From 7793203b0d96fb398f56b84dc63d1b5f7c9d0765 Mon Sep 17 00:00:00 2001
From: tb
Date: Thu, 16 Nov 2023 11:10:59 +0000
Subject: [PATCH] Add a helper to extrct the CRL Number from a crl

ok claudio
---
 usr.sbin/rpki-client/extern.h | 4 +++-
 usr.sbin/rpki-client/x509.c | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 52df7f8e06d..e33c0e1018f 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.193 2023/10/13 12:06:49 job Exp $ */
+/* $OpenBSD: extern.h,v 1.194 2023/11/16 11:10:59 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -432,6 +432,7 @@ RB_PROTOTYPE(brk_tree, brk, entry, brkcmp);
 struct crl {
 RB_ENTRY(crl) entry;
 char *aki;
+ char *number;
 X509_CRL *x509_crl;
 time_t lastupdate; /* do not use before */
 time_t nextupdate; /* do not use after */
@@ -847,6 +848,7 @@ int x509_get_notbefore(X509 *, const char *, time_t *);
 int x509_get_notafter(X509 *, const char *, time_t *);
 int x509_get_crl(X509 *, const char *, char **);
 char *x509_crl_get_aki(X509_CRL *, const char *);
+char *x509_crl_get_number(X509_CRL *, const char *);
 char *x509_get_pubkey(X509 *, const char *);
 enum cert_purpose x509_get_purpose(X509 *, const char *);
 int x509_get_time(const ASN1_TIME *, time_t *);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 9a3b637a035..5a06568f209 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.74 2023/09/12 09:33:30 job Exp $ */
+/* $OpenBSD: x509.c,v 1.75 2023/11/16 11:10:59 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Claudio Jeker
@@ -805,6 +805,36 @@ out:
 return res;
 }
 
+/*
+ * Retrieve CRL Number extension. Returns a printable hexadecimal representation
+ * of the number which has to be freed after use.
+ */
+char *
+x509_crl_get_number(X509_CRL *crl, const char *fn)
+{
+ ASN1_INTEGER *aint;
+ int crit;
+ char *res = NULL;
+
+ aint = X509_CRL_get_ext_d2i(crl, NID_crl_number, &crit, NULL);
+ if (aint == NULL) {
+ warnx("%s: RFC 6487 section 5: CRL Number missing", fn);
+ return NULL;
+ }
+ if (crit != 0) {
+ warnx("%s: RFC 5280, section 5.2.3: "
+ "CRL Number not non-critical", fn);
+ goto out;
+ }
+
+ /* This checks that the number is non-negative and <= 20 bytes. */
+ res = x509_convert_seqnum(fn, aint);
+
+ out:
+ ASN1_INTEGER_free(aint);
+ return res;
+}
+
 /*
  * Convert passed ASN1_TIME to time_t *t.
  * Returns 1 on success and 0 on failure.
-- 
2.20.1
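Review bot: The `aint == NULL` branch in x509_crl_get_number reports "CRL Number missing" for every NULL return, but X509_CRL_get_ext_d2i also returns NULL when the extension is present and fails to decode, or (with a NULL idx) occurs more than once; in those cases `crit` is not -1, so the diagnostic misattributes a malformed or duplicated extension as an absent one, which matters when operators read these warnings to triage a rejected CRL. Distinguishing the cases before the existing warning keeps the contract of the helper unchanged while making the log accurate: `if (crit != -1) { warnx("%s: RFC 6487 section 5: CRL Number malformed or duplicated", fn); return NULL; }`. Separately, the header comment documents the return value but not `fn`; suggest adding `fn is the file name used as a prefix in warnings.` so callers know the second argument is purely diagnostic. The phrase "not non-critical" in the second warning is a double negative; `CRL Number must be non-critical` says the same thing more plainly if the string is revisited.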