From 7cdd491f062abed9dba71d7c9c05f6ef8d0987a3 Mon Sep 17 00:00:00 2001 From: claudio Date: Thu, 10 Feb 2022 17:33:28 +0000 Subject: [PATCH] Fix serial number printing in crl_print() for large serials. Create a common x509_convert_seqnum() function to convert the various ASN1_INTEGERs into hexnumbers and use this for mft and crl handling. With and OK tb@, also OK job@ --- usr.sbin/rpki-client/extern.h | 3 ++- usr.sbin/rpki-client/mft.c | 28 +++-------------------- usr.sbin/rpki-client/print.c | 23 ++++++++++++++----- usr.sbin/rpki-client/x509.c | 42 ++++++++++++++++++++++++++++++++++- 4 files changed, 64 insertions(+), 32 deletions(-) diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 277a7bb2c74..69d2872dd94 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.119 2022/02/10 15:33:47 claudio Exp $ */ +/* $OpenBSD: extern.h,v 1.120 2022/02/10 17:33:28 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -586,6 +586,7 @@ char *x509_crl_get_aki(X509_CRL *, const char *); char *x509_get_pubkey(X509 *, const char *); enum cert_purpose x509_get_purpose(X509 *, const char *); int x509_get_time(const ASN1_TIME *, time_t *); +char *x509_convert_seqnum(const char *, const ASN1_INTEGER *); /* printers */ char *time2str(time_t); diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c index 30014dc5dd4..fb00d19dc0b 100644 --- a/usr.sbin/rpki-client/mft.c +++ b/usr.sbin/rpki-client/mft.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mft.c,v 1.52 2022/01/28 15:30:23 claudio Exp $ */ +/* $OpenBSD: mft.c,v 1.53 2022/02/10 17:33:28 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -297,7 +297,6 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) const ASN1_TYPE *t; const ASN1_GENERALIZEDTIME *from, *until; long mft_version; - BIGNUM *mft_seqnum = NULL; int i = 0, rc = 0; if ((seq = d2i_ASN1_SEQUENCE_ANY(NULL, &d, dsz)) == NULL) { 
@@ -345,29 +344,9 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) goto out; } - mft_seqnum = ASN1_INTEGER_to_BN(t->value.integer, NULL); - if (mft_seqnum == NULL) { - warnx("%s: ASN1_INTEGER_to_BN error", p->fn); + p->res->seqnum = x509_convert_seqnum(p->fn, t->value.integer); + if (p->res->seqnum == NULL) goto out; - } - - if (BN_is_negative(mft_seqnum)) { - warnx("%s: RFC 6486 section 4.2.1: manifestNumber: " - "want positive integer, have negative.", p->fn); - goto out; - } - - if (BN_num_bytes(mft_seqnum) > 20) { - warnx("%s: RFC 6486 section 4.2.1: manifestNumber: " - "want 20 or less than octets, have more.", p->fn); - goto out; - } - - p->res->seqnum = BN_bn2hex(mft_seqnum); - if (p->res->seqnum == NULL) { - warnx("%s: BN_bn2hex error", p->fn); - goto out; - } /* * Timestamps: this and next update time. @@ -433,7 +412,6 @@ mft_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) rc = 1; out: sk_ASN1_TYPE_pop_free(seq, ASN1_TYPE_free); - BN_free(mft_seqnum); return rc; } diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c index 958a87a7c56..c9ca62be178 100644 --- a/usr.sbin/rpki-client/print.c +++ b/usr.sbin/rpki-client/print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: print.c,v 1.4 2022/02/10 15:33:47 claudio Exp $ */ +/* $OpenBSD: print.c,v 1.5 2022/02/10 17:33:28 claudio Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons 
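Review bot: The warnings removed from mft_parse_econtent cited "RFC 6486 section 4.2.1: manifestNumber", and the generic x509_convert_seqnum() message that replaces them cannot carry that reference, so it should survive as a comment above the new call: `/* RFC 6486 section 4.2.1: manifestNumber is a positive integer of at most 20 octets. */`. Note also that x509_convert_seqnum() returns NULL without warning when it is handed a NULL ASN1_INTEGER, so the bare `goto out` after it relies on t->value.integer already having been validated as non-NULL, which this hunk does not show. mft_parse_econtent starts and ends outside the hunk; the later hunk at -433 only drops the matching BN_free().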
@@ -132,11 +132,20 @@ crl_print(const struct crl *p) { STACK_OF(X509_REVOKED) *revlist; X509_REVOKED *rev; + ASN1_INTEGER *crlnum; int i; - long serial; + char *serial; time_t t; printf("Authority key identifier: %s\n", pretty_key_id(p->aki)); + + crlnum = X509_CRL_get_ext_d2i(p->x509_crl, NID_crl_number, NULL, NULL); + serial = x509_convert_seqnum(__func__, crlnum); + if (serial != NULL) + printf("CRL Serial Number: %s\n", serial); + free(serial); + ASN1_INTEGER_free(crlnum); + printf("CRL valid since: %s\n", time2str(p->issued)); printf("CRL valid until: %s\n", time2str(p->expires)); @@ -145,10 +154,14 @@ crl_print(const struct crl *p) if (i == 0) printf("Revoked Certificates:\n"); rev = sk_X509_REVOKED_value(revlist, i); - serial = ASN1_INTEGER_get(X509_REVOKED_get0_serialNumber(rev)); + + serial = x509_convert_seqnum(__func__, + X509_REVOKED_get0_serialNumber(rev)); x509_get_time(X509_REVOKED_get0_revocationDate(rev), &t); - printf(" Serial: %8lx\tRevocation Date: %s\n", serial, - time2str(t)); + if (serial != NULL) + printf(" Serial: %8s Revocation Date: %s\n", + serial, time2str(t)); + free(serial); } if (i == 0) printf("No Revoked Certificates\n"); diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c index 7e1b855129f..43abbdbfd47 100644 --- a/usr.sbin/rpki-client/x509.c +++ b/usr.sbin/rpki-client/x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.c,v 1.35 2022/02/10 15:33:47 claudio Exp $ */ +/* $OpenBSD: x509.c,v 1.36 2022/02/10 17:33:28 claudio Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons 
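Review bot: Both new calls in crl_print pass `__func__` as the `fn` argument of x509_convert_seqnum(), so any warning it emits reads "crl_print: ..." and never identifies which CRL carried the bad number; if `struct crl` has the file name available, pass that instead, otherwise a short comment that the warning is deliberately unattributed would help the next reader. In the first hunk X509_CRL_get_ext_d2i() returns NULL when the cRLNumber extension is absent or undecodable and x509_convert_seqnum() maps a NULL integer to a silent NULL, so the line just disappears from the output; an `else printf("CRL Serial Number: (none)\n");` would make the absence visible. In the second hunk the unchecked `x509_get_time(...)` on the context line leaves `t` uninitialized if it can return 0, and the new `if (serial != NULL)` guard would be the natural place to fold that result in, e.g. `if (serial != NULL && x509_get_time(X509_REVOKED_get0_revocationDate(rev), &t))`. crl_print continues past the end of the hunk.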
@@ -494,3 +494,43 @@ x509_get_time(const ASN1_TIME *at, time_t *t)
 errx(1, "mktime failed");
 return 1;
 }
+
+/*
+ * Convert an ASN1_INTEGER into a hexstring.
+ * Returned string needs to be freed by the caller.
+ */
+char *
+x509_convert_seqnum(const char *fn, const ASN1_INTEGER *i)
+{
+ BIGNUM *seqnum = NULL;
+ char *s = NULL;
+
+ if (i == NULL)
+ goto out;
+
+ seqnum = ASN1_INTEGER_to_BN(i, NULL);
+ if (seqnum == NULL) {
+ warnx("%s: ASN1_INTEGER_to_BN error", fn);
+ goto out;
+ }
+
+ if (BN_is_negative(seqnum)) {
+ warnx("%s: %s: want positive integer, have negative.",
+ __func__, fn);
+ goto out;
+ }
+
+ if (BN_num_bytes(seqnum) > 20) {
+ warnx("%s: %s: want 20 octets or fewer, have more.",
+ __func__, fn);
+ goto out;
+ }
+
+ s = BN_bn2hex(seqnum);
+ if (s == NULL)
+ warnx("%s: BN_bn2hex error", fn);
+
+ out:
+ BN_free(seqnum);
+ return s;
+}
-- 2.20.1
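Review bot: The NULL-input path at `if (i == NULL) goto out;` returns NULL without any warning while every other failure path warns first, so a caller that treats NULL as an error (mft.c does) reports nothing in that case; the header comment should state it, e.g. `Warns and returns NULL on conversion failure; returns NULL silently when i is NULL.` The two range warnings prefix `__func__` before `fn` but the ASN1_INTEGER_to_BN and BN_bn2hex warnings do not, so the function emits two message formats; pick one. BN_num_bytes() counts the magnitude only, so if the 20-octet limit is meant in DER terms (RFC 5280 section 4.1.2.2) a value with its top bit set encodes to 21 octets yet passes; comparing `ASN1_STRING_length(i)` would match the encoded size. Zero also passes the "want positive integer" check because only BN_is_negative() is tested; adding `BN_is_zero(seqnum)` to that condition would close the gap if zero is meant to be rejected.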