From 073e107a94a20866404b25c8981661aab65df794 Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Tue, 11 Jun 2024 07:27:14 +0000
Subject: [PATCH] rpki-client: simplify signature type checking for certs/CRLs

The OpenSSL 1.1 get_signature_nid() API is available for all libraries
that we support and it does exactly what we want. It is much simpler
than the unergonomic accessors we used previously. The ASN.1 templates
ensure that the relevant struct members aren't NULL after successful
deserialization, so the calls are safe.

ok claudio
---
 usr.sbin/rpki-client/cert.c | 11 +++--------
 usr.sbin/rpki-client/crl.c  | 11 +++--------
 2 files changed, 6 insertions(+), 16 deletions(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 6c8f7a2493b..4f80e182dd9 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cert.c,v 1.145 2024/06/10 10:50:13 tb Exp $ */
+/*	$OpenBSD: cert.c,v 1.146 2024/06/11 07:27:14 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -797,9 +797,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 	int			 i, extsz;
 	X509			*x = NULL;
 	X509_EXTENSION		*ext = NULL;
-	const X509_ALGOR	*palg;
 	const ASN1_BIT_STRING	*piuid = NULL, *psuid = NULL;
-	const ASN1_OBJECT	*cobj;
 	ASN1_OBJECT		*obj;
 	EVP_PKEY		*pkey;
 	int			 nid, ip, as, sia, cp, crldp, aia, aki, ski,
@@ -832,13 +830,10 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 		goto out;
 	}
 
-	X509_get0_signature(NULL, &palg, x);
-	if (palg == NULL) {
-		warnx("%s: X509_get0_signature", fn);
+	if ((nid = X509_get_signature_nid(x)) == NID_undef) {
+		warnx("%s: unknown signature type", fn);
 		goto out;
 	}
-	X509_ALGOR_get0(&cobj, NULL, NULL, palg);
-	nid = OBJ_obj2nid(cobj);
 	if (experimental && nid == NID_ecdsa_with_SHA256) {
 		if (verbose)
 			warnx("%s: P-256 support is experimental", fn);
diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index 0e7705c7429..fb9447ef31e 100644
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: crl.c,v 1.37 2024/06/05 13:36:28 tb Exp $ */
+/*	$OpenBSD: crl.c,v 1.38 2024/06/11 07:27:14 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -165,9 +165,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 {
 	const unsigned char	*oder;
 	struct crl		*crl;
-	const X509_ALGOR	*palg;
 	const X509_NAME		*name;
-	const ASN1_OBJECT	*cobj;
 	const ASN1_TIME		*at;
 	int			 count, nid, rc = 0;
 
@@ -200,13 +198,10 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 	if (!x509_valid_name(fn, "issuer", name))
 		goto out;
 
-	X509_CRL_get0_signature(crl->x509_crl, NULL, &palg);
-	if (palg == NULL) {
-		warnx("%s: X509_CRL_get0_signature", fn);
+	if ((nid = X509_CRL_get_signature_nid(crl->x509_crl)) == NID_undef) {
+		warnx("%s: unknown signature type", fn);
 		goto out;
 	}
-	X509_ALGOR_get0(&cobj, NULL, NULL, palg);
-	nid = OBJ_obj2nid(cobj);
 	if (experimental && nid == NID_ecdsa_with_SHA256) {
 		if (verbose)
 			warnx("%s: P-256 support is experimental", fn);
-- 
2.20.1