openssl 3.3.2 → 4.0.0

data/ext/openssl/ossl_ts.c

@@ -103,7 +103,7 @@ static  const rb_data_type_t ossl_ts_resp_type = {
 static void
 ossl_ts_token_info_free(void *ptr)
 {
-        TS_TST_INFO_free(ptr);
+    TS_TST_INFO_free(ptr);
 }
 
 static const rb_data_type_t ossl_ts_token_info_type = {
@@ -132,44 +132,10 @@ asn1_to_der(void *template, int (*i2d)(void *template, unsigned char **pp))
     return str;
 }
 
-static ASN1_OBJECT*
-obj_to_asn1obj(VALUE obj)
-{
-    ASN1_OBJECT *a1obj;
-
-    StringValue(obj);
-    a1obj = OBJ_txt2obj(RSTRING_PTR(obj), 0);
-    if(!a1obj) a1obj = OBJ_txt2obj(RSTRING_PTR(obj), 1);
-    if(!a1obj) ossl_raise(eASN1Error, "invalid OBJECT ID");
-
-    return a1obj;
-}
-
 static VALUE
 obj_to_asn1obj_i(VALUE obj)
 {
-    return (VALUE)obj_to_asn1obj(obj);
-}
-
-static VALUE
-get_asn1obj(ASN1_OBJECT *obj)
-{
-    BIO *out;
-    VALUE ret;
-    int nid;
-    if ((nid = OBJ_obj2nid(obj)) != NID_undef)
-        ret = rb_str_new2(OBJ_nid2sn(nid));
-    else{
-        if (!(out = BIO_new(BIO_s_mem())))
-            ossl_raise(eTimestampError, "BIO_new(BIO_s_mem())");
-        if (i2a_ASN1_OBJECT(out, obj) <= 0) {
-            BIO_free(out);
-            ossl_raise(eTimestampError, "i2a_ASN1_OBJECT");
-        }
-        ret = ossl_membio2str(out);
-    }
-
-    return ret;
+    return (VALUE)ossl_to_asn1obj(obj);
 }
 
 static VALUE
@@ -236,11 +202,13 @@ ossl_ts_req_get_algorithm(VALUE self)
     TS_REQ *req;
     TS_MSG_IMPRINT *mi;
     X509_ALGOR *algor;
+    const ASN1_OBJECT *obj;
 
     GetTSRequest(self, req);
     mi = TS_REQ_get_msg_imprint(req);
     algor = TS_MSG_IMPRINT_get_algo(mi);
-    return get_asn1obj(algor->algorithm);
+    X509_ALGOR_get0(&obj, NULL, NULL, algor);
+    return ossl_asn1obj_to_string(obj);
 }
 
 /*
@@ -262,7 +230,7 @@ ossl_ts_req_set_algorithm(VALUE self, VALUE algo)
     X509_ALGOR *algor;
 
     GetTSRequest(self, req);
-    obj = obj_to_asn1obj(algo);
+    obj = ossl_to_asn1obj(algo);
     mi = TS_REQ_get_msg_imprint(req);
     algor = TS_MSG_IMPRINT_get_algo(mi);
     if (!X509_ALGOR_set0(algor, obj, V_ASN1_NULL, NULL)) {
@@ -291,7 +259,7 @@ ossl_ts_req_get_msg_imprint(VALUE self)
     mi = TS_REQ_get_msg_imprint(req);
     hashed_msg = TS_MSG_IMPRINT_get_msg(mi);
 
-    ret = rb_str_new((const char *)hashed_msg->data, hashed_msg->length);
+    ret = asn1str_to_str(hashed_msg);
 
     return ret;
 }
@@ -369,7 +337,7 @@ ossl_ts_req_get_policy_id(VALUE self)
     GetTSRequest(self, req);
     if (!TS_REQ_get_policy_id(req))
         return Qnil;
-    return get_asn1obj(TS_REQ_get_policy_id(req));
+    return ossl_asn1obj_to_string(TS_REQ_get_policy_id(req));
 }
 
