Line data Source code
1 : /*
2 : * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 : * (Royal Institute of Technology, Stockholm, Sweden).
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions
8 : * are met:
9 : *
10 : * 1. Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : *
13 : * 2. Redistributions in binary form must reproduce the above copyright
14 : * notice, this list of conditions and the following disclaimer in the
15 : * documentation and/or other materials provided with the distribution.
16 : *
17 : * 3. Neither the name of the Institute nor the names of its contributors
18 : * may be used to endorse or promote products derived from this software
19 : * without specific prior written permission.
20 : *
21 : * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 : * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 : * SUCH DAMAGE.
32 : */
33 :
34 : #include "hx_locl.h"
35 : #include <vis.h>
36 : #include <vis-extras.h>
37 :
38 : /**
39 : * @page page_print Hx509 printing functions
40 : *
41 : * See the library functions here: @ref hx509_print
42 : */
43 :
44 : struct hx509_validate_ctx_data {
45 : hx509_context context;
46 : int flags;
47 : hx509_vprint_func vprint_func;
48 : void *ctx;
49 : };
50 :
51 : struct cert_status {
52 : unsigned int selfsigned:1;
53 : unsigned int isca:1;
54 : unsigned int isproxy:1;
55 : unsigned int haveSAN:1;
56 : unsigned int haveIAN:1;
57 : unsigned int haveSKI:1;
58 : unsigned int haveAKI:1;
59 : unsigned int haveCRLDP:1;
60 : };
61 :
62 :
63 : /*
64 : *
65 : */
66 :
67 : static int
68 0 : Time2string(const Time *T, char **str)
69 : {
70 0 : time_t t;
71 0 : char *s;
72 0 : struct tm *tm;
73 :
74 0 : *str = NULL;
75 0 : t = _hx509_Time2time_t(T);
76 0 : tm = gmtime (&t);
77 0 : s = malloc(30);
78 0 : if (s == NULL)
79 0 : return ENOMEM;
80 0 : strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
81 0 : *str = s;
82 0 : return 0;
83 : }
84 :
85 : /**
86 : * Helper function to print on stdout for:
87 : * - hx509_oid_print(),
88 : * - hx509_bitstring_print(),
89 : * - hx509_validate_ctx_set_print().
90 : *
91 : * @param ctx the context to the print function. If the ctx is NULL,
92 : * stdout is used.
93 : * @param fmt the printing format.
94 : * @param va the argumet list.
95 : *
96 : * @ingroup hx509_print
97 : */
98 :
99 : HX509_LIB_FUNCTION void
100 0 : hx509_print_stdout(void *ctx, const char *fmt, va_list va)
101 : {
102 0 : FILE *f = ctx;
103 0 : if (f == NULL)
104 0 : f = stdout;
105 0 : vfprintf(f, fmt, va);
106 0 : }
107 :
108 : static void
109 0 : print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
110 : {
111 0 : va_list va;
112 0 : va_start(va, fmt);
113 0 : (*func)(ctx, fmt, va);
114 0 : va_end(va);
115 0 : }
116 :
117 : /**
118 : * Print a oid to a string.
119 : *
120 : * @param oid oid to print
121 : * @param str allocated string, free with hx509_xfree().
122 : *
123 : * @return An hx509 error code, see hx509_get_error_string().
124 : *
125 : * @ingroup hx509_print
126 : */
127 :
128 : HX509_LIB_FUNCTION int HX509_LIB_CALL
129 0 : hx509_oid_sprint(const heim_oid *oid, char **str)
130 : {
131 0 : return der_print_heim_oid(oid, '.', str);
132 : }
133 :
134 : /**
135 : * Print a oid using a hx509_vprint_func function. To print to stdout
136 : * use hx509_print_stdout().
137 : *
138 : * @param oid oid to print
139 : * @param func hx509_vprint_func to print with.
140 : * @param ctx context variable to hx509_vprint_func function.
141 : *
142 : * @ingroup hx509_print
143 : */
144 :
145 : HX509_LIB_FUNCTION void HX509_LIB_CALL
146 0 : hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
147 : {
148 0 : char *str;
149 0 : hx509_oid_sprint(oid, &str);
150 0 : print_func(func, ctx, "%s", str);
151 0 : free(str);
152 0 : }
153 :
154 : /**
155 : * Print a bitstring using a hx509_vprint_func function. To print to
156 : * stdout use hx509_print_stdout().
157 : *
158 : * @param b bit string to print.
159 : * @param func hx509_vprint_func to print with.
160 : * @param ctx context variable to hx509_vprint_func function.
