/** * Get X509 certificate basic constraints * * @returns iprt status code. * * @param pvBuf string representation * containing X509 certificate * in PEM format * @param cbSize The amount of data (in bytes) * @param pBasicConstraintsOut memory buffer where the * extracted basic constraints * will be stored in string * representation */ static int RTX509GetBasicConstraints(void *pvBuf, unsigned int cbSize, unsigned char** pBasicConstraintsOut) { int rc = VINF_SUCCESS; BUF_MEM *bptr = NULL; X509 *certificate = NULL; char *errDesc = NULL; BIO *bio_memory = NULL; for (;;) { rc = rtX509ReadCertificateFromPEM(pvBuf, cbSize, &certificate); int loc = X509_get_ext_by_NID(certificate, NID_basic_constraints,-1); if(loc == -1) { rc = VERR_X509_NO_BASIC_CONSTARAINTS; break; } X509_EXTENSION *ext = X509_get_ext(certificate, loc); if(!ext) { rc = VERR_X509_GETTING_EXTENSION_FROM_CERT; break; } ASN1_OCTET_STRING *extdata = X509_EXTENSION_get_data(ext); if(!extdata) { rc = VERR_X509_GETTING_DATA_FROM_EXTENSION; break; } bio_memory = BIO_new(BIO_s_mem()); if(!X509V3_EXT_print(bio_memory, ext, 0, 0)) { rc = VERR_X509_PRINT_EXTENSION_TO_BIO; break; } BIO_ctrl(bio_memory,BIO_CTRL_FLUSH,0,NULL); BIO_ctrl(bio_memory,BIO_C_GET_BUF_MEM_PTR,0,(void *)&bptr); // now bptr contains the strings of the key_usage unsigned char *buf = (unsigned char *)RTMemAlloc((bptr->length + 1)*sizeof(char)); memcpy(buf, bptr->data, bptr->length); // take care that bptr->data is NOT NULL terminated, so add '\0' buf[bptr->length] = '\0'; *pBasicConstraintsOut = buf; break; } if(certificate) X509_free(certificate); BIO_free(bio_memory); return rc; }
static size_t get_extension_by_object (X509 *x509, ASN1_OBJECT *obj, char **output) { int pos = X509_get_ext_by_OBJ (x509, obj, -1); if (pos < 0) { return 0; } X509_EXTENSION *ext = X509_get_ext (x509, pos); int tag; long len; int tc; const unsigned char *p = ext->value->data; ASN1_get_object (&p, &len, &tag, &tc, ext->value->length); size_t size; switch (tag) { case V_ASN1_UTF8STRING: { ASN1_UTF8STRING *str = ASN1_item_unpack (ext->value, ASN1_ITEM_rptr (ASN1_UTF8STRING)); *output = strndup ((const char *) ASN1_STRING_data (str), str->length); size = str->length; ASN1_UTF8STRING_free (str); return size; } case V_ASN1_OCTET_STRING: { ASN1_OCTET_STRING *octstr = ASN1_item_unpack (ext->value, ASN1_ITEM_rptr (ASN1_OCTET_STRING)); *output = malloc (octstr->length); memcpy (*output, octstr->data, octstr->length); size = octstr->length; ASN1_OCTET_STRING_free (octstr); return size; } default: { BIO *bio = BIO_new (BIO_s_mem ()); X509V3_EXT_print (bio, ext, 0, 0); size_t size = BIO_ctrl_pending (bio); char *buf = malloc (sizeof (char) * size); BIO_read (bio, buf, size); *output = buf; BIO_free (bio); return size; } } }
void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) { X509_NAME *x509_name = X509_get_subject_name (x509); const char nullc = '\0'; int i; while (xt) { if (depth == 0 || (xt->flags & XT_FULL_CHAIN)) { i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1); if (i >= 0) { X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); if (ent) { ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent); unsigned char *buf; buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ if (ASN1_STRING_to_UTF8 (&buf, val) > 0) { do_setenv_x509(es, xt->name, (char *)buf, depth); OPENSSL_free (buf); } } } else { i = X509_get_ext_by_NID(x509, xt->nid, -1); if (i >= 0) { X509_EXTENSION *ext = X509_get_ext(x509, i); if (ext) { BIO *bio = BIO_new(BIO_s_mem()); if (bio) { if (X509V3_EXT_print(bio, ext, 0, 0)) { if (BIO_write(bio, &nullc, 1) == 1) { char *str; BIO_get_mem_data(bio, &str); do_setenv_x509(es, xt->name, str, depth); } } BIO_free(bio); } } } } } xt = xt->next; } }
static void ext_print(BIO *out, X509_EXTENSION *ex) { ASN1_OBJECT *obj; int j; BIO_printf(out,"%12s",""); obj=X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(out,obj); j=X509_EXTENSION_get_critical(ex); BIO_printf(out, ": %s\n", j ? "critical":"",""); if(!X509V3_EXT_print(out, ex, 0, 16)) { BIO_printf(out, "%16s", ""); M_ASN1_OCTET_STRING_print(out,ex->value); } BIO_write(out,"\n",1); }