 /*
@@ -392,7 +360,7 @@ ossl_ts_req_set_policy_id(VALUE self, VALUE oid)
     int ok;
 
     GetTSRequest(self, req);
-    obj = obj_to_asn1obj(oid);
+    obj = ossl_to_asn1obj(oid);
     ok = TS_REQ_set_policy_id(req, obj);
     ASN1_OBJECT_free(obj);
     if (!ok)
@@ -490,17 +458,19 @@ ossl_ts_req_to_der(VALUE self)
     TS_REQ *req;
     TS_MSG_IMPRINT *mi;
     X509_ALGOR *algo;
+    const ASN1_OBJECT *obj;
     ASN1_OCTET_STRING *hashed_msg;
 
     GetTSRequest(self, req);
     mi = TS_REQ_get_msg_imprint(req);
 
     algo = TS_MSG_IMPRINT_get_algo(mi);
-    if (OBJ_obj2nid(algo->algorithm) == NID_undef)
+    X509_ALGOR_get0(&obj, NULL, NULL, algo);
+    if (OBJ_obj2nid(obj) == NID_undef)
         ossl_raise(eTimestampError, "Message imprint missing algorithm");
 
     hashed_msg = TS_MSG_IMPRINT_get_msg(mi);
-    if (!hashed_msg->length)
+    if (!ASN1_STRING_length(hashed_msg))
         ossl_raise(eTimestampError, "Message imprint missing hashed message");
 
     return asn1_to_der((void *)req, (int (*)(void *, unsigned char **))i2d_TS_REQ);
@@ -620,14 +590,7 @@ ossl_ts_resp_get_failure_info(VALUE self)
 {
     TS_RESP *resp;
     TS_STATUS_INFO *si;
-
-    /* The ASN1_BIT_STRING_get_bit changed from 1.0.0. to 1.1.0, making this
-     * const. */
-    #if defined(HAVE_TS_STATUS_INFO_GET0_FAILURE_INFO)
     const ASN1_BIT_STRING *fi;
-    #else
-    ASN1_BIT_STRING *fi;
-    #endif
 
     GetTSResponse(self, resp);
     si = TS_RESP_get_status_info(resp);
@@ -858,16 +821,26 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)
         X509_up_ref(cert);
     }
 
+    if (!X509_STORE_up_ref(x509st)) {
+        sk_X509_pop_free(x509inter, X509_free);
+        TS_VERIFY_CTX_free(ctx);
+        ossl_raise(eTimestampError, "X509_STORE_up_ref");
+    }
+
+#ifdef HAVE_TS_VERIFY_CTX_SET0_CERTS
+    TS_VERIFY_CTX_set0_certs(ctx, x509inter);
+    TS_VERIFY_CTX_set0_store(ctx, x509st);
+#else
+# if OSSL_OPENSSL_PREREQ(3, 0, 0) || OSSL_IS_LIBRESSL
     TS_VERIFY_CTX_set_certs(ctx, x509inter);
-    TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
+# else
+    TS_VERIFY_CTS_set_certs(ctx, x509inter);
+# endif
     TS_VERIFY_CTX_set_store(ctx, x509st);
+#endif
+    TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);
 
     ok = TS_RESP_verify_response(ctx, resp);
-    /*
-     * TS_VERIFY_CTX_set_store() call above does not increment the reference
-     * counter, so it must be unset before TS_VERIFY_CTX_free() is called.
-     */
-    TS_VERIFY_CTX_set_store(ctx, NULL);
     TS_VERIFY_CTX_free(ctx);
 
     if (!ok)
@@ -954,7 +927,7 @@ ossl_ts_token_info_get_policy_id(VALUE self)
     TS_TST_INFO *info;
 
     GetTSTokenInfo(self, info);
-    return get_asn1obj(TS_TST_INFO_get_policy_id(info));
+    return ossl_asn1obj_to_string(TS_TST_INFO_get_policy_id(info));
 }
 