161 : *
162 : * @ingroup hx509_print
163 : */
164 :
165 : HX509_LIB_FUNCTION void HX509_LIB_CALL
166 0 : hx509_bitstring_print(const heim_bit_string *b,
167 : hx509_vprint_func func, void *ctx)
168 : {
169 0 : size_t i;
170 0 : print_func(func, ctx, "\tlength: %d\n\t", b->length);
171 0 : for (i = 0; i < (b->length + 7) / 8; i++)
172 0 : print_func(func, ctx, "%02x%s%s",
173 0 : ((unsigned char *)b->data)[i],
174 0 : i < (b->length - 7) / 8
175 0 : && (i == 0 || (i % 16) != 15) ? ":" : "",
176 0 : i != 0 && (i % 16) == 15 ?
177 0 : (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
178 0 : }
179 :
180 : /**
181 : * Print certificate usage for a certificate to a string.
182 : *
183 : * @param context A hx509 context.
184 : * @param c a certificate print the keyusage for.
185 : * @param s the return string with the keysage printed in to, free
186 : * with hx509_xfree().
187 : *
188 : * @return An hx509 error code, see hx509_get_error_string().
189 : *
190 : * @ingroup hx509_print
191 : */
192 :
193 : HX509_LIB_FUNCTION int HX509_LIB_CALL
194 0 : hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
195 : {
196 0 : KeyUsage ku;
197 0 : char buf[256];
198 0 : int ret;
199 :
200 0 : *s = NULL;
201 :
202 0 : ret = _hx509_cert_get_keyusage(context, c, &ku);
203 0 : if (ret)
204 0 : return ret;
205 0 : unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
206 0 : *s = strdup(buf);
207 0 : if (*s == NULL) {
208 0 : hx509_set_error_string(context, 0, ENOMEM, "out of memory");
209 0 : return ENOMEM;
210 : }
211 :
212 0 : return 0;
213 : }
214 :
215 : /*
216 : *
217 : */
218 :
219 : static void
220 0 : validate_vprint(void *c, const char *fmt, va_list va)
221 : {
222 0 : hx509_validate_ctx ctx = c;
223 0 : if (ctx->vprint_func == NULL)
224 0 : return;
225 0 : (ctx->vprint_func)(ctx->ctx, fmt, va);
226 : }
227 :
228 : static void
229 0 : validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
230 : {
231 0 : va_list va;
232 0 : if ((ctx->flags & flags) == 0)
233 0 : return;
234 0 : va_start(va, fmt);
235 0 : validate_vprint(ctx, fmt, va);
236 0 : va_end(va);
237 : }
238 :
239 : /*
240 : * Don't Care, SHOULD critical, SHOULD NOT critical, MUST critical,
241 : * MUST NOT critical
242 : */
243 : enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
244 :
245 : static int
246 0 : check_Null(hx509_validate_ctx ctx,
247 : struct cert_status *status,
248 : enum critical_flag cf, const Extension *e)
249 : {
250 0 : switch(cf) {
251 0 : case D_C:
252 0 : break;
253 0 : case S_C:
254 0 : if (!e->critical)
255 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
256 : "\tCritical not set on SHOULD\n");
257 0 : break;
258 0 : case S_N_C:
259 0 : if (e->critical)
260 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
261 : "\tCritical set on SHOULD NOT\n");
262 0 : break;
263 0 : case M_C:
264 0 : if (!e->critical)
265 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
266 : "\tCritical not set on MUST\n");
267 0 : break;
268 0 : case M_N_C:
269 0 : if (e->critical)
270 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
271 : "\tCritical set on MUST NOT\n");
272 0 : break;
273 0 : default:
274 0 : _hx509_abort("internal check_Null state error");
275 : }
276 0 : return 0;
277 : }
278 :
279 : static int
280 0 : check_subjectKeyIdentifier(hx509_validate_ctx ctx,
281 : struct cert_status *status,
282 : enum critical_flag cf,
283 : const Extension *e)
284 : {
285 0 : SubjectKeyIdentifier si;
286 0 : size_t size;
287 0 : int ret;
288 :
289 0 : status->haveSKI = 1;
290 0 : check_Null(ctx, status, cf, e);
291 :
292 0 : ret = decode_SubjectKeyIdentifier(e->extnValue.data,
293 0 : e->extnValue.length,
294 : &si, &size);
295 0 : if (ret) {
296 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
297 : "Decoding SubjectKeyIdentifier failed: %d", ret);
298 0 : return 1;
299 : }
300 0 : if (size != e->extnValue.length) {
301 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
302 : "Decoding SKI ahve extra bits on the end");
303 0 : return 1;
304 : }
305 0 : if (si.length == 0)
306 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
307 : "SKI is too short (0 bytes)");
308 0 : if (si.length > 20)
309 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
310 : "SKI is too long");
311 :
312 : {
313 0 : char *id;
314 0 : hex_encode(si.data, si.length, &id);
315 0 : if (id) {
316 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
317 : "\tsubject key id: %s\n", id);
318 0 : free(id);
319 : }
320 : }
321 :
322 0 : free_SubjectKeyIdentifier(&si);
323 :
324 0 : return 0;
325 : }
326 :
327 : static int
328 0 : check_authorityKeyIdentifier(hx509_validate_ctx ctx,