/* * Print a nice text representation of the certificate request. */ static PyObject * crypto_X509Extension_str(crypto_X509ExtensionObj *self) { int str_len; char *tmp_str; PyObject *str; BIO *bio = BIO_new(BIO_s_mem()); if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0)) { BIO_free(bio); exception_from_error_queue(crypto_Error); return NULL; } str_len = BIO_get_mem_data(bio, &tmp_str); str = PyText_FromStringAndSize(tmp_str, str_len); BIO_free(bio); return str; }
static int compare_extension_printout(X509_EXTENSION *extension, const char *expected_output) { BIO *text_buffer = NULL; char *actual_output = NULL; int result = 1; text_buffer = BIO_new(BIO_s_mem()); if (text_buffer == NULL) { fprintf(stderr, "Unable to allocate buffer\n"); goto end; } if (!X509V3_EXT_print(text_buffer, extension, X509V3_EXT_DEFAULT, 0)) { fprintf(stderr, "Failed to print extension\n"); goto end; } /* Append null terminator because we're about to use the buffer contents * as a string. */ if (BIO_write(text_buffer, "\0", 1) != 1) { fprintf(stderr, "Failed to append null terminator to extension text\n"); goto end; } BIO_get_mem_data(text_buffer, &actual_output); result = strcmp(actual_output, expected_output); if (result != 0) { fprintf(stderr, "Expected SCT printout:\n%s\nActual SCT printout:\n%s\n", expected_output, actual_output); } end: BIO_free(text_buffer); return result; }
static PyObject * X509_EXTENSION_value_to_PyString(X509_EXTENSION *ex) { BIO *bio = NULL; PyObject *str = NULL; int str_len; char *tmp_str; /* Create a openssl BIO buffer */ bio = BIO_new(BIO_s_mem()); if (bio == NULL) { goto err; } /* These are not the droids you are looking for. */ if (!X509V3_EXT_print(bio, ex, 0, 0)) { if (M_ASN1_OCTET_STRING_print(bio, ex->value) == 0) { goto err; } } /* Convert to a Python string. */ str_len = BIO_get_mem_data(bio, &tmp_str); str = PyBytes_FromStringAndSize(tmp_str, str_len); /* Cleanup */ BIO_free(bio); return str; err: if (bio) { BIO_free(bio); } if (str) { Py_DECREF(str); } return NULL; }
int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags, unsigned long cflag) { long l; EVP_PKEY *pkey; STACK_OF(X509_ATTRIBUTE) * sk; char mlch = ' '; int nmindent = 0; if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; } if (nmflags == X509_FLAG_COMPAT) { nmindent = 16; } X509_REQ_INFO *ri = x->req_info; if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bio, "Certificate Request:\n", 21) <= 0 || BIO_write(bio, " Data:\n", 10) <= 0) { goto err; } } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_REQ_get_version(x); if (BIO_printf(bio, "%8sVersion: %ld (0x%lx)\n", "", l + 1, l) <= 0) { goto err; } } if (!(cflag & X509_FLAG_NO_SUBJECT)) { if (BIO_printf(bio, " Subject:%c", mlch) <= 0 || X509_NAME_print_ex(bio, ri->subject, nmindent, nmflags) < 0 || BIO_write(bio, "\n", 1) <= 0) { goto err; } } if (!(cflag & X509_FLAG_NO_PUBKEY)) { if (BIO_write(bio, " Subject Public Key Info:\n", 33) <= 0 || BIO_printf(bio, "%12sPublic Key Algorithm: ", "") <= 0 || i2a_ASN1_OBJECT(bio, ri->pubkey->algor->algorithm) <= 0 || BIO_puts(bio, "\n") <= 0) { goto err; } pkey = X509_REQ_get_pubkey(x); if (pkey == NULL) { BIO_printf(bio, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bio); } else { EVP_PKEY_print_public(bio, pkey, 16, NULL); EVP_PKEY_free(pkey); } } if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) { if (BIO_printf(bio, "%8sAttributes:\n", "") <= 0) { goto err; } sk = x->req_info->attributes; if (sk_X509_ATTRIBUTE_num(sk) == 0) { if (BIO_printf(bio, "%12sa0:00\n", "") <= 0) { goto err; } } else { size_t i; for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { X509_ATTRIBUTE *a = sk_X509_ATTRIBUTE_value(sk, i); ASN1_OBJECT *aobj = X509_ATTRIBUTE_get0_object(a); if (X509_REQ_extension_nid(OBJ_obj2nid(aobj))) { continue; } if (BIO_printf(bio, "%12s", "") <= 0) { goto err; } const int num_attrs = X509_ATTRIBUTE_count(a); const int obj_str_len = i2a_ASN1_OBJECT(bio, aobj); if (obj_str_len <= 0) { if (BIO_puts(bio, "(Unable to print attribute ID.)\n") < 0) { goto err; } else { continue; } } int j; for (j = 0; j < num_attrs; j++) { const ASN1_TYPE *at = X509_ATTRIBUTE_get0_type(a, j); const int type = at->type; ASN1_BIT_STRING *bs = at->value.asn1_string; int k; for (k = 25 - obj_str_len; k > 0; k--) { if (BIO_write(bio, " ", 1) != 1) { goto err; } } if (BIO_puts(bio, ":") <= 0) { goto err; } if (type == V_ASN1_PRINTABLESTRING || type == V_ASN1_UTF8STRING || type == V_ASN1_IA5STRING || type == V_ASN1_T61STRING) { if (BIO_write(bio, (char *)bs->data, bs->length) != bs->length) { goto err; } BIO_puts(bio, "\n"); } else { BIO_puts(bio, "unable to print attribute\n"); } } } } } if (!