 /*
@@ -976,11 +949,13 @@ ossl_ts_token_info_get_algorithm(VALUE self)
     TS_TST_INFO *info;
     TS_MSG_IMPRINT *mi;
     X509_ALGOR *algo;
+    const ASN1_OBJECT *obj;
 
     GetTSTokenInfo(self, info);
     mi = TS_TST_INFO_get_msg_imprint(info);
     algo = TS_MSG_IMPRINT_get_algo(mi);
-    return get_asn1obj(algo->algorithm);
+    X509_ALGOR_get0(&obj, NULL, NULL, algo);
+    return ossl_asn1obj_to_string(obj);
 }
 
 /*
@@ -1006,7 +981,7 @@ ossl_ts_token_info_get_msg_imprint(VALUE self)
     GetTSTokenInfo(self, info);
     mi = TS_TST_INFO_get_msg_imprint(info);
     hashed_msg = TS_MSG_IMPRINT_get_msg(mi);
-    ret = rb_str_new((const char *)hashed_msg->data, hashed_msg->length);
+    ret = asn1str_to_str(hashed_msg);
 
     return ret;
 }
@@ -1146,9 +1121,14 @@ ossl_tsfac_time_cb(struct TS_resp_ctx *ctx, void *data, time_t *sec, long *usec)
 }
 
 static VALUE
-ossl_evp_get_digestbyname_i(VALUE arg)
+ossl_evp_md_fetch_i(VALUE args_)
 {
-    return (VALUE)ossl_evp_get_digestbyname(arg);
+    VALUE *args = (VALUE *)args_, md_holder;
+    const EVP_MD *md;
+
+    md = ossl_evp_md_fetch(args[1], &md_holder);
+    rb_ary_push(args[0], md_holder);
+    return (VALUE)md;
 }
 
 static VALUE
@@ -1184,7 +1164,8 @@ ossl_obj2bio_i(VALUE arg)
 static VALUE
 ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request)
 {
-    VALUE serial_number, def_policy_id, gen_time, additional_certs, allowed_digests;
+    VALUE serial_number, def_policy_id, gen_time, additional_certs,
+          allowed_digests, allowed_digests_tmp = Qnil;
     VALUE str;
     STACK_OF(X509) *inter_certs;
     VALUE tsresp, ret = Qnil;
@@ -1245,7 +1226,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request)
     if (rb_obj_is_kind_of(additional_certs, rb_cArray)) {
         inter_certs = ossl_protect_x509_ary2sk(additional_certs, &status);
         if (status)
-                goto end;
+            goto end;
 
         /* this dups the sk_X509 and ups each cert's ref count */
         TS_RESP_CTX_set_certs(ctx, inter_certs);
@@ -1261,16 +1242,18 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request)
 
     allowed_digests = ossl_tsfac_get_allowed_digests(self);
     if (rb_obj_is_kind_of(allowed_digests, rb_cArray)) {
-        int i;
-        VALUE rbmd;
-        const EVP_MD *md;
-
-        for (i = 0; i < RARRAY_LEN(allowed_digests); i++) {
-            rbmd = rb_ary_entry(allowed_digests, i);
-            md = (const EVP_MD *)rb_protect(ossl_evp_get_digestbyname_i, rbmd, &status);
+        allowed_digests_tmp = rb_ary_new_capa(RARRAY_LEN(allowed_digests));
+        for (long i = 0; i < RARRAY_LEN(allowed_digests); i++) {
+            VALUE args[] = {
+                allowed_digests_tmp,
+                rb_ary_entry(allowed_digests, i),
+            };
+            const EVP_MD *md = (const EVP_MD *)rb_protect(ossl_evp_md_fetch_i,
+                                                          (VALUE)args, &status);
             if (status)
                 goto end;
-            TS_RESP_CTX_add_md(ctx, md);
+            if (!TS_RESP_CTX_add_md(ctx, md))
+                goto end;
         }
     }
 
