/**
* Get X509 certificate basic constraints
*
* @returns iprt status code.
*
* @param pvBuf string representation
* containing X509 certificate
* in PEM format
* @param cbSize The amount of data (in bytes)
* @param pBasicConstraintsOut memory buffer where the
* extracted basic constraints
* will be stored in string
* representation
*/
static int RTX509GetBasicConstraints(void *pvBuf, unsigned int cbSize, unsigned char** pBasicConstraintsOut)
{
int rc = VINF_SUCCESS;
BUF_MEM *bptr = NULL;
X509 *certificate = NULL;
char *errDesc = NULL;
BIO *bio_memory = NULL;
for (;;)
{
rc = rtX509ReadCertificateFromPEM(pvBuf, cbSize, &certificate);
int loc = X509_get_ext_by_NID(certificate, NID_basic_constraints,-1);
if(loc == -1)
{
rc = VERR_X509_NO_BASIC_CONSTARAINTS;
break;
}
X509_EXTENSION *ext = X509_get_ext(certificate, loc);
if(!ext)
{
rc = VERR_X509_GETTING_EXTENSION_FROM_CERT;
break;
}
ASN1_OCTET_STRING *extdata = X509_EXTENSION_get_data(ext);
if(!extdata)
{
rc = VERR_X509_GETTING_DATA_FROM_EXTENSION;
break;
}
bio_memory = BIO_new(BIO_s_mem());
if(!X509V3_EXT_print(bio_memory, ext, 0, 0))
{
rc = VERR_X509_PRINT_EXTENSION_TO_BIO;
break;
}
BIO_ctrl(bio_memory,BIO_CTRL_FLUSH,0,NULL);
BIO_ctrl(bio_memory,BIO_C_GET_BUF_MEM_PTR,0,(void *)&bptr);
// now bptr contains the strings of the key_usage
unsigned char *buf = (unsigned char *)RTMemAlloc((bptr->length + 1)*sizeof(char));
memcpy(buf, bptr->data, bptr->length);
// take care that bptr->data is NOT NULL terminated, so add '\0'
buf[bptr->length] = '\0';
*pBasicConstraintsOut = buf;
break;
}
if(certificate)
X509_free(certificate);
BIO_free(bio_memory);
return rc;
}
static size_t
get_extension_by_object (X509 *x509, ASN1_OBJECT *obj, char **output)
{
int pos = X509_get_ext_by_OBJ (x509, obj, -1);
if (pos < 0) {
return 0;
}
X509_EXTENSION *ext = X509_get_ext (x509, pos);
int tag;
long len;
int tc;
const unsigned char *p = ext->value->data;
ASN1_get_object (&p, &len, &tag, &tc, ext->value->length);
size_t size;
switch (tag) {
case V_ASN1_UTF8STRING:
{
ASN1_UTF8STRING *str =
ASN1_item_unpack (ext->value,
ASN1_ITEM_rptr
(ASN1_UTF8STRING));
*output = strndup ((const char *)
ASN1_STRING_data (str),
str->length);
size = str->length;
ASN1_UTF8STRING_free (str);
return size;
}
case V_ASN1_OCTET_STRING:
{
ASN1_OCTET_STRING *octstr =
ASN1_item_unpack (ext->value,
ASN1_ITEM_rptr
(ASN1_OCTET_STRING));
*output = malloc (octstr->length);
memcpy (*output, octstr->data, octstr->length);
size = octstr->length;
ASN1_OCTET_STRING_free (octstr);
return size;
}
default:
{
BIO *bio = BIO_new (BIO_s_mem ());
X509V3_EXT_print (bio, ext, 0, 0);
size_t size = BIO_ctrl_pending (bio);
char *buf = malloc (sizeof (char) * size);
BIO_read (bio, buf, size);
*output = buf;
BIO_free (bio);
return size;
}
}
}
void
x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509)
{
X509_NAME *x509_name = X509_get_subject_name (x509);
const char nullc = '\0';
int i;
while (xt)
{
if (depth == 0 || (xt->flags & XT_FULL_CHAIN))
{
i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1);
if (i >= 0)
{
X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i);
if (ent)
{
ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent);
unsigned char *buf;
buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
if (ASN1_STRING_to_UTF8 (&buf, val) > 0)
{
do_setenv_x509(es, xt->name, (char *)buf, depth);
OPENSSL_free (buf);
}
}
}
else
{
i = X509_get_ext_by_NID(x509, xt->nid, -1);
if (i >= 0)
{
X509_EXTENSION *ext = X509_get_ext(x509, i);
if (ext)
{
BIO *bio = BIO_new(BIO_s_mem());
if (bio)
{
if (X509V3_EXT_print(bio, ext, 0, 0))
{
if (BIO_write(bio, &nullc, 1) == 1)
{
char *str;
BIO_get_mem_data(bio, &str);
do_setenv_x509(es, xt->name, str, depth);
}
}
BIO_free(bio);
}
}
}
}
}
xt = xt->next;
}
}
static void ext_print(BIO *out, X509_EXTENSION *ex)
{
ASN1_OBJECT *obj;
int j;
BIO_printf(out,"%12s","");
obj=X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(out,obj);
j=X509_EXTENSION_get_critical(ex);
BIO_printf(out, ": %s\n", j ? "critical":"","");
if(!X509V3_EXT_print(out, ex, 0, 16)) {
BIO_printf(out, "%16s", "");
M_ASN1_OCTET_STRING_print(out,ex->value);
}
BIO_write(out,"\n",1);
}
/*
* Print a nice text representation of the certificate request.