329 : struct cert_status *status,
330 : enum critical_flag cf,
331 : const Extension *e)
332 : {
333 0 : AuthorityKeyIdentifier ai;
334 0 : size_t size;
335 0 : int ret;
336 :
337 0 : status->haveAKI = 1;
338 0 : check_Null(ctx, status, cf, e);
339 :
340 0 : ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
341 0 : e->extnValue.length,
342 : &ai, &size);
343 0 : if (ret) {
344 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
345 : "Decoding AuthorityKeyIdentifier failed: %d", ret);
346 0 : return 1;
347 : }
348 0 : if (size != e->extnValue.length) {
349 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
350 : "Decoding SKI ahve extra bits on the end");
351 0 : return 1;
352 : }
353 :
354 0 : if (ai.keyIdentifier) {
355 0 : char *id;
356 0 : hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
357 0 : if (id) {
358 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
359 : "\tauthority key id: %s\n", id);
360 0 : free(id);
361 : }
362 : }
363 :
364 0 : free_AuthorityKeyIdentifier(&ai);
365 0 : return 0;
366 : }
367 :
368 : static int
369 0 : check_extKeyUsage(hx509_validate_ctx ctx,
370 : struct cert_status *status,
371 : enum critical_flag cf,
372 : const Extension *e)
373 : {
374 0 : ExtKeyUsage eku;
375 0 : size_t size, i;
376 0 : int ret;
377 :
378 0 : check_Null(ctx, status, cf, e);
379 :
380 0 : ret = decode_ExtKeyUsage(e->extnValue.data,
381 0 : e->extnValue.length,
382 : &eku, &size);
383 0 : if (ret) {
384 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
385 : "Decoding ExtKeyUsage failed: %d", ret);
386 0 : return 1;
387 : }
388 0 : if (size != e->extnValue.length) {
389 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
390 : "Padding data in EKU");
391 0 : free_ExtKeyUsage(&eku);
392 0 : return 1;
393 : }
394 0 : if (eku.len == 0) {
395 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
396 : "ExtKeyUsage length is 0");
397 0 : return 1;
398 : }
399 :
400 0 : for (i = 0; i < eku.len; i++) {
401 0 : char *str;
402 0 : ret = der_print_heim_oid (&eku.val[i], '.', &str);
403 0 : if (ret) {
404 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
405 : "\tEKU: failed to print oid %d", i);
406 0 : free_ExtKeyUsage(&eku);
407 0 : return 1;
408 : }
409 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
410 0 : "\teku-%d: %s\n", i, str);;
411 0 : free(str);
412 : }
413 :
414 0 : free_ExtKeyUsage(&eku);
415 :
416 0 : return 0;
417 : }
418 :
419 : static int
420 0 : check_CRLDistributionPoints(hx509_validate_ctx ctx,
421 : struct cert_status *status,
422 : enum critical_flag cf,
423 : const Extension *e)
424 : {
425 0 : CRLDistributionPoints dp;
426 0 : size_t size;
427 0 : int ret;
428 0 : size_t i;
429 :
430 0 : check_Null(ctx, status, cf, e);
431 :
432 0 : ret = decode_CRLDistributionPoints(e->extnValue.data,
433 0 : e->extnValue.length,
434 : &dp, &size);
435 0 : if (ret) {
436 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
437 : "Decoding CRL Distribution Points failed: %d\n", ret);
438 0 : return 1;
439 : }
440 :
441 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
442 0 : for (i = 0 ; i < dp.len; i++) {
443 0 : if (dp.val[i].distributionPoint) {
444 0 : DistributionPointName dpname = dp.val[i].distributionPoint[0];
445 0 : size_t j;
446 :
447 0 : switch (dpname.element) {
448 0 : case choice_DistributionPointName_fullName:
449 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
450 :
451 0 : for (j = 0 ; j < dpname.u.fullName.len; j++) {
452 0 : char *s;
453 0 : GeneralName *name = &dpname.u.fullName.val[j];
454 :
455 0 : ret = hx509_general_name_unparse2(ctx->context, name, &s);
456 0 : if (ret) {
457 0 : s = hx509_get_error_string(ctx->context, ret);
458 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
459 : "Unknown DistributionPointName: %s", s);
460 0 : hx509_free_error_string(s);
461 : } else {
462 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
463 0 : free(s);
464 : }
465 : }
466 0 : break;
467 0 : case choice_DistributionPointName_nameRelativeToCRLIssuer:
468 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
469 : "Unknown nameRelativeToCRLIssuer");
470 0 : break;
471 0 : default:
472 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
473 : "Unknown DistributionPointName");
474 0 : break;
475 : }
476 : }
477 : }
478 0 : free_CRLDistributionPoints(&dp);
479 :
480 0 : status->haveCRLDP = 1;
481 :
482 0 : return 0;
483 : }
484 :
485 : static int
486 0 : check_altName(hx509_validate_ctx ctx,
487 : struct cert_status *status,
488 : const char *name,
489 : enum critical_flag cf,
490 : const Extension *e)
491 : {
492 0 : GeneralNames gn;
493 0 : size_t size;
494 0 : int ret;
495 0 : size_t i;
496 :