(cflag & X509_FLAG_NO_EXTENSIONS)) { STACK_OF(X509_EXTENSION) *exts = X509_REQ_get_extensions(x); if (exts) { BIO_printf(bio, "%8sRequested Extensions:\n", ""); size_t i; for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i); if (BIO_printf(bio, "%12s", "") <= 0) { goto err; } ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(bio, obj); const int is_critical = X509_EXTENSION_get_critical(ex); if (BIO_printf(bio, ": %s\n", is_critical ? "critical" : "") <= 0) { goto err; } if (!X509V3_EXT_print(bio, ex, cflag, 16)) { BIO_printf(bio, "%16s", ""); ASN1_STRING_print(bio, X509_EXTENSION_get_data(ex)); } if (BIO_write(bio, "\n", 1) <= 0) { goto err; } } sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); } } if (!(cflag & X509_FLAG_NO_SIGDUMP) && !X509_signature_print(bio, x->sig_alg, x->signature)) { goto err; } return 1; err: OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB); return 0; }
extern "C" int32_t X509V3ExtPrint(BIO* out, X509_EXTENSION* ext) { return X509V3_EXT_print(out, ext, X509V3_EXT_DEFAULT, /*indent*/ 0); }
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long cflag) { unsigned long l; int i; const char *neg; X509_REQ_INFO *ri; EVP_PKEY *pkey; STACK_OF(X509_ATTRIBUTE) *sk; STACK_OF(X509_EXTENSION) *exts; char mlch = ' '; int nmindent = 0; if((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; } if(nmflags == X509_FLAG_COMPAT) nmindent = 16; ri=x->req_info; if(!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp,"Certificate Request:\n",21) <= 0) goto err; if (BIO_write(bp," Data:\n",10) <= 0) goto err; } if(!(cflag & X509_FLAG_NO_VERSION)) { neg=(ri->version->type == V_ASN1_NEG_INTEGER)?"-":""; l=0; for (i=0; i<ri->version->length; i++) { l<<=8; l+=ri->version->data[i]; } if(BIO_printf(bp,"%8sVersion: %s%lu (%s0x%lx)\n","",neg,l,neg, l) <= 0) goto err; } if(!(cflag & X509_FLAG_NO_SUBJECT)) { if (BIO_printf(bp," Subject:%c",mlch) <= 0) goto err; if (X509_NAME_print_ex(bp,ri->subject,nmindent, nmflags) < 0) goto err; if (BIO_write(bp,"\n",1) <= 0) goto err; } if(!(cflag & X509_FLAG_NO_PUBKEY)) { if (BIO_write(bp," Subject Public Key Info:\n",33) <= 0) goto err; if (BIO_printf(bp,"%12sPublic Key Algorithm: ","") <= 0) goto err; if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0) goto err; if (BIO_puts(bp, "\n") <= 0) goto err; pkey=X509_REQ_get_pubkey(x); if (pkey == NULL) { BIO_printf(bp,"%12sUnable to load Public Key\n",""); ERR_print_errors(bp); } else #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","", BN_num_bits(pkey->pkey.rsa->n)); RSA_print(bp,pkey->pkey.rsa,16); } else #endif #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) { BIO_printf(bp,"%12sDSA Public Key:\n",""); DSA_print(bp,pkey->pkey.dsa,16); } else #endif #ifndef OPENSSL_NO_EC if (pkey->type == EVP_PKEY_EC) { BIO_printf(bp, "%12sEC Public Key: \n",""); EC_KEY_print(bp, pkey->pkey.ec, 16); } else #endif BIO_printf(bp,"%12sUnknown Public Key:\n",""); EVP_PKEY_free(pkey); } if(!(cflag & X509_FLAG_NO_ATTRIBUTES)) { /* may not be */ if(BIO_printf(bp,"%8sAttributes:\n","") <= 0) goto err; sk=x->req_info->attributes; if (sk_X509_ATTRIBUTE_num(sk) == 0) { if(BIO_printf(bp,"%12sa0:00\n","") <= 0) goto err; } else { for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++) { ASN1_TYPE *at; X509_ATTRIBUTE *a; ASN1_BIT_STRING *bs=NULL; ASN1_TYPE *t; int j,type=0,count=1,ii=0; a=sk_X509_ATTRIBUTE_value(sk,i); if(X509_REQ_extension_nid(OBJ_obj2nid(a->object))) continue; if(BIO_printf(bp,"%12s","") <= 0) goto err; if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0) { if (a->single) { t=a->value.single; type=t->type; bs=t->value.bit_string; } else { ii=0; count=sk_ASN1_TYPE_num(a->value.set); get_next: at=sk_ASN1_TYPE_value(a->value.set,ii); type=at->type; bs=at->value.asn1_string; } } for (j=25-j; j>0; j--) if (BIO_write(bp," ",1) != 1) goto err; if (BIO_puts(bp,":") <= 0) goto err; if ( (type == V_ASN1_PRINTABLESTRING) || (type == V_ASN1_T61STRING) || (type == V_ASN1_IA5STRING)) { if (BIO_write(bp,(char *)bs->data,bs->length) != bs->length) goto err; BIO_puts(bp,"\n"); } else { BIO_puts(bp,"unable to print attribute\n"); } if (++ii < count) goto get_next; } } } if(!