pubkey = pkey_der; - res->pubkeysz = pkey_der_len; + res->pubkey = der; + res->pubkeysz = der_len; return res; diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 679fe503921..c9e340b6c19 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.79 2024/02/14 10:49:00 tb Exp $ */ +/* $OpenBSD: x509.c,v 1.80 2024/02/16 05:18:29 tb Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2021 Claudio Jeker 
@@ -374,6 +374,38 @@ x509_get_pubkey(X509 *x, const char *fn) return res; } +/* + * Compute the SKI of an RSA public key in an X509_PUBKEY using SHA-1. + * Returns allocated hex-encoded SKI on success, NULL on failure. + */ +char * +x509_pubkey_get_ski(X509_PUBKEY *pubkey, const char *fn) +{ + ASN1_OBJECT *obj; + const unsigned char *der; + int der_len, nid; + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int md_len = EVP_MAX_MD_SIZE; + + if (!X509_PUBKEY_get0_param(&obj, &der, &der_len, NULL, pubkey)) { + warnx("%s: X509_PUBKEY_get0_param failed", fn); + return NULL; + } + + if ((nid = OBJ_obj2nid(obj)) != NID_rsaEncryption) { + warnx("%s: RFC 7935: wrong signature algorithm %s, want %s", + fn, nid2str(nid), LN_rsaEncryption); + return NULL; + } + + if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha1(), NULL)) { + warnx("%s: EVP_Digest failed", fn); + return NULL; + } + + return hex_encode(md, md_len); +} + /* * Parse the Authority Information Access (AIA) extension * See RFC 6487, section 4.8.7 for details.
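Review bot: The header comment on x509_pubkey_get_ski() does not say what is hashed or why SHA-1 is fixed, which matters now that both callers in this commit rely on this single definition. X509_PUBKEY_get0_param() hands back the contents of the subjectPublicKey BIT STRING, so the digest covers the key bits only and not the whole SubjectPublicKeyInfo. I would add `* The hash covers the subjectPublicKey BIT STRING contents only, as RFC 6487, section 4.8.2 requires; SHA-1 is an identifier here, not a security primitive.` and `* The caller is responsible for freeing the result.` The warnx text "wrong signature algorithm" is carried over from the removed code, but the check is on the key algorithm OID of the SPKI, so "wrong public key algorithm" would describe the failure more accurately.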