static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
int ca)
{
int i_ext;
/* If ca is true we must return if this is a valid CA certificate. */
if (ca) return check_ca(x);
/*
* Check the optional key usage field:
* if Key Usage is present, it must be one of digitalSignature
* and/or nonRepudiation (other values are not consistent and shall
* be rejected).
*/
if ((x->ex_flags & EXFLAG_KUSAGE)
&& ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
!(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
return 0;
/* Only time stamp key usage is permitted and it's required. */
if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
return 0;
/* Extended Key Usage MUST be critical */
i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
if (i_ext >= 0)
{
X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
if (!X509_EXTENSION_get_critical(ext))
return 0;
}
return 1;
}
Extension::Extension(X509_EXTENSION *ext) throw (CertificationException)
{
if (ext == NULL)
{
throw CertificationException(CertificationException::INVALID_EXTENSION, "Extension::Extension");
}
this->objectIdentifier = ObjectIdentifier(OBJ_dup(ext->object));
this->critical = X509_EXTENSION_get_critical(ext)?true:false;
this->value = ByteArray(ext->value->data, ext->value->length);
}
static int openssl_xext_critical(lua_State* L)
{
X509_EXTENSION *x = CHECK_OBJECT(1, X509_EXTENSION, "openssl.x509_extension");
if(lua_isnone(L, 2)){
lua_pushboolean(L, X509_EXTENSION_get_critical(x));
return 1;
} else {
int ret = X509_EXTENSION_set_critical(x, lua_toboolean(L, 2));
return openssl_pushresult(L, ret);
}
};
static void ext_print(BIO *out, X509_EXTENSION *ex)
{
ASN1_OBJECT *obj;
int j;
BIO_printf(out,"%12s","");
obj=X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(out,obj);
j=X509_EXTENSION_get_critical(ex);
BIO_printf(out, ": %s\n", j ? "critical":"","");
if(!X509V3_EXT_print(out, ex, 0, 16)) {
BIO_printf(out, "%16s", "");
M_ASN1_OCTET_STRING_print(out,ex->value);
}
BIO_write(out,"\n",1);
}
IoObject *IoCertificate_extensions(IoCertificate *self, IoObject *locals, IoMessage *m)
{
IoObject *map = IoObject_new(IoObject_state(self));
int i;
for(i = 0; i < X509_get_ext_count(X509(self)); i++)
{
IoObject *ioext = IoObject_new(IoObject_state(self));
X509_EXTENSION *ext = X509_get_ext(X509(self), i);
const char *key = (const char *)OBJ_nid2ln(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
const char *value = (const char *)ASN1_STRING_data(X509_EXTENSION_get_data(ext));
int isCritical = X509_EXTENSION_get_critical(ext);
IoObject_setSlot_to_(ioext, IOSYMBOL("value"), IoSeq_newWithCString_(IoObject_state(self), value));
IoObject_setSlot_to_(ioext, IOSYMBOL("isCritical"), IONUMBER(isCritical));
IoObject_setSlot_to_(map, IOSYMBOL(key), ioext);
}
return map;
}
/*
* Check if a x509 extension is critical
*/
static int is_x509_ext_critical(X509 *cert, int nid)
{
X509_EXTENSION *ex;
ASN1_OBJECT *obj;
int n, i;
n = X509_get_ext_count(cert);
for (i = 0; i < n; i++) {
ex = X509_get_ext(cert, i);
if (!ex) {
continue;
}
obj = X509_EXTENSION_get_object(ex);
if (!obj) {
continue;
}
if (OBJ_obj2nid(obj) == nid && X509_EXTENSION_get_critical(ex)) {
debug("Certificate nid %d is critical\n", nid);
return 1;
}
}
return 0;
}
static void x509v3_cache_extensions(X509 *x)
{
BASIC_CONSTRAINTS *bs;
PROXY_CERT_INFO_EXTENSION *pci;
ASN1_BIT_STRING *usage;
ASN1_BIT_STRING *ns;
EXTENDED_KEY_USAGE *extusage;
X509_EXTENSION *ex;
int i;
if(x->ex_flags & EXFLAG_SET) return;
#ifndef OPENSSL_NO_SHA
X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
#endif
/* Does subject name match issuer ? */
if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
x->ex_flags |= EXFLAG_SS;
/* V1 should mean no extensions ... */
if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
/* Handle basic constraints */
if((bs=X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
if(bs->ca) x->ex_flags |= EXFLAG_CA;
if(bs->pathlen) {
if((bs->pathlen->type == V_ASN1_NEG_INTEGER)
|| !bs->ca) {
x->ex_flags |= EXFLAG_INVALID;
x->ex_pathlen = 0;
} else x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
} else x->ex_pathlen = -1;
BASIC_CONSTRAINTS_free(bs);
x->ex_flags |= EXFLAG_BCONS;
}
/* Handle proxy certificates */
if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
if (x->ex_flags & EXFLAG_CA
|| X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
|| X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
x->ex_flags |= EXFLAG_INVALID;
}
if (pci->pcPathLengthConstraint) {
x->ex_pcpathlen =
ASN1_INTEGER_get(pci->pcPathLengthConstraint);
} else x->ex_pcpathlen = -1;
PROXY_CERT_INFO_EXTENSION_free(pci);
x->ex_flags |= EXFLAG_PROXY;
}
/* Handle key usage */
if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
