On Tue, Jan 18, 2022 at 05:39:07PM +0100, Claudio Jeker wrote:
> On Tue, Jan 18, 2022 at 05:20:45PM +0100, Theo Buehler wrote:
> > On Tue, Jan 18, 2022 at 04:16:17PM +0100, Claudio Jeker wrote:
> > > This diff cleans up cert.c a bit.
> > >
> > > It removes the X509 handle from cert_parse() and ta_parse(). Callers
> > > should instead use cert->x509. No need to double the work on us here.
> >
> > I never understood the point of this handle and I know I chased it down
> > several times since it confused me. Glad to see it go.
> >
> > > While there switch auth_insert() to a void function. This function can
> > > not fail. Again the result is simpler code in parser.c
> >
> > To save anton some work: the signature change of *_parse() will need
> > adjustments in regress. With those,
>
> Will have a look.
>
> > > - if ((opk = X509_get_pubkey(*xp)) == NULL)
> > > + if ((opk = X509_get_pubkey(p->x509)) == NULL)
> >
> > You could switch this to X509_get0_pubkey() and get rid of the
> > EVP_PKEY_free(opk) a few lines down.
> >
>
> Like this?
ok
>
> --
> :wq Claudio
>
> Index: cert.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> retrieving revision 1.51
> diff -u -p -r1.51 cert.c
> --- cert.c 18 Jan 2022 16:36:49 -0000 1.51
> +++ cert.c 18 Jan 2022 16:38:15 -0000
> @@ -1168,7 +1168,7 @@ ta_parse(const char *fn, const unsigned
> pk = d2i_PUBKEY(NULL, &pkey, pkeysz);
> assert(pk != NULL);
>
> - if ((opk = X509_get_pubkey(p->x509)) == NULL)
> + if ((opk = X509_get0_pubkey(p->x509)) == NULL)
> cryptowarnx("%s: RFC 6487 (trust anchor): "
> "missing pubkey", fn);
> else if (EVP_PKEY_cmp(pk, opk) != 1)
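Review bot: the switch to X509_get0_pubkey() at the `opk` assignment changes ownership: the returned EVP_PKEY is borrowed from `p->x509` rather than reference-counted, so `opk` must not be freed and must not be used after `p->x509` is released. Both uses here, the NULL check and the EVP_PKEY_cmp(pk, opk) against the decoded TA key, happen while `p->x509` is alive, so this is fine as long as the matching EVP_PKEY_free(opk) is dropped in the same change.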
> @@ -1178,7 +1178,6 @@ ta_parse(const char *fn, const unsigned
> rc = 1;
>
> EVP_PKEY_free(pk);
> - EVP_PKEY_free(opk);
> }
>
> if (rc == 0) {
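Review bot: dropping `EVP_PKEY_free(opk)` here is the required counterpart to the get0 change above, since freeing a borrowed key would corrupt the X509's own reference; `pk` still comes from d2i_PUBKEY() and is correctly still freed. Worth a quick grep that no other exit path in ta_parse() (error or cleanup label) still frees `opk`, as any remaining free would now be a use of memory owned by `p->x509`.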