(cflag & X509_FLAG_NO_EXTENSIONS)) { exts = X509_REQ_get_extensions(x); if(exts) { BIO_printf(bp,"%8sRequested Extensions:\n",""); for (i=0; i<sk_X509_EXTENSION_num(exts); i++) { ASN1_OBJECT *obj; X509_EXTENSION *ex; int j; ex=sk_X509_EXTENSION_value(exts, i); if (BIO_printf(bp,"%12s","") <= 0) goto err; obj=X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(bp,obj); j=X509_EXTENSION_get_critical(ex); if (BIO_printf(bp,": %s\n",j?"critical":"") <= 0) goto err; if(!X509V3_EXT_print(bp, ex, cflag, 16)) { BIO_printf(bp, "%16s", ""); M_ASN1_OCTET_STRING_print(bp,ex->value); } if (BIO_write(bp,"\n",1) <= 0) goto err; } sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); } } if(!(cflag & X509_FLAG_NO_SIGDUMP)) { if(!X509_signature_print(bp, x->sig_alg, x->signature)) goto err; } return(1); err: X509err(X509_F_X509_REQ_PRINT_EX,ERR_R_BUF_LIB); return(0); }
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long cflag) { long l; int i; X509_REQ_INFO *ri; EVP_PKEY *pkey; STACK_OF(X509_ATTRIBUTE) *sk; STACK_OF(X509_EXTENSION) *exts; char mlch = ' '; int nmindent = 0; if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; } if (nmflags == X509_FLAG_COMPAT) nmindent = 16; ri = x->req_info; if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate Request:\n", 21) <= 0) goto err; if (BIO_write(bp, " Data:\n", 10) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_REQ_get_version(x); if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, l) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_SUBJECT)) { if (BIO_printf(bp, " Subject:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, ri->subject, nmindent, nmflags) < 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_PUBKEY)) { if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0) goto err; if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) goto err; if (i2a_ASN1_OBJECT(bp, ri->pubkey->algor->algorithm) <= 0) goto err; if (BIO_puts(bp, "\n") <= 0) goto err; pkey = X509_REQ_get_pubkey(x); if (pkey == NULL) { BIO_printf(bp, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bp); } else { EVP_PKEY_print_public(bp, pkey, 16, NULL); EVP_PKEY_free(pkey); } } if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) { /* may not be */ if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0) goto err; sk = x->req_info->attributes; if (sk_X509_ATTRIBUTE_num(sk) == 0) { if (BIO_printf(bp, "%12sa0:00\n", "") <= 0) goto err; } else { for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { ASN1_TYPE *at; X509_ATTRIBUTE *a; ASN1_BIT_STRING *bs = NULL; ASN1_OBJECT *aobj; int j, type = 0, count = 1, ii = 0; a = sk_X509_ATTRIBUTE_value(sk, i); aobj = X509_ATTRIBUTE_get0_object(a); if (X509_REQ_extension_nid(OBJ_obj2nid(aobj))) continue; if (BIO_printf(bp, "%12s", "") <= 0) goto err; if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) { ii = 0; count = X509_ATTRIBUTE_count(a); get_next: at = X509_ATTRIBUTE_get0_type(a, ii); type = at->type; bs = at->value.asn1_string; } for (j = 25 - j; j > 0; j--) if (BIO_write(bp, " ", 1) != 1) goto err; if (BIO_puts(bp, ":") <= 0) goto err; if ((type == V_ASN1_PRINTABLESTRING) || (type == V_ASN1_T61STRING) || (type == V_ASN1_IA5STRING)) { if (BIO_write(bp, (char *)bs->data, bs->length) != bs->length) goto err; BIO_puts(bp, "\n"); } else { BIO_puts(bp, "unable to print attribute\n"); } if (++ii < count) goto get_next; } } } if (!(cflag & X509_FLAG_NO_EXTENSIONS)) { exts = X509_REQ_get_extensions(x); if (exts) { BIO_printf(bp, "%8sRequested Extensions:\n", ""); for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { ASN1_OBJECT *obj; X509_EXTENSION *ex; int j; ex = sk_X509_EXTENSION_value(exts, i); if (BIO_printf(bp, "%12s", "") <= 0) goto err; obj = X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(bp, obj); j = X509_EXTENSION_get_critical(ex); if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0) goto err; if (!X509V3_EXT_print(bp, ex, cflag, 16)) { BIO_printf(bp, "%16s", ""); ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex)); } if (BIO_write(bp, "\n", 1) <= 0) goto err; } sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); } } if (!(cflag & X509_FLAG_NO_SIGDUMP)) { if (!X509_signature_print(bp, x->sig_alg, x->signature)) goto err; } return (1); err: X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB); return (0); }
