Bool CheckHostnameInCertificate(X509 *cert, const char *hostname) { X509_EXTENSION *ext; ASN1_OBJECT *extobj; int ext_count, i, oid; Bool should_check_cn = TRUE; Bool ok = FALSE; char *cn; if (cert == NULL) return FALSE; if (strcasecmp(hostname, "localhost") == 0) return TRUE; if (strcasecmp(hostname, "127.0.0.1") == 0) return TRUE; if (strcasecmp(hostname, "::1") == 0) return TRUE; /* check dNSName in subjectAltName extension */ if ((ext_count = X509_get_ext_count(cert)) > 0){ for (i = 0; i < ext_count; i++){ if ((ext = X509_get_ext(cert, i)) == NULL) break; if ((extobj = X509_EXTENSION_get_object(ext)) == NULL) break; if ((oid = OBJ_obj2nid(extobj)) == NID_subject_alt_name){ ok = CheckSubjectAltName(ext, hostname); } } } /* check commonName */ if (ok != TRUE && should_check_cn == TRUE){ if ((cn = GetCommonNameFromCertificate(cert)) != NULL){ if (strcasecmp(cn, hostname) == 0) ok = TRUE; xfree(cn); } } return ok; }
static PyObject * get_all_extensions (certificate_x509 *self, PyObject *args) { if (!PyArg_ParseTuple (args, "")) { return NULL; } int i; int ext_count = X509_get_ext_count (self->x509); char oid[MAX_BUF]; PyObject *dict = PyDict_New (); for (i = 0; i < ext_count; i++) { X509_EXTENSION *ext = X509_get_ext (self->x509, i); OBJ_obj2txt (oid, MAX_BUF, ext->object, 1); PyObject *key = PyString_FromString (oid); char *value = NULL; size_t length = get_extension_by_object (self->x509, ext->object, &value); PyObject *dict_value = PyString_FromStringAndSize (value, length); free (value); PyDict_SetItem (dict, key, dict_value); Py_DECREF (key); Py_DECREF (dict_value); } return dict; }
int main(int argc, char **argv) { X509 *cert; FILE *inf; int i, count; X509_EXTENSION *ext; X509V3_add_standard_extensions(); ERR_load_crypto_strings(); if(!argv[1]) { fprintf(stderr, "Usage v3prin cert.pem\n"); exit(1); } if(!(inf = fopen(argv[1], "r"))) { fprintf(stderr, "Can't open %s\n", argv[1]); exit(1); } if(!(cert = PEM_read_X509(inf, NULL, NULL))) { fprintf(stderr, "Can't read certificate %s\n", argv[1]); ERR_print_errors_fp(stderr); exit(1); } fclose(inf); count = X509_get_ext_count(cert); printf("%d extensions\n", count); for(i = 0; i < count; i++) { ext = X509_get_ext(cert, i); printf("%s\n", OBJ_nid2ln(OBJ_obj2nid(ext->object))); if(!X509V3_EXT_print_fp(stdout, ext, 0, 0)) ERR_print_errors_fp(stderr); printf("\n"); } return 0; }
int main(int argc, char **argv) { LHASH *conf; X509 *cert; FILE *inf; char *conf_file; int i; int count; X509_EXTENSION *ext; X509V3_add_standard_extensions(); ERR_load_crypto_strings(); if(!argv[1]) { fprintf(stderr, "Usage: v3conf cert.pem [file.cnf]\n"); exit(1); } conf_file = argv[2]; if(!conf_file) conf_file = "test.cnf"; conf = CONF_load(NULL, "test.cnf", NULL); if(!conf) { fprintf(stderr, "Error opening Config file %s\n", conf_file); ERR_print_errors_fp(stderr); exit(1); } inf = fopen(argv[1], "r"); if(!inf) { fprintf(stderr, "Can't open certificate file %s\n", argv[1]); exit(1); } cert = PEM_read_X509(inf, NULL, NULL); if(!cert) { fprintf(stderr, "Error reading certificate file %s\n", argv[1]); exit(1); } fclose(inf); sk_pop_free(cert->cert_info->extensions, X509_EXTENSION_free); cert->cert_info->extensions = NULL; if(!X509V3_EXT_add_conf(conf, NULL, "test_section", cert)) { fprintf(stderr, "Error adding extensions\n"); ERR_print_errors_fp(stderr); exit(1); } count = X509_get_ext_count(cert); printf("%d extensions\n", count); for(i = 0; i < count; i++) { ext = X509_get_ext(cert, i); printf("%s", OBJ_nid2ln(OBJ_obj2nid(ext->object))); if(ext->critical) printf(",critical:\n"); else printf(":\n"); X509V3_EXT_print_fp(stdout, ext, 0, 0); printf("\n"); } return 0; }
/* * Returns: 0 if successfully matching certificate to TLSA record bytes * -1 if there was no match */ int ca_constraint(const SSL *con, const X509 *tlsa_cert, int usage) { STACK_OF(X509) *cert_chain = NULL; cert_chain = SSL_get_peer_cert_chain(con); BIO_printf(b_err, "DANE ca_constraint() chain of %d length\n", sk_X509_num(cert_chain)); int ret_val; ret_val = 0; if (cert_chain != NULL) { int i; for (i = 0; i < sk_X509_num(cert_chain); i++) { BIO_printf(b_err, "DANE ca_constraint() cert %d of %d.\n", i, sk_X509_num(cert_chain)); /* BIO_printf(b_err, "DANE CXN Certificate\n"); PEM_write_bio_X509(b_err, sk_X509_value(cert_chain, i)); BIO_printf(b_err, "DANE TLSA Certificate\n"); PEM_write_bio_X509(b_err, tlsa_cert); */ if (X509_cmp(tlsa_cert, sk_X509_value(cert_chain, i)) < 0) { ret_val = -1; BIO_printf(b_err, "DANE ca_constraint() certificates didn't match\n"); } else { BIO_printf(b_err, "DANE ca_constraint() certificates matches\n"); if (usage == 0) return 0; /* For this to be a trust anchor, the following characteristics applies: * 1. Issuer name is the same as Subject name * 2. Either or both * a) the Key Usage field is set to keyCertSign (KU_KEY_CERT_SIGN) * b) the basicConstraints field has the attribute cA set to True (EXFLAG_CA) */ X509_NAME *issuer_name, *subject_name; issuer_name = X509_get_issuer_name(tlsa_cert); subject_name = X509_get_subject_name(tlsa_cert); if (X509_name_cmp(issuer_name, subject_name) == 0) { BIO_printf(b_err, "DANE issuer == subject\n"); if (tlsa_cert->ex_flags & EXFLAG_CA) { BIO_printf(b_err, "DANE ca_constraint() EXFLAG_CA set\n"); return 0; } /* Left unimplemented since I don't have a CA certificate to work with.*/ int ext_count, j; ext_count = X509_get_ext_count(tlsa_cert); BIO_printf(b_err, "DANE ca_constraint() %d certificate extensions\n"); } else { return 0; } } } } return ret_val; }