@@ -1284,6 +1267,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request)
 
     response = TS_RESP_create_response(ctx, req_bio);
     BIO_free(req_bio);
+    RB_GC_GUARD(allowed_digests_tmp);
 
     if (!response) {
         err_msg = "Error during response generation";
@@ -1297,7 +1281,7 @@ ossl_tsfac_create_ts(VALUE self, VALUE key, VALUE certificate, VALUE request)
     SetTSResponse(tsresp, response);
     ret = tsresp;
 
-end:
+  end:
     ASN1_INTEGER_free(asn1_serial);
     ASN1_OBJECT_free(def_policy_id_obj);
     TS_RESP_CTX_free(ctx);
@@ -1314,10 +1298,6 @@ end:
 void
 Init_ossl_ts(void)
 {
-    #if 0
-    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
-    #endif
-
     /*
      * Possible return value for +Response#failure_info+. Indicates that the
      * timestamp server rejects the message imprint algorithm used in the
@@ -1527,65 +1507,39 @@ Init_ossl_ts(void)
      *      fac.default_policy_id = '1.2.3.4.5'
      *      fac.additional_certificates = [ inter1, inter2 ]
      *      timestamp = fac.create_timestamp(p12.key, p12.certificate, req)
-     *
-     * ==Attributes
-     *
-     * ===default_policy_id
+     */
+    cTimestampFactory = rb_define_class_under(mTimestamp, "Factory", rb_cObject);
+    /*
+     * The list of digest algorithms that the factory is allowed
+     * create timestamps for. Known vulnerable or weak algorithms should not be
+     * allowed where possible. Must be an Array of String or OpenSSL::Digest
+     * subclass instances.
+     */
+    rb_attr(cTimestampFactory, rb_intern_const("allowed_digests"), 1, 1, 0);
+    /*
+     * A String representing the default policy object identifier, or +nil+.
      *
      * Request#policy_id will always be preferred over this if present in the
-     * Request, only if Request#policy_id is nil default_policy will be used.
+     * Request, only if Request#policy_id is +nil+ default_policy will be used.
      * If none of both is present, a TimestampError will be raised when trying
      * to create a Response.
-     *
-     * call-seq:
-     *       factory.default_policy_id = "string" -> string
-     *       factory.default_policy_id            -> string or nil
-     *
-     * ===serial_number
-     *
-     * Sets or retrieves the serial number to be used for timestamp creation.
-     * Must be present for timestamp creation.
-     *
-     * call-seq:
-     *       factory.serial_number = number -> number
-     *       factory.serial_number          -> number or nil
-     *
-     * ===gen_time
-     *
-     * Sets or retrieves the Time value to be used in the Response. Must be
-     * present for timestamp creation.
-     *
-     * call-seq:
-     *       factory.gen_time = Time -> Time
-     *       factory.gen_time        -> Time or nil
-     *
-     * ===additional_certs
-     *
-     * Sets or retrieves additional certificates apart from the timestamp
-     * certificate (e.g. intermediate certificates) to be added to the Response.
-     * Must be an Array of OpenSSL::X509::Certificate.
-     *
-     * call-seq:
-     *       factory.additional_certs = [cert1, cert2] -> [ cert1, cert2 ]
-     *       factory.additional_certs                  -> array or nil
-     *
-     * ===allowed_digests
-     *
-     * Sets or retrieves the digest algorithms that the factory is allowed
-     * create timestamps for. Known vulnerable or weak algorithms should not be
-     * allowed where possible.
-     * Must be an Array of String or OpenSSL::Digest subclass instances.
-     *
-     * call-seq:
-     *       factory.allowed_digests = ["sha1", OpenSSL::Digest.new('SHA256').new] -> [ "sha1", OpenSSL::Digest) ]
-     *       factory.allowed_digests                                               -> array or nil
-     *
      */
-    cTimestampFactory = rb_define_class_under(mTimestamp, "Factory", rb_cObject);
-    rb_attr(cTimestampFactory, rb_intern_const("allowed_digests"), 1, 1, 0);
     rb_attr(cTimestampFactory, rb_intern_const("default_policy_id"), 1, 1, 0);
+    /*
+     * The serial number to be used for timestamp creation. Must be present for
+     * timestamp creation. Must be an instance of OpenSSL::BN or Integer.
+     */
     rb_attr(cTimestampFactory, rb_intern_const("serial_number"), 1, 1, 0);
+    /*
+     * The Time value to be used in the Response. Must be present for timestamp
+     * creation.
+     */
     rb_attr(cTimestampFactory, rb_intern_const("gen_time"), 1, 1, 0);
+    /*
+     * Additional certificates apart from the timestamp certificate (e.g.
+     * intermediate certificates) to be added to the Response.
+     * Must be an Array of OpenSSL::X509::Certificate, or +nil+.
+     */
     rb_attr(cTimestampFactory, rb_intern_const("additional_certs"), 1, 1, 0);
     rb_define_method(cTimestampFactory, "create_timestamp", ossl_tsfac_create_ts, 3);
 }