void anubis_dump_server_certificate(SSL *ssl) { X509 *x509Cert = SSL_get_peer_certificate(ssl); char buffer[1024]; BIO *bio = NULL; char *buf = NULL; if(!x509Cert) { anubis_ssl_perror("SSL_get_peer_certificate()"); return; } bio = BIO_new(BIO_s_mem()); if(!bio) { anubis_ssl_perror("BIO_new()"); X509_free(x509Cert); return; }//end if BIO_reset(bio); if(!PEM_write_bio_X509(bio, x509Cert)) { anubis_ssl_perror("PEM_write_bio_X509()"); BIO_free(bio); X509_free(x509Cert); return; } BIO_get_mem_data(bio, &buf); anubis_out("Server certificate:\n%s", buf); // Cert Version long version = 0; if (!(X509_FLAG_COMPAT & X509_FLAG_NO_VERSION)) { version = X509_get_version(x509Cert); fprintf(out_stream, "Version: %ld\n", version); }//end if // Cert Serial No. - Code adapted from OpenSSL's crypto/asn1/t_x509.c if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SERIAL)) { ASN1_INTEGER *bs; long l; int i; const char *neg; bs = X509_get_serialNumber(x509Cert); if (bs->length <= 4) { l = ASN1_INTEGER_get(bs); if (l < 0) { l= -l; neg = "-"; } else neg = ""; fprintf(out_stream, "Serial Number: %lu (%#lx)\n", l, l); } else { neg = (bs->type == V_ASN1_NEG_INTEGER)?" (Negative)":""; fprintf(out_stream, "Serial Number: %s", neg); for (i = 0; i < bs->length; i++) { fprintf(out_stream, "%02x%c", bs->data[i], (i+1 == bs->length)?'\n':':'); } } } // Signature Algo... if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SIGNAME)) { i2a_ASN1_OBJECT(bio, x509Cert->cert_info->signature->algorithm); BIO_get_mem_data(bio, &buf); fprintf(out_stream, "Signature Algorithm:\n%s\n", buf); } // SSL Certificate Issuer... if (!(X509_FLAG_COMPAT & X509_FLAG_NO_ISSUER)) { X509_NAME_oneline(X509_get_issuer_name(x509Cert), buffer, sizeof(buffer) - 1); fprintf(out_stream, "Issuer: %s\n", buffer); } // Validity... if (!(X509_FLAG_COMPAT & X509_FLAG_NO_VALIDITY)) { BIO_reset(bio); ASN1_TIME_print(bio, X509_get_notBefore(x509Cert)); BIO_get_mem_data(bio, &buf); fprintf(out_stream, "Not Valid Before: %s\n", buf); BIO_reset(bio); ASN1_TIME_print(bio, X509_get_notAfter(x509Cert)); BIO_get_mem_data(bio, &buf); fprintf(out_stream, "Not Valid After: %s\n", buf); } // SSL Certificate Subject... if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SUBJECT)) { X509_NAME_oneline(X509_get_subject_name(x509Cert), buffer, sizeof(buffer) - 1); fprintf(out_stream, "Subject: %s\n", buffer); } // Public Key Algo... if (!(X509_FLAG_COMPAT & X509_FLAG_NO_PUBKEY)) { BIO_reset(bio); i2a_ASN1_OBJECT(bio, x509Cert->cert_info->key->algor->algorithm); BIO_get_mem_data(bio, &buf); fprintf(out_stream, "Public Key Algorithm: %s\n", buf); // Public Key... EVP_PKEY *publicKey = NULL; publicKey = X509_get_pubkey(x509Cert); if (publicKey == NULL) { anubis_err("Public Key Could not load\n"); } else { BIO_reset(bio); char *publicKeyType = NULL; int publicKeyLength = -1; switch (publicKey->type) { case EVP_PKEY_RSA: publicKeyType = "RSA"; if (publicKey->pkey.rsa) { publicKeyLength = BN_num_bits(publicKey->pkey.rsa->n); RSA_print(bio, publicKey->pkey.rsa, 0); BIO_get_mem_data(bio, &buf); } break; case EVP_PKEY_DSA: publicKeyType = "DSA"; if (publicKey->pkey.dsa) { DSA_print(bio, publicKey->pkey.dsa, 0); BIO_get_mem_data(bio, &buf); } break; case EVP_PKEY_EC: publicKeyType = "EC"; if (publicKey->pkey.ec) { EC_KEY_print(bio, publicKey->pkey.ec, 0); BIO_get_mem_data(bio, &buf); } break; default: publicKeyType = "Unknown"; break; } EVP_PKEY_free(publicKey); fprintf(out_stream, "%d Public Key: ", publicKeyLength); if(!strcasecmp(publicKeyType, "RSA")) { fprintf(out_stream, "(%d bits)", publicKeyLength); } fprintf(out_stream, "\n"); fprintf(out_stream, "%s\n", buf); } } // X509 v3... if (!(X509_FLAG_COMPAT & X509_FLAG_NO_EXTENSIONS) && sk_X509_EXTENSION_num(x509Cert->cert_info->extensions) > 0) { X509_EXTENSION *extension = NULL; ASN1_OBJECT *asn1Object = NULL; int tempInt2 = 0; BIO_reset(bio); for (int tempInt = 0; tempInt < sk_X509_EXTENSION_num(x509Cert->cert_info->extensions); tempInt++) { // Get Extension... extension = sk_X509_EXTENSION_value(x509Cert->cert_info->extensions, tempInt); asn1Object = X509_EXTENSION_get_object(extension); i2a_ASN1_OBJECT(bio, asn1Object); tempInt2 = X509_EXTENSION_get_critical(extension); BIO_printf(bio, ": %s\n", tempInt2 ? "critical" : ""); // Print Extension value... if (!X509V3_EXT_print(bio, extension, X509_FLAG_COMPAT, 8)) { M_ASN1_OCTET_STRING_print(bio, extension->value); } BIO_printf(bio, "\n"); }//end for BIO_get_mem_data(bio, &buf); fprintf(out_stream, "x509v3 Extensions: %s\n", buf); }//end if x509v3 /* long verifyError = 0; // Verify Certificate... verifyError = SSL_get_verify_result(ssl); const char *verifyCertificate = ""; if (verifyError == X509_V_OK) verifyCertificate = "Certificate passed verification"; else verifyCertificate = X509_verify_cert_error_string(verifyError); fprintf(out_stream, "Validation: %s\n", verifyCertificate); */ BIO_free(bio); X509_free(x509Cert); fflush(out_stream); }//end anubis_dump_server_certificate