/* * post_connection_check */ long post_connection_check(SSL *ssl, const char *host) { X509 *cert; X509_NAME * subj; char data[256]; int extcount; if ( !(cert = SSL_get_peer_certificate(ssl)) || !host ) { int_error("Failed to get peer certificate or host"); return 0; //SSL_get_verify_result(ssl); } // // get the extension in the certificate // if ( extcount = X509_get_ext_count(cert) > 0 ) { int i; for (i = 0; i < extcount; i++) { const char * extstr; X509_EXTENSION * ext; ext = X509_get_ext(cert, i); extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); fprintf(stderr, " %s\n",extstr); } }// extension // // Get the CN // memset(data, 0, 256); if ((subj = X509_get_subject_name(cert)) && (X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256)) > 0) { time_t now; time(&now); data[255] = '\n'; fprintf(stderr," CN = %s\n", data); // Record in file fprintf(student_file,"%s CN = %s\n", ctime(&now), data); // Record in db record_in_db(data, ctime(&now)); fflush(student_file); } X509_free(cert); return SSL_get_verify_result(ssl); }
:return: Number of extensions as a Python integer\n\ "; static PyObject * crypto_X509_get_extension_count(crypto_X509Obj *self, PyObject *args) { if (!PyArg_ParseTuple(args, ":get_extension_count")) { return NULL; } return PyLong_FromLong((long)X509_get_ext_count(self->x509)); }
int ssl_cert_type(X509 *x, EVP_PKEY *pkey) { EVP_PKEY *pk; int ret= -1,i,j; if (pkey == NULL) pk=X509_get_pubkey(x); else pk=pkey; if (pk == NULL) goto err; i=pk->type; if (i == EVP_PKEY_RSA) { ret=SSL_PKEY_RSA_ENC; if (x != NULL) { j=X509_get_ext_count(x); /* check to see if this is a signing only certificate */ /* EAY EAY EAY EAY */ } } else if (i == EVP_PKEY_DSA) { ret=SSL_PKEY_DSA_SIGN; } else if (i == EVP_PKEY_DH) { /* if we just have a key, we needs to be guess */ if (x == NULL) ret=SSL_PKEY_DH_DSA; else { j=X509_get_signature_type(x); if (j == EVP_PKEY_RSA) ret=SSL_PKEY_DH_RSA; else if (j== EVP_PKEY_DSA) ret=SSL_PKEY_DH_DSA; else ret= -1; } } else ret= -1; err: if(!pkey) EVP_PKEY_free(pk); return(ret); }
IoObject *IoCertificate_extensions(IoCertificate *self, IoObject *locals, IoMessage *m) { IoObject *map = IoObject_new(IoObject_state(self)); int i; for(i = 0; i < X509_get_ext_count(X509(self)); i++) { IoObject *ioext = IoObject_new(IoObject_state(self)); X509_EXTENSION *ext = X509_get_ext(X509(self), i); const char *key = (const char *)OBJ_nid2ln(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); const char *value = (const char *)ASN1_STRING_data(X509_EXTENSION_get_data(ext)); int isCritical = X509_EXTENSION_get_critical(ext); IoObject_setSlot_to_(ioext, IOSYMBOL("value"), IoSeq_newWithCString_(IoObject_state(self), value)); IoObject_setSlot_to_(ioext, IOSYMBOL("isCritical"), IONUMBER(isCritical)); IoObject_setSlot_to_(map, IOSYMBOL(key), ioext); } return map; }
int verify_cert_hostname(X509 *cert, char *hostname) { int extcount, i, j, ok = 0; char name[256]; X509_NAME *subj; const char *extstr; unsigned char *data; X509_EXTENSION *ext; X509V3_EXT_METHOD *meth; int l = strlen(hostname); char hostname_end[256]; strncpy(hostname_end, hostname, sizeof(hostname_end)); hostname_end[l+1]=hostname[l]; hostname_end[l]='.'; //update meĀ [WIP] - feel free to edit if ((extcount = X509_get_ext_count(cert)) > 0) { for (i = 0; !ok && i < extcount; i++) { ext = X509_get_ext(cert, i); extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (!strcasecmp(extstr, "subjectAltName")) { if (!(meth = X509V3_EXT_get(ext))) break; data = ext->value->data; int i; if (/*i = */strstr(data, hostname) != NULL){ //printf("dada: %d\n", i); if (strstr(data, hostname_end) == NULL) { ok = 1; break; } } } } } if (!ok && (subj = X509_get_subject_name(cert)) && X509_NAME_get_text_by_NID(subj, NID_commonName, name, sizeof(name)) > 0) { name[sizeof(name) - 1] = '\0'; if (!strcasecmp(name, hostname)) { ok = 1; } } return ok; }