*/
static PyObject *
crypto_X509Extension_str(crypto_X509ExtensionObj *self)
{
int str_len;
char *tmp_str;
PyObject *str;
BIO *bio = BIO_new(BIO_s_mem());
if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0))
{
BIO_free(bio);
exception_from_error_queue(crypto_Error);
return NULL;
}
str_len = BIO_get_mem_data(bio, &tmp_str);
str = PyText_FromStringAndSize(tmp_str, str_len);
BIO_free(bio);
return str;
}
static int compare_extension_printout(X509_EXTENSION *extension,
const char *expected_output)
{
BIO *text_buffer = NULL;
char *actual_output = NULL;
int result = 1;
text_buffer = BIO_new(BIO_s_mem());
if (text_buffer == NULL) {
fprintf(stderr, "Unable to allocate buffer\n");
goto end;
}
if (!X509V3_EXT_print(text_buffer, extension, X509V3_EXT_DEFAULT, 0)) {
fprintf(stderr, "Failed to print extension\n");
goto end;
}
/* Append null terminator because we're about to use the buffer contents
* as a string. */
if (BIO_write(text_buffer, "\0", 1) != 1) {
fprintf(stderr, "Failed to append null terminator to extension text\n");
goto end;
}
BIO_get_mem_data(text_buffer, &actual_output);
result = strcmp(actual_output, expected_output);
if (result != 0) {
fprintf(stderr,
"Expected SCT printout:\n%s\nActual SCT printout:\n%s\n",
expected_output, actual_output);
}
end:
BIO_free(text_buffer);
return result;
}
static PyObject *
X509_EXTENSION_value_to_PyString(X509_EXTENSION *ex) {
BIO *bio = NULL;
PyObject *str = NULL;
int str_len;
char *tmp_str;
/* Create a openssl BIO buffer */
bio = BIO_new(BIO_s_mem());
if (bio == NULL) {
goto err;
}
/* These are not the droids you are looking for. */
if (!X509V3_EXT_print(bio, ex, 0, 0)) {
if (M_ASN1_OCTET_STRING_print(bio, ex->value) == 0) {
goto err;
}
}
/* Convert to a Python string. */
str_len = BIO_get_mem_data(bio, &tmp_str);
str = PyBytes_FromStringAndSize(tmp_str, str_len);
/* Cleanup */
BIO_free(bio);
return str;
err:
if (bio) {
BIO_free(bio);
}
if (str) {
Py_DECREF(str);
}
return NULL;
}
int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags,
unsigned long cflag) {
long l;
EVP_PKEY *pkey;
STACK_OF(X509_ATTRIBUTE) * sk;
char mlch = ' ';
int nmindent = 0;
if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
if (nmflags == X509_FLAG_COMPAT) {
nmindent = 16;
}
X509_REQ_INFO *ri = x->req_info;
if (!(cflag & X509_FLAG_NO_HEADER)) {
if (BIO_write(bio, "Certificate Request:\n", 21) <= 0 ||
BIO_write(bio, " Data:\n", 10) <= 0) {
goto err;
}
}
if (!(cflag & X509_FLAG_NO_VERSION)) {
l = X509_REQ_get_version(x);
if (BIO_printf(bio, "%8sVersion: %ld (0x%lx)\n", "", l + 1, l) <= 0) {
goto err;
}
}
if (!(cflag & X509_FLAG_NO_SUBJECT)) {
if (BIO_printf(bio, " Subject:%c", mlch) <= 0 ||
X509_NAME_print_ex(bio, ri->subject, nmindent, nmflags) < 0 ||
BIO_write(bio, "\n", 1) <= 0) {
goto err;
}
}
if (!(cflag & X509_FLAG_NO_PUBKEY)) {
if (BIO_write(bio, " Subject Public Key Info:\n", 33) <= 0 ||
BIO_printf(bio, "%12sPublic Key Algorithm: ", "") <= 0 ||
i2a_ASN1_OBJECT(bio, ri->pubkey->algor->algorithm) <= 0 ||
BIO_puts(bio, "\n") <= 0) {
goto err;
}
pkey = X509_REQ_get_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio, "%12sUnable to load Public Key\n", "");
ERR_print_errors(bio);
} else {
EVP_PKEY_print_public(bio, pkey, 16, NULL);
EVP_PKEY_free(pkey);
}
}
if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {
if (BIO_printf(bio, "%8sAttributes:\n", "") <= 0) {
goto err;
}
sk = x->req_info->attributes;
if (sk_X509_ATTRIBUTE_num(sk) == 0) {
if (BIO_printf(bio, "%12sa0:00\n", "") <= 0) {
goto err;
}
} else {
size_t i;
for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
X509_ATTRIBUTE *a = sk_X509_ATTRIBUTE_value(sk, i);
ASN1_OBJECT *aobj = X509_ATTRIBUTE_get0_object(a);
if (X509_REQ_extension_nid(OBJ_obj2nid(aobj))) {
continue;
}
if (BIO_printf(bio, "%12s", "") <= 0) {
goto err;
}
const int num_attrs = X509_ATTRIBUTE_count(a);
const int obj_str_len = i2a_ASN1_OBJECT(bio, aobj);
if (obj_str_len <= 0) {
if (BIO_puts(bio, "(Unable to print attribute ID.)\n") < 0) {
goto err;
} else {
continue;
}
}
int j;
for (j = 0; j < num_attrs; j++) {
const ASN1_TYPE *at = X509_ATTRIBUTE_get0_type(a, j);
const int type = at->type;
ASN1_BIT_STRING *bs = at->value.asn1_string;
int k;
for (k = 25 - obj_str_len; k > 0; k--) {
if (BIO_write(bio, " ", 1) != 1) {
goto err;
}
}
if (BIO_puts(bio, ":") <= 0) {