497 0 : check_Null(ctx, status, cf, e);
498 :
499 0 : if (e->extnValue.length == 0) {
500 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
501 : "%sAltName empty, not allowed", name);
502 0 : return 1;
503 : }
504 0 : ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
505 : &gn, &size);
506 0 : if (ret) {
507 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
508 : "\tret = %d while decoding %s GeneralNames\n",
509 : ret, name);
510 0 : return 1;
511 : }
512 0 : if (gn.len == 0) {
513 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
514 : "%sAltName generalName empty, not allowed\n", name);
515 0 : return 1;
516 : }
517 :
518 0 : for (i = 0; i < gn.len; i++) {
519 0 : char *s;
520 :
521 0 : ret = hx509_general_name_unparse2(ctx->context, &gn.val[i], &s);
522 0 : if (ret) {
523 0 : s = hx509_get_error_string(ctx->context, ret);
524 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
525 : "Error unparsing GeneralName: %s\n", s);
526 0 : hx509_free_error_string(s);
527 0 : return 1;
528 : }
529 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\t%s\n", s);
530 0 : free(s);
531 : }
532 :
533 0 : free_GeneralNames(&gn);
534 0 : return 0;
535 : }
536 :
537 : static int
538 0 : check_subjectAltName(hx509_validate_ctx ctx,
539 : struct cert_status *status,
540 : enum critical_flag cf,
541 : const Extension *e)
542 : {
543 0 : status->haveSAN = 1;
544 0 : return check_altName(ctx, status, "subject", cf, e);
545 : }
546 :
547 : static int
548 0 : check_issuerAltName(hx509_validate_ctx ctx,
549 : struct cert_status *status,
550 : enum critical_flag cf,
551 : const Extension *e)
552 : {
553 0 : status->haveIAN = 1;
554 0 : return check_altName(ctx, status, "issuer", cf, e);
555 : }
556 :
557 :
558 : static int
559 0 : check_basicConstraints(hx509_validate_ctx ctx,
560 : struct cert_status *status,
561 : enum critical_flag cf,
562 : const Extension *e)
563 : {
564 0 : BasicConstraints b;
565 0 : size_t size;
566 0 : int ret;
567 :
568 0 : check_Null(ctx, status, cf, e);
569 :
570 0 : ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
571 : &b, &size);
572 0 : if (ret) {
573 0 : printf("\tret = %d while decoding BasicConstraints\n", ret);
574 0 : return 0;
575 : }
576 0 : if (size != e->extnValue.length)
577 0 : printf("\tlength of der data isn't same as extension\n");
578 :
579 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
580 0 : "\tis %sa CA\n", b.cA ? "" : "NOT ");
581 0 : if (b.pathLenConstraint)
582 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
583 0 : "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
584 :
585 0 : if (b.cA) {
586 0 : if (!e->critical)
587 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
588 : "Is a CA and not BasicConstraints CRITICAL\n");
589 0 : status->isca = 1;
590 : }
591 0 : free_BasicConstraints(&b);
592 :
593 0 : return 0;
594 : }
595 :
596 : static int
597 0 : check_proxyCertInfo(hx509_validate_ctx ctx,
598 : struct cert_status *status,
599 : enum critical_flag cf,
600 : const Extension *e)
601 : {
602 0 : check_Null(ctx, status, cf, e);
603 0 : status->isproxy = 1;
604 0 : return 0;
605 : }
606 :
607 : static int
608 0 : check_authorityInfoAccess(hx509_validate_ctx ctx,
609 : struct cert_status *status,
610 : enum critical_flag cf,
611 : const Extension *e)
612 : {
613 0 : AuthorityInfoAccessSyntax aia;
614 0 : size_t size;
615 0 : int ret;
616 0 : size_t i;
617 :
618 0 : check_Null(ctx, status, cf, e);
619 :
620 0 : ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
621 0 : e->extnValue.length,
622 : &aia, &size);
623 0 : if (ret) {
624 0 : printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
625 0 : return 0;
626 : }
627 :
628 0 : for (i = 0; i < aia.len; i++) {
629 0 : char *str;
630 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
631 : "\ttype: ");
632 0 : hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
633 0 : ret = hx509_general_name_unparse2(ctx->context,
634 0 : &aia.val[i].accessLocation, &str);
635 0 : if (ret) {
636 0 : str = hx509_get_error_string(ctx->context, ret);
637 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
638 : "Error unparsing AuthorityInfoAccessSyntax "
639 : "accessLocation: %s", str);
640 0 : hx509_free_error_string(str);
641 : } else {
642 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
643 : "\n\tdirname: %s\n", str);
644 0 : free(str);
645 : }
646 : }
647 0 : free_AuthorityInfoAccessSyntax(&aia);
648 :
649 0 : return ret;
650 : }
651 :
652 : static int
653 0 : get_display_text(DisplayText *dt, char **out)
654 : {
655 0 : int r = -1;
656 :
657 0 : *out = NULL;
658 :
659 : /*
660 : * XXX We're cheating with various string types here.