PKI_X509_EXTENSION_STACK *PKI_X509_CERT_get_extensions(const PKI_X509_CERT *x) { PKI_X509_EXTENSION_STACK *ret = NULL; int i = 0; int ext_count = 0; if (!x) return NULL; if ((ext_count = X509_get_ext_count (x->value)) <= 0 ) return NULL; for ( i=0; i < ext_count; i++ ) { LIBPKI_X509_EXTENSION *ext = NULL; // PKI_X509_EXTENSION_VALUE *ext = NULL; PKI_X509_EXTENSION *pki_ext = NULL; if((ext = X509_get_ext ( x->value, i )) == NULL ) { continue; } if((pki_ext = PKI_X509_EXTENSION_new()) == NULL ) { PKI_log_err ( "Memory Allocation"); continue; } if( ext->object == NULL ) { PKI_X509_EXTENSION_free ( pki_ext ); continue; } pki_ext->oid = PKI_OID_dup ( ext->object ); pki_ext->critical = ext->critical; if((pki_ext->value = X509V3_EXT_d2i ( ext )) == NULL ) { PKI_log_debug( "Extension %d -- not parsable", i); PKI_X509_EXTENSION_free ( pki_ext ); continue; } } return ret; }
PKI_X509_EXTENSION_STACK *PKI_X509_EXTENSION_get_list ( void *x, PKI_X509_DATA type ) { PKI_X509_EXTENSION_STACK *ret = NULL; int i = 0; int ext_count = 0; if (!x) return NULL; if ((ext_count = X509_get_ext_count (x)) <= 0 ) return NULL; if(( ret = PKI_STACK_X509_EXTENSION_new()) == NULL ) return NULL; for ( i=0; i < ext_count; i++ ) { PKI_X509_EXTENSION_VALUE *ext = NULL; PKI_X509_EXTENSION *pki_ext = NULL; if((ext = X509_get_ext ( x, i )) == NULL ) { continue; } if((pki_ext = PKI_X509_EXTENSION_new()) == NULL ) { PKI_log_err ( "Memory Allocation"); continue; } pki_ext->oid = ext->object; pki_ext->critical = ext->critical; if((pki_ext->value = X509V3_EXT_d2i ( ext )) == NULL ) { PKI_log_debug( "Extension %d -- not parsable", i); PKI_X509_EXTENSION_free ( pki_ext ); continue; } PKI_STACK_X509_EXTENSION_push ( ret, pki_ext ); } return ret; }
/* self sign */ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, CONF *conf, char *section) { EVP_PKEY *pktmp; pktmp = X509_get_pubkey(x); EVP_PKEY_copy_parameters(pktmp,pkey); EVP_PKEY_save_parameters(pktmp,1); EVP_PKEY_free(pktmp); if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err; if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err; /* Lets just make it 12:00am GMT, Jan 1 1970 */ /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ /* 28 days to be certified */ if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) goto err; if (!X509_set_pubkey(x,pkey)) goto err; if (clrext) { while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); } if (conf) { X509V3_CTX ctx; X509_set_version(x,2); /* version 3 certificate */ X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err; } if (!X509_sign(x,pkey,digest)) goto err; return 1; err: ERR_print_errors(bio_err); return 0; }
static int verify_cert_hostname(X509 *cert, char *hostname) { int extcount, i, j, ok = 0; char name[256]; X509_NAME *subj; const char *extstr; CONF_VALUE *nval; const unsigned char *data; X509_EXTENSION *ext; X509V3_EXT_METHOD *meth; STACK_OF(CONF_VALUE) *val; if ((extcount = X509_get_ext_count(cert)) > 0) { for (i = 0; !ok && i < extcount; i++) { ext = X509_get_ext(cert, i); extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (!strcasecmp(extstr, "subjectAltName")) { if (!(meth = (X509V3_EXT_METHOD *)X509V3_EXT_get(ext))) break; data = ext->value->data; val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0); for (j = 0; j < sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value(val, j); if (!strcasecmp(nval->name, "DNS") && !strcasecmp(nval->value, hostname)) { ok = 1; break; } } } } } if (!ok && (subj = X509_get_subject_name(cert)) && X509_NAME_get_text_by_NID(subj, NID_commonName, name, sizeof(name)) > 0) { name[sizeof(name) - 1] = '\0'; if (!strcasecmp(name, hostname)) ok = 1; } return ok; }
static void CheckDuplicateExtensions(X509 *x509) { STACK_OF(ASN1_OBJECT) *stack = sk_ASN1_OBJECT_new(obj_cmp); for (int i = 0; i < X509_get_ext_count(x509); i++) { X509_EXTENSION *ext = X509_get_ext(x509, i); if (ext == NULL) { SetError(ERR_INVALID); continue; } ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext); if (sk_ASN1_OBJECT_find(stack, obj) >= 0) { SetError(ERR_DUPLICATE_EXTENSION); } else { sk_ASN1_OBJECT_push(stack, obj); } } sk_ASN1_OBJECT_free(stack); }
/* * Check if a x509 extension is critical */ static int is_x509_ext_critical(X509 *cert, int nid) { X509_EXTENSION *ex; ASN1_OBJECT *obj; int n, i; n = X509_get_ext_count(cert); for (i = 0; i < n; i++) { ex = X509_get_ext(cert, i); if (!ex) { continue; } obj = X509_EXTENSION_get_object(ex); if (!obj) { continue; } if (OBJ_obj2nid(obj) == nid && X509_EXTENSION_get_critical(ex)) { debug("Certificate nid %d is critical\n", nid); return 1; } } return 0; }