if(usage->length > 0) {
x->ex_kusage = usage->data[0];
if(usage->length > 1)
x->ex_kusage |= usage->data[1] << 8;
} else x->ex_kusage = 0;
x->ex_flags |= EXFLAG_KUSAGE;
ASN1_BIT_STRING_free(usage);
}
x->ex_xkusage = 0;
if((extusage=X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
x->ex_flags |= EXFLAG_XKUSAGE;
for(i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
switch(OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage,i))) {
case NID_server_auth:
x->ex_xkusage |= XKU_SSL_SERVER;
break;
case NID_client_auth:
x->ex_xkusage |= XKU_SSL_CLIENT;
break;
case NID_email_protect:
x->ex_xkusage |= XKU_SMIME;
break;
case NID_code_sign:
x->ex_xkusage |= XKU_CODE_SIGN;
break;
case NID_ms_sgc:
case NID_ns_sgc:
x->ex_xkusage |= XKU_SGC;
break;
case NID_OCSP_sign:
x->ex_xkusage |= XKU_OCSP_SIGN;
break;
case NID_time_stamp:
x->ex_xkusage |= XKU_TIMESTAMP;
break;
case NID_dvcs:
x->ex_xkusage |= XKU_DVCS;
break;
}
}
sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
}
if((ns=X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
if(ns->length > 0) x->ex_nscert = ns->data[0];
else x->ex_nscert = 0;
x->ex_flags |= EXFLAG_NSCERT;
ASN1_BIT_STRING_free(ns);
}
x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
for (i = 0; i < X509_get_ext_count(x); i++)
{
ex = X509_get_ext(x, i);
if (!X509_EXTENSION_get_critical(ex))
continue;
if (!X509_supported_extension(ex))
{
x->ex_flags |= EXFLAG_CRITICAL;
break;
}
}
x->ex_flags |= EXFLAG_SET;
}
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
unsigned long cflag)
{
long l;
int i;
EVP_PKEY *pkey;
STACK_OF(X509_EXTENSION) *exts;
char mlch = ' ';
int nmindent = 0;
if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
if (nmflags == X509_FLAG_COMPAT)
nmindent = 16;
if (!(cflag & X509_FLAG_NO_HEADER)) {
if (BIO_write(bp, "Certificate Request:\n", 21) <= 0)
goto err;
if (BIO_write(bp, " Data:\n", 10) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_VERSION)) {
l = X509_REQ_get_version(x);
if (l >= 0 && l <= 2) {
if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0)
goto err;
} else {
if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0)
goto err;
}
}
if (!(cflag & X509_FLAG_NO_SUBJECT)) {
if (BIO_printf(bp, " Subject:%c", mlch) <= 0)
goto err;
if (X509_NAME_print_ex(bp, X509_REQ_get_subject_name(x),
nmindent, nmflags) < 0)
goto err;
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_PUBKEY)) {
X509_PUBKEY *xpkey;
ASN1_OBJECT *koid;
if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0)
goto err;
if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
goto err;
xpkey = X509_REQ_get_X509_PUBKEY(x);
X509_PUBKEY_get0_param(&koid, NULL, NULL, NULL, xpkey);
if (i2a_ASN1_OBJECT(bp, koid) <= 0)
goto err;
if (BIO_puts(bp, "\n") <= 0)
goto err;
pkey = X509_REQ_get0_pubkey(x);
if (pkey == NULL) {
if (BIO_printf(bp, "%12sUnable to load Public Key\n", "") <= 0)
goto err;
ERR_print_errors(bp);
} else {
if (EVP_PKEY_print_public(bp, pkey, 16, NULL) <= 0)
goto err;
}
}
if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {
/* may not be */
if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0)
goto err;
if (X509_REQ_get_attr_count(x) == 0) {
if (BIO_printf(bp, "%12sa0:00\n", "") <= 0)
goto err;
} else {
for (i = 0; i < X509_REQ_get_attr_count(x); i++) {
ASN1_TYPE *at;
X509_ATTRIBUTE *a;
ASN1_BIT_STRING *bs = NULL;
ASN1_OBJECT *aobj;
int j, type = 0, count = 1, ii = 0;
a = X509_REQ_get_attr(x, i);
aobj = X509_ATTRIBUTE_get0_object(a);
if (X509_REQ_extension_nid(OBJ_obj2nid(aobj)))
continue;
if (BIO_printf(bp, "%12s", "") <= 0)
goto err;
if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
ii = 0;
count = X509_ATTRIBUTE_count(a);
get_next:
at = X509_ATTRIBUTE_get0_type(a, ii);
type = at->type;
bs = at->value.asn1_string;
}
for (j = 25 - j; j > 0; j--)
if (BIO_write(bp, " ", 1) != 1)
goto err;
if (BIO_puts(bp, ":") <= 0)
goto err;
switch (type) {
case V_ASN1_PRINTABLESTRING:
case V_ASN1_T61STRING:
case V_ASN1_NUMERICSTRING:
case V_ASN1_UTF8STRING:
case V_ASN1_IA5STRING:
if (BIO_write(bp, (char *)bs->data, bs->length)
!= bs->length)
goto err;
if (BIO_puts(bp, "\n") <= 0)
goto err;
break;
default:
if (BIO_puts(bp, "unable to print attribute\n") <= 0)
goto err;
break;
}
if (++ii < count)
goto get_next;
}
}
}
if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {
exts = X509_REQ_get_extensions(x);
if (exts) {
if (BIO_printf(bp, "%8sRequested Extensions:\n", "") <= 0)
goto err;
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
int critical;
ex = sk_X509_EXTENSION_value(exts, i);
if (BIO_printf(bp, "%12s", "") <= 0)
goto err;
obj = X509_EXTENSION_get_object(ex);
if (i2a_ASN1_OBJECT(bp, obj) <= 0)
goto err;
critical = X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp, ": %s\n", critical ? "critical" : "") <= 0)