data/ext/openssl/ossl_x509.c

@@ -13,7 +13,8 @@ VALUE mX509;
 
 #define DefX509Const(x) rb_define_const(mX509, #x, INT2NUM(X509_##x))
 #define DefX509Default(x,i) \
-  rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
+    rb_define_const(mX509, "DEFAULT_" #x, \
+                    rb_obj_freeze(rb_str_new_cstr(X509_get_default_##i())))
 
 ASN1_TIME *
 ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
@@ -29,10 +30,6 @@ ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
 void
 Init_ossl_x509(void)
 {
-#if 0
-    mOSSL = rb_define_module("OpenSSL");
-#endif
-
     mX509 = rb_define_module_under(mOSSL, "X509");
 
     Init_ossl_x509attr();
@@ -48,9 +45,7 @@ Init_ossl_x509(void)
 
     /* Certificate verification error code */
     DefX509Const(V_OK);
-#if defined(X509_V_ERR_UNSPECIFIED) /* 1.0.1r, 1.0.2f, 1.1.0 */
     DefX509Const(V_ERR_UNSPECIFIED);
-#endif
     DefX509Const(V_ERR_UNABLE_TO_GET_ISSUER_CERT);
     DefX509Const(V_ERR_UNABLE_TO_GET_CRL);
     DefX509Const(V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE);
@@ -104,10 +99,10 @@ Init_ossl_x509(void)
     DefX509Const(V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX);
     DefX509Const(V_ERR_UNSUPPORTED_NAME_SYNTAX);
     DefX509Const(V_ERR_CRL_PATH_VALIDATION_ERROR);
-#if defined(X509_V_ERR_PATH_LOOP)
+#if defined(X509_V_ERR_PATH_LOOP) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_PATH_LOOP);
 #endif
-#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION)
+#if defined(X509_V_ERR_SUITE_B_INVALID_VERSION) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_SUITE_B_INVALID_VERSION);
     DefX509Const(V_ERR_SUITE_B_INVALID_ALGORITHM);
     DefX509Const(V_ERR_SUITE_B_INVALID_CURVE);
@@ -118,27 +113,21 @@ Init_ossl_x509(void)
     DefX509Const(V_ERR_HOSTNAME_MISMATCH);
     DefX509Const(V_ERR_EMAIL_MISMATCH);
     DefX509Const(V_ERR_IP_ADDRESS_MISMATCH);
-#if defined(X509_V_ERR_DANE_NO_MATCH)
+#if defined(X509_V_ERR_DANE_NO_MATCH) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_DANE_NO_MATCH);
 #endif
-#if defined(X509_V_ERR_EE_KEY_TOO_SMALL)
     DefX509Const(V_ERR_EE_KEY_TOO_SMALL);
     DefX509Const(V_ERR_CA_KEY_TOO_SMALL);
     DefX509Const(V_ERR_CA_MD_TOO_WEAK);
-#endif
-#if defined(X509_V_ERR_INVALID_CALL)
     DefX509Const(V_ERR_INVALID_CALL);
-#endif
-#if defined(X509_V_ERR_STORE_LOOKUP)
     DefX509Const(V_ERR_STORE_LOOKUP);
-#endif
-#if defined(X509_V_ERR_NO_VALID_SCTS)
+#if defined(X509_V_ERR_NO_VALID_SCTS) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_NO_VALID_SCTS);
 #endif
-#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION)
+#if defined(X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION) /* OpenSSL 1.1.0, missing in LibreSSL */
     DefX509Const(V_ERR_PROXY_SUBJECT_NAME_VIOLATION);
