/*
* Returns: 0 if successfully matching certificate to TLSA record bytes
* -1 if there was no match
*/
int ca_constraint(const SSL *con, const X509 *tlsa_cert, int usage) {
STACK_OF(X509) *cert_chain = NULL;
cert_chain = SSL_get_peer_cert_chain(con);
BIO_printf(b_err, "DANE ca_constraint() chain of %d length\n",
sk_X509_num(cert_chain));
int ret_val;
ret_val = 0;
if (cert_chain != NULL) {
int i;
for (i = 0; i < sk_X509_num(cert_chain); i++) {
BIO_printf(b_err, "DANE ca_constraint() cert %d of %d.\n",
i, sk_X509_num(cert_chain));
/*
BIO_printf(b_err, "DANE CXN Certificate\n");
PEM_write_bio_X509(b_err, sk_X509_value(cert_chain, i));
BIO_printf(b_err, "DANE TLSA Certificate\n");
PEM_write_bio_X509(b_err, tlsa_cert);
*/
if (X509_cmp(tlsa_cert, sk_X509_value(cert_chain, i)) < 0) {
ret_val = -1;
BIO_printf(b_err, "DANE ca_constraint() certificates didn't match\n");
} else {
BIO_printf(b_err, "DANE ca_constraint() certificates matches\n");
if (usage == 0)
return 0;
/* For this to be a trust anchor, the following characteristics applies:
* 1. Issuer name is the same as Subject name
* 2. Either or both
* a) the Key Usage field is set to keyCertSign (KU_KEY_CERT_SIGN)
* b) the basicConstraints field has the attribute cA set to True (EXFLAG_CA)
*/
X509_NAME *issuer_name, *subject_name;
issuer_name = X509_get_issuer_name(tlsa_cert);
subject_name = X509_get_subject_name(tlsa_cert);
if (X509_name_cmp(issuer_name, subject_name) == 0) {
BIO_printf(b_err, "DANE issuer == subject\n");
if (tlsa_cert->ex_flags & EXFLAG_CA) {
BIO_printf(b_err, "DANE ca_constraint() EXFLAG_CA set\n");
return 0;
}
/* Left unimplemented since I don't have a CA certificate to work with.*/
int ext_count, j;
ext_count = X509_get_ext_count(tlsa_cert);
BIO_printf(b_err, "DANE ca_constraint() %d certificate extensions\n");
} else {
return 0;
}
}
}
}
return ret_val;
}
RTDECL(int) RTX509CertificateVerify(void *pvBuf, unsigned int cbSize)
{
int rc = VINF_SUCCESS;
X509 *certificate = NULL;
X509_NAME * subject = NULL;
X509_NAME * issuer = NULL;
EVP_PKEY * evp_key = NULL;
unsigned char* strBasicConstraints = NULL;
while(1)
{
rc = rtX509ReadCertificateFromPEM(pvBuf, cbSize, &certificate);
if (RT_FAILURE(rc))
{
break;
}
rc = RTX509GetBasicConstraints(pvBuf, cbSize, &strBasicConstraints);
if (RT_FAILURE(rc))
{
break;
}
issuer = X509_get_issuer_name(certificate);
if(strcmp("CA:TRUE", (const char*)strBasicConstraints) == 0)
{
subject = X509_get_subject_name(certificate);
int ki=0;
if(X509_name_cmp(issuer, subject) == 0)
{
evp_key = X509_get_pubkey(certificate);
ki=X509_verify(certificate,evp_key);
if(ki>0)
{
/* if it's needed will do something with the verified certificate */
}
else
rc = VERR_X509_CERTIFICATE_VERIFICATION_FAILURE;
}
else
{
rc = VINF_X509_NOT_SELFSIGNED_CERTIFICATE;
}
}
else
{
rc = VINF_X509_NOT_SELFSIGNED_CERTIFICATE;
}
break;
}
if(certificate)
X509_free(certificate);
if(evp_key)
EVP_PKEY_free(evp_key);
RTMemFree(strBasicConstraints);
return rc;
}
int
x509_cert_validate(void *scert)
{
X509_STORE_CTX csc;
X509_NAME *issuer, *subject;
X509 *cert = (X509 *) scert;
EVP_PKEY *key;
int res, err;
/*
* Validate the peer certificate by checking with the CA certificates
* we trust.