goto err;
}
if (type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_UTF8STRING ||
type == V_ASN1_IA5STRING ||
type == V_ASN1_T61STRING) {
if (BIO_write(bio, (char *)bs->data, bs->length) != bs->length) {
goto err;
}
BIO_puts(bio, "\n");
} else {
BIO_puts(bio, "unable to print attribute\n");
}
}
}
}
}
if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {
STACK_OF(X509_EXTENSION) *exts = X509_REQ_get_extensions(x);
if (exts) {
BIO_printf(bio, "%8sRequested Extensions:\n", "");
size_t i;
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i);
if (BIO_printf(bio, "%12s", "") <= 0) {
goto err;
}
ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bio, obj);
const int is_critical = X509_EXTENSION_get_critical(ex);
if (BIO_printf(bio, ": %s\n", is_critical ? "critical" : "") <= 0) {
goto err;
}
if (!X509V3_EXT_print(bio, ex, cflag, 16)) {
BIO_printf(bio, "%16s", "");
ASN1_STRING_print(bio, X509_EXTENSION_get_data(ex));
}
if (BIO_write(bio, "\n", 1) <= 0) {
goto err;
}
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
}
}
if (!(cflag & X509_FLAG_NO_SIGDUMP) &&
!X509_signature_print(bio, x->sig_alg, x->signature)) {
goto err;
}
return 1;
err:
OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);
return 0;
}
extern "C" int32_t X509V3ExtPrint(BIO* out, X509_EXTENSION* ext)
{
return X509V3_EXT_print(out, ext, X509V3_EXT_DEFAULT, /*indent*/ 0);
}
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long cflag)
{
unsigned long l;
int i;
const char *neg;
X509_REQ_INFO *ri;
EVP_PKEY *pkey;
STACK_OF(X509_ATTRIBUTE) *sk;
STACK_OF(X509_EXTENSION) *exts;
char mlch = ' ';
int nmindent = 0;
if((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
if(nmflags == X509_FLAG_COMPAT)
nmindent = 16;
ri=x->req_info;
if(!(cflag & X509_FLAG_NO_HEADER))
{
if (BIO_write(bp,"Certificate Request:\n",21) <= 0) goto err;
if (BIO_write(bp," Data:\n",10) <= 0) goto err;
}
if(!(cflag & X509_FLAG_NO_VERSION))
{
neg=(ri->version->type == V_ASN1_NEG_INTEGER)?"-":"";
l=0;
for (i=0; i<ri->version->length; i++)
{ l<<=8; l+=ri->version->data[i]; }
if(BIO_printf(bp,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,
l) <= 0)
goto err;
}
if(!(cflag & X509_FLAG_NO_SUBJECT))
{
if (BIO_printf(bp," Subject:%c",mlch) <= 0) goto err;
if (X509_NAME_print_ex(bp,ri->subject,nmindent, nmflags) < 0) goto err;
if (BIO_write(bp,"\n",1) <= 0) goto err;
}
if(!(cflag & X509_FLAG_NO_PUBKEY))
{
if (BIO_write(bp," Subject Public Key Info:\n",33) <= 0)
goto err;
if (BIO_printf(bp,"%12sPublic Key Algorithm: ","") <= 0)
goto err;
if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0)
goto err;
if (BIO_puts(bp, "\n") <= 0)
goto err;
pkey=X509_REQ_get_pubkey(x);
if (pkey == NULL)
{
BIO_printf(bp,"%12sUnable to load Public Key\n","");
ERR_print_errors(bp);
}
else
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
BN_num_bits(pkey->pkey.rsa->n));
RSA_print(bp,pkey->pkey.rsa,16);
}
else
#endif
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
{
BIO_printf(bp,"%12sDSA Public Key:\n","");
DSA_print(bp,pkey->pkey.dsa,16);
}
else
#endif
#ifndef OPENSSL_NO_EC
if (pkey->type == EVP_PKEY_EC)
{
BIO_printf(bp, "%12sEC Public Key: \n","");
EC_KEY_print(bp, pkey->pkey.ec, 16);
}
else
#endif
BIO_printf(bp,"%12sUnknown Public Key:\n","");
EVP_PKEY_free(pkey);
}
if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
{
/* may not be */
if(BIO_printf(bp,"%8sAttributes:\n","") <= 0)
goto err;
sk=x->req_info->attributes;
if (sk_X509_ATTRIBUTE_num(sk) == 0)
{
if(BIO_printf(bp,"%12sa0:00\n","") <= 0)
goto err;
}
else
{
for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
{
ASN1_TYPE *at;
X509_ATTRIBUTE *a;
ASN1_BIT_STRING *bs=NULL;
ASN1_TYPE *t;
int j,type=0,count=1,ii=0;
a=sk_X509_ATTRIBUTE_value(sk,i);
if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
continue;
if(BIO_printf(bp,"%12s","") <= 0)
goto err;
if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
{
if (a->single)
{
t=a->value.single;
type=t->type;
bs=t->value.bit_string;
}
else
{
ii=0;
count=sk_ASN1_TYPE_num(a->value.set);
get_next:
at=sk_ASN1_TYPE_value(a->value.set,ii);
type=at->type;
bs=at->value.asn1_string;
}
}
for (j=25-j; j>0; j--)
if (BIO_write(bp," ",1) != 1) goto err;
if (BIO_puts(bp,":") <= 0) goto err;
if ( (type == V_ASN1_PRINTABLESTRING) ||
(type == V_ASN1_T61STRING) ||