Datum ssl_extension_info(PG_FUNCTION_ARGS) { X509 *cert = MyProcPort->peer; FuncCallContext *funcctx; int call_cntr; int max_calls; MemoryContext oldcontext; SSLExtensionInfoContext *fctx; if (SRF_IS_FIRSTCALL()) { TupleDesc tupdesc; /* create a function context for cross-call persistence */ funcctx = SRF_FIRSTCALL_INIT(); /* * Switch to memory context appropriate for multiple function calls */ oldcontext = MemoryContextSwitchTo(funcctx->multi_call_memory_ctx); /* Create a user function context for cross-call persistence */ fctx = (SSLExtensionInfoContext *) palloc(sizeof(SSLExtensionInfoContext)); /* Construct tuple descriptor */ if (get_call_result_type(fcinfo, NULL, &tupdesc) != TYPEFUNC_COMPOSITE) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("function returning record called in context that cannot accept type record"))); fctx->tupdesc = BlessTupleDesc(tupdesc); /* Set max_calls as a count of extensions in certificate */ max_calls = cert != NULL ? X509_get_ext_count(cert) : 0; if (max_calls > 0) { /* got results, keep track of them */ funcctx->max_calls = max_calls; funcctx->user_fctx = fctx; } else { /* fast track when no results */ MemoryContextSwitchTo(oldcontext); SRF_RETURN_DONE(funcctx); } MemoryContextSwitchTo(oldcontext); } /* stuff done on every call of the function */ funcctx = SRF_PERCALL_SETUP(); /* * Initialize per-call variables. */ call_cntr = funcctx->call_cntr; max_calls = funcctx->max_calls; fctx = funcctx->user_fctx; /* do while there are more left to send */ if (call_cntr < max_calls) { Datum values[3]; bool nulls[3]; char *buf; HeapTuple tuple; Datum result; BIO *membuf; X509_EXTENSION *ext; ASN1_OBJECT *obj; int nid; int len; /* need a BIO for this */ membuf = BIO_new(BIO_s_mem()); if (membuf == NULL) ereport(ERROR, (errcode(ERRCODE_OUT_OF_MEMORY), errmsg("could not create OpenSSL BIO structure"))); /* Get the extension from the certificate */ ext = X509_get_ext(cert, call_cntr); obj = X509_EXTENSION_get_object(ext); /* Get the extension name */ nid = OBJ_obj2nid(obj); if (nid == NID_undef) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("unknown OpenSSL extension in certificate at position %d", call_cntr))); values[0] = CStringGetTextDatum(OBJ_nid2sn(nid)); nulls[0] = false; /* Get the extension value */ if (X509V3_EXT_print(membuf, ext, 0, 0) <= 0) ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("could not print extension value in certificate at position %d", call_cntr))); len = BIO_get_mem_data(membuf, &buf); values[1] = PointerGetDatum(cstring_to_text_with_len(buf, len)); nulls[1] = false; /* Get critical status */ values[2] = BoolGetDatum(X509_EXTENSION_get_critical(ext)); nulls[2] = false; /* Build tuple */ tuple = heap_form_tuple(fctx->tupdesc, values, nulls); result = HeapTupleGetDatum(tuple); if (BIO_free(membuf) != 1) elog(ERROR, "could not free OpenSSL BIO structure"); SRF_RETURN_NEXT(funcctx, result); } /* All done */ SRF_RETURN_DONE(funcctx); }
/** Extract attributes from an X509 certificate * * @param cursor to copy attributes to. * @param ctx to allocate attributes in. * @param session current TLS session. * @param cert to validate. * @param depth the certificate is in the certificate chain (0 == leaf). * @return * - 0 on success. * - < 0 on failure. */ int tls_session_pairs_from_x509_cert(fr_cursor_t *cursor, TALLOC_CTX *ctx, tls_session_t *session, X509 *cert, int depth) { char buffer[1024]; char attribute[256]; char **identity; int attr_index, loc; #if OPENSSL_VERSION_NUMBER >= 0x10100000L STACK_OF(X509_EXTENSION) const *ext_list = NULL; #else STACK_OF(X509_EXTENSION) *ext_list = NULL; #endif ASN1_INTEGER *sn = NULL; ASN1_TIME *asn_time = NULL; VALUE_PAIR *vp = NULL; REQUEST *request; #define CERT_ATTR_ADD(_attr, _attr_index, _value) tls_session_cert_attr_add(ctx, request, cursor, _attr, _attr_index, _value) attr_index = depth; if (attr_index > 1) attr_index = 1; request = (REQUEST *)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_REQUEST); rad_assert(request != NULL); identity = (char **)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_IDENTITY); if (RDEBUG_ENABLED3) { buffer[0] = '\0'; X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; RDEBUG3("Creating attributes for \"%s\":", buffer[0] ? buffer : "Cert missing subject OID"); } /* * Get the Serial Number */ sn = X509_get_serialNumber(cert); if (sn && ((size_t) sn->length < (sizeof(buffer) / 2))) { char *p = buffer; int i; for (i = 0; i < sn->length; i++) { sprintf(p, "%02x", (unsigned int)sn->data[i]); p += 2; } CERT_ATTR_ADD(IDX_SERIAL, attr_index, buffer); } /* * Get the Expiration Date */ buffer[0] = '\0'; asn_time = X509_get_notAfter(cert); if (identity && asn_time && (asn_time->length < (int)sizeof(buffer))) { time_t expires; /* * Add expiration as a time since the epoch */ if (tls_utils_asn1time_to_epoch(&expires, asn_time) < 0) { RPWDEBUG("Failed parsing certificate expiry time"); } else { vp = CERT_ATTR_ADD(IDX_EXPIRATION, attr_index, NULL); vp->vp_date = expires; } } /* * Get the Subject & Issuer */ buffer[0] = '\0'; X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (identity && buffer[0]) { CERT_ATTR_ADD(IDX_SUBJECT, attr_index, buffer); /* * Get the Common Name, if there is a subject. */ X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (buffer[0]) { CERT_ATTR_ADD(IDX_COMMON_NAME, attr_index, buffer); } } X509_NAME_oneline(X509_get_issuer_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (identity && buffer[0]) { CERT_ATTR_ADD(IDX_ISSUER, attr_index, buffer); } /* * Get the RFC822 Subject Alternative Name */ loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, 0); if (loc >= 0) { X509_EXTENSION *ext = NULL; GENERAL_NAMES *names = NULL; int i; ext = X509_get_ext(cert, loc); if (ext && (names = X509V3_EXT_d2i(ext))) { for (i = 0; i < sk_GENERAL_NAME_num(names); i++) { GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i); switch (name->type) { #ifdef GEN_EMAIL case GEN_EMAIL: { #if OPENSSL_VERSION_NUMBER >= 0x10100000L char const *rfc822Name = (char const *)ASN1_STRING_get0_data(name->d.rfc822Name); #else char *rfc822Name = (char *)ASN1_STRING_data(name->d.rfc822Name); #endif CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_EMAIL, attr_index, rfc822Name); break; } #endif /* GEN_EMAIL */ #ifdef GEN_DNS case GEN_DNS: { #if OPENSSL_VERSION_NUMBER >= 0x10100000L char const *dNSName = (char const *)ASN1_STRING_get0_data(name->d.dNSName); #else char *dNSName = (char *)ASN1_STRING_data(name->d.dNSName); #endif CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_DNS, attr_index, dNSName); break; } #endif /* GEN_DNS */ #ifdef GEN_OTHERNAME case GEN_OTHERNAME: /* look for a MS UPN */ if (NID_ms_upn != OBJ_obj2nid(name->d.otherName->type_id)) break; /* we've got a UPN - Must be ASN1-encoded UTF8 string */ if (name->d.otherName->value->type == V_ASN1_UTF8STRING) { CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_UPN, attr_index, (char *)name->d.otherName->value->value.utf8string); break; } RWARN("Invalid UPN in Subject Alt Name (should be UTF-8)"); break; #endif /* GEN_OTHERNAME */ default: /* XXX TODO handle other SAN types */ break; } } } if (names != NULL) GENERAL_NAMES_free(names); } /* * Only add extensions for the actual client certificate */ if (attr_index == 0) { #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ext_list = X509_get0_extensions(cert); #else ext_list = cert->cert_info->extensions; #endif /* * Grab the X509 extensions, and create attributes out of them. * For laziness, we re-use the OpenSSL names */ if (sk_X509_EXTENSION_num(ext_list) > 0) { int i, len; char *p; BIO *out; out = BIO_new(BIO_s_mem()); strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute)); for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) { char value[1024]; ASN1_OBJECT *obj; X509_EXTENSION *ext; fr_dict_attr_t const *da; ext = sk_X509_EXTENSION_value(ext_list, i); obj = X509_EXTENSION_get_object(ext); i2a_ASN1_OBJECT(out, obj); len = BIO_read(out, attribute + 16 , sizeof(attribute) - 16 - 1); if (len <= 0) continue; attribute[16 + len] = '\0'; for (p = attribute + 16; *p != '\0'; p++) if (*p == ' ') *p = '-'; X509V3_EXT_print(out, ext, 0, 0); len = BIO_read(out, value , sizeof(value) - 1); if (len <= 0) continue; value[len] = '\0'; da = fr_dict_attr_by_name(dict_freeradius, attribute); if (!da) { RWDEBUG3("Skipping attribute %s: " "Add dictionary definition if you want to access it", attribute); continue; } MEM(vp = fr_pair_afrom_da(request, da)); if (fr_pair_value_from_str(vp, value, -1, '\0', true) < 0) { RPWDEBUG3("Skipping: %s += '%s'", attribute, value); talloc_free(vp); continue; } fr_cursor_append(cursor, vp); } BIO_free_all(out); } } return 0; }