static void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; PROXY_CERT_INFO_EXTENSION *pci; ASN1_BIT_STRING *usage; ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; int i; if(x->ex_flags & EXFLAG_SET) return; #ifndef OPENSSL_NO_SHA X509_digest(x, EVP_sha1(), x->sha1_hash, NULL); #endif /* Does subject name match issuer ? */ if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) x->ex_flags |= EXFLAG_SS; /* V1 should mean no extensions ... */ if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1; /* Handle basic constraints */ if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) { if(bs->ca) x->ex_flags |= EXFLAG_CA; if(bs->pathlen) { if((bs->pathlen->type == V_ASN1_NEG_INTEGER) || !bs->ca) { x->ex_flags |= EXFLAG_INVALID; x->ex_pathlen = 0; } else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen); } else x->ex_pathlen = -1; BASIC_CONSTRAINTS_free(bs); x->ex_flags |= EXFLAG_BCONS; } /* Handle proxy certificates */ if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { if (x->ex_flags & EXFLAG_CA || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0 || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) { x->ex_flags |= EXFLAG_INVALID; } if (pci->pcPathLengthConstraint) { x->ex_pcpathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint); } else x->ex_pcpathlen = -1; PROXY_CERT_INFO_EXTENSION_free(pci); x->ex_flags |= EXFLAG_PROXY; } /* Handle key usage */ if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) { if(usage->length > 0) { x->ex_kusage = usage->data[0]; if(usage->length > 1) x->ex_kusage |= usage->data[1] << 8; } else x->ex_kusage = 0; x->ex_flags |= EXFLAG_KUSAGE; ASN1_BIT_STRING_free(usage); } x->ex_xkusage = 0; if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) { x->ex_flags |= EXFLAG_XKUSAGE; for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) { switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) { case NID_server_auth: x->ex_xkusage |= XKU_SSL_SERVER; break; case NID_client_auth: x->ex_xkusage |= XKU_SSL_CLIENT; break; case NID_email_protect: x->ex_xkusage |= XKU_SMIME; break; case NID_code_sign: x->ex_xkusage |= XKU_CODE_SIGN; break; case NID_ms_sgc: case NID_ns_sgc: x->ex_xkusage |= XKU_SGC; break; case NID_OCSP_sign: x->ex_xkusage |= XKU_OCSP_SIGN; break; case NID_time_stamp: x->ex_xkusage |= XKU_TIMESTAMP; break; case NID_dvcs: x->ex_xkusage |= XKU_DVCS; break; } } sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); } if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) { if(ns->length > 0) x->ex_nscert = ns->data[0]; else x->ex_nscert = 0; x->ex_flags |= EXFLAG_NSCERT; ASN1_BIT_STRING_free(ns); } x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); if (!X509_EXTENSION_get_critical(ex)) continue; if (!X509_supported_extension(ex)) { x->ex_flags |= EXFLAG_CRITICAL; break; } } x->ex_flags |= EXFLAG_SET; }
Datum ssl_extension_info(PG_FUNCTION_ARGS) { X509 *cert = MyProcPort->peer; FuncCallContext *funcctx; int call_cntr; int max_calls; MemoryContext oldcontext; SSLExtensionInfoContext *fctx; if (SRF_IS_FIRSTCALL()) { TupleDesc tupdesc; /* create a function context for cross-call persistence */ funcctx = SRF_FIRSTCALL_INIT(); /* * Switch to memory context appropriate for multiple function calls */ oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx); /* Create a user function context for cross-call persistence */ fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext)); /* Construct tuple descriptor */ if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("function returning record called in context that cannot accept type record"))); fctx->tupdesc = BlessTupleDesc(tupdesc); /* Set max_calls as a count of extensions in certificate */ max_calls = cert != NULL ? X509_get_ext_count(cert) : 0; if (max_calls > 0) { /* got results, keep track of them */ funcctx->max_calls = max_calls; funcctx->user_fctx = fctx; } else { /* fast track when no results */ MemoryContextSwitchTo(oldcontext); SRF_RETURN_DONE(funcctx); } MemoryContextSwitchTo(oldcontext); } /* stuff done on every call of the function */ funcctx = SRF_PERCALL_SETUP(); /* * Initialize per-call variables. */ call_cntr = funcctx->call_cntr; max_calls = funcctx->max_calls; fctx = funcctx->user_fctx; /* do while there are more left to send */ if (call_cntr < max_calls) { Datum values[3]; bool nulls[3]; char *buf; HeapTuple tuple; Datum result; BIO *membuf; X509_EXTENSION *ext; ASN1_OBJECT *obj; int nid; int len; /* need a BIO for this */ membuf = BIO_new(BIO_s_mem()); if (membuf == NULL) ereport(ERROR, (errcode(ERRCODE_OUT_OF_MEMORY), errmsg("could not create OpenSSL BIO structure"))); /* Get the extension from the certificate */ ext = X509_get_ext(cert, call_cntr); obj = X509_EXTENSION_get_object(ext); /* Get the extension name */ nid = OBJ_obj2nid(obj); if (nid == NID_undef) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("unknown OpenSSL extension in certificate at position %d", call_cntr))); values[0] = CStringGetTextDatum(OBJ_nid2sn(nid)); nulls[0] = false; /* Get the extension value */ if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("could not print extension value in certificate at position %d", call_cntr))); len = BIO_get_mem_data(membuf, &buf); values[1] = PointerGetDatum(cstring_to_text_with_len(buf, len)); nulls[1] = false; /* Get critical status */ values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext)); nulls[2] = false; /* Build tuple */ tuple = heap_form_tuple(fctx->tupdesc, values, nulls); result = HeapTupleGetDatum(tuple); if (BIO_free(membuf) != 1) elog(ERROR, "could not free OpenSSL BIO structure"); SRF_RETURN_NEXT(funcctx, result); } /* All done */ SRF_RETURN_DONE(funcctx); }
