From 78de35773665c96cc0dbb081f7ba59064bb221c2 Mon Sep 17 00:00:00 2001
From: tb
Date: Thu, 1 Feb 2024 15:11:38 +0000
Subject: [PATCH] Normalize the nid printing
OBJ_nid2* can return NULL if the gloriously consistent objects.txt database doesn't specify a long or a short name. So try the long name first, fall back to the short name, and if both fail, use "unknown". Always include the nid as a decimal. ok claudio
---
 usr.sbin/rpki-client/cert.c | 11 +++++------
 usr.sbin/rpki-client/cms.c | 6 +++---
 usr.sbin/rpki-client/crl.c | 5 ++---
 usr.sbin/rpki-client/extern.h | 3 ++-
 usr.sbin/rpki-client/print.c | 18 +++++++++++++++++-
 usr.sbin/rpki-client/validate.c | 4 ++--
 usr.sbin/rpki-client/x509.c | 8 ++++----
 7 files changed, 35 insertions(+), 20 deletions(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 9e113ce41a6..e528e927a78 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.122 2024/01/11 11:55:14 job Exp $ */
+/* $OpenBSD: cert.c,v 1.123 2024/02/01 15:11:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -647,7 +647,7 @@ certificate_policies(struct parse *p, X509_EXTENSION *ext)
 if ((nid = OBJ_obj2nid(qualifier->pqualid)) != NID_id_qt_cps) {
 warnx("%s: RFC 7318 section 2: certificatePolicies: "
- "want CPS, got %d (%s)", p->fn, nid, OBJ_nid2sn(nid));
+ "want CPS, got %s", p->fn, nid2str(nid));
 goto out;
 }
@@ -794,8 +794,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_sha256WithRSAEncryption) {
 warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid),
- OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ fn, nid2str(nid), LN_sha256WithRSAEncryption);
 goto out;
 }
@@ -970,8 +969,8 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 return p.res;
 dup:
- warnx("%s: RFC 5280 section 4.2: duplicate %s extension", fn,
- OBJ_nid2sn(nid));
+ warnx("%s: RFC 5280 section 4.2: duplicate extension: %s", fn,
+ nid2str(nid));
 out:
 cert_free(p.res);
 X509_free(x);
diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c
index 145f250b925..8b9485caac8 100644
--- a/usr.sbin/rpki-client/cms.c
+++ b/usr.sbin/rpki-client/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.41 2023/12/10 14:18:23 job Exp $ */
+/* $OpenBSD: cms.c,v 1.42 2024/02/01 15:11:38 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -259,7 +259,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 nid = OBJ_obj2nid(obj);
 if (nid != NID_sha256) {
 warnx("%s: RFC 6488: wrong digest %s, want %s", fn,
- OBJ_nid2ln(nid), OBJ_nid2ln(NID_sha256));
+ nid2str(nid), LN_sha256);
 goto out;
 }
 X509_ALGOR_get0(&obj, NULL, NULL, psig);
@@ -271,7 +271,7 @@ cms_parse_validate_internal(X509 **xp, const char *fn, const unsigned char *der,
 } else if (nid != NID_rsaEncryption &&
 nid != NID_sha256WithRSAEncryption) {
 warnx("%s: RFC 6488: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid), OBJ_nid2ln(NID_rsaEncryption));
+ fn, nid2str(nid), LN_rsaEncryption);
 goto out;
 }
diff --git a/usr.sbin/rpki-client/crl.c b/usr.sbin/rpki-client/crl.c
index 4b213a5107c..6ea592560e7 100644
--- a/usr.sbin/rpki-client/crl.c
+++ b/usr.sbin/rpki-client/crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crl.c,v 1.31 2024/01/18 14:34:26 job Exp $ */
+/* $OpenBSD: crl.c,v 1.32 2024/02/01 15:11:38 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -68,8 +68,7 @@ crl_parse(const char *fn, const unsigned char *der, size_t len)
 warnx("%s: P-256 support is experimental", fn);
 } else if (nid != NID_sha256WithRSAEncryption) {
 warnx("%s: RFC 7935: wrong signature algorithm %s, want %s",
- fn, OBJ_nid2ln(nid),
- OBJ_nid2ln(NID_sha256WithRSAEncryption));
+ fn, nid2str(nid), LN_sha256WithRSAEncryption);
 goto out;
 }
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 9912ebcf22a..0264ce64656 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.201 2024/01/31 06:57:21 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.202 2024/02/01 15:11:38 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -861,6 +861,7 @@ int x509_valid_subject(const char *, const X509 *);
 time_t x509_find_expires(time_t, struct auth *, struct crl_tree *);
 /* printers */
+char *nid2str(int);
 char *time2str(time_t);
 void x509_print(const X509 *);
 void tal_print(const struct tal *);
diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c
index 03112fe7bd2..9395cd00880 100644
--- a/usr.sbin/rpki-client/print.c
+++ b/usr.sbin/rpki-client/print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print.c,v 1.45 2024/01/18 14:34:26 job Exp $ */
+/* $OpenBSD: print.c,v 1.46 2024/02/01 15:11:38 tb Exp $ */
 /*
 * Copyright (c) 2021 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -49,6 +49,22 @@ pretty_key_id(const char *hex)
 return buf;
 }
+char *
+nid2str(int nid)
+{
+ static char buf[128];
+ const char *name;
+
+ if ((name = OBJ_nid2ln(nid)) == NULL)
+ name = OBJ_nid2sn(nid);
+ if (name == NULL)
+ name = "unknown";
+
+ snprintf(buf, sizeof(buf), "nid %d (%s)", nid, name);
+
+ return buf;
+}
+
 char *
 time2str(time_t t)
 {
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 0b4cfaa06c7..c0c4ee5e96e 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
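Review bot: nid2str() in the print.c hunk returns a pointer into `static char buf[128]`, and nothing documents that the next call overwrites the previous result. Every call site in this patch passes at most one nid2str() result per warnx(), so the output is correct today, but a later message that formats two nids in one call would print the same string twice. I would add a comment above the function such as `/* Returns a static buffer overwritten by the next call; never pass two nid2str() results to one warnx(). */`. Declaring it `const char *nid2str(int);` in extern.h would also stop callers from writing through the returned pointer.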
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.70 2024/01/07 09:48:03 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.71 2024/02/01 15:11:38 tb Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -665,7 +665,7 @@ valid_ca_pkey_ec(const char *fn, EVP_PKEY *pkey)
 nid = EC_GROUP_get_curve_name(group);
 if (nid != NID_X9_62_prime256v1) {
 if ((cname = EC_curve_nid2nist(nid)) == NULL)
- cname = nid2str(nid);
+ cname = nid2str(nid);
 warnx("%s: Expected P-256, got %s", fn, cname);
 return 0;
 }
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 38b1e5df1e5..dd0f3301723 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.76 2024/01/31 15:01:13 job Exp $ */
+/* $OpenBSD: x509.c,v 1.77 2024/02/01 15:11:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Claudio Jeker
@@ -362,7 +362,7 @@ x509_get_pubkey(X509 *x, const char *fn)
 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
 if (nid != NID_X9_62_prime256v1) {
 if ((cname = EC_curve_nid2nist(nid)) == NULL)
- cname = OBJ_nid2sn(nid);
+ cname = nid2str(nid);
 warnx("%s: Expected P-256, got %s", fn, cname);
 goto out;
 }
@@ -955,8 +955,8 @@ x509_valid_subject(const char *fn, const X509 *x)
 warnx("%s: OBJ_obj2nid failed", fn);
 return 0;
 default:
- warnx("%s: RFC 6487 section 4.5: unexpected attribute "
- "%d (%s)", fn, nid, OBJ_nid2ln(nid));
+ warnx("%s: RFC 6487 section 4.5: unexpected attribute"
+ " %s", fn, nid2str(nid));
 return 0;
 }
 }
-- 
2.20.1
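Review bot: The "Expected P-256" warning in valid_ca_pkey_ec (validate.c, @@ -665) now has two output shapes: a bare NIST name when EC_curve_nid2nist() succeeds, and `nid N (name)` only on the fallback. The commit message's "always include the nid" therefore does not hold on the first path, and the same pattern is in x509_get_pubkey (x509.c, @@ -362). If one format is wanted for anyone matching these warnings in logs, drop the cname lookup and call `warnx("%s: Expected P-256, got %s", fn, nid2str(nid));` directly. If the NIST name is preferred when available, a short comment saying so would do. Both functions start and end outside their hunks, so the declaration of cname is not visible here.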