(type == V_ASN1_IA5STRING))
{
if (BIO_write(bp,(char *)bs->data,bs->length)
!= bs->length)
goto err;
BIO_puts(bp,"\n");
}
else
{
BIO_puts(bp,"unable to print attribute\n");
}
if (++ii < count) goto get_next;
}
}
}
if(!(cflag & X509_FLAG_NO_EXTENSIONS))
{
exts = X509_REQ_get_extensions(x);
if(exts)
{
BIO_printf(bp,"%8sRequested Extensions:\n","");
for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
{
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
int j;
ex=sk_X509_EXTENSION_value(exts, i);
if (BIO_printf(bp,"%12s","") <= 0) goto err;
obj=X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp,obj);
j=X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
goto err;
if(!X509V3_EXT_print(bp, ex, cflag, 16))
{
BIO_printf(bp, "%16s", "");
M_ASN1_OCTET_STRING_print(bp,ex->value);
}
if (BIO_write(bp,"\n",1) <= 0) goto err;
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
}
}
if(!(cflag & X509_FLAG_NO_SIGDUMP))
{
if(!X509_signature_print(bp, x->sig_alg, x->signature)) goto err;
}
return(1);
err:
X509err(X509_F_X509_REQ_PRINT_EX,ERR_R_BUF_LIB);
return(0);
}
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
unsigned long cflag)
{
long l;
int i;
X509_REQ_INFO *ri;
EVP_PKEY *pkey;
STACK_OF(X509_ATTRIBUTE) *sk;
STACK_OF(X509_EXTENSION) *exts;
char mlch = ' ';
int nmindent = 0;
if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
if (nmflags == X509_FLAG_COMPAT)
nmindent = 16;
ri = x->req_info;
if (!(cflag & X509_FLAG_NO_HEADER)) {
if (BIO_write(bp, "Certificate Request:\n", 21) <= 0)
goto err;
if (BIO_write(bp, " Data:\n", 10) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_VERSION)) {
l = X509_REQ_get_version(x);
if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, l) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_SUBJECT)) {
if (BIO_printf(bp, " Subject:%c", mlch) <= 0)
goto err;
if (X509_NAME_print_ex(bp, ri->subject, nmindent, nmflags) < 0)
goto err;
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_PUBKEY)) {
if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0)
goto err;
if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
goto err;
if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0)
goto err;
if (BIO_puts(bp, "\n") <= 0)
goto err;
pkey = X509_REQ_get_pubkey(x);
if (pkey == NULL) {
BIO_printf(bp, "%12sUnable to load Public Key\n", "");
ERR_print_errors(bp);
} else {
EVP_PKEY_print_public(bp, pkey, 16, NULL);
EVP_PKEY_free(pkey);
}
}
if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {
/* may not be */
if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0)
goto err;
sk = x->req_info->attributes;
if (sk_X509_ATTRIBUTE_num(sk) == 0) {
if (BIO_printf(bp, "%12sa0:00\n", "") <= 0)
goto err;
} else {
for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
ASN1_TYPE *at;
X509_ATTRIBUTE *a;
ASN1_BIT_STRING *bs = NULL;
ASN1_OBJECT *aobj;
int j, type = 0, count = 1, ii = 0;
a = sk_X509_ATTRIBUTE_value(sk, i);
aobj = X509_ATTRIBUTE_get0_object(a);
if (X509_REQ_extension_nid(OBJ_obj2nid(aobj)))
continue;
if (BIO_printf(bp, "%12s", "") <= 0)
goto err;
if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
ii = 0;
count = X509_ATTRIBUTE_count(a);
get_next:
at = X509_ATTRIBUTE_get0_type(a, ii);
type = at->type;
bs = at->value.asn1_string;
}
for (j = 25 - j; j > 0; j--)
if (BIO_write(bp, " ", 1) != 1)
goto err;
if (BIO_puts(bp, ":") <= 0)
goto err;
if ((type == V_ASN1_PRINTABLESTRING) ||
(type == V_ASN1_T61STRING) ||
(type == V_ASN1_IA5STRING)) {
if (BIO_write(bp, (char *)bs->data, bs->length)
!= bs->length)
goto err;
BIO_puts(bp, "\n");
} else {
BIO_puts(bp, "unable to print attribute\n");
}
if (++ii < count)
goto get_next;
}
}
}
if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {
exts = X509_REQ_get_extensions(x);
if (exts) {
BIO_printf(bp, "%8sRequested Extensions:\n", "");
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
int j;
ex = sk_X509_EXTENSION_value(exts, i);
if (BIO_printf(bp, "%12s", "") <= 0)
goto err;
obj = X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp, obj);
j = X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0)
goto err;
if (!X509V3_EXT_print(bp, ex, cflag, 16)) {
BIO_printf(bp, "%16s", "");
ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex));
}
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
}
}