su_inline int tls_post_connection_check(tport_t *self, tls_t *tls) { X509 *cert; int extcount; int i, j, error; if (!tls) return -1; cert = SSL_get_peer_certificate(tls->con); if (!cert) { SU_DEBUG_7(("%s(%p): Peer did not provide X.509 Certificate.\n", __func__, (void *) self)); if (self->tp_accepted && tls->verify_incoming) return X509_V_ERR_CERT_UNTRUSTED; else if (!self->tp_accepted && tls->verify_outgoing) return X509_V_ERR_CERT_UNTRUSTED; else return X509_V_OK; } tls->subjects = su_strlst_create(tls->home); if (!tls->subjects) return X509_V_ERR_OUT_OF_MEM; extcount = X509_get_ext_count(cert); /* Find matching subjectAltName.DNS */ for (i = 0; i < extcount; i++) { X509_EXTENSION *ext; char const *name; #if OPENSSL_VERSION_NUMBER > 0x10000000L const X509V3_EXT_METHOD *vp; #else X509V3_EXT_METHOD *vp; #endif STACK_OF(CONF_VALUE) *values; CONF_VALUE *value; void *d2i; ext = X509_get_ext(cert, i); name = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (strcmp(name, "subjectAltName") != 0) continue; vp = X509V3_EXT_get(ext); if (!vp) continue; d2i = X509V3_EXT_d2i(ext); values = vp->i2v(vp, d2i, NULL); for (j = 0; j < sk_CONF_VALUE_num(values); j++) { value = sk_CONF_VALUE_value(values, j); if (strcmp(value->name, "DNS") == 0) su_strlst_dup_append(tls->subjects, value->value); if (strcmp(value->name, "IP") == 0) su_strlst_dup_append(tls->subjects, value->value); else if (strcmp(value->name, "URI") == 0) su_strlst_dup_append(tls->subjects, value->value); } } { X509_NAME *subject; char name[256]; subject = X509_get_subject_name(cert); if (subject) { if (X509_NAME_get_text_by_NID(subject, NID_commonName, name, sizeof name) > 0) { usize_t k, N = su_strlst_len(tls->subjects); name[(sizeof name) - 1] = '\0'; for (k = 0; k < N; k++) if (su_casematch(su_strlst_item(tls->subjects, k), name) == 0) break; if (k >= N) su_strlst_dup_append(tls->subjects, name); } } } X509_free(cert); error = SSL_get_verify_result(tls->con); if (cert && error == X509_V_OK) tls->x509_verified = 1; if (tport_log->log_level >= 7) { int i, len = su_strlst_len(tls->subjects); for (i=0; i < len; i++) SU_DEBUG_7(("%s(%p): Peer Certificate Subject %i: %s\n", \ __func__, (void *)self, i, su_strlst_item(tls->subjects, i))); if (i == 0) SU_DEBUG_7(("%s(%p): Peer Certificate provided no usable subjects.\n", __func__, (void *)self)); } /* Verify incoming connections */ if (self->tp_accepted) { if (!tls->verify_incoming) return X509_V_OK; if (!tls->x509_verified) return error; if (tls->verify_subj_in) { su_strlst_t const *subjects = self->tp_pri->pri_primary->tp_subjects; int i, items; items = subjects ? su_strlst_len(subjects) : 0; if (items == 0) return X509_V_OK; for (i=0; i < items; i++) { if (tport_subject_search(su_strlst_item(subjects, i), tls->subjects)) return X509_V_OK; } SU_DEBUG_3(("%s(%p): Peer Subject Mismatch (incoming connection)\n", \ __func__, (void *)self)); return X509_V_ERR_CERT_UNTRUSTED; } } /* Verify outgoing connections */ else { char const *subject = self->tp_canon; if (!tls->verify_outgoing) return X509_V_OK; if (!tls->x509_verified || !subject) return error; if (tls->verify_subj_out) { if (tport_subject_search(subject, tls->subjects)) return X509_V_OK; /* Subject match found in verified certificate chain */ SU_DEBUG_3(("%s(%p): Peer Subject Mismatch (%s)\n", \ __func__, (void *)self, subject)); return X509_V_ERR_CERT_UNTRUSTED; } } return error; }
long ipfix_ssl_post_connection_check(SSL *ssl, char *host) { X509 *cert; X509_NAME *subj; char data[256]; int extcount; int ok = 0; /* Checking the return from SSL_get_peer_certificate here is not strictly * necessary. */ if (!(cert = SSL_get_peer_certificate(ssl)) || !host) goto err_occured; if ((extcount = X509_get_ext_count(cert)) > 0) { int i; for (i = 0; i < extcount; i++) { char *extstr; X509_EXTENSION *ext; ext = X509_get_ext(cert, i); extstr = (char*) OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (!strcmp(extstr, "subjectAltName")) { int j; const unsigned char *data; STACK_OF(CONF_VALUE) *val; CONF_VALUE *nval; X509V3_EXT_METHOD *meth; void *ext_str = NULL; if (!(meth = X509V3_EXT_get(ext))) break; data = ext->value->data; #if (OPENSSL_VERSION_NUMBER > 0x00907000L) if (meth->it) ext_str = ASN1_item_d2i(NULL, &data, ext->value->length, ASN1_ITEM_ptr(meth->it)); else ext_str = meth->d2i(NULL, &data, ext->value->length); #else ext_str = meth->d2i(NULL, &data, ext->value->length); #endif val = meth->i2v(meth, ext_str, NULL); for (j = 0; j < sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value(val, j); if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, host)) { ok = 1; break; } } } if (ok) break; } } if (!ok && (subj = X509_get_subject_name(cert)) && X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) > 0) { data[255] = 0; if (strcasecmp(data, host) != 0) goto err_occured; } X509_free(cert); return SSL_get_verify_result(ssl); err_occured: if (cert) X509_free(cert); return X509_V_ERR_APPLICATION_VERIFICATION; }
