static int check_hostname(X509 *cert, const char *hostname) { int ret, i; X509_NAME *subject; ASN1_STRING *name; /* check by subject */ ret = check_alt_names(cert, hostname); if (ret >= 0) return ret; /* check by common name (old method) */ subject= X509_get_subject_name(cert); if (!subject) return 0; i = -1; while (X509_NAME_get_index_by_NID(subject, NID_commonName, i) >=0) i = X509_NAME_get_index_by_NID(subject, NID_commonName, i); if (i < 0) return 0; name = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i)); if (!name) return 0; return check_name_match(name, hostname); }
void OpenSSLCertificate::parse() { if (!cert) { return; } // Subject name X509_NAME* subjectName = X509_get_subject_name(cert.get()); if (subjectName) { // Subject name ByteArray subjectNameData; subjectNameData.resize(256); X509_NAME_oneline(X509_get_subject_name(cert.get()), reinterpret_cast<char*>(subjectNameData.getData()), subjectNameData.getSize()); this->subjectName = std::string(reinterpret_cast<const char*>(subjectNameData.getData())); // Common name int cnLoc = X509_NAME_get_index_by_NID(subjectName, NID_commonName, -1); while (cnLoc != -1) { X509_NAME_ENTRY* cnEntry = X509_NAME_get_entry(subjectName, cnLoc); ASN1_STRING* cnData = X509_NAME_ENTRY_get_data(cnEntry); commonNames.push_back(ByteArray(cnData->data, cnData->length).toString()); cnLoc = X509_NAME_get_index_by_NID(subjectName, NID_commonName, cnLoc); } } // subjectAltNames int subjectAltNameLoc = X509_get_ext_by_NID(cert.get(), NID_subject_alt_name, -1); if(subjectAltNameLoc != -1) { X509_EXTENSION* extension = X509_get_ext(cert.get(), subjectAltNameLoc); boost::shared_ptr<GENERAL_NAMES> generalNames(reinterpret_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(extension)), GENERAL_NAMES_free); boost::shared_ptr<ASN1_OBJECT> xmppAddrObject(OBJ_txt2obj(ID_ON_XMPPADDR_OID, 1), ASN1_OBJECT_free); boost::shared_ptr<ASN1_OBJECT> dnsSRVObject(OBJ_txt2obj(ID_ON_DNSSRV_OID, 1), ASN1_OBJECT_free); for (int i = 0; i < sk_GENERAL_NAME_num(generalNames.get()); ++i) { GENERAL_NAME* generalName = sk_GENERAL_NAME_value(generalNames.get(), i); if (generalName->type == GEN_OTHERNAME) { OTHERNAME* otherName = generalName->d.otherName; if (OBJ_cmp(otherName->type_id, xmppAddrObject.get()) == 0) { // XmppAddr if (otherName->value->type != V_ASN1_UTF8STRING) { continue; } ASN1_UTF8STRING* xmppAddrValue = otherName->value->value.utf8string; addXMPPAddress(ByteArray(ASN1_STRING_data(xmppAddrValue), ASN1_STRING_length(xmppAddrValue)).toString()); } else if (OBJ_cmp(otherName->type_id, dnsSRVObject.get()) == 0) { // SRVName if (otherName->value->type != V_ASN1_IA5STRING) { continue; } ASN1_IA5STRING* srvNameValue = otherName->value->value.ia5string; addSRVName(ByteArray(ASN1_STRING_data(srvNameValue), ASN1_STRING_length(srvNameValue)).toString()); } } else if (generalName->type == GEN_DNS) { // DNSName addDNSName(ByteArray(ASN1_STRING_data(generalName->d.dNSName), ASN1_STRING_length(generalName->d.dNSName)).toString()); } } } }
int eventer_ssl_get_local_commonname(eventer_ssl_ctx_t *ctx, char *buff, int len) { char *out = NULL; X509_NAME *name; X509 *cert = SSL_get_certificate(ctx->ssl); if(cert == NULL) return -1; name = X509_get_subject_name(cert); if(name) { int pos; if(-1 != (pos = X509_NAME_get_index_by_NID(name, NID_commonName, -1))) { X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, pos); if(entry) { ASN1_STRING *entryData = X509_NAME_ENTRY_get_data( entry ); unsigned char *utf8; int length = ASN1_STRING_to_UTF8( &utf8, entryData ); strlcpy(buff, (const char *)utf8, MIN(length+1,len)); out = buff; OPENSSL_free( utf8 ); } } } X509_free(cert); if(out) return strlen(out); return -1; }
static int matches_common_name(const char *hostname, const X509 *server_cert) { int common_name_loc = -1; X509_NAME_ENTRY *common_name_entry = 0; ASN1_STRING *common_name_asn1 = 0; char *common_name_str = 0; common_name_loc = X509_NAME_get_index_by_NID(X509_get_subject_name( (X509 *) server_cert), NID_commonName, -1); if (common_name_loc < 0) { return Error; } common_name_entry = X509_NAME_get_entry( X509_get_subject_name( (X509 *) server_cert), common_name_loc); if (!common_name_entry) { return Error; } common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry); if (!common_name_asn1) { return Error; } common_name_str = (char *) ASN1_STRING_data(common_name_asn1); if (ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) { return MalformedCertificate; } if (!strcasecmp(hostname, common_name_str)) { return MatchFound; } else { return MatchNotFound; } }
static inline int tls_check_host(X509 *cert, const char *hostname) { char common_name[256] = ""; X509_NAME *xname = X509_get_subject_name(cert); X509_NAME_ENTRY *xentry; ASN1_STRING *sdata; int i, j; int ret; ret = X509_NAME_get_text_by_NID(xname, NID_commonName, common_name, sizeof(common_name)); if (ret < 1 || (size_t)ret >= (sizeof(common_name)-1)) return SHOUTERR_TLSBADCERT; if (!tls_check_pattern(hostname, common_name)) return SHOUTERR_TLSBADCERT; /* check for inlined \0, see https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike */ for (i = -1; ; i = j) { j = X509_NAME_get_index_by_NID(xname, NID_commonName, i); if (j == -1) break; } xentry = X509_NAME_get_entry(xname, i); sdata = X509_NAME_ENTRY_get_data(xentry); if ((size_t)ASN1_STRING_length(sdata) != strlen(common_name)) return SHOUTERR_TLSBADCERT; return SHOUTERR_SUCCESS; }
char* crypto_cert_subject_common_name(X509* xcert, int* length) { int index; uint8* common_name; X509_NAME* subject_name; X509_NAME_ENTRY* entry; ASN1_STRING* entry_data; subject_name = X509_get_subject_name(xcert); if (subject_name == NULL) return NULL; index = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1); if (index < 0) return NULL; entry = X509_NAME_get_entry(subject_name, index); if (entry == NULL) return NULL; entry_data = X509_NAME_ENTRY_get_data(entry); if (entry_data == NULL) return NULL; *length = ASN1_STRING_to_UTF8(&common_name, entry_data); if (*length < 0) return NULL; return (char*) common_name; }
static char * get_peer_common_name(const struct ssl_stream *sslv) { X509 *peer_cert = SSL_get_peer_certificate(sslv->ssl); if (!peer_cert) { return NULL; } int