This switches the cert parser to use d2i_X509 instead of the BIO versions.
--
:wq Claudio
Index: cert.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.40
diff -u -p -r1.40 cert.c
--- cert.c 23 Oct 2021 16:06:04 -0000 1.40
+++ cert.c 26 Oct 2021 11:32:12 -0000
@@ -976,7 +976,8 @@ out:
* is also dereferenced.
*/
static struct cert *
-cert_parse_inner(X509 **xp, const char *fn, int ta)
+cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der,
+ size_t len, int ta)
{
int rc = 0, extsz, c;
int sia_present = 0;
@@ -985,28 +986,19 @@ cert_parse_inner(X509 **xp, const char *
X509_EXTENSION *ext = NULL;
ASN1_OBJECT *obj;
struct parse p;
- BIO *bio = NULL;
- FILE *f;
*xp = NULL;
- if ((f = fopen(fn, "rb")) == NULL) {
- warn("%s", fn);
+ /* just fail for empty buffers, the warning was printed elsewhere */
+ if (der == NULL)
return NULL;
- }
-
- if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
- if (verbose > 0)
- cryptowarnx("%s: BIO_new_file", fn);
- return NULL;
- }
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
if ((p.res = calloc(1, sizeof(struct cert))) == NULL)
err(1, NULL);
- if ((x = *xp = d2i_X509_bio(bio, NULL)) == NULL) {
+ if ((x = *xp = d2i_X509(NULL, &der, len)) == NULL) {
cryptowarnx("%s: d2i_X509_bio", p.fn);
goto out;
}
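Review bot: The new d2i_X509() call accepts a buffer with trailing bytes after the certificate without complaint, because d2i_X509() only advances `der` to the end of the parsed structure and nothing compares it with `len`; since the input is an untrusted DER file, the parser should save the start pointer and reject any unconsumed remainder. The error message in the same block still reads `"%s: d2i_X509_bio"` although the BIO call is gone, so a failure would point at the wrong function; change it to `cryptowarnx("%s: d2i_X509", p.fn);`. Note also that d2i_X509() takes a `long` length while `len` is `size_t`; an explicit check that `len` fits, or a cast, documents that this narrowing is intended. cert_parse_inner() starts in the previous hunk and its body continues past this one.
```c
	const unsigned char *oder = der;	/* start of buffer, to detect trailing data */
	/* … unchanged: parse struct setup … */
	if ((x = *xp = d2i_X509(NULL, &der, len)) == NULL) {
		cryptowarnx("%s: d2i_X509", p.fn);
		goto out;
	}
	if (der != oder + len) {
		warnx("%s: %td bytes trailing garbage", p.fn, (oder + len) - der);
		goto out;
	}
```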
@@ -1144,7 +1136,6 @@ cert_parse_inner(X509 **xp, const char *
rc = 1;
out:
- BIO_free_all(bio);
if (rc == 0) {
cert_free(p.res);
X509_free(x);
@@ -1154,19 +1145,20 @@ out:
}
struct cert *
-cert_parse(X509 **xp, const char *fn)
+cert_parse(X509 **xp, const char *fn, const unsigned char *der, size_t len)
{
- return cert_parse_inner(xp, fn, 0);
+ return cert_parse_inner(xp, fn, der, len, 0);
}
struct cert *
-ta_parse(X509 **xp, const char *fn, const unsigned char *pkey, size_t pkeysz)
+ta_parse(X509 **xp, const char *fn, const unsigned char *der, size_t len,
+ const unsigned char *pkey, size_t pkeysz)
{
EVP_PKEY *pk = NULL, *opk = NULL;
struct cert *p;
int rc = 0;
- if ((p = cert_parse_inner(xp, fn, 1)) == NULL)
+ if ((p = cert_parse_inner(xp, fn, der, len, 1)) == NULL)
return NULL;
if (pkey != NULL) {
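Review bot: The new `der`/`len` parameters of the public entry points cert_parse() and ta_parse() have no documented contract: the caller keeps ownership of the buffer, it is never modified or advanced on the caller's side, and a NULL `der` makes the call return NULL without a diagnostic of its own (the "warning was printed elsewhere" case in cert_parse_inner()). Add a line to the comment block above each function, e.g. `* der/len: DER-encoded certificate owned by the caller; NULL yields NULL silently.`; those comment blocks and the remainder of ta_parse() lie outside this hunk.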
Index: extern.h
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.78
diff -u -p -r1.78 extern.h
--- extern.h 26 Oct 2021 10:52:49 -0000 1.78
+++ extern.h 26 Oct 2021 10:58:44 -0000
@@ -403,8 +403,10 @@ struct tal *tal_read(struct ibuf *);
void cert_buffer(struct ibuf *, const struct cert *);
void cert_free(struct cert *);
-struct cert *cert_parse(X509 **, const char *);
-struct cert *ta_parse(X509 **, const char *, const unsigned char *, size_t);
+struct cert *cert_parse(X509 **, const char *, const unsigned char *,
+ size_t);
+struct cert *ta_parse(X509 **, const char *, const unsigned char *, size_t,
+ const unsigned char *, size_t);
struct cert *cert_read(struct ibuf *);
void cert_insert_brks(struct brk_tree *, struct cert *);
Index: parser.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
retrieving revision 1.18
diff -u -p -r1.18 parser.c
--- parser.c 26 Oct 2021 10:52:50 -0000 1.18
+++ parser.c 26 Oct 2021 10:59:06 -0000
@@ -191,7 +191,8 @@ proc_parser_mft(struct entity *entp, con
* parse failure.
*/
static struct cert *
-proc_parser_cert(const struct entity *entp)
+proc_parser_cert(const struct entity *entp, const unsigned char *der,
+ size_t len)
{
struct cert *cert;
X509 *x509;
@@ -204,7 +205,7 @@ proc_parser_cert(const struct entity *en
/* Extract certificate data and X509. */
- cert = cert_parse(&x509, entp->file);
+ cert = cert_parse(&x509, entp->file, der, len);
if (cert == NULL)
return NULL;
@@ -282,7 +283,8 @@ proc_parser_cert(const struct entity *en
* parse failure.
*/
static struct cert *
-proc_parser_root_cert(const struct entity *entp)
+proc_parser_root_cert(const struct entity *entp, const unsigned char *der,
+ size_t len)
{
char subject[256];
ASN1_TIME *notBefore, *notAfter;
@@ -296,7 +298,7 @@ proc_parser_root_cert(const struct entit
/* Extract certificate data and X509. */
- cert = ta_parse(&x509, entp->file, entp->pkey, entp->pkeysz);
+ cert = ta_parse(&x509, entp->file, der, len, entp->pkey, entp->pkeysz);
if (cert == NULL)
return NULL;
@@ -561,7 +563,7 @@ parse_entity(struct entityq *q, struct m
io_simple_buffer(b, &entp->type, sizeof(entp->type));
f = NULL;
- if (entp->type != RTYPE_TAL && entp->type != RTYPE_CER) {
+ if (entp->type != RTYPE_TAL) {
f = load_file(entp->file, &flen);
if (f == NULL)
warn("%s", entp->file);
@@ -577,9 +579,9 @@ parse_entity(struct entityq *q, struct m
break;
case RTYPE_CER:
if (entp->has_pkey)
- cert = proc_parser_root_cert(entp);
+ cert = proc_parser_root_cert(entp, f, flen);
else
- cert = proc_parser_cert(entp);
+ cert = proc_parser_cert(entp, f, flen);
c = (cert != NULL);
io_simple_buffer(b, &c, sizeof(int));
if (cert != NULL)