goto err;
if (!X509V3_EXT_print(bp, ex, cflag, 16)) {
if (BIO_printf(bp, "%16s", "") <= 0
|| ASN1_STRING_print(bp,
X509_EXTENSION_get_data(ex)) <= 0)
goto err;
}
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
}
}
if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
const X509_ALGOR *sig_alg;
const ASN1_BIT_STRING *sig;
X509_REQ_get0_signature(x, &sig, &sig_alg);
if (!X509_signature_print(bp, sig_alg, sig))
goto err;
}
return 1;
err:
X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB);
return 0;
}
int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags,
unsigned long cflag) {
long l;
EVP_PKEY *pkey;
STACK_OF(X509_ATTRIBUTE) * sk;
char mlch = ' ';
int nmindent = 0;
if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
if (nmflags == X509_FLAG_COMPAT) {
nmindent = 16;
}
X509_REQ_INFO *ri = x->req_info;
if (!(cflag & X509_FLAG_NO_HEADER)) {
if (BIO_write(bio, "Certificate Request:\n", 21) <= 0 ||
BIO_write(bio, " Data:\n", 10) <= 0) {
goto err;
}
}
if (!(cflag & X509_FLAG_NO_VERSION)) {
l = X509_REQ_get_version(x);
if (BIO_printf(bio, "%8sVersion: %ld (0x%lx)\n", "", l + 1, l) <= 0) {
goto err;
}
}
if (!(cflag & X509_FLAG_NO_SUBJECT)) {
if (BIO_printf(bio, " Subject:%c", mlch) <= 0 ||
X509_NAME_print_ex(bio, ri->subject, nmindent, nmflags) < 0 ||
BIO_write(bio, "\n", 1) <= 0) {
goto err;
}
}
if (!(cflag & X509_FLAG_NO_PUBKEY)) {
if (BIO_write(bio, " Subject Public Key Info:\n", 33) <= 0 ||
BIO_printf(bio, "%12sPublic Key Algorithm: ", "") <= 0 ||
i2a_ASN1_OBJECT(bio, ri->pubkey->algor->algorithm) <= 0 ||
BIO_puts(bio, "\n") <= 0) {
goto err;
}
pkey = X509_REQ_get_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio, "%12sUnable to load Public Key\n", "");
ERR_print_errors(bio);
} else {
EVP_PKEY_print_public(bio, pkey, 16, NULL);
EVP_PKEY_free(pkey);
}
}
if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {
if (BIO_printf(bio, "%8sAttributes:\n", "") <= 0) {
goto err;
}
sk = x->req_info->attributes;
if (sk_X509_ATTRIBUTE_num(sk) == 0) {
if (BIO_printf(bio, "%12sa0:00\n", "") <= 0) {
goto err;
}
} else {
size_t i;
for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
X509_ATTRIBUTE *a = sk_X509_ATTRIBUTE_value(sk, i);
ASN1_OBJECT *aobj = X509_ATTRIBUTE_get0_object(a);
if (X509_REQ_extension_nid(OBJ_obj2nid(aobj))) {
continue;
}
if (BIO_printf(bio, "%12s", "") <= 0) {
goto err;
}
const int num_attrs = X509_ATTRIBUTE_count(a);
const int obj_str_len = i2a_ASN1_OBJECT(bio, aobj);
if (obj_str_len <= 0) {
if (BIO_puts(bio, "(Unable to print attribute ID.)\n") < 0) {
goto err;
} else {
continue;
}
}
int j;
for (j = 0; j < num_attrs; j++) {
const ASN1_TYPE *at = X509_ATTRIBUTE_get0_type(a, j);
const int type = at->type;
ASN1_BIT_STRING *bs = at->value.asn1_string;
int k;
for (k = 25 - obj_str_len; k > 0; k--) {
if (BIO_write(bio, " ", 1) != 1) {
goto err;
}
}
if (BIO_puts(bio, ":") <= 0) {
goto err;
}
if (type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_UTF8STRING ||
type == V_ASN1_IA5STRING ||
type == V_ASN1_T61STRING) {
if (BIO_write(bio, (char *)bs->data, bs->length) != bs->length) {
goto err;
}
BIO_puts(bio, "\n");
} else {
BIO_puts(bio, "unable to print attribute\n");
}
}
}
}
}
if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {
STACK_OF(X509_EXTENSION) *exts = X509_REQ_get_extensions(x);
if (exts) {
BIO_printf(bio, "%8sRequested Extensions:\n", "");
size_t i;
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i);
if (BIO_printf(bio, "%12s", "") <= 0) {
goto err;
}
ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bio, obj);
const int is_critical = X509_EXTENSION_get_critical(ex);
if (BIO_printf(bio, ": %s\n", is_critical ? "critical" : "") <= 0) {
goto err;
}
if (!X509V3_EXT_print(bio, ex, cflag, 16)) {
BIO_printf(bio, "%16s", "");
ASN1_STRING_print(bio, X509_EXTENSION_get_data(ex));
}
if (BIO_write(bio, "\n", 1) <= 0) {
goto err;
}
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
}
}
if (!(cflag & X509_FLAG_NO_SIGDUMP) &&
!X509_signature_print(bio, x->sig_alg, x->signature)) {
goto err;
}
return 1;
err:
OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);
return 0;
}
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long cflag)
{
unsigned long l;
int i;
const char *neg;
X509_REQ_INFO *ri;
EVP_PKEY *pkey;
STACK_OF(X509_ATTRIBUTE) *sk;
STACK_OF(X509_EXTENSION) *exts;
char mlch = ' ';
int nmindent = 0;
if((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
if(nmflags == X509_FLAG_COMPAT)
nmindent = 16;
ri=x->req_info;
if(!(cflag & X509_FLAG_NO_HEADER))
{
if (BIO_write(bp,"Certificate Request:\n",21) <= 0) goto err;
if (BIO_write(bp," Data:\n",10) <= 0) goto err;
}
if(!(cflag & X509_FLAG_NO_VERSION))
{
neg=(ri->version->type == V_ASN1_NEG_INTEGER)?"-":"";
l=0;