/** * Returns type of proxy certificate. * Valid values are: * NONE * CA * EEC * GT2_PROXY * RFC_PROXY * GT2_LIMITED_PROXY * RFC_LIMITED_PROXY * GT3_PROXY * GT3_LIMITED_PROXY */ proxy_type_t verify_type_of_proxy(X509 * cert) { #ifdef __func__ const char *logstr=__func__; #else const char *logstr="verify_type_of_proxy"; #endif proxy_type_t pt = NONE; char * cert_subjectdn = NULL; char * cert_issuerdn = NULL; char * tail_str = NULL; size_t len_subject_dn; size_t len_issuer_dn; X509_EXTENSION * pci_ext = NULL; PROXYCERTINFO * pci = NULL; PROXYPOLICY * policy = NULL; ASN1_OBJECT * policy_lang = NULL; int policy_nid; int myindex = -1; int i; char s[EXT_TEXT_LEN]; X509_EXTENSION *ex; /* Is it a CA certificate */ if (verify_x509IsCA(cert)) { /* verify_log (L_DEBUG, "%s: Detected CA certificate", logstr); */ pt = CA; goto finalize; } /* Check by OID */ for (i = 0; i < X509_get_ext_count(cert); ++i) { ex = X509_get_ext(cert, i); if (X509_EXTENSION_get_object(ex)) { OBJ_obj2txt(s, EXT_TEXT_LEN, X509_EXTENSION_get_object(ex), 1); if (strcmp(s, OID_RFC_PROXY) == 0) { pt = RFC_PROXY; /* Find index of OID_RFC_PROXY */ if((myindex = X509_get_ext_by_NID(cert, OBJ_txt2nid(OID_RFC_PROXY), -1)) != -1 && (pci_ext = X509_get_ext(cert,myindex)) && X509_EXTENSION_get_critical(pci_ext)) { if((pci = X509V3_EXT_d2i(pci_ext)) == NULL) { verify_error(logstr, "Can't convert DER encoded PROXYCERTINFO extension to internal form"); goto failure; } /* Pull a certificate policy from the extension, note: * pci!=NULL since we've checked that */ if( (policy = pci->policy) == NULL) { verify_error(logstr, "Can't get policy from PROXYCERTINFO extension"); goto failure; } /* Get policy language */ if( (policy_lang = policy->policy_language) == NULL) { verify_error(logstr, "Can't get policy language from PROXYCERTINFO extension"); goto failure; } /* Lang to NID, lang's NID holds RFC Proxy type, like limited. Impersonation is the default */ policy_nid = OBJ_obj2nid(policy_lang); if(policy_nid == OBJ_txt2nid(IMPERSONATION_PROXY_OID)) { pt = RFC_PROXY; } else if(policy_nid == OBJ_txt2nid(INDEPENDENT_PROXY_OID)) { pt = RFC_PROXY; } else if(policy_nid == OBJ_txt2nid(LIMITED_PROXY_OID)) { pt = RFC_LIMITED_PROXY; } else { /* RFC_RESTRICTED_PROXY */ pt = RFC_PROXY; } if(X509_get_ext_by_NID(cert, OBJ_txt2nid(OID_RFC_PROXY), myindex) != -1) { verify_error(logstr, "Found more than one PCI extension"); goto failure; } } goto finalize; } if (strcmp(s, OID_GLOBUS_PROXY_V3) == 0) { pt = GT3_PROXY; /* Find index of OID_GT3_PROXY - Don't make it search for critical extentions... VOMS doesn't set those. */ if((myindex = X509_get_ext_by_NID(cert, OBJ_txt2nid(OID_GLOBUS_PROXY_V3), -1)) != -1 && (pci_ext = X509_get_ext(cert,myindex))) { if((pci = X509V3_EXT_d2i(pci_ext)) == NULL) { verify_error(logstr, "Can't convert DER encoded PROXYCERTINFO extension to internal form"); goto failure; } /* Pull a certificate policy from the extension. Note: pci * != NULL since we've checked that */ if( (policy = pci->policy) == NULL) { verify_error(logstr, "Can't get policy from PROXYCERTINFO extension"); goto failure; } /* Get policy language */ if( (policy_lang = policy->policy_language) == NULL) { verify_error(logstr, "Can't get policy language from PROXYCERTINFO extension"); goto failure; } /* Lang to NID, lang's NID holds RFC Proxy type, like limited. Impersonation is the default */ policy_nid = OBJ_obj2nid(policy_lang); if(policy_nid == OBJ_txt2nid(IMPERSONATION_PROXY_OID)) { pt = GT3_PROXY; } else if(policy_nid == OBJ_txt2nid(INDEPENDENT_PROXY_OID)) { pt = GT3_PROXY; } else if(policy_nid == OBJ_txt2nid(LIMITED_PROXY_OID)) { pt = GT3_LIMITED_PROXY; } else { /* GT3_RESTRICTED_PROXY */ pt = GT3_PROXY; } if(X509_get_ext_by_NID(cert, OBJ_txt2nid(OID_GLOBUS_PROXY_V3), myindex) != -1) { verify_error(logstr, "Found more than one PCI extension"); goto failure; } } goto finalize; } if (strcmp(s, OID_GLOBUS_PROXY_V2) == 0) { pt = GT3_PROXY; /* Check for GT2_PROXY tail */ if (cert_subjectdn && (strlen(cert_subjectdn) > strlen("/cn=proxy")) && (tail_str = &cert_subjectdn[strlen(cert_subjectdn) - strlen("/cn=proxy")]) && (strcasecmp(tail_str, "/cn=proxy") == 0) ) { /* verify_log (L_DEBUG, "%s: Detected GT2 proxy certificate", logstr); */ pt = GT2_PROXY; goto finalize; } /* Check for GT2_LIMITED_PROXY tail */ if (cert_subjectdn && (strlen(cert_subjectdn) > strlen("/cn=limited proxy")) && (tail_str = &cert_subjectdn[strlen(cert_subjectdn) - strlen("/cn=limited proxy")]) && (strcasecmp(tail_str, "/cn=limited proxy") == 0) ) { /* verify_log (L_DEBUG, "%s: Detected GT2 limited proxy certificate", logstr); */ pt = GT2_LIMITED_PROXY; goto finalize; } verify_error(logstr, "Detected the Globus GT2 OID in the certificate, " "but seems to have a malformed Subject DN: \"%s\"", cert_subjectdn); goto failure; } } } /* Options left: GT2_PROXY, GT2_LIMITED_PROXY, EEC */ /* Extract Subject DN - Needs free */ if (!