From 50aad25e032f942f262cef32046958988eb7ff95 Mon Sep 17 00:00:00 2001
From: claudio
Date: Thu, 1 Apr 2021 08:29:10 +0000
Subject: [PATCH] Make build_crls() behave like build_chain(). If there is not auth data just NULL the STACK_OF() pointer since libcrypto calls can handle that. Update comments to be more accurate. With and OK tb@
---
 usr.sbin/rpki-client/parser.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index b884249253d..7ba4221251f 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.6 2021/03/02 09:00:46 claudio Exp $ */
+/* $OpenBSD: parser.c,v 1.7 2021/04/01 08:29:10 claudio Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -417,10 +417,9 @@ proc_parser_gbr(struct entity *entp, X509_STORE *store,
 }

 /*
- * Use the parent (id) to walk the tree to the root and
- * build a certificate chain from cert->x509. Do not include
- * the root node since this node should already be in the X509_STORE
- * as a trust anchor.
+ * Use the parent to walk the tree to the root and build a certificate
+ * chain from cert->x509. Do not include the root node since this node
+ * should already be in the X509_STORE as a trust anchor.
 */
 static void
 build_chain(const struct auth *a, STACK_OF(X509) **chain)
@@ -439,20 +438,24 @@ build_chain(const struct auth *a, STACK_OF(X509) **chain)
 }
 }

-/* use the parent (id) to walk the tree to the root and
- build a stack of CRLs */
+/*
+ * Add the CRL based on the certs SKI value.
+ * No need to insert any other CRL since those were already checked.
+ */
 static void
 build_crls(const struct auth *a, struct crl_tree *crlt,
 STACK_OF(X509_CRL) **crls)
 {
 struct crl find, *found;

- if ((*crls = sk_X509_CRL_new_null()) == NULL)
- errx(1, "sk_X509_CRL_new_null");
+ *crls = NULL;

 if (a == NULL)
 return;

+ if ((*crls = sk_X509_CRL_new_null()) == NULL)
+ errx(1, "sk_X509_CRL_new_null");
+
 find.aki = a->cert->ski;
 found = RB_FIND(crl_tree, crlt, &find);
 if (found && !sk_X509_CRL_push(*crls, found->x509_crl))
--
2.20.1
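Review bot: The new header comment on build_crls() leaves out the return contract this change introduces: `*crls` is now NULL when `a` is NULL, and otherwise a stack that is empty when RB_FIND finds no CRL keyed by the cert's SKI. The stack also borrows `found->x509_crl` from the tree, since it is pushed without taking a reference, so callers presumably have to release it with `sk_X509_CRL_free()` rather than a pop-free; the callers are outside this hunk, so that needs confirming. I would add a line such as `* On return *crls is NULL if a is NULL, else a stack holding at most one CRL that is still owned by crlt.` and change "certs" to "cert's". Whether a NULL or empty stack makes revocation checking fail closed depends on the verify flags the callers set, which this hunk does not show. The body of build_crls() continues past the end of the hunk.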