661 : *
662 : * Proper support for IA5String is a real pain, and we don't have it.
663 : *
664 : * We also don't have support for BMPString.
665 : */
666 0 : switch (dt->element) {
667 0 : case choice_DisplayText_ia5String:
668 0 : r = rk_strasvisx(out, dt->u.ia5String.data, dt->u.ia5String.length,
669 : VIS_CSTYLE | VIS_TAB | VIS_NL, "");
670 0 : break;
671 0 : case choice_DisplayText_visibleString:
672 0 : r = rk_strasvis(out, dt->u.visibleString,
673 : VIS_CSTYLE | VIS_TAB | VIS_NL, "");
674 0 : break;
675 0 : case choice_DisplayText_bmpString:
676 0 : errno = ENOTSUP; /* XXX Need a UTF-16 -> UTF-8 conversion */
677 0 : break;
678 0 : case choice_DisplayText_utf8String:
679 0 : r = rk_strasvis(out, dt->u.visibleString,
680 : VIS_CSTYLE | VIS_TAB | VIS_NL, "");
681 0 : break;
682 0 : default:
683 0 : errno = EINVAL;
684 : }
685 0 : return r < 0 ? errno : 0;
686 : }
687 :
688 : static int
689 0 : check_certificatePolicies(hx509_validate_ctx ctx,
690 : struct cert_status *status,
691 : enum critical_flag cf,
692 : const Extension *e)
693 : {
694 0 : CertificatePolicies cp;
695 0 : size_t i, size;
696 0 : int ret = 0;
697 :
698 0 : check_Null(ctx, status, cf, e);
699 :
700 0 : if (e->extnValue.length == 0) {
701 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
702 : "CertificatePolicies empty, not allowed");
703 0 : return 1;
704 : }
705 0 : ret = decode_CertificatePolicies(e->extnValue.data, e->extnValue.length,
706 : &cp, &size);
707 0 : if (ret) {
708 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
709 : "\tret = %d while decoding CertificatePolicies\n", ret);
710 0 : return 1;
711 : }
712 0 : if (cp.len == 0) {
713 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
714 : "CertificatePolicies empty, not allowed\n");
715 0 : return 1;
716 : }
717 :
718 0 : for (i = 0; ret == 0 && i < cp.len; i++) {
719 0 : size_t k;
720 0 : char *poid = NULL;
721 0 : char *qoid = NULL;
722 0 : char *dt = NULL;
723 :
724 0 : ret = der_print_heim_oid(&cp.val[i].policyIdentifier, '.', &poid);
725 0 : if (ret == 0)
726 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tPolicy: %s", poid);
727 :
728 0 : for (k = 0;
729 0 : ret == 0 && cp.val[i].policyQualifiers &&
730 0 : k < cp.val[i].policyQualifiers->len;
731 0 : k++) {
732 0 : PolicyQualifierInfo *pi = &cp.val[i].policyQualifiers->val[k];
733 :
734 0 : if (der_heim_oid_cmp(&pi->policyQualifierId,
735 : &asn1_oid_id_pkix_qt_cps) == 0) {
736 0 : CPSuri cps;
737 :
738 0 : ret = decode_CPSuri(pi->qualifier.data, pi->qualifier.length,
739 : &cps, &size);
740 0 : if (ret == 0) {
741 0 : if (cps.length > 4096)
742 0 : cps.length = 4096;
743 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
744 : ":CPSuri:%.*s",
745 0 : (int)cps.length, (char *)cps.data);
746 0 : free_CPSuri(&cps);
747 : }
748 0 : } else if (der_heim_oid_cmp(&pi->policyQualifierId,
749 : &asn1_oid_id_pkix_qt_unotice) == 0) {
750 0 : UserNotice un;
751 :
752 0 : ret = decode_UserNotice(pi->qualifier.data,
753 : pi->qualifier.length, &un, &size);
754 0 : if (ret == 0) {
755 0 : if (un.explicitText) {
756 : /*
757 : * get_display_text() will strvis to make it safer to
758 : * print.