*/
X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x00908000L
/* XXX See comment in x509_read_crls_from_dir. */
if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
}
#elif OPENSSL_VERSION_NUMBER >= 0x00907000L
/* XXX See comment in x509_read_crls_from_dir. */
if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
}
#endif
res = X509_verify_cert(&csc);
err = csc.error;
X509_STORE_CTX_cleanup(&csc);
/*
* Return if validation succeeded or self-signed certs are not
* accepted.
*
* XXX X509_verify_cert seems to return -1 if the validation should be
* retried somehow. We take this as an error and give up.
*/
if (res > 0)
return 1;
else if (res < 0 ||
(res == 0 && err != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
if (err)
log_print("x509_cert_validate: %.100s",
X509_verify_cert_error_string(err));
return 0;
} else if (!conf_get_str("X509-certificates", "Accept-self-signed")) {
if (err)
log_print("x509_cert_validate: %.100s",
X509_verify_cert_error_string(err));
return 0;
}
issuer = X509_get_issuer_name(cert);
subject = X509_get_subject_name(cert);
if (!issuer || !subject || X509_name_cmp(issuer, subject))
return 0;
key = X509_get_pubkey(cert);
if (!key) {
log_print("x509_cert_validate: could not get public key from "
"self-signed cert");
return 0;
}
if (X509_verify(cert, key) == -1) {
log_print("x509_cert_validate: self-signed cert is bad");
return 0;
}
return 1;
}
/*
* Given an X509 certificate, create a KeyNote assertion where
* Issuer/Subject -> Authorizer/Licensees.
* XXX RSA-specific.
*/
int
x509_generate_kn(int id, X509 *cert)
{
static const char fmt[] = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s"
"\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n";
char *ikey = NULL, *skey = NULL, *buf = NULL;
char isname[256], subname[256];
static const char fmt2[] = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\n"
"Conditions: %s >= \"%s\" && %s <= \"%s\";\n";
X509_NAME *issuer, *subject;
struct keynote_deckey dc;
X509_STORE_CTX csc;
X509_OBJECT obj;
X509 *icert;
RSA *key = NULL;
time_t tt;
char before[15], after[15], *timecomp, *timecomp2;
ASN1_TIME *tm;
int i;
LOG_DBG((LOG_POLICY, 90,
"x509_generate_kn: generating KeyNote policy for certificate %p",
cert));
issuer = X509_get_issuer_name(cert);
subject = X509_get_subject_name(cert);
/* Missing or self-signed, ignore cert but don't report failure. */
if (!issuer || !subject || !X509_name_cmp(issuer, subject))
return 1;
if (!x509_cert_get_key(cert, &key)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: failed to get public key from cert"));
return 0;
}
dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
dc.dec_key = key;
ikey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
KEYNOTE_PUBLIC_KEY);
if (keynote_errno == ERROR_MEMORY) {
log_print("x509_generate_kn: failed to get memory for "
"public key");
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get "
"subject key"));
goto fail;
}
if (!ikey) {
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get "
"subject key"));
goto fail;
}
RSA_free(key);
key = NULL;
/* Now find issuer's certificate so we can get the public key. */
X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) !=
X509_LU_X509) {
X509_STORE_CTX_cleanup(&csc);
X509_STORE_CTX_init(&csc, x509_certs, cert, NULL);
if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj)
!= X509_LU_X509) {