int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long cflag) { long l; int i; EVP_PKEY *pkey; STACK_OF(X509_EXTENSION) *exts; char mlch = ' '; int nmindent = 0; if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; } if (nmflags == X509_FLAG_COMPAT) nmindent = 16; if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate Request:\n", 21) <= 0) goto err; if (BIO_write(bp, " Data:\n", 10) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_REQ_get_version(x); if (l >= 0 && l <= 2) { if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0) goto err; } else { if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0) goto err; } } if (!(cflag & X509_FLAG_NO_SUBJECT)) { if (BIO_printf(bp, " Subject:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, X509_REQ_get_subject_name(x), nmindent, nmflags) < 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_PUBKEY)) { X509_PUBKEY *xpkey; ASN1_OBJECT *koid; if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0) goto err; if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) goto err; xpkey = X509_REQ_get_X509_PUBKEY(x); X509_PUBKEY_get0_param(&koid, NULL, NULL, NULL, xpkey); if (i2a_ASN1_OBJECT(bp, koid) <= 0) goto err; if (BIO_puts(bp, "\n") <= 0) goto err; pkey = X509_REQ_get0_pubkey(x); if (pkey == NULL) { if (BIO_printf(bp, "%12sUnable to load Public Key\n", "") <= 0) goto err; ERR_print_errors(bp); } else { if (EVP_PKEY_print_public(bp, pkey, 16, NULL) <= 0) goto err; } } if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) { /* may not be */ if (BIO_printf(bp, "%8sAttributes:\n", "") <= 0) goto err; if (X509_REQ_get_attr_count(x) == 0) { if (BIO_printf(bp, "%12sa0:00\n", "") <= 0) goto err; } else { for (i = 0; i < X509_REQ_get_attr_count(x); i++) { ASN1_TYPE *at; X509_ATTRIBUTE *a; ASN1_BIT_STRING *bs = NULL; ASN1_OBJECT *aobj; int j, type = 0, count = 1, ii = 0; a = X509_REQ_get_attr(x, i); aobj = X509_ATTRIBUTE_get0_object(a); if (X509_REQ_extension_nid(OBJ_obj2nid(aobj))) continue; if (BIO_printf(bp, "%12s", "") <= 0) goto err; if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) { ii = 0; count = X509_ATTRIBUTE_count(a); get_next: at = X509_ATTRIBUTE_get0_type(a, ii); type = at->type; bs = at->value.asn1_string; } for (j = 25 - j; j > 0; j--) if (BIO_write(bp, " ", 1) != 1) goto err; if (BIO_puts(bp, ":") <= 0) goto err; switch (type) { case V_ASN1_PRINTABLESTRING: case V_ASN1_T61STRING: case V_ASN1_NUMERICSTRING: case V_ASN1_UTF8STRING: case V_ASN1_IA5STRING: if (BIO_write(bp, (char *)bs->data, bs->length) != bs->length) goto err; if (BIO_puts(bp, "\n") <= 0) goto err; break; default: if (BIO_puts(bp, "unable to print attribute\n") <= 0) goto err; break; } if (++ii < count) goto get_next; } } } if (!(cflag & X509_FLAG_NO_EXTENSIONS)) { exts = X509_REQ_get_extensions(x); if (exts) { if (BIO_printf(bp, "%8sRequested Extensions:\n", "") <= 0) goto err; for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { ASN1_OBJECT *obj; X509_EXTENSION *ex; int critical; ex = sk_X509_EXTENSION_value(exts, i); if (BIO_printf(bp, "%12s", "") <= 0) goto err; obj = X509_EXTENSION_get_object(ex); if (i2a_ASN1_OBJECT(bp, obj) <= 0) goto err; critical = X509_EXTENSION_get_critical(ex); if (BIO_printf(bp, ": %s\n", critical ? "critical" : "") <= 0) goto err; if (!X509V3_EXT_print(bp, ex, cflag, 16)) { if (BIO_printf(bp, "%16s", "") <= 0 || ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex)) <= 0) goto err; } if (BIO_write(bp, "\n", 1) <= 0) goto err; } sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); } } if (!(cflag & X509_FLAG_NO_SIGDUMP)) { const X509_ALGOR *sig_alg; const ASN1_BIT_STRING *sig; X509_REQ_get0_signature(x, &sig, &sig_alg); if (!X509_signature_print(bp, sig_alg, sig)) goto err; } return 1; err: X509err(X509_F_X509_REQ_PRINT_EX, ERR_R_BUF_LIB); return 0; }