for (i=0; i<ri->version->length; i++)
{ l<<=8; l+=ri->version->data[i]; }
if(BIO_printf(bp,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg,
l) <= 0)
goto err;
}
if(!(cflag & X509_FLAG_NO_SUBJECT))
{
if (BIO_printf(bp," Subject:%c",mlch) <= 0) goto err;
if (X509_NAME_print_ex(bp,ri->subject,nmindent, nmflags) < 0) goto err;
if (BIO_write(bp,"\n",1) <= 0) goto err;
}
if(!(cflag & X509_FLAG_NO_PUBKEY))
{
if (BIO_write(bp," Subject Public Key Info:\n",33) <= 0)
goto err;
if (BIO_printf(bp,"%12sPublic Key Algorithm: ","") <= 0)
goto err;
if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0)
goto err;
if (BIO_puts(bp, "\n") <= 0)
goto err;
pkey=X509_REQ_get_pubkey(x);
if (pkey == NULL)
{
BIO_printf(bp,"%12sUnable to load Public Key\n","");
ERR_print_errors(bp);
}
else
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
BN_num_bits(pkey->pkey.rsa->n));
RSA_print(bp,pkey->pkey.rsa,16);
}
else
#endif
#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
{
BIO_printf(bp,"%12sDSA Public Key:\n","");
DSA_print(bp,pkey->pkey.dsa,16);
}
else
#endif
#ifndef OPENSSL_NO_EC
if (pkey->type == EVP_PKEY_EC)
{
BIO_printf(bp, "%12sEC Public Key: \n","");
EC_KEY_print(bp, pkey->pkey.ec, 16);
}
else
#endif
BIO_printf(bp,"%12sUnknown Public Key:\n","");
EVP_PKEY_free(pkey);
}
if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
{
/* may not be */
if(BIO_printf(bp,"%8sAttributes:\n","") <= 0)
goto err;
sk=x->req_info->attributes;
if (sk_X509_ATTRIBUTE_num(sk) == 0)
{
if(BIO_printf(bp,"%12sa0:00\n","") <= 0)
goto err;
}
else
{
for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
{
ASN1_TYPE *at;
X509_ATTRIBUTE *a;
ASN1_BIT_STRING *bs=NULL;
ASN1_TYPE *t;
int j,type=0,count=1,ii=0;
a=sk_X509_ATTRIBUTE_value(sk,i);
if(X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
continue;
if(BIO_printf(bp,"%12s","") <= 0)
goto err;
if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
{
if (a->single)
{
t=a->value.single;
type=t->type;
bs=t->value.bit_string;
}
else
{
ii=0;
count=sk_ASN1_TYPE_num(a->value.set);
get_next:
at=sk_ASN1_TYPE_value(a->value.set,ii);
type=at->type;
bs=at->value.asn1_string;
}
}
for (j=25-j; j>0; j--)
if (BIO_write(bp," ",1) != 1) goto err;
if (BIO_puts(bp,":") <= 0) goto err;
if ( (type == V_ASN1_PRINTABLESTRING) ||
(type == V_ASN1_T61STRING) ||
(type == V_ASN1_IA5STRING))
{
if (BIO_write(bp,(char *)bs->data,bs->length)
!= bs->length)
goto err;
BIO_puts(bp,"\n");
}
else
{
BIO_puts(bp,"unable to print attribute\n");
}
if (++ii < count) goto get_next;
}
}
}
if(!(cflag & X509_FLAG_NO_EXTENSIONS))
{
exts = X509_REQ_get_extensions(x);
if(exts)
{
BIO_printf(bp,"%8sRequested Extensions:\n","");
for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
{
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
int j;
ex=sk_X509_EXTENSION_value(exts, i);
if (BIO_printf(bp,"%12s","") <= 0) goto err;
obj=X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp,obj);
j=X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0)
goto err;
if(!X509V3_EXT_print(bp, ex, cflag, 16))
{
BIO_printf(bp, "%16s", "");
M_ASN1_OCTET_STRING_print(bp,ex->value);
}
if (BIO_write(bp,"\n",1) <= 0) goto err;
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
}
}
if(!(cflag & X509_FLAG_NO_SIGDUMP))
{
if(!X509_signature_print(bp, x->sig_alg, x->signature)) goto err;
}
return(1);
err:
X509err(X509_F_X509_REQ_PRINT_EX,ERR_R_BUF_LIB);
return(0);
}
/*
* The X509_CRL structure needs a bit of customisation. Cache some extensions
* and hash of the whole CRL.
*/
static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg)
{
X509_CRL *crl = (X509_CRL *)*pval;
STACK_OF(X509_EXTENSION) *exts;
X509_EXTENSION *ext;
int idx;
switch (operation) {
case ASN1_OP_NEW_POST:
crl->idp = NULL;
crl->akid = NULL;
crl->flags = 0;
crl->idp_flags = 0;
crl->idp_reasons = CRLDP_ALL_REASONS;
crl->meth = default_crl_method;
crl->meth_data = NULL;
crl->issuers = NULL;
crl->crl_number = NULL;
crl->base_crl_number = NULL;
break;
case ASN1_OP_D2I_POST:
X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL);
crl->idp = X509_CRL_get_ext_d2i(crl,
NID_issuing_distribution_point, NULL,
NULL);
if (crl->idp)
setup_idp(crl, crl->idp);
crl->akid = X509_CRL_get_ext_d2i(crl,
NID_authority_key_identifier, NULL,
NULL);
crl->crl_number = X509_CRL_get_ext_d2i(crl,
NID_crl_number, NULL, NULL);
crl->base_crl_number = X509_CRL_get_ext_d2i(crl,
NID_delta_crl, NULL,
NULL);
/* Delta CRLs must have CRL number */
if (crl->base_crl_number && !crl->crl_number)
crl->flags |= EXFLAG_INVALID;
/*
* See if we have any unhandled critical CRL extensions and indicate
* this in a flag. We only currently handle IDP so anything else
* critical sets the flag. This code accesses the X509_CRL structure
* directly: applications shouldn't do this.