759 : */
760 0 : ret = get_display_text(un.explicitText, &dt);
761 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
762 : " UserNotice:DistplayText:%s", dt);
763 0 : } else if (un.noticeRef) {
764 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
765 : " UserNotice:NoticeRef:<noticeRef-not-supported>",
766 : qoid);
767 : } else {
768 0 : ret = der_print_heim_oid(&pi->policyQualifierId, '.',
769 : &qoid);
770 0 : if (ret)
771 0 : break;
772 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
773 : " Unknown:%s", qoid);
774 : }
775 0 : free_UserNotice(&un);
776 : }
777 : } else {
778 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
779 : ", qualifier %s:<unknown>", qoid);
780 : }
781 0 : free(qoid);
782 0 : free(dt);
783 0 : qoid = dt = 0;
784 : }
785 0 : if (ret == 0) {
786 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
787 : } else {
788 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
789 : "\nOut of memory formatting certificate policy");
790 0 : ret = ENOMEM;
791 : }
792 0 : free(poid);
793 0 : free(qoid);
794 0 : free(dt);
795 0 : poid = qoid = dt = 0;
796 : }
797 :
798 0 : free_CertificatePolicies(&cp);
799 :
800 0 : return ret ? 1 : 0;
801 : }
802 :
803 : static int
804 0 : check_policyMappings(hx509_validate_ctx ctx,
805 : struct cert_status *status,
806 : enum critical_flag cf,
807 : const Extension *e)
808 : {
809 0 : PolicyMappings pm;
810 0 : size_t i, size;
811 0 : int ret = 0;
812 :
813 0 : check_Null(ctx, status, cf, e);
814 :
815 0 : if (e->extnValue.length == 0) {
816 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
817 : "PolicyMappings empty, not allowed");
818 0 : return 1;
819 : }
820 0 : ret = decode_PolicyMappings(e->extnValue.data, e->extnValue.length,
821 : &pm, &size);
822 0 : if (ret) {
823 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
824 : "\tret = %d while decoding PolicyMappings\n", ret);
825 0 : return 1;
826 : }
827 0 : if (pm.len == 0) {
828 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
829 : "PolicyMappings empty, not allowed\n");
830 0 : return 1;
831 : }
832 :
833 0 : for (i = 0; ret == 0 && i < pm.len; i++) {
834 0 : char *idpoid = NULL;
835 0 : char *sdpoid = NULL;
836 :
837 0 : ret = der_print_heim_oid(&pm.val[i].issuerDomainPolicy, '.', &idpoid);
838 0 : if (ret == 0)
839 0 : ret = der_print_heim_oid(&pm.val[i].subjectDomainPolicy, '.',
840 : &sdpoid);
841 0 : if (ret == 0)
842 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
843 : "\tPolicy mapping %s -> %s\n", idpoid, sdpoid);
844 : else
845 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
846 : "ret=%d while decoding PolicyMappings\n", ret);
847 0 : free(sdpoid);
848 0 : free(idpoid);
849 : }
850 :
851 0 : free_PolicyMappings(&pm);
852 0 : return 0;
853 : }
854 :
855 : /*
856 : *
857 : */
858 :
859 : struct {
860 : const char *name;
861 : const heim_oid *oid;
862 : int (*func)(hx509_validate_ctx ctx,
863 : struct cert_status *status,
864 : enum critical_flag cf,
865 : const Extension *);
866 : enum critical_flag cf;
867 : } check_extension[] = {
868 : #define ext(name, checkname) #name, &asn1_oid_id_x509_ce_##name, check_##checkname
869 : { ext(subjectDirectoryAttributes, Null), M_N_C },
870 : { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
871 : { ext(keyUsage, Null), S_C },
872 : { ext(subjectAltName, subjectAltName), M_N_C },
873 : { ext(issuerAltName, issuerAltName), S_N_C },
874 : { ext(basicConstraints, basicConstraints), D_C },
875 : { ext(cRLNumber, Null), M_N_C },
876 : { ext(cRLReason, Null), M_N_C },
877 : { ext(holdInstructionCode, Null), M_N_C },
878 : { ext(invalidityDate, Null), M_N_C },
879 : { ext(deltaCRLIndicator, Null), M_C },
880 : { ext(issuingDistributionPoint, Null), M_C },
881 : { ext(certificateIssuer, Null), M_C },
882 : { ext(nameConstraints, Null), M_C },
883 : { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
884 : { ext(certificatePolicies, certificatePolicies), 0 },
885 : { ext(policyMappings, policyMappings), M_N_C },
886 : { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
887 : { ext(policyConstraints, Null), D_C },
888 : { ext(extKeyUsage, extKeyUsage), D_C },
889 : { ext(freshestCRL, Null), M_N_C },
890 : { ext(inhibitAnyPolicy, Null), M_C },
891 : #undef ext
892 : #define ext(name, checkname) #name, &asn1_oid_id_pkix_pe_##name, check_##checkname
893 : { ext(proxyCertInfo, proxyCertInfo), M_C },
894 : { ext(authorityInfoAccess, authorityInfoAccess), M_C },
895 : #undef ext
896 : { "US Fed PKI - PIV Interim", &asn1_oid_id_uspkicommon_piv_interim,
897 : check_Null, D_C },
898 : { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
899 : check_Null, D_C },
900 : { NULL, NULL, NULL, 0 }
901 : };
902 :
903 : /**
904 : * Allocate a hx509 validation/printing context.