 #endif
-#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED)
+#if defined(X509_V_ERR_OCSP_VERIFY_NEEDED) /* OpenSSL 1.1.1, missing in LibreSSL */
     DefX509Const(V_ERR_OCSP_VERIFY_NEEDED);
     DefX509Const(V_ERR_OCSP_VERIFY_FAILED);
     DefX509Const(V_ERR_OCSP_CERT_UNKNOWN);
@@ -189,17 +178,13 @@ Init_ossl_x509(void)
      * certificate chain, search the Store first for the issuer certificate.
      * Enabled by default in OpenSSL >= 1.1.0. */
     DefX509Const(V_FLAG_TRUSTED_FIRST);
-#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY)
+#if defined(X509_V_FLAG_SUITEB_128_LOS_ONLY) /* OpenSSL 1.1.0, missing in LibreSSL */
     /* Set by Store#flags= and StoreContext#flags=.
      * Enables Suite B 128 bit only mode. */
     DefX509Const(V_FLAG_SUITEB_128_LOS_ONLY);
-#endif
-#if defined(X509_V_FLAG_SUITEB_192_LOS)
     /* Set by Store#flags= and StoreContext#flags=.
      * Enables Suite B 192 bit only mode. */
     DefX509Const(V_FLAG_SUITEB_192_LOS);
-#endif
-#if defined(X509_V_FLAG_SUITEB_128_LOS)
     /* Set by Store#flags= and StoreContext#flags=.
      * Enables Suite B 128 bit mode allowing 192 bit algorithms. */
     DefX509Const(V_FLAG_SUITEB_128_LOS);
@@ -207,17 +192,13 @@ Init_ossl_x509(void)
     /* Set by Store#flags= and StoreContext#flags=.
      * Allows partial chains if at least one certificate is in trusted store. */
     DefX509Const(V_FLAG_PARTIAL_CHAIN);
-#if defined(X509_V_FLAG_NO_ALT_CHAINS)
     /* Set by Store#flags= and StoreContext#flags=. Suppresses searching for
      * a alternative chain. No effect in OpenSSL >= 1.1.0. */
     DefX509Const(V_FLAG_NO_ALT_CHAINS);
-#endif
-#if defined(X509_V_FLAG_NO_CHECK_TIME)
     /* Set by Store#flags= and StoreContext#flags=. Suppresses checking the
      * validity period of certificates and CRLs. No effect when the current
      * time is explicitly set by Store#time= or StoreContext#time=. */
     DefX509Const(V_FLAG_NO_CHECK_TIME);
-#endif
 
     /* Set by Store#purpose=. SSL/TLS client. */
     DefX509Const(PURPOSE_SSL_CLIENT);

data/ext/openssl/ossl_x509attr.c

@@ -13,14 +13,14 @@
     TypedData_Wrap_Struct((klass), &ossl_x509attr_type, 0)
 #define SetX509Attr(obj, attr) do { \
     if (!(attr)) { \
-	ossl_raise(rb_eRuntimeError, "ATTR wasn't initialized!"); \
+        ossl_raise(rb_eRuntimeError, "ATTR wasn't initialized!"); \
     } \
     RTYPEDDATA_DATA(obj) = (attr); \
 } while (0)
 #define GetX509Attr(obj, attr) do { \
     TypedData_Get_Struct((obj), X509_ATTRIBUTE, &ossl_x509attr_type, (attr)); \
     if (!(attr)) { \
-	ossl_raise(rb_eRuntimeError, "ATTR wasn't initialized!"); \
+        ossl_raise(rb_eRuntimeError, "ATTR wasn't initialized!"); \
     } \
 } while (0)
 