if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
if (!X509_signature_print(bp, x->sig_alg, x->signature))
goto err;
}
return (1);
err:
X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB);
return (0);
}
void anubis_dump_server_certificate(SSL *ssl) {
X509 *x509Cert = SSL_get_peer_certificate(ssl);
char buffer[1024];
BIO *bio = NULL;
char *buf = NULL;
if(!x509Cert) {
anubis_ssl_perror("SSL_get_peer_certificate()");
return;
}
bio = BIO_new(BIO_s_mem());
if(!bio) {
anubis_ssl_perror("BIO_new()");
X509_free(x509Cert);
return;
}//end if
BIO_reset(bio);
if(!PEM_write_bio_X509(bio, x509Cert)) {
anubis_ssl_perror("PEM_write_bio_X509()");
BIO_free(bio);
X509_free(x509Cert);
return;
}
BIO_get_mem_data(bio, &buf);
anubis_out("Server certificate:\n%s", buf);
// Cert Version
long version = 0;
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_VERSION)) {
version = X509_get_version(x509Cert);
fprintf(out_stream, "Version: %ld\n", version);
}//end if
// Cert Serial No. - Code adapted from OpenSSL's crypto/asn1/t_x509.c
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SERIAL)) {
ASN1_INTEGER *bs;
long l;
int i;
const char *neg;
bs = X509_get_serialNumber(x509Cert);
if (bs->length <= 4) {
l = ASN1_INTEGER_get(bs);
if (l < 0) {
l= -l;
neg = "-";
}
else
neg = "";
fprintf(out_stream, "Serial Number: %lu (%#lx)\n", l, l);
}
else {
neg = (bs->type == V_ASN1_NEG_INTEGER)?" (Negative)":"";
fprintf(out_stream, "Serial Number: %s", neg);
for (i = 0; i < bs->length; i++) {
fprintf(out_stream, "%02x%c", bs->data[i], (i+1 == bs->length)?'\n':':');
}
}
}
// Signature Algo...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SIGNAME)) {
i2a_ASN1_OBJECT(bio, x509Cert->cert_info->signature->algorithm);
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "Signature Algorithm:\n%s\n", buf);
}
// SSL Certificate Issuer...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_ISSUER)) {
X509_NAME_oneline(X509_get_issuer_name(x509Cert), buffer, sizeof(buffer) - 1);
fprintf(out_stream, "Issuer: %s\n", buffer);
}
// Validity...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_VALIDITY)) {
BIO_reset(bio);
ASN1_TIME_print(bio, X509_get_notBefore(x509Cert));
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "Not Valid Before: %s\n", buf);
BIO_reset(bio);
ASN1_TIME_print(bio, X509_get_notAfter(x509Cert));
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "Not Valid After: %s\n", buf);
}
// SSL Certificate Subject...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SUBJECT)) {
X509_NAME_oneline(X509_get_subject_name(x509Cert), buffer, sizeof(buffer) - 1);
fprintf(out_stream, "Subject: %s\n", buffer);
}
// Public Key Algo...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_PUBKEY)) {
BIO_reset(bio);
i2a_ASN1_OBJECT(bio, x509Cert->cert_info->key->algor->algorithm);
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "Public Key Algorithm: %s\n", buf);
// Public Key...
EVP_PKEY *publicKey = NULL;
publicKey = X509_get_pubkey(x509Cert);
if (publicKey == NULL) {
anubis_err("Public Key Could not load\n");
}
else {
BIO_reset(bio);
char *publicKeyType = NULL;
int publicKeyLength = -1;
switch (publicKey->type) {
case EVP_PKEY_RSA:
publicKeyType = "RSA";
if (publicKey->pkey.rsa) {
publicKeyLength = BN_num_bits(publicKey->pkey.rsa->n);
RSA_print(bio, publicKey->pkey.rsa, 0);
BIO_get_mem_data(bio, &buf);
}
break;
case EVP_PKEY_DSA:
publicKeyType = "DSA";
if (publicKey->pkey.dsa) {
DSA_print(bio, publicKey->pkey.dsa, 0);
BIO_get_mem_data(bio, &buf);
}
break;
case EVP_PKEY_EC:
publicKeyType = "EC";
if (publicKey->pkey.ec) {
EC_KEY_print(bio, publicKey->pkey.ec, 0);
BIO_get_mem_data(bio, &buf);
}
break;
default:
publicKeyType = "Unknown";
break;
}
EVP_PKEY_free(publicKey);
fprintf(out_stream, "%d Public Key: ", publicKeyLength);
if(!strcasecmp(publicKeyType, "RSA")) {
fprintf(out_stream, "(%d bits)", publicKeyLength);
}
fprintf(out_stream, "\n");
fprintf(out_stream, "%s\n", buf);
}
}
// X509 v3...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_EXTENSIONS) && sk_X509_EXTENSION_num(x509Cert->cert_info->extensions) > 0) {
X509_EXTENSION *extension = NULL;
ASN1_OBJECT *asn1Object = NULL;
int tempInt2 = 0;
BIO_reset(bio);
for (int tempInt = 0; tempInt < sk_X509_EXTENSION_num(x509Cert->cert_info->extensions); tempInt++) {
// Get Extension...
