/* * Returns: 0 if successfully matching certificate to TLSA record bytes * -1 if there was no match */ int ca_constraint(const SSL *con, const X509 *tlsa_cert, int usage) { STACK_OF(X509) *cert_chain = NULL; cert_chain = SSL_get_peer_cert_chain(con); BIO_printf(b_err, "DANE ca_constraint() chain of %d length\n", sk_X509_num(cert_chain)); int ret_val; ret_val = 0; if (cert_chain != NULL) { int i; for (i = 0; i < sk_X509_num(cert_chain); i++) { BIO_printf(b_err, "DANE ca_constraint() cert %d of %d.\n", i, sk_X509_num(cert_chain)); /* BIO_printf(b_err, "DANE CXN Certificate\n"); PEM_write_bio_X509(b_err, sk_X509_value(cert_chain, i)); BIO_printf(b_err, "DANE TLSA Certificate\n"); PEM_write_bio_X509(b_err, tlsa_cert); */ if (X509_cmp(tlsa_cert, sk_X509_value(cert_chain, i)) < 0) { ret_val = -1; BIO_printf(b_err, "DANE ca_constraint() certificates didn't match\n"); } else { BIO_printf(b_err, "DANE ca_constraint() certificates matches\n"); if (usage == 0) return 0; /* For this to be a trust anchor, the following characteristics applies: * 1. Issuer name is the same as Subject name * 2. Either or both * a) the Key Usage field is set to keyCertSign (KU_KEY_CERT_SIGN) * b) the basicConstraints field has the attribute cA set to True (EXFLAG_CA) */ X509_NAME *issuer_name, *subject_name; issuer_name = X509_get_issuer_name(tlsa_cert); subject_name = X509_get_subject_name(tlsa_cert); if (X509_name_cmp(issuer_name, subject_name) == 0) { BIO_printf(b_err, "DANE issuer == subject\n"); if (tlsa_cert->ex_flags & EXFLAG_CA) { BIO_printf(b_err, "DANE ca_constraint() EXFLAG_CA set\n"); return 0; } /* Left unimplemented since I don't have a CA certificate to work with.*/ int ext_count, j; ext_count = X509_get_ext_count(tlsa_cert); BIO_printf(b_err, "DANE ca_constraint() %d certificate extensions\n"); } else { return 0; } } } } return ret_val; }
RTDECL(int) RTX509CertificateVerify(void *pvBuf, unsigned int cbSize) { int rc = VINF_SUCCESS; X509 *certificate = NULL; X509_NAME * subject = NULL; X509_NAME * issuer = NULL; EVP_PKEY * evp_key = NULL; unsigned char* strBasicConstraints = NULL; while(1) { rc = rtX509ReadCertificateFromPEM(pvBuf, cbSize, &certificate); if (RT_FAILURE(rc)) { break; } rc = RTX509GetBasicConstraints(pvBuf, cbSize, &strBasicConstraints); if (RT_FAILURE(rc)) { break; } issuer = X509_get_issuer_name(certificate); if(strcmp("CA:TRUE", (const char*)strBasicConstraints) == 0) { subject = X509_get_subject_name(certificate); int ki=0; if(X509_name_cmp(issuer, subject) == 0) { evp_key = X509_get_pubkey(certificate); ki=X509_verify(certificate,evp_key); if(ki>0) { /* if it's needed will do something with the verified certificate */ } else rc = VERR_X509_CERTIFICATE_VERIFICATION_FAILURE; } else { rc = VINF_X509_NOT_SELFSIGNED_CERTIFICATE; } } else { rc = VINF_X509_NOT_SELFSIGNED_CERTIFICATE; } break; } if(certificate) X509_free(certificate); if(evp_key) EVP_PKEY_free(evp_key); RTMemFree(strBasicConstraints); return rc; }
int x509_cert_validate(void *scert) { X509_STORE_CTX csc; X509_NAME *issuer, *subject; X509 *cert = (X509 *) scert; EVP_PKEY *key; int res, err; /* * Validate the peer certificate by checking with the CA certificates * we trust. */ X509_STORE_CTX_init(&csc, x509_cas, cert, NULL); #if OPENSSL_VERSION_NUMBER >= 0x00908000L /* XXX See comment in x509_read_crls_from_dir. */ if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) { X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK); X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL); } #elif OPENSSL_VERSION_NUMBER >= 0x00907000L /* XXX See comment in x509_read_crls_from_dir. */ if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) { X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK); X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL); } #endif res = X509_verify_cert(&csc); err = csc.error; X509_STORE_CTX_cleanup(&csc); /* * Return if validation succeeded or self-signed certs are not * accepted. * * XXX X509_verify_cert seems to return -1 if the validation should be * retried somehow. We take this as an error and give up. */ if (res > 0) return 1; else if (res < 0 || (res == 0 && err != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) { if (err) log_print("x509_cert_validate: %.100s", X509_verify_cert_error_string(err)); return 0; } else if (!conf_get_str("X509-certificates", "Accept-self-signed")) { if (err) log_print("x509_cert_validate: %.100s", X509_verify_cert_error_string(err)); return 0; } issuer = X509_get_issuer_name(cert); subject = X509_get_subject_name(cert); if (!issuer || !subject || X509_name_cmp(issuer, subject)) return 0; key = X509_get_pubkey(cert); if (!key) { log_print("x509_cert_validate: could not get public key from " "self-signed cert"); return 0; } if (X509_verify(cert, key) == -1) { log_print("x509_cert_validate: self-signed cert is bad"); return 0; } return 1; }