@@ -39,7 +39,7 @@ ossl_x509attr_free(void *ptr)
 static const rb_data_type_t ossl_x509attr_type = {
     "OpenSSL/X509/ATTRIBUTE",
     {
-	0, ossl_x509attr_free,
+        0, ossl_x509attr_free,
     },
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
@@ -54,14 +54,9 @@ ossl_x509attr_new(X509_ATTRIBUTE *attr)
     VALUE obj;
 
     obj = NewX509Attr(cX509Attr);
-    if (!attr) {
-	new = X509_ATTRIBUTE_new();
-    } else {
-	new = X509_ATTRIBUTE_dup(attr);
-    }
-    if (!new) {
-	ossl_raise(eX509AttrError, NULL);
-    }
+    new = X509_ATTRIBUTE_dup(attr);
+    if (!new)
+        ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
     SetX509Attr(obj, new);
 
     return obj;
@@ -88,7 +83,7 @@ ossl_x509attr_alloc(VALUE klass)
 
     obj = NewX509Attr(klass);
     if (!(attr = X509_ATTRIBUTE_new()))
-	ossl_raise(eX509AttrError, NULL);
+        ossl_raise(eX509AttrError, NULL);
     SetX509Attr(obj, attr);
 
     return obj;
@@ -107,15 +102,15 @@ ossl_x509attr_initialize(int argc, VALUE *argv, VALUE self)
 
     GetX509Attr(self, attr);
     if(rb_scan_args(argc, argv, "11", &oid, &value) == 1){
-	oid = ossl_to_der_if_possible(oid);
-	StringValue(oid);
-	p = (unsigned char *)RSTRING_PTR(oid);
-	x = d2i_X509_ATTRIBUTE(&attr, &p, RSTRING_LEN(oid));
-	DATA_PTR(self) = attr;
-	if(!x){
-	    ossl_raise(eX509AttrError, NULL);
-	}
-	return self;
+        oid = ossl_to_der_if_possible(oid);
+        StringValue(oid);
+        p = (unsigned char *)RSTRING_PTR(oid);
+        x = d2i_X509_ATTRIBUTE(&attr, &p, RSTRING_LEN(oid));
+        DATA_PTR(self) = attr;
+        if(!x){
+            ossl_raise(eX509AttrError, NULL);
+        }
+        return self;
     }
     rb_funcall(self, rb_intern("oid="), 1, oid);
     rb_funcall(self, rb_intern("value="), 1, value);
@@ -123,6 +118,7 @@ ossl_x509attr_initialize(int argc, VALUE *argv, VALUE self)
     return self;
 }
 
+/* :nodoc: */
 static VALUE
 ossl_x509attr_initialize_copy(VALUE self, VALUE other)
 {
@@ -134,7 +130,7 @@ ossl_x509attr_initialize_copy(VALUE self, VALUE other)
 
     attr_new = X509_ATTRIBUTE_dup(attr_other);
     if (!attr_new)
-	ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
+        ossl_raise(eX509AttrError, "X509_ATTRIBUTE_dup");
 
     SetX509Attr(self, attr_new);
     X509_ATTRIBUTE_free(attr);
@@ -158,8 +154,8 @@ ossl_x509attr_set_oid(VALUE self, VALUE oid)
     obj = OBJ_txt2obj(s, 0);
     if(!obj) ossl_raise(eX509AttrError, NULL);
     if (!X509_ATTRIBUTE_set1_object(attr, obj)) {
-	ASN1_OBJECT_free(obj);
-	ossl_raise(eX509AttrError, "X509_ATTRIBUTE_set1_object");
+        ASN1_OBJECT_free(obj);
+        ossl_raise(eX509AttrError, "X509_ATTRIBUTE_set1_object");
     }
     ASN1_OBJECT_free(obj);
 