extension = sk_X509_EXTENSION_value(x509Cert->cert_info->extensions, tempInt);
asn1Object = X509_EXTENSION_get_object(extension);
i2a_ASN1_OBJECT(bio, asn1Object);
tempInt2 = X509_EXTENSION_get_critical(extension);
BIO_printf(bio, ": %s\n", tempInt2 ? "critical" : "");
// Print Extension value...
if (!X509V3_EXT_print(bio, extension, X509_FLAG_COMPAT, 8)) {
M_ASN1_OCTET_STRING_print(bio, extension->value);
}
BIO_printf(bio, "\n");
}//end for
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "x509v3 Extensions: %s\n", buf);
}//end if x509v3
/*
long verifyError = 0;
// Verify Certificate...
verifyError = SSL_get_verify_result(ssl);
const char *verifyCertificate = "";
if (verifyError == X509_V_OK)
verifyCertificate = "Certificate passed verification";
else
verifyCertificate = X509_verify_cert_error_string(verifyError);
fprintf(out_stream, "Validation: %s\n", verifyCertificate);
*/
BIO_free(bio);
X509_free(x509Cert);
fflush(out_stream);
}//end anubis_dump_server_certificate
Datum
ssl_extension_info(PG_FUNCTION_ARGS)
{
X509 *cert = MyProcPort->peer;
FuncCallContext *funcctx;
int call_cntr;
int max_calls;
MemoryContext oldcontext;
SSLExtensionInfoContext *fctx;
if (SRF_IS_FIRSTCALL())
{
TupleDesc tupdesc;
/* create a function context for cross-call persistence */
funcctx = SRF_FIRSTCALL_INIT();
/*
* Switch to memory context appropriate for multiple function calls
*/
oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);
/* Create a user function context for cross-call persistence */
fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext));
/* Construct tuple descriptor */
if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("function returning record called in context that cannot accept type record")));
fctx->tupdesc = BlessTupleDesc(tupdesc);
/* Set max_calls as a count of extensions in certificate */
max_calls = cert != NULL ? X509_get_ext_count(cert) : 0;
if (max_calls > 0)
{
/* got results, keep track of them */
funcctx->max_calls = max_calls;
funcctx->user_fctx = fctx;
}
else
{
/* fast track when no results */
MemoryContextSwitchTo(oldcontext);
SRF_RETURN_DONE(funcctx);
}
MemoryContextSwitchTo(oldcontext);
}
/* stuff done on every call of the function */
funcctx = SRF_PERCALL_SETUP();
/*
* Initialize per-call variables.
*/
call_cntr = funcctx->call_cntr;
max_calls = funcctx->max_calls;
fctx = funcctx->user_fctx;
/* do while there are more left to send */
if (call_cntr < max_calls)
{
Datum values[3];
bool nulls[3];
char *buf;
HeapTuple tuple;
Datum result;
BIO *membuf;
X509_EXTENSION *ext;
ASN1_OBJECT *obj;
int nid;
int len;
/* need a BIO for this */
membuf = BIO_new(BIO_s_mem());
if (membuf == NULL)
ereport(ERROR,
(errcode(ERRCODE_OUT_OF_MEMORY),
errmsg("could not create OpenSSL BIO structure")));
/* Get the extension from the certificate */
ext = X509_get_ext(cert, call_cntr);
obj = X509_EXTENSION_get_object(ext);
/* Get the extension name */
nid = OBJ_obj2nid(obj);
if (nid == NID_undef)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("unknown OpenSSL extension in certificate at position %d",
call_cntr)));
values[0] = CStringGetTextDatum(OBJ_nid2sn(nid));
nulls[0] = false;
/* Get the extension value */
if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("could not print extension value in certificate at position %d",
call_cntr)));
len = BIO_get_mem_data(membuf, &buf);
values[1] = PointerGetDatum(cstring_to_text_with_len(buf, len));
nulls[1] = false;
/* Get critical status */
values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext));
nulls[2] = false;
/* Build tuple */
tuple = heap_form_tuple(fctx->tupdesc, values, nulls);
result = HeapTupleGetDatum(tuple);
if (BIO_free(membuf) != 1)
elog(ERROR, "could not free OpenSSL BIO structure");
SRF_RETURN_NEXT(funcctx, result);
}
/* All done */
SRF_RETURN_DONE(funcctx);
}
/** Extract attributes from an X509 certificate
*
* @param cursor to copy attributes to.
* @param ctx to allocate attributes in.
* @param session current TLS session.
* @param cert to validate.
* @param depth the certificate is in the certificate chain (0 == leaf).
* @return
* - 0 on success.
* - < 0 on failure.