X509_STORE_CTX_cleanup(&csc);
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: no certificate found for "
"issuer"));
goto fail;
}
}
X509_STORE_CTX_cleanup(&csc);
icert = obj.data.x509;
if (icert == NULL) {
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: "
"missing certificates, cannot construct X509 chain"));
goto fail;
}
if (!x509_cert_get_key(icert, &key)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: failed to get public key from cert"));
goto fail;
}
X509_OBJECT_free_contents(&obj);
dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA;
dc.dec_key = key;
skey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX,
KEYNOTE_PUBLIC_KEY);
if (keynote_errno == ERROR_MEMORY) {
log_error("x509_generate_kn: failed to get memory for public "
"key");
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer "
"key"));
goto fail;
}
if (!skey) {
LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer "
"key"));
goto fail;
}
RSA_free(key);
key = NULL;
if (((tm = X509_get_notBefore(cert)) == NULL) ||
(tm->type != V_ASN1_UTCTIME &&
tm->type != V_ASN1_GENERALIZEDTIME)) {
tt = time(0);
strftime(before, 14, "%Y%m%d%H%M%S", localtime(&tt));
timecomp = "LocalTimeOfDay";
} else {
if (tm->data[tm->length - 1] == 'Z') {
timecomp = "GMTTimeOfDay";
i = tm->length - 2;
} else {
timecomp = "LocalTimeOfDay";
i = tm->length - 1;
}
for (; i >= 0; i--) {
if (tm->data[i] < '0' || tm->data[i] > '9') {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid data in "
"NotValidBefore time field"));
goto fail;
}
}
if (tm->type == V_ASN1_UTCTIME) {
if ((tm->length < 10) || (tm->length > 13)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length "
"of NotValidBefore time field (%d)",
tm->length));
goto fail;
}
/* Validity checks. */
if ((tm->data[2] != '0' && tm->data[2] != '1') ||
(tm->data[2] == '0' && tm->data[3] == '0') ||
(tm->data[2] == '1' && tm->data[3] > '2') ||
(tm->data[4] > '3') ||
(tm->data[4] == '0' && tm->data[5] == '0') ||
(tm->data[4] == '3' && tm->data[5] > '1') ||
(tm->data[6] > '2') ||
(tm->data[6] == '2' && tm->data[7] > '3') ||
(tm->data[8] > '5')) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid value in "
"NotValidBefore time field"));
goto fail;
}
/* Stupid UTC tricks. */
if (tm->data[0] < '5')
snprintf(before, sizeof before, "20%s",
tm->data);
else
snprintf(before, sizeof before, "19%s",
tm->data);
} else { /* V_ASN1_GENERICTIME */
if ((tm->length < 12) || (tm->length > 15)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
"NotValidBefore time field (%d)",
tm->length));
goto fail;
}
/* Validity checks. */
if ((tm->data[4] != '0' && tm->data[4] != '1') ||
(tm->data[4] == '0' && tm->data[5] == '0') ||
(tm->data[4] == '1' && tm->data[5] > '2') ||
(tm->data[6] > '3') ||
(tm->data[6] == '0' && tm->data[7] == '0') ||
(tm->data[6] == '3' && tm->data[7] > '1') ||
(tm->data[8] > '2') ||
(tm->data[8] == '2' && tm->data[9] > '3') ||
(tm->data[10] > '5')) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid value in "
"NotValidBefore time field"));
goto fail;
}
snprintf(before, sizeof before, "%s", tm->data);
}
/* Fix missing seconds. */
if (tm->length < 12) {
before[12] = '0';
before[13] = '0';
}
/* This will overwrite trailing 'Z'. */
before[14] = '\0';
}
tm = X509_get_notAfter(cert);
if (tm == NULL &&
(tm->type != V_ASN1_UTCTIME &&
tm->type != V_ASN1_GENERALIZEDTIME)) {
tt = time(0);