*/
exts = crl->crl.extensions;
for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {
int nid;
ext = sk_X509_EXTENSION_value(exts, idx);
nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
if (nid == NID_freshest_crl)
crl->flags |= EXFLAG_FRESHEST;
if (X509_EXTENSION_get_critical(ext)) {
/* We handle IDP and deltas */
if ((nid == NID_issuing_distribution_point)
|| (nid == NID_authority_key_identifier)
|| (nid == NID_delta_crl))
break;;
crl->flags |= EXFLAG_CRITICAL;
break;
}
}
if (!crl_set_issuers(crl))
return 0;
if (crl->meth->crl_init) {
if (crl->meth->crl_init(crl) == 0)
return 0;
}
break;
case ASN1_OP_FREE_POST:
if (crl->meth->crl_free) {
if (!crl->meth->crl_free(crl))
return 0;
}
AUTHORITY_KEYID_free(crl->akid);
ISSUING_DIST_POINT_free(crl->idp);
ASN1_INTEGER_free(crl->crl_number);
ASN1_INTEGER_free(crl->base_crl_number);
sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
break;
}
return 1;
}
static int crl_set_issuers(X509_CRL *crl)
{
int i, j;
GENERAL_NAMES *gens, *gtmp;
STACK_OF(X509_REVOKED) *revoked;
revoked = X509_CRL_get_REVOKED(crl);
gens = NULL;
for (i = 0; i < sk_X509_REVOKED_num(revoked); i++) {
X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i);
STACK_OF(X509_EXTENSION) *exts;
ASN1_ENUMERATED *reason;
X509_EXTENSION *ext;
gtmp = X509_REVOKED_get_ext_d2i(rev,
NID_certificate_issuer, &j, NULL);
if (!gtmp && (j != -1)) {
crl->flags |= EXFLAG_INVALID;
return 1;
}
if (gtmp) {
gens = gtmp;
if (!crl->issuers) {
crl->issuers = sk_GENERAL_NAMES_new_null();
if (!crl->issuers)
return 0;
}
if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp))
return 0;
}
rev->issuer = gens;
reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, &j, NULL);
if (!reason && (j != -1)) {
crl->flags |= EXFLAG_INVALID;
return 1;
}
if (reason) {
rev->reason = ASN1_ENUMERATED_get(reason);
ASN1_ENUMERATED_free(reason);
} else
rev->reason = CRL_REASON_NONE;
/* Check for critical CRL entry extensions */
exts = rev->extensions;
for (j = 0; j < sk_X509_EXTENSION_num(exts); j++) {
ext = sk_X509_EXTENSION_value(exts, j);
if (X509_EXTENSION_get_critical(ext)) {
if (OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_certificate_issuer)
continue;
crl->flags |= EXFLAG_CRITICAL;
break;
}
}
}
return 1;
}
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
unsigned long cflag)
{
long l;
int i;
X509_REQ_INFO *ri;
EVP_PKEY *pkey;
STACK_OF(X509_ATTRIBUTE) *sk;
STACK_OF(X509_EXTENSION) *exts;
char mlch = ' ';
int nmindent = 0;
if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mlch = '\n';
nmindent = 12;
}
if (nmflags == X509_FLAG_COMPAT)
nmindent = 16;
ri = x->req_info;
if (!(cflag & X509_FLAG_NO_HEADER)) {
if (BIO_write(bp, "Certificate Request:\n", 21) <= 0)
goto err;
if (BIO_write(bp, " Data:\n", 10) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_VERSION)) {
l = X509_REQ_get_version(x);
if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, l) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_SUBJECT)) {
if (BIO_printf(bp, " Subject:%c", mlch) <= 0)
goto err;
if (X509_NAME_print_ex(bp, ri->subject, nmindent, nmflags) < 0)
goto err;
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
}
if (!(cflag & X509_FLAG_NO_PUBKEY)) {
if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0)
goto err;
if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
goto err;
if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0)
goto err;
if (BIO_puts(bp, "\n") <= 0)
goto err;
pkey = X509_REQ_get_pubkey(x);
if (pkey == NULL) {
BIO_printf(bp, "%12sUnable to load Public Key\n", "");
ERR_print_errors(bp);
} else {
EVP_PKEY_print_public(bp, pkey, 16, NULL);
EVP_PKEY_free(pkey);
}
}
if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {
/* may not be */
if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0)
goto err;
sk = x->req_info->attributes;
if (sk_X509_ATTRIBUTE_num(sk) == 0) {
if (BIO_printf(bp, "%12sa0:00\n", "") <= 0)
goto err;
} else {
for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
ASN1_TYPE *at;
X509_ATTRIBUTE *a;
ASN1_BIT_STRING *bs = NULL;
ASN1_OBJECT *aobj;
int j, type = 0, count = 1, ii = 0;
a = sk_X509_ATTRIBUTE_value(sk, i);
aobj = X509_ATTRIBUTE_get0_object(a);
if (X509_REQ_extension_nid(OBJ_obj2nid(aobj)))
continue;
if (BIO_printf(bp, "%12s", "") <= 0)
goto err;
if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
ii = 0;
count = X509_ATTRIBUTE_count(a);
get_next:
at = X509_ATTRIBUTE_get0_type(a, ii);
type = at->type;
bs = at->value.asn1_string;
}
for (j = 25 - j; j > 0; j--)
if (BIO_write(bp, " ", 1) != 1)
goto err;
if (BIO_puts(bp, ":") <= 0)
goto err;
if ((type == V_ASN1_PRINTABLESTRING) ||
(type == V_ASN1_T61STRING) ||
(type == V_ASN1_IA5STRING)) {
if (BIO_write(bp, (char *)bs->data, bs->length)
!= bs->length)
goto err;
BIO_puts(bp, "\n");
} else {
BIO_puts(bp, "unable to print attribute\n");
}
if (++ii < count)
goto get_next;
}
}
}
if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {
exts = X509_REQ_get_extensions(x);
if (exts) {
BIO_printf(bp, "%8sRequested Extensions:\n", "");
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
ASN1_OBJECT *obj;
X509_EXTENSION *ex;
int j;
ex = sk_X509_EXTENSION_value(exts, i);
if (BIO_printf(bp, "%12s", "") <= 0)
goto err;
obj = X509_EXTENSION_get_object(ex);
i2a_ASN1_OBJECT(bp, obj);
j = X509_EXTENSION_get_critical(ex);
if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0)
goto err;
if (!X509V3_EXT_print(bp, ex, cflag, 16)) {
BIO_printf(bp, "%16s", "");
ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex));
}
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