*/
int tls_session_pairs_from_x509_cert(fr_cursor_t *cursor, TALLOC_CTX *ctx,
tls_session_t *session, X509 *cert, int depth)
{
char buffer[1024];
char attribute[256];
char **identity;
int attr_index, loc;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
STACK_OF(X509_EXTENSION) const *ext_list = NULL;
#else
STACK_OF(X509_EXTENSION) *ext_list = NULL;
#endif
ASN1_INTEGER *sn = NULL;
ASN1_TIME *asn_time = NULL;
VALUE_PAIR *vp = NULL;
REQUEST *request;
#define CERT_ATTR_ADD(_attr, _attr_index, _value) tls_session_cert_attr_add(ctx, request, cursor, _attr, _attr_index, _value)
attr_index = depth;
if (attr_index > 1) attr_index = 1;
request = (REQUEST *)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_REQUEST);
rad_assert(request != NULL);
identity = (char **)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_IDENTITY);
if (RDEBUG_ENABLED3) {
buffer[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
RDEBUG3("Creating attributes for \"%s\":", buffer[0] ? buffer : "Cert missing subject OID");
}
/*
* Get the Serial Number
*/
sn = X509_get_serialNumber(cert);
if (sn && ((size_t) sn->length < (sizeof(buffer) / 2))) {
char *p = buffer;
int i;
for (i = 0; i < sn->length; i++) {
sprintf(p, "%02x", (unsigned int)sn->data[i]);
p += 2;
}
CERT_ATTR_ADD(IDX_SERIAL, attr_index, buffer);
}
/*
* Get the Expiration Date
*/
buffer[0] = '\0';
asn_time = X509_get_notAfter(cert);
if (identity && asn_time && (asn_time->length < (int)sizeof(buffer))) {
time_t expires;
/*
* Add expiration as a time since the epoch
*/
if (tls_utils_asn1time_to_epoch(&expires, asn_time) < 0) {
RPWDEBUG("Failed parsing certificate expiry time");
} else {
vp = CERT_ATTR_ADD(IDX_EXPIRATION, attr_index, NULL);
vp->vp_date = expires;
}
}
/*
* Get the Subject & Issuer
*/
buffer[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
if (identity && buffer[0]) {
CERT_ATTR_ADD(IDX_SUBJECT, attr_index, buffer);
/*
* Get the Common Name, if there is a subject.
*/
X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
NID_commonName, buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
if (buffer[0]) {
CERT_ATTR_ADD(IDX_COMMON_NAME, attr_index, buffer);
}
}
X509_NAME_oneline(X509_get_issuer_name(cert), buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
if (identity && buffer[0]) {
CERT_ATTR_ADD(IDX_ISSUER, attr_index, buffer);
}
/*
* Get the RFC822 Subject Alternative Name
*/
loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, 0);
if (loc >= 0) {
X509_EXTENSION *ext = NULL;
GENERAL_NAMES *names = NULL;
int i;
ext = X509_get_ext(cert, loc);
if (ext && (names = X509V3_EXT_d2i(ext))) {
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
switch (name->type) {
#ifdef GEN_EMAIL
case GEN_EMAIL: {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
char const *rfc822Name = (char const *)ASN1_STRING_get0_data(name->d.rfc822Name);
#else
char *rfc822Name = (char *)ASN1_STRING_data(name->d.rfc822Name);
#endif
CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_EMAIL, attr_index, rfc822Name);
break;
}
#endif /* GEN_EMAIL */
#ifdef GEN_DNS
case GEN_DNS: {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
char const *dNSName = (char const *)ASN1_STRING_get0_data(name->d.dNSName);
#else
char *dNSName = (char *)ASN1_STRING_data(name->d.dNSName);
#endif
CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_DNS, attr_index, dNSName);
break;
}
#endif /* GEN_DNS */
#ifdef GEN_OTHERNAME
case GEN_OTHERNAME:
/* look for a MS UPN */
if (NID_ms_upn != OBJ_obj2nid(name->d.otherName->type_id)) break;
/* we've got a UPN - Must be ASN1-encoded UTF8 string */
if (name->d.otherName->value->type == V_ASN1_UTF8STRING) {
CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_UPN, attr_index,
(char *)name->d.otherName->value->value.utf8string);
break;
}
RWARN("Invalid UPN in Subject Alt Name (should be UTF-8)");
break;
#endif /* GEN_OTHERNAME */
default:
/* XXX TODO handle other SAN types */
break;
}
}
}
if (names != NULL) GENERAL_NAMES_free(names);
}
/*
* Only add extensions for the actual client certificate
*/
if (attr_index == 0) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
ext_list = X509_get0_extensions(cert);
#else
ext_list = cert->cert_info->extensions;
#endif
/*
* Grab the X509 extensions, and create attributes out of them.