/* * Given an X509 certificate, create a KeyNote assertion where * Issuer/Subject -> Authorizer/Licensees. * XXX RSA-specific. */ int x509_generate_kn(int id, X509 *cert) { static const char fmt[] = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s" "\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n"; char *ikey = NULL, *skey = NULL, *buf = NULL; char isname[256], subname[256]; static const char fmt2[] = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\n" "Conditions: %s >= \"%s\" && %s <= \"%s\";\n"; X509_NAME *issuer, *subject; struct keynote_deckey dc; X509_STORE_CTX csc; X509_OBJECT obj; X509 *icert; RSA *key = NULL; time_t tt; char before[15], after[15], *timecomp, *timecomp2; ASN1_TIME *tm; int i; LOG_DBG((LOG_POLICY, 90, "x509_generate_kn: generating KeyNote policy for certificate %p", cert)); issuer = X509_get_issuer_name(cert); subject = X509_get_subject_name(cert); /* Missing or self-signed, ignore cert but don't report failure. */ if (!issuer || !subject || !X509_name_cmp(issuer, subject)) return 1; if (!x509_cert_get_key(cert, &key)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: failed to get public key from cert")); return 0; } dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; dc.dec_key = key; ikey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX, KEYNOTE_PUBLIC_KEY); if (keynote_errno == ERROR_MEMORY) { log_print("x509_generate_kn: failed to get memory for " "public key"); LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get " "subject key")); goto fail; } if (!ikey) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get " "subject key")); goto fail; } RSA_free(key); key = NULL; /* Now find issuer's certificate so we can get the public key. */ X509_STORE_CTX_init(&csc, x509_cas, cert, NULL); if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) != X509_LU_X509) { X509_STORE_CTX_cleanup(&csc); X509_STORE_CTX_init(&csc, x509_certs, cert, NULL); if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) != X509_LU_X509) { X509_STORE_CTX_cleanup(&csc); LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: no certificate found for " "issuer")); goto fail; } } X509_STORE_CTX_cleanup(&csc); icert = obj.data.x509; if (icert == NULL) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: " "missing certificates, cannot construct X509 chain")); goto fail; } if (!x509_cert_get_key(icert, &key)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: failed to get public key from cert")); goto fail; } X509_OBJECT_free_contents(&obj); dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; dc.dec_key = key; skey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX, KEYNOTE_PUBLIC_KEY); if (keynote_errno == ERROR_MEMORY) { log_error("x509_generate_kn: failed to get memory for public " "key"); LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer " "key")); goto fail; } if (!skey) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer " "key")); goto fail; } RSA_free(key); key = NULL; if (((tm = X509_get_notBefore(cert)) == NULL) || (tm->type != V_ASN1_UTCTIME && tm->type != V_ASN1_GENERALIZEDTIME)) { tt = time(0); strftime(before, 14, "%Y%m%d%H%M%S", localtime(&tt)); timecomp = "LocalTimeOfDay"; } else { if (tm->data[tm->length - 1] == 'Z') { timecomp = "GMTTimeOfDay"; i = tm->length - 2; } else { timecomp = "LocalTimeOfDay"; i = tm->length - 1; } for (; i >= 0; i--) { if (tm->data[i] < '0' || tm->data[i] > '9') { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid data in " "NotValidBefore time field")); goto fail; } } if (tm->type == V_ASN1_UTCTIME) { if ((tm->length < 10) || (tm->length > 13)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid length " "of NotValidBefore time field (%d)", tm->length)); goto fail; } /* Validity checks. */ if ((tm->data[2] != '0' && tm->data[2] != '1') || (tm->data[2] == '0' && tm->data[3] == '0') || (tm->data[2] == '1' && tm->data[3] > '2') || (tm->data[4] > '3') || (tm->data[4] == '0' && tm->data[5] == '0') || (tm->data[4] == '3' && tm->data[5] > '1') || (tm->data[6] > '2') || (tm->data[6] == '2' && tm->data[7] > '3') || (tm->data[8] > '5')) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid value in " "NotValidBefore time field")); goto fail; } /* Stupid UTC tricks. */ if (tm->data[0] < '5') snprintf(before, sizeof before, "20%s", tm->data); else snprintf(before, sizeof before, "19%s", tm->data); } else { /* V_ASN1_GENERICTIME */ if ((tm->length < 12) || (tm->length > 15)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid length of " "NotValidBefore time field (%d)", tm->length)); goto fail; } /* Validity checks. */ if ((tm->data[4] != '0' && tm->data[4] != '1') || (tm->data[4] == '0' && tm->data[5] == '0') || (tm->data[4] == '1' && tm->data[5] > '2') || (tm->data[6] > '3') || (tm->data[6] == '0' && tm->data[7] == '0') || (tm->data[6] == '3' && tm->data[7] > '1') || (tm->data[8] > '2') || (tm->data[8] == '2' && tm->data[9] > '3') || (tm->data[10] > '5')) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid value in " "NotValidBefore time field")); goto fail; } snprintf(before, sizeof before, "%s", tm->data); } /* Fix missing seconds. */ if (tm->length < 12) { before[12] = '0'; before[13] = '0'; } /* This will overwrite trailing 'Z'. */ before[14] = '\0'; } tm = X509_get_notAfter(cert); if (tm == NULL && (tm->type != V_ASN1_UTCTIME && tm->type != V_ASN1_GENERALIZEDTIME)) { tt = time(0); strftime(after, 14, "%Y%m%d%H%M%S", localtime(&tt)); timecomp2 = "LocalTimeOfDay"; } else { if (tm->data[tm->length - 1] == 'Z') { timecomp2 = "GMTTimeOfDay"; i = tm->length - 2; } else { timecomp2 = "LocalTimeOfDay"; i = tm->length - 1; } for (; i >= 0; i--) { if (tm->data[i] < '0' || tm->data[i] > '9') { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid data in " "NotValidAfter time field")); goto fail; } } if (tm->type == V_ASN1_UTCTIME) { if ((tm->length < 10) || (tm->length > 13)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid length of " "NotValidAfter time field (%d)", tm->length)); goto fail; } /* Validity checks. */ if ((tm->data[2] != '0' && tm->data[2] != '1') || (tm->data[2] == '0' && tm->data[3] == '0') || (tm->data[2] == '1' && tm->data[3] > '2') || (tm->data[4] > '3') || (tm->data[4] == '0' && tm->data[5] == '0') || (tm->data[4] == '3' && tm->data[5] > '1') || (tm->data[6] > '2') || (tm->data[6] == '2' && tm->data[7] > '3') || (tm->data[8] > '5')) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid value in " "NotValidAfter time field")); goto fail; } /* Stupid UTC tricks. */ if (tm->data[0] < '5') snprintf(after, sizeof after, "20%s", tm->data); else snprintf(after, sizeof after, "19%s", tm->data); } else { /* V_ASN1_GENERICTIME */ if ((tm->length < 12) || (tm->length > 15)) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid length of " "NotValidAfter time field (%d)", tm->length)); goto fail; } /* Validity checks. */ if ((tm->data[4] != '0' && tm->data[4] != '1') || (tm->data[4] == '0' && tm->data[5] == '0') || (tm->data[4] == '1' && tm->data[5] > '2') || (tm->data[6] > '3') || (tm->data[6] == '0' && tm->data[7] == '0') || (tm->data[6] == '3' && tm->data[7] > '1') || (tm->data[8] > '2') || (tm->data[8] == '2' && tm->data[9] > '3') || (tm->data[10] > '5')) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: invalid value in " "NotValidAfter time field")); goto fail; } snprintf(after, sizeof after, "%s", tm->data); } /* Fix missing seconds. */ if (tm->length < 12) { after[12] = '0'; after[13] = '0'; } after[14] = '\0'; /* This will overwrite trailing 'Z' */ } if (asprintf(&buf, fmt, skey, ikey, timecomp, before, timecomp2, after) == -1) { log_error("x509_generate_kn: " "failed to allocate memory for KeyNote credential"); goto fail; } free(ikey); ikey = NULL; free(skey); skey = NULL; if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: failed to add new KeyNote credential")); goto fail; } /* We could print the assertion here, but log_print() truncates... */ LOG_DBG((LOG_POLICY, 60, "x509_generate_kn: added credential")); free(buf); buf = NULL; if (!X509_NAME_oneline(issuer, isname, 256)) { LOG_DBG((LOG_POLICY, 50, "x509_generate_kn: " "X509_NAME_oneline (issuer, ...) failed")); goto fail; } if (!X509_NAME_oneline(subject, subname, 256)) { LOG_DBG((LOG_POLICY, 50, "x509_generate_kn: " "X509_NAME_oneline (subject, ...) failed")); goto fail; } if (asprintf(&buf, fmt2, isname, subname, timecomp, before, timecomp2, after) == -1) { log_error("x509_generate_kn: malloc failed"); return 0; } if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) { LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: failed to add new KeyNote credential")); goto fail; } LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s", buf)); free(buf); return 1; fail: free(buf); free(skey); free(ikey); if (key) RSA_free(key); return 0; }