}
}
if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
if (!X509_signature_print(bp, x->sig_alg, x->signature))
goto err;
}
return (1);
err:
X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB);
return (0);
}
inline bool extension::critical() const
{
return (X509_EXTENSION_get_critical(ptr().get()) != 0);
}
extern "C" int32_t CryptoNative_X509ExtensionGetCritical(X509_EXTENSION* x)
{
return X509_EXTENSION_get_critical(x);
}
void anubis_dump_server_certificate(SSL *ssl) {
X509 *x509Cert = SSL_get_peer_certificate(ssl);
char buffer[1024];
BIO *bio = NULL;
char *buf = NULL;
if(!x509Cert) {
anubis_ssl_perror("SSL_get_peer_certificate()");
return;
}
bio = BIO_new(BIO_s_mem());
if(!bio) {
anubis_ssl_perror("BIO_new()");
X509_free(x509Cert);
return;
}//end if
BIO_reset(bio);
if(!PEM_write_bio_X509(bio, x509Cert)) {
anubis_ssl_perror("PEM_write_bio_X509()");
BIO_free(bio);
X509_free(x509Cert);
return;
}
BIO_get_mem_data(bio, &buf);
anubis_out("Server certificate:\n%s", buf);
// Cert Version
long version = 0;
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_VERSION)) {
version = X509_get_version(x509Cert);
fprintf(out_stream, "Version: %ld\n", version);
}//end if
// Cert Serial No. - Code adapted from OpenSSL's crypto/asn1/t_x509.c
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SERIAL)) {
ASN1_INTEGER *bs;
long l;
int i;
const char *neg;
bs = X509_get_serialNumber(x509Cert);
if (bs->length <= 4) {
l = ASN1_INTEGER_get(bs);
if (l < 0) {
l= -l;
neg = "-";
}
else
neg = "";
fprintf(out_stream, "Serial Number: %lu (%#lx)\n", l, l);
}
else {
neg = (bs->type == V_ASN1_NEG_INTEGER)?" (Negative)":"";
fprintf(out_stream, "Serial Number: %s", neg);
for (i = 0; i < bs->length; i++) {
fprintf(out_stream, "%02x%c", bs->data[i], (i+1 == bs->length)?'\n':':');
}
}
}
// Signature Algo...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SIGNAME)) {
i2a_ASN1_OBJECT(bio, x509Cert->cert_info->signature->algorithm);
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "Signature Algorithm:\n%s\n", buf);
}
// SSL Certificate Issuer...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_ISSUER)) {
X509_NAME_oneline(X509_get_issuer_name(x509Cert), buffer, sizeof(buffer) - 1);
fprintf(out_stream, "Issuer: %s\n", buffer);
}
// Validity...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_VALIDITY)) {
BIO_reset(bio);
ASN1_TIME_print(bio, X509_get_notBefore(x509Cert));
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "Not Valid Before: %s\n", buf);
BIO_reset(bio);
ASN1_TIME_print(bio, X509_get_notAfter(x509Cert));
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "Not Valid After: %s\n", buf);
}
// SSL Certificate Subject...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SUBJECT)) {
X509_NAME_oneline(X509_get_subject_name(x509Cert), buffer, sizeof(buffer) - 1);
fprintf(out_stream, "Subject: %s\n", buffer);
}
// Public Key Algo...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_PUBKEY)) {
BIO_reset(bio);
i2a_ASN1_OBJECT(bio, x509Cert->cert_info->key->algor->algorithm);
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "Public Key Algorithm: %s\n", buf);
// Public Key...
EVP_PKEY *publicKey = NULL;
publicKey = X509_get_pubkey(x509Cert);
if (publicKey == NULL) {
anubis_err("Public Key Could not load\n");
}
else {
BIO_reset(bio);
char *publicKeyType = NULL;
int publicKeyLength = -1;
switch (publicKey->type) {
case EVP_PKEY_RSA:
publicKeyType = "RSA";
if (publicKey->pkey.rsa) {
publicKeyLength = BN_num_bits(publicKey->pkey.rsa->n);
RSA_print(bio, publicKey->pkey.rsa, 0);
BIO_get_mem_data(bio, &buf);
}
break;
case EVP_PKEY_DSA:
publicKeyType = "DSA";
if (publicKey->pkey.dsa) {
DSA_print(bio, publicKey->pkey.dsa, 0);
BIO_get_mem_data(bio, &buf);
}
break;
case EVP_PKEY_EC:
publicKeyType = "EC";
if (publicKey->pkey.ec) {
EC_KEY_print(bio, publicKey->pkey.ec, 0);
BIO_get_mem_data(bio, &buf);
}
break;
default:
publicKeyType = "Unknown";
break;
}
EVP_PKEY_free(publicKey);
fprintf(out_stream, "%d Public Key: ", publicKeyLength);
if(!strcasecmp(publicKeyType, "RSA")) {
fprintf(out_stream, "(%d bits)", publicKeyLength);
}
fprintf(out_stream, "\n");
fprintf(out_stream, "%s\n", buf);
}
}
// X509 v3...
if (!(X509_FLAG_COMPAT & X509_FLAG_NO_EXTENSIONS) && sk_X509_EXTENSION_num(x509Cert->cert_info->extensions) > 0) {
X509_EXTENSION *extension = NULL;
ASN1_OBJECT *asn1Object = NULL;
int tempInt2 = 0;
BIO_reset(bio);
for (int tempInt = 0; tempInt < sk_X509_EXTENSION_num(x509Cert->cert_info->extensions); tempInt++) {
// Get Extension...
extension = sk_X509_EXTENSION_value(x509Cert->cert_info->extensions, tempInt);
asn1Object = X509_EXTENSION_get_object(extension);
i2a_ASN1_OBJECT(bio, asn1Object);
tempInt2 = X509_EXTENSION_get_critical(extension);
BIO_printf(bio, ": %s\n", tempInt2 ? "critical" : "");
// Print Extension value...
if (!X509V3_EXT_print(bio, extension, X509_FLAG_COMPAT, 8)) {
M_ASN1_OCTET_STRING_print(bio, extension->value);
}
BIO_printf(bio, "\n");
}//end for
BIO_get_mem_data(bio, &buf);
fprintf(out_stream, "x509v3 Extensions: %s\n", buf);
}//end if x509v3
/*
long verifyError = 0;
// Verify Certificate...
verifyError = SSL_get_verify_result(ssl);
const char *verifyCertificate = "";
if (verifyError == X509_V_OK)
verifyCertificate = "Certificate passed verification";
else
verifyCertificate = X509_verify_cert_error_string(verifyError);
fprintf(out_stream, "Validation: %s\n", verifyCertificate);
*/
BIO_free(bio);
X509_free(x509Cert);
fflush(out_stream);
}//end anubis_dump_server_certificate
/**
* Returns type of proxy certificate.