@@ -168,29 +164,18 @@ ossl_x509attr_set_oid(VALUE self, VALUE oid)
 
 /*
  * call-seq:
- *    attr.oid => string
+ *    attr.oid -> string
+ *
+ * Returns the OID of the attribute. Returns the short name or the dotted
+ * decimal notation.
  */
 static VALUE
 ossl_x509attr_get_oid(VALUE self)
 {
     X509_ATTRIBUTE *attr;
-    ASN1_OBJECT *oid;
-    BIO *out;
-    VALUE ret;
-    int nid;
 
     GetX509Attr(self, attr);
-    oid = X509_ATTRIBUTE_get0_object(attr);
-    if ((nid = OBJ_obj2nid(oid)) != NID_undef)
-	ret = rb_str_new2(OBJ_nid2sn(nid));
-    else{
-	if (!(out = BIO_new(BIO_s_mem())))
-	    ossl_raise(eX509AttrError, NULL);
-	i2a_ASN1_OBJECT(out, oid);
-	ret = ossl_membio2str(out);
-    }
-
-    return ret;
+    return ossl_asn1obj_to_string(X509_ATTRIBUTE_get0_object(attr));
 }
 
 /*
@@ -251,21 +236,21 @@ ossl_x509attr_get_value(VALUE self)
     GetX509Attr(self, attr);
     /* there is no X509_ATTRIBUTE_get0_set() :( */
     if (!(sk = sk_ASN1_TYPE_new_null()))
-	ossl_raise(eX509AttrError, "sk_new");
+        ossl_raise(eX509AttrError, "sk_new");
 
     count = X509_ATTRIBUTE_count(attr);
     for (i = 0; i < count; i++)
-	sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
+        sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
 
     if ((len = i2d_ASN1_SET_ANY(sk, NULL)) <= 0) {
-	sk_ASN1_TYPE_free(sk);
-	ossl_raise(eX509AttrError, NULL);
+        sk_ASN1_TYPE_free(sk);
+        ossl_raise(eX509AttrError, NULL);
     }
     str = rb_str_new(0, len);
     p = (unsigned char *)RSTRING_PTR(str);
     if (i2d_ASN1_SET_ANY(sk, &p) <= 0) {
-	sk_ASN1_TYPE_free(sk);
-	ossl_raise(eX509AttrError, NULL);
+        sk_ASN1_TYPE_free(sk);
+        ossl_raise(eX509AttrError, NULL);
     }
     ossl_str_adjust(str, p);
     sk_ASN1_TYPE_free(sk);
@@ -287,11 +272,11 @@ ossl_x509attr_to_der(VALUE self)
 
     GetX509Attr(self, attr);
     if((len = i2d_X509_ATTRIBUTE(attr, NULL)) <= 0)
-	ossl_raise(eX509AttrError, NULL);
+        ossl_raise(eX509AttrError, NULL);
     str = rb_str_new(0, len);
     p = (unsigned char *)RSTRING_PTR(str);
     if(i2d_X509_ATTRIBUTE(attr, &p) <= 0)
-	ossl_raise(eX509AttrError, NULL);
+        ossl_raise(eX509AttrError, NULL);
     ossl_str_adjust(str, p);
 
     return str;
@@ -303,12 +288,6 @@ ossl_x509attr_to_der(VALUE self)
 void
 Init_ossl_x509attr(void)
 {
-#if 0
-    mOSSL = rb_define_module("OpenSSL");
-    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
-    mX509 = rb_define_module_under(mOSSL, "X509");
-#endif
-
     eX509AttrError = rb_define_class_under(mX509, "AttributeError", eOSSLError);
 
     cX509Attr = rb_define_class_under(mX509, "Attribute", rb_cObject);