905 : *
906 : * @param context A hx509 context.
907 : * @param ctx a new allocated hx509 validation context, free with
908 : * hx509_validate_ctx_free().
909 :
910 : * @return An hx509 error code, see hx509_get_error_string().
911 : *
912 : * @ingroup hx509_print
913 : */
914 :
915 : HX509_LIB_FUNCTION int HX509_LIB_CALL
916 0 : hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
917 : {
918 0 : *ctx = calloc(1, sizeof(**ctx));
919 0 : if (*ctx == NULL)
920 0 : return hx509_enomem(context);
921 0 : (*ctx)->context = context;
922 0 : return 0;
923 : }
924 :
925 : /**
926 : * Set the printing functions for the validation context.
927 : *
928 : * @param ctx a hx509 valication context.
929 : * @param func the printing function to usea.
930 : * @param c the context variable to the printing function.
931 : *
932 : * @return An hx509 error code, see hx509_get_error_string().
933 : *
934 : * @ingroup hx509_print
935 : */
936 :
937 : HX509_LIB_FUNCTION void HX509_LIB_CALL
938 0 : hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
939 : hx509_vprint_func func,
940 : void *c)
941 : {
942 0 : ctx->vprint_func = func;
943 0 : ctx->ctx = c;
944 0 : }
945 :
946 : /**
947 : * Add flags to control the behaivor of the hx509_validate_cert()
948 : * function.
949 : *
950 : * @param ctx A hx509 validation context.
951 : * @param flags flags to add to the validation context.
952 : *
953 : * @return An hx509 error code, see hx509_get_error_string().
954 : *
955 : * @ingroup hx509_print
956 : */
957 :
958 : HX509_LIB_FUNCTION void HX509_LIB_CALL
959 0 : hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
960 : {
961 0 : ctx->flags |= flags;
962 0 : }
963 :
964 : /**
965 : * Free an hx509 validate context.
966 : *
967 : * @param ctx the hx509 validate context to free.
968 : *
969 : * @ingroup hx509_print
970 : */
971 :
972 : HX509_LIB_FUNCTION void HX509_LIB_CALL
973 0 : hx509_validate_ctx_free(hx509_validate_ctx ctx)
974 : {
975 0 : free(ctx);
976 0 : }
977 :
978 : /**
979 : * Validate/Print the status of the certificate.
980 : *
981 : * @param context A hx509 context.
982 : * @param ctx A hx509 validation context.
983 : * @param cert the cerificate to validate/print.
984 :
985 : * @return An hx509 error code, see hx509_get_error_string().