* Valid values are:
* NONE
* CA
* EEC
* GT2_PROXY
* RFC_PROXY
* GT2_LIMITED_PROXY
* RFC_LIMITED_PROXY
* GT3_PROXY
* GT3_LIMITED_PROXY
*/
proxy_type_t verify_type_of_proxy(X509 * cert) {
#ifdef __func__
const char *logstr=__func__;
#else
const char *logstr="verify_type_of_proxy";
#endif
proxy_type_t pt = NONE;
char * cert_subjectdn = NULL;
char * cert_issuerdn = NULL;
char * tail_str = NULL;
size_t len_subject_dn;
size_t len_issuer_dn;
X509_EXTENSION * pci_ext = NULL;
PROXYCERTINFO * pci = NULL;
PROXYPOLICY * policy = NULL;
ASN1_OBJECT * policy_lang = NULL;
int policy_nid;
int myindex = -1;
int i;
char s[EXT_TEXT_LEN];
X509_EXTENSION *ex;
/* Is it a CA certificate */
if (verify_x509IsCA(cert)) {
/* verify_log (L_DEBUG, "%s: Detected CA certificate", logstr); */
pt = CA;
goto finalize;
}
/* Check by OID */
for (i = 0; i < X509_get_ext_count(cert); ++i) {
ex = X509_get_ext(cert, i);
if (X509_EXTENSION_get_object(ex)) {
OBJ_obj2txt(s, EXT_TEXT_LEN, X509_EXTENSION_get_object(ex), 1);
if (strcmp(s, OID_RFC_PROXY) == 0) {
pt = RFC_PROXY;
/* Find index of OID_RFC_PROXY */
if((myindex = X509_get_ext_by_NID(cert, OBJ_txt2nid(OID_RFC_PROXY), -1)) != -1 &&
(pci_ext = X509_get_ext(cert,myindex)) && X509_EXTENSION_get_critical(pci_ext)) {
if((pci = X509V3_EXT_d2i(pci_ext)) == NULL) {
verify_error(logstr, "Can't convert DER encoded PROXYCERTINFO extension to internal form");
goto failure;
}
/* Pull a certificate policy from the extension, note:
* pci!=NULL since we've checked that */
if( (policy = pci->policy) == NULL) {
verify_error(logstr, "Can't get policy from PROXYCERTINFO extension");
goto failure;
}
/* Get policy language */
if( (policy_lang = policy->policy_language) == NULL) {
verify_error(logstr, "Can't get policy language from PROXYCERTINFO extension");
goto failure;
}
/* Lang to NID, lang's NID holds RFC Proxy type, like limited. Impersonation is the default */
policy_nid = OBJ_obj2nid(policy_lang);
if(policy_nid == OBJ_txt2nid(IMPERSONATION_PROXY_OID)) {
pt = RFC_PROXY;
} else if(policy_nid == OBJ_txt2nid(INDEPENDENT_PROXY_OID)) {
pt = RFC_PROXY;
} else if(policy_nid == OBJ_txt2nid(LIMITED_PROXY_OID)) {
pt = RFC_LIMITED_PROXY;
} else {
/* RFC_RESTRICTED_PROXY */
pt = RFC_PROXY;
}
if(X509_get_ext_by_NID(cert, OBJ_txt2nid(OID_RFC_PROXY), myindex) != -1) {
verify_error(logstr, "Found more than one PCI extension");
goto failure;
}
}
goto finalize;
}
if (strcmp(s, OID_GLOBUS_PROXY_V3) == 0) {
pt = GT3_PROXY;
/* Find index of OID_GT3_PROXY - Don't make it search for critical extentions... VOMS doesn't set those. */
if((myindex = X509_get_ext_by_NID(cert, OBJ_txt2nid(OID_GLOBUS_PROXY_V3), -1)) != -1 &&
(pci_ext = X509_get_ext(cert,myindex))) {
if((pci = X509V3_EXT_d2i(pci_ext)) == NULL) {
verify_error(logstr, "Can't convert DER encoded PROXYCERTINFO extension to internal form");
goto failure;
}
/* Pull a certificate policy from the extension. Note: pci
* != NULL since we've checked that */
if( (policy = pci->policy) == NULL) {
verify_error(logstr, "Can't get policy from PROXYCERTINFO extension");
goto failure;
}
/* Get policy language */
if( (policy_lang = policy->policy_language) == NULL) {
verify_error(logstr, "Can't get policy language from PROXYCERTINFO extension");
goto failure;
}
/* Lang to NID, lang's NID holds RFC Proxy type, like limited. Impersonation is the default */
policy_nid = OBJ_obj2nid(policy_lang);
if(policy_nid == OBJ_txt2nid(IMPERSONATION_PROXY_OID)) {
pt = GT3_PROXY;
} else if(policy_nid == OBJ_txt2nid(INDEPENDENT_PROXY_OID)) {
pt = GT3_PROXY;
} else if(policy_nid == OBJ_txt2nid(LIMITED_PROXY_OID)) {
pt = GT3_LIMITED_PROXY;
} else {
/* GT3_RESTRICTED_PROXY */
pt = GT3_PROXY;
}
if(X509_get_ext_by_NID(cert, OBJ_txt2nid(OID_GLOBUS_PROXY_V3), myindex) != -1) {
verify_error(logstr, "Found more than one PCI extension");
goto failure;
}
}
goto finalize;
}
if (strcmp(s, OID_GLOBUS_PROXY_V2) == 0) {
pt = GT3_PROXY;
/* Check for GT2_PROXY tail */
if (cert_subjectdn
&& (strlen(cert_subjectdn) > strlen("/cn=proxy"))
&& (tail_str = &cert_subjectdn[strlen(cert_subjectdn) - strlen("/cn=proxy")])
&& (strcasecmp(tail_str, "/cn=proxy") == 0)
) {
/* verify_log (L_DEBUG, "%s: Detected GT2 proxy certificate", logstr); */
pt = GT2_PROXY;
goto finalize;
}
/* Check for GT2_LIMITED_PROXY tail */
if (cert_subjectdn
&& (strlen(cert_subjectdn) > strlen("/cn=limited proxy"))
&& (tail_str = &cert_subjectdn[strlen(cert_subjectdn) - strlen("/cn=limited proxy")])
&& (strcasecmp(tail_str, "/cn=limited proxy") == 0)
) {
/* verify_log (L_DEBUG, "%s: Detected GT2 limited proxy certificate", logstr); */
pt = GT2_LIMITED_PROXY;
goto finalize;
}
verify_error(logstr, "Detected the Globus GT2 OID in the certificate, "
"but seems to have a malformed Subject DN: \"%s\"", cert_subjectdn);
goto failure;
}
}
}
/* Options left: GT2_PROXY, GT2_LIMITED_PROXY, EEC */
/* Extract Subject DN - Needs free */
if (!(cert_subjectdn = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0))) {
verify_error (logstr, "Error in %s: Couldn't get the subject DN from the certificate.", logstr);
goto failure;
}
if (!(cert_issuerdn = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0))) {