strftime(after, 14, "%Y%m%d%H%M%S", localtime(&tt));
timecomp2 = "LocalTimeOfDay";
} else {
if (tm->data[tm->length - 1] == 'Z') {
timecomp2 = "GMTTimeOfDay";
i = tm->length - 2;
} else {
timecomp2 = "LocalTimeOfDay";
i = tm->length - 1;
}
for (; i >= 0; i--) {
if (tm->data[i] < '0' || tm->data[i] > '9') {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid data in "
"NotValidAfter time field"));
goto fail;
}
}
if (tm->type == V_ASN1_UTCTIME) {
if ((tm->length < 10) || (tm->length > 13)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
"NotValidAfter time field (%d)",
tm->length));
goto fail;
}
/* Validity checks. */
if ((tm->data[2] != '0' && tm->data[2] != '1') ||
(tm->data[2] == '0' && tm->data[3] == '0') ||
(tm->data[2] == '1' && tm->data[3] > '2') ||
(tm->data[4] > '3') ||
(tm->data[4] == '0' && tm->data[5] == '0') ||
(tm->data[4] == '3' && tm->data[5] > '1') ||
(tm->data[6] > '2') ||
(tm->data[6] == '2' && tm->data[7] > '3') ||
(tm->data[8] > '5')) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid value in "
"NotValidAfter time field"));
goto fail;
}
/* Stupid UTC tricks. */
if (tm->data[0] < '5')
snprintf(after, sizeof after, "20%s",
tm->data);
else
snprintf(after, sizeof after, "19%s",
tm->data);
} else { /* V_ASN1_GENERICTIME */
if ((tm->length < 12) || (tm->length > 15)) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid length of "
"NotValidAfter time field (%d)",
tm->length));
goto fail;
}
/* Validity checks. */
if ((tm->data[4] != '0' && tm->data[4] != '1') ||
(tm->data[4] == '0' && tm->data[5] == '0') ||
(tm->data[4] == '1' && tm->data[5] > '2') ||
(tm->data[6] > '3') ||
(tm->data[6] == '0' && tm->data[7] == '0') ||
(tm->data[6] == '3' && tm->data[7] > '1') ||
(tm->data[8] > '2') ||
(tm->data[8] == '2' && tm->data[9] > '3') ||
(tm->data[10] > '5')) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: invalid value in "
"NotValidAfter time field"));
goto fail;
}
snprintf(after, sizeof after, "%s", tm->data);
}
/* Fix missing seconds. */
if (tm->length < 12) {
after[12] = '0';
after[13] = '0';
}
after[14] = '\0'; /* This will overwrite trailing 'Z' */
}
if (asprintf(&buf, fmt, skey, ikey, timecomp, before, timecomp2,
after) == -1) {
log_error("x509_generate_kn: "
"failed to allocate memory for KeyNote credential");
goto fail;
}
free(ikey);
ikey = NULL;
free(skey);
skey = NULL;
if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: failed to add new KeyNote credential"));
goto fail;
}
/* We could print the assertion here, but log_print() truncates... */
LOG_DBG((LOG_POLICY, 60, "x509_generate_kn: added credential"));
free(buf);
buf = NULL;
if (!X509_NAME_oneline(issuer, isname, 256)) {
LOG_DBG((LOG_POLICY, 50,
"x509_generate_kn: "
"X509_NAME_oneline (issuer, ...) failed"));
goto fail;
}
if (!X509_NAME_oneline(subject, subname, 256)) {
LOG_DBG((LOG_POLICY, 50,
"x509_generate_kn: "
"X509_NAME_oneline (subject, ...) failed"));
goto fail;
}
if (asprintf(&buf, fmt2, isname, subname, timecomp, before,
timecomp2, after) == -1) {
log_error("x509_generate_kn: malloc failed");
return 0;
}
if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) {
LOG_DBG((LOG_POLICY, 30,
"x509_generate_kn: failed to add new KeyNote credential"));
goto fail;
}
LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s",
buf));
free(buf);
return 1;
fail:
free(buf);
free(skey);
free(ikey);
if (key)
RSA_free(key);
return 0;
}