(cert_subjectdn = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0))) { verify_error (logstr, "Error in %s: Couldn't get the subject DN from the certificate.", logstr); goto failure; } if (!(cert_issuerdn = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0))) { verify_error (logstr, "Error in %s: Couldn't get the issuer DN from the certificate.", logstr); goto failure; } /* Check length of the DNs */ len_subject_dn = strlen(cert_subjectdn); len_issuer_dn = strlen(cert_issuerdn); /* Lower case the Subject DN */ /* for (j = 0; j < strlen(cert_subjectdn); j++) { cert_subjectdn[j] = tolower(cert_subjectdn[j]); } */ /* Proxies always has a longer subject_dn then a issuer_dn and * the issuer_dn is a substring of the subject_dn */ if ( (len_issuer_dn < len_subject_dn) && (strncmp(cert_subjectdn, cert_issuerdn, len_issuer_dn) == 0) ) { /* Check for GT2_PROXY tail */ if (cert_subjectdn && (strlen(cert_subjectdn) > strlen("/cn=proxy")) && (tail_str = &cert_subjectdn[strlen(cert_subjectdn) - strlen("/cn=proxy")]) && (strcasecmp(tail_str, "/cn=proxy") == 0) ) { /* verify_log (L_DEBUG, "%s: Detected GT2 proxy certificate", logstr); */ pt = GT2_PROXY; goto finalize; } /* Check for GT2_LIMITED_PROXY tail */ if (cert_subjectdn && (strlen(cert_subjectdn) > strlen("/cn=limited proxy")) && (tail_str = &cert_subjectdn[strlen(cert_subjectdn) - strlen("/cn=limited proxy")]) && (strcasecmp(tail_str, "/cn=limited proxy") == 0) ) { /* verify_log (L_DEBUG, "%s: Detected GT2 limited proxy certificate", logstr); */ pt = GT2_LIMITED_PROXY; goto finalize; } /* Check for RFC_PROXY, without the need for OpenSSL proxy support */ /* Method: Check if the subject_dn is long enough, grab its tail and * snip of the 10 characters. Then check if the 10 characters are * numbers. */ if (cert_subjectdn && (strlen(cert_subjectdn) > strlen("/cn=0123456789")) && (tail_str = strrchr(cert_subjectdn, '=')) && (tail_str = &tail_str[1]) && (strtol(tail_str, NULL, 10)) && (errno != ERANGE) ) { /* verify_log (L_DEBUG, "%s: Detected RFC proxy certificate", logstr); */ pt = RFC_PROXY; goto finalize; } /* Don't know the type of proxy, could be an RFC proxy with * improper/incomplete implementation in the active OpenSSL version or * a mistake in the client software */ goto failure; } /* I have no idea what else it is, so I conclude that it's an EEC */ pt = EEC; goto finalize; failure: /* On failure, or non-distinct selections of the certificate, indicate NONE */ pt = NONE; finalize: if (cert_subjectdn) free(cert_subjectdn); if (cert_issuerdn) free(cert_issuerdn); return pt; }
/** Search for a hostname match in the SubjectAlternativeNames. */ uint32_t check_san (SSL *ssl, const char *hostname) { X509 *cert; int extcount, ok = 0; /* What an OpenSSL mess ... */ if (NULL == (cert = SSL_get_peer_certificate(ssl))) { die ("Getting certificate failed"); } if ((extcount = X509_get_ext_count(cert)) > 0) { int i; for (i = 0; i < extcount; ++i) { const char *extstr; X509_EXTENSION *ext; ext = X509_get_ext(cert, i); extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (!strcmp(extstr, "subjectAltName")) { int j; void *extvalstr; const unsigned char *tmp; STACK_OF(CONF_VALUE) *val; CONF_VALUE *nval; #if OPENSSL_VERSION_NUMBER >= 0x10000000L const #endif X509V3_EXT_METHOD *method; if (!(method = X509V3_EXT_get(ext))) { break; } tmp = ext->value->data; if (method->it) { extvalstr = ASN1_item_d2i(NULL, &tmp, ext->value->length, ASN1_ITEM_ptr(method->it)); } else { extvalstr = method->d2i(NULL, &tmp, ext->value->length); } if (!extvalstr) { break; } if (method->i2v) { val = method->i2v(method, extvalstr, NULL); for (j = 0; j < sk_CONF_VALUE_num(val); ++j) { nval = sk_CONF_VALUE_value(val, j); if ((!strcasecmp(nval->name, "DNS") && !strcasecmp(nval->value, hostname) ) || (!strcasecmp(nval->name, "iPAddress") && !strcasecmp(nval->value, hostname))) { verb ("V: subjectAltName matched: %s, type: %s", nval->value, nval->name); // We matched this; so it's safe to print ok = 1; break; } // Attempt to match subjectAltName DNS names if (!strcasecmp(nval->name, "DNS")) { ok = check_wildcard_match_rfc2595(hostname, nval->value); if (ok) { break; } } verb_debug ("V: subjectAltName found but not matched: %s, type: %s", nval->value, sanitize_string(nval->name)); } } } else { verb_debug ("V: found non subjectAltName extension"); } if (ok) { break; } } } else { verb_debug ("V: no X509_EXTENSION field(s) found"); } X509_free(cert); return ok; }