verify_error (logstr, "Error in %s: Couldn't get the issuer DN from the certificate.", logstr);
goto failure;
}
/* Check length of the DNs */
len_subject_dn = strlen(cert_subjectdn);
len_issuer_dn = strlen(cert_issuerdn);
/* Lower case the Subject DN */
/* for (j = 0; j < strlen(cert_subjectdn); j++) { cert_subjectdn[j] = tolower(cert_subjectdn[j]); } */
/* Proxies always has a longer subject_dn then a issuer_dn and
* the issuer_dn is a substring of the subject_dn
*/
if ( (len_issuer_dn < len_subject_dn)
&& (strncmp(cert_subjectdn, cert_issuerdn, len_issuer_dn) == 0)
) {
/* Check for GT2_PROXY tail */
if (cert_subjectdn
&& (strlen(cert_subjectdn) > strlen("/cn=proxy"))
&& (tail_str = &cert_subjectdn[strlen(cert_subjectdn) - strlen("/cn=proxy")])
&& (strcasecmp(tail_str, "/cn=proxy") == 0)
) {
/* verify_log (L_DEBUG, "%s: Detected GT2 proxy certificate", logstr); */
pt = GT2_PROXY;
goto finalize;
}
/* Check for GT2_LIMITED_PROXY tail */
if (cert_subjectdn
&& (strlen(cert_subjectdn) > strlen("/cn=limited proxy"))
&& (tail_str = &cert_subjectdn[strlen(cert_subjectdn) - strlen("/cn=limited proxy")])
&& (strcasecmp(tail_str, "/cn=limited proxy") == 0)
) {
/* verify_log (L_DEBUG, "%s: Detected GT2 limited proxy certificate", logstr); */
pt = GT2_LIMITED_PROXY;
goto finalize;
}
/* Check for RFC_PROXY, without the need for OpenSSL proxy support */
/* Method: Check if the subject_dn is long enough, grab its tail and
* snip of the 10 characters. Then check if the 10 characters are
* numbers. */
if (cert_subjectdn
&& (strlen(cert_subjectdn) > strlen("/cn=0123456789"))
&& (tail_str = strrchr(cert_subjectdn, '='))
&& (tail_str = &tail_str[1])
&& (strtol(tail_str, NULL, 10))
&& (errno != ERANGE)
) {
/* verify_log (L_DEBUG, "%s: Detected RFC proxy certificate", logstr); */
pt = RFC_PROXY;
goto finalize;
}
/* Don't know the type of proxy, could be an RFC proxy with
* improper/incomplete implementation in the active OpenSSL version or
* a mistake in the client software */
goto failure;
}
/* I have no idea what else it is, so I conclude that it's an EEC */
pt = EEC;
goto finalize;
failure:
/* On failure, or non-distinct selections of the certificate, indicate NONE */
pt = NONE;
finalize:
if (cert_subjectdn)
free(cert_subjectdn);
if (cert_issuerdn)
free(cert_issuerdn);
return pt;
}
Datum
ssl_extension_info(PG_FUNCTION_ARGS)
{
X509 *cert = MyProcPort->peer;
FuncCallContext *funcctx;
int call_cntr;
int max_calls;
MemoryContext oldcontext;
SSLExtensionInfoContext *fctx;
if (SRF_IS_FIRSTCALL())
{
TupleDesc tupdesc;
/* create a function context for cross-call persistence */
funcctx = SRF_FIRSTCALL_INIT();
/*
* Switch to memory context appropriate for multiple function calls
*/
oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);
/* Create a user function context for cross-call persistence */
fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext));
/* Construct tuple descriptor */
if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("function returning record called in context that cannot accept type record")));
fctx->tupdesc = BlessTupleDesc(tupdesc);
/* Set max_calls as a count of extensions in certificate */
max_calls = cert != NULL ? X509_get_ext_count(cert) : 0;
if (max_calls > 0)
{
/* got results, keep track of them */
funcctx->max_calls = max_calls;
funcctx->user_fctx = fctx;
}
else
{
/* fast track when no results */
MemoryContextSwitchTo(oldcontext);
SRF_RETURN_DONE(funcctx);
}
MemoryContextSwitchTo(oldcontext);
}
/* stuff done on every call of the function */
funcctx = SRF_PERCALL_SETUP();
/*
* Initialize per-call variables.
*/
call_cntr = funcctx->call_cntr;
max_calls = funcctx->max_calls;
fctx = funcctx->user_fctx;
/* do while there are more left to send */
if (call_cntr < max_calls)
{
Datum values[3];
bool nulls[3];
char *buf;
HeapTuple tuple;
Datum result;
BIO *membuf;
X509_EXTENSION *ext;
ASN1_OBJECT *obj;
int nid;
int len;
/* need a BIO for this */
membuf = BIO_new(BIO_s_mem());
if (membuf == NULL)
ereport(ERROR,
(errcode(ERRCODE_OUT_OF_MEMORY),
errmsg("could not create OpenSSL BIO structure")));
/* Get the extension from the certificate */
ext = X509_get_ext(cert, call_cntr);
obj = X509_EXTENSION_get_object(ext);
/* Get the extension name */
nid = OBJ_obj2nid(obj);
if (nid == NID_undef)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("unknown OpenSSL extension in certificate at position %d",
call_cntr)));
values[0] = CStringGetTextDatum(OBJ_nid2sn(nid));
nulls[0] = false;
/* Get the extension value */
if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("could not print extension value in certificate at position %d",
call_cntr)));
len = BIO_get_mem_data(membuf, &buf);
values[1] = PointerGetDatum(cstring_to_text_with_len(buf, len));
nulls[1] = false;
/* Get critical status */
values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext));
nulls[2] = false;
/* Build tuple */
tuple = heap_form_tuple(fctx->tupdesc, values, nulls);
result = HeapTupleGetDatum(tuple);
if (BIO_free(membuf) != 1)
elog(ERROR, "could not free OpenSSL BIO structure");
SRF_RETURN_NEXT(funcctx, result);
}
/* All done */
SRF_RETURN_DONE(funcctx);
}