986 : *
987 : * @ingroup hx509_print
988 : */
989 :
990 : HX509_LIB_FUNCTION int HX509_LIB_CALL
991 0 : hx509_validate_cert(hx509_context context,
992 : hx509_validate_ctx ctx,
993 : hx509_cert cert)
994 : {
995 0 : Certificate *c = _hx509_get_cert(cert);
996 0 : TBSCertificate *t = &c->tbsCertificate;
997 0 : hx509_name issuer, subject;
998 0 : char *str;
999 0 : struct cert_status status;
1000 0 : int ret;
1001 :
1002 0 : memset(&status, 0, sizeof(status));
1003 :
1004 0 : if (_hx509_cert_get_version(c) != 3)
1005 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1006 : "Not version 3 certificate\n");
1007 :
1008 0 : if ((t->version == NULL || *t->version < 2) && t->extensions)
1009 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1010 : "Not version 3 certificate with extensions\n");
1011 :
1012 0 : if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
1013 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1014 : "Version 3 certificate without extensions\n");
1015 :
1016 0 : ret = hx509_cert_get_subject(cert, &subject);
1017 0 : if (ret) abort();
1018 0 : hx509_name_to_string(subject, &str);
1019 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1020 : "subject name: %s\n", str);
1021 0 : free(str);
1022 :
1023 0 : ret = hx509_cert_get_issuer(cert, &issuer);
1024 0 : if (ret) abort();
1025 0 : hx509_name_to_string(issuer, &str);
1026 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1027 : "issuer name: %s\n", str);
1028 0 : free(str);
1029 :
1030 0 : if (hx509_name_cmp(subject, issuer) == 0) {
1031 0 : status.selfsigned = 1;
1032 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1033 : "\tis a self-signed certificate\n");
1034 : }
1035 :
1036 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1037 : "Validity:\n");
1038 :
1039 0 : Time2string(&t->validity.notBefore, &str);
1040 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
1041 0 : free(str);
1042 0 : Time2string(&t->validity.notAfter, &str);
1043 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str);
1044 0 : free(str);
1045 :
1046 0 : if (t->extensions) {
1047 0 : size_t i, j;
1048 :
1049 0 : if (t->extensions->len == 0) {
1050 0 : validate_print(ctx,
1051 : HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
1052 : "The empty extensions list is not "
1053 : "allowed by PKIX\n");
1054 : }
1055 :
1056 0 : for (i = 0; i < t->extensions->len; i++) {
1057 :
1058 0 : for (j = 0; check_extension[j].name; j++)
1059 0 : if (der_heim_oid_cmp(check_extension[j].oid,
1060 0 : &t->extensions->val[i].extnID) == 0)
1061 0 : break;
1062 0 : if (check_extension[j].name == NULL) {
1063 0 : int flags = HX509_VALIDATE_F_VERBOSE;
1064 0 : if (t->extensions->val[i].critical)
1065 0 : flags |= HX509_VALIDATE_F_VALIDATE;
1066 0 : validate_print(ctx, flags, "don't know what ");
1067 0 : if (t->extensions->val[i].critical)
1068 0 : validate_print(ctx, flags, "and is CRITICAL ");
1069 0 : if (ctx->flags & flags)
1070 0 : hx509_oid_print(&t->extensions->val[i].extnID,
1071 : validate_vprint, ctx);
1072 0 : validate_print(ctx, flags, " is\n");
1073 0 : continue;
1074 : }
1075 0 : validate_print(ctx,
1076 : HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
1077 : "checking extension: %s\n",
1078 : check_extension[j].name);
1079 0 : (*check_extension[j].func)(ctx,
1080 : &status,
1081 : check_extension[j].cf,
1082 0 : &t->extensions->val[i]);
1083 : }
1084 : } else
1085 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extensions\n");
1086 :
1087 0 : if (status.isca) {
1088 0 : if (!status.haveSKI)
1089 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1090 : "CA certificate have no SubjectKeyIdentifier\n");
1091 :
1092 : } else {
1093 0 : if (!status.haveAKI)
1094 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1095 : "Is not CA and doesn't have "
1096 : "AuthorityKeyIdentifier\n");
1097 : }
1098 :
1099 :
1100 0 : if (!status.haveSKI)
1101 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1102 : "Doesn't have SubjectKeyIdentifier\n");
1103 :
1104 0 : if (status.isproxy && status.isca)
1105 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1106 : "Proxy and CA at the same time!\n");
1107 :
1108 0 : if (status.isproxy) {
1109 0 : if (status.haveSAN)
1110 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1111 : "Proxy and have SAN\n");
1112 0 : if (status.haveIAN)
1113 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1114 : "Proxy and have IAN\n");
1115 : }
1116 :
1117 0 : if (hx509_name_is_null_p(subject) && !status.haveSAN)
1118 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1119 : "NULL subject DN and doesn't have a SAN\n");
1120 :
1121 0 : if (!status.selfsigned && !status.haveCRLDP)
1122 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1123 : "Not a CA nor PROXY and doesn't have"
1124 : "CRL Dist Point\n");
1125 :
1126 0 : if (status.selfsigned) {
1127 0 : ret = _hx509_verify_signature_bitstring(context,
1128 : cert,
1129 0 : &c->signatureAlgorithm,
1130 0 : &c->tbsCertificate._save,
1131 0 : &c->signatureValue);
1132 0 : if (ret == 0)
1133 0 : validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1134 : "Self-signed certificate was self-signed\n");
1135 : else
1136 0 : validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1137 : "Self-signed certificate NOT really self-signed!\n");
1138 : }
1139 :
1140 0 : hx509_name_free(&subject);
1141 0 : hx509_name_free(&issuer);
1142 :
1143 0 : return 0;
1144 : }
|