* For laziness, we re-use the OpenSSL names
*/
if (sk_X509_EXTENSION_num(ext_list) > 0) {
int i, len;
char *p;
BIO *out;
out = BIO_new(BIO_s_mem());
strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute));
for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) {
char value[1024];
ASN1_OBJECT *obj;
X509_EXTENSION *ext;
fr_dict_attr_t const *da;
ext = sk_X509_EXTENSION_value(ext_list, i);
obj = X509_EXTENSION_get_object(ext);
i2a_ASN1_OBJECT(out, obj);
len = BIO_read(out, attribute + 16 , sizeof(attribute) - 16 - 1);
if (len <= 0) continue;
attribute[16 + len] = '\0';
for (p = attribute + 16; *p != '\0'; p++) if (*p == ' ') *p = '-';
X509V3_EXT_print(out, ext, 0, 0);
len = BIO_read(out, value , sizeof(value) - 1);
if (len <= 0) continue;
value[len] = '\0';
da = fr_dict_attr_by_name(dict_freeradius, attribute);
if (!da) {
RWDEBUG3("Skipping attribute %s: "
"Add dictionary definition if you want to access it", attribute);
continue;
}
MEM(vp = fr_pair_afrom_da(request, da));
if (fr_pair_value_from_str(vp, value, -1, '\0', true) < 0) {
RPWDEBUG3("Skipping: %s += '%s'", attribute, value);
talloc_free(vp);
continue;
}
fr_cursor_append(cursor, vp);
}
BIO_free_all(out);
}
}
return 0;
}
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
unsigned long cflag)
{
long l;
int i;
EVP_PKEY *pkey;
STACK_OF(X509_EXTENSION) *exts;
char mlch = ' ';
int nmindent = 0;
if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
if (nmflags == X509_FLAG_COMPAT)
nmindent = 16;
if (!(cflag & X509_FLAG_NO_HEADER)) {
if (BIO_write(bp, "Certificate Request:\n", 21) <= 0)
goto err;
if (BIO_write(bp, " Data:\n", 10) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_VERSION)) {
l = X509_REQ_get_version(x);
if (l >= 0 && l <= 2) {
if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0)
goto err;
} else {
if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0)
goto err;
}
}
if (!(cflag & X509_FLAG_NO_SUBJECT)) {
if (BIO_printf(bp, " Subject:%c", mlch) <= 0)
goto err;
if (X509_NAME_print_ex(bp, X509_REQ_get_subject_name(x),
nmindent, nmflags) < 0)
goto err;
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_PUBKEY)) {
X509_PUBKEY *xpkey;
ASN1_OBJECT *koid;
if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0)
goto err;
if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
goto err;
xpkey = X509_REQ_get_X509_PUBKEY(x);
X509_PUBKEY_get0_param(&koid, NULL, NULL, NULL, xpkey);
if (i2a_ASN1_OBJECT(bp, koid) <= 0)
goto err;
if (BIO_puts(bp, "\n") <= 0)
goto err;
pkey = X509_REQ_get0_pubkey(x);
if (pkey == NULL) {
if (BIO_printf(bp, "%12sUnable to load Public Key\n", "") <= 0)
goto err;
ERR_print_errors(bp);
} else {
if (EVP_PKEY_print_public(bp, pkey, 16, NULL) <= 0)
goto err;
}
}
if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {
/* may not be */
if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0)
goto err;
if (X509_REQ_get_attr_count(x) == 0) {
if (BIO_printf(bp, "%12sa0:00\n", "") <= 0)
goto err;
} else {
for (i = 0; i < X509_REQ_get_attr_count(x); i++) {
ASN1_TYPE *at;
X509_ATTRIBUTE *a;
ASN1_BIT_STRING *bs = NULL;
ASN1_OBJECT *aobj;
int j, type = 0, count = 1, ii = 0;
a = X509_REQ_get_attr(x, i);
aobj = X509_ATTRIBUTE_get0_object(a);
if (X509_REQ_extension_nid(OBJ_obj2nid(aobj)))
continue;
if (BIO_printf(bp, "%12s", "") <= 0)
goto err;
if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
ii = 0;
count = X509_ATTRIBUTE_count(a);
get_next:
at = X509_ATTRIBUTE_get0_type(a, ii);
type = at->type;
bs = at->value.asn1_string;
}
for (j = 25 - j; j > 0; j--)
if (BIO_write(bp, " ", 1) != 1)
goto err;
if (BIO_puts(bp, ":") <= 0)
goto err;
switch (type) {
case V_ASN1_PRINTABLESTRING:
case V_ASN1_T61STRING:
case V_ASN1_NUMERICSTRING:
case V_ASN1_UTF8STRING:
case V_ASN1_IA5STRING:
if (BIO_write(bp, (char *)bs->data, bs->length)
!= bs->length)
goto err;
if (BIO_puts(bp, "\n") <= 0)
goto err;
break;
default:
if (BIO_puts(bp, "unable to print attribute\n") <= 0)
goto err;
break;
}
if (++ii < count)
goto get_next;
}
}
}
if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {
exts = X509_REQ_get_extensions(x);
if (exts) {
if (BIO_printf(bp, "%8sRequested Extensions:\n", "") <= 0)
goto err;
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
int critical;
ex = sk_X509_EXTENSION_value(exts, i);
if (BIO_printf(bp, "%12s", "") <= 0)
goto err;
obj = X509_EXTENSION_get_object(ex);
if (i2a_ASN1_OBJECT(bp, obj) <= 0)
goto err;
critical = X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp, ": %s\n", critical ? "critical" : "") <= 0)
goto err;
if (!X509V3_EXT_print(bp, ex, cflag, 16)) {
if (BIO_printf(bp, "%16s", "") <= 0
|| ASN1_STRING_print(bp,
X509_EXTENSION_get_data(ex)) <= 0)
goto err;
}
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
}
}
if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
const X509_ALGOR *sig_alg;
const ASN1_BIT_STRING *sig;
X509_REQ_get0_signature(x, &sig, &sig_alg);
if (!X509_signature_print(bp, sig_alg, sig))
goto err;
}
return 1;
err:
X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB);
return 0;
}