extern "C" int32_t X509GetExtCount(X509* x) { return X509_get_ext_count(x); }
static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create, int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno) { int ret=0; ASN1_INTEGER *bs=NULL; X509_STORE_CTX xsc; EVP_PKEY *upkey; upkey = X509_get_pubkey(xca); EVP_PKEY_copy_parameters(upkey,pkey); EVP_PKEY_free(upkey); if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL)) { BIO_printf(bio_err,"Error initialising X509 store\n"); goto end; } if (sno) bs = sno; else if (!(bs = load_serial(CAfile, serialfile, create))) goto end; if (!X509_STORE_add_cert(ctx,x)) goto end; /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); if (!reqfile && !X509_verify_cert(&xsc)) goto end; if (!X509_check_private_key(xca,pkey)) { BIO_printf(bio_err,"CA certificate and CA private key do not match\n"); goto end; } if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end; if (!X509_set_serialNumber(x,bs)) goto end; if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL) goto end; /* hardwired expired */ if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) goto end; if (clrext) { while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); } if (conf) { X509V3_CTX ctx2; X509_set_version(x,2); /* version 3 certificate */ X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); X509V3_set_nconf(&ctx2, conf); if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end; } if (!X509_sign(x,pkey,digest)) goto end; ret=1; end: X509_STORE_CTX_cleanup(&xsc); if (!ret) ERR_print_errors(bio_err); if (!sno) ASN1_INTEGER_free(bs); return ret; }
//extention to SSL_get_verify_result int CSSLClient::PostConnectCheck(SSL *ssl, const char *pHost) { X509 *cert; X509_NAME *subj; char data[256]; int extcount; int ret = 0; do { if (!(cert = SSL_get_peer_certificate(ssl)) || !pHost) { break; } if ((extcount = X509_get_ext_count(cert)) > 0) { int i; for (i = 0; i < extcount; i++) { const char *extstr; X509_EXTENSION *ext; ext = X509_get_ext(cert, i); extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (!strcmp(extstr, SN_subject_alt_name)) { int j; const unsigned char *pData; STACK_OF(CONF_VALUE) *val; CONF_VALUE *nval; const X509V3_EXT_METHOD *pExtMethod; if (!(pExtMethod = X509V3_EXT_get(ext))) { break; } pData = ext->value->data; val = pExtMethod->i2v(pExtMethod, pExtMethod->d2i(NULL, &pData, ext->value->length), NULL); for (j = 0; j < sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value(val, j); if (!strcmp(nval->name, "DNS") && !strcmp(nval->value, pHost)) { ret = 1; break; } } } if (ret) { break; } }//end of for(; extentcount; ) } if (!ret && (subj = X509_get_subject_name(cert)) && X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) > 0) { data[255] = 0; if (strcmp(data, pHost) != 0) { break; } } X509_free(cert); ret = SSL_get_verify_result(ssl); return ret; } while(0); if (cert) { X509_free(cert); } return -1; }
/* * Check that the common name matches the host name */ static int check_cert_chain(conn_t * conn, SSL * ssl, ruleset_t * rs) { X509 *peer; X509_NAME *xn; static char subject[1024]; int r = FALSE, extc; if (SSL_get_verify_result(ssl) != X509_V_OK) { LOG(SPOCP_ERR) traceLog(LOG_ERR,"Certificate doesn't verify"); return FALSE; } /* * Check the cert chain. The chain length is automatically checked by * OpenSSL when we set the verify depth in the ctx */ peer = SSL_get_peer_certificate(ssl); if (!peer) { LOG(SPOCP_ERR) traceLog(LOG_ERR,"No peer certificate"); return TRUE; } /* * check subjectaltname */ if ((extc = X509_get_ext_count(peer)) > 0) { int i; for (i = 0; r == FALSE && i < extc; i++) { X509_EXTENSION *ext; const char *extstr; ext = X509_get_ext(peer, i); extstr = OBJ_nid2sn(OBJ_obj2nid (X509_EXTENSION_get_object(ext))); if (strcmp(extstr, "subjectAltName") == 0) { int j; unsigned char *data; STACK_OF(CONF_VALUE) * val; CONF_VALUE *nval; X509V3_EXT_METHOD *meth; if ((meth = X509V3_EXT_get(ext)) == 0) break; data = ext->value->data; val = meth->i2v(meth, meth->d2i(NULL, &data, ext->value->length), NULL); for (j = 0; r == FALSE && i < sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value(val, j); if (strcasecmp(nval->name, "DNS") == 0 && strcasecmp(nval->value, conn->sri. hostname)) { r = TRUE; } } } } } if (r == FALSE) { /* * Check the subject name */ xn = X509_get_subject_name(peer); X509_NAME_get_text_by_NID(xn, NID_commonName, subject, 1024); subject[1023] = '\0'; traceLog(LOG_DEBUG,"\"%s\" = \"%s\" ?", subject, conn->sri.hostname); if (strcasecmp(subject, conn->sri.hostname) == 0) { r = TRUE; } } if (r == TRUE) { conn->subjectDN = X509_NAME_oneline(X509_get_subject_name(peer), NULL, 0); conn->issuerDN = X509_NAME_oneline(X509_get_issuer_name(peer), NULL, 0); } X509_free(peer); return r; }
extern "C" int32_t CryptoNative_X509GetExtCount(X509* x) { return X509_get_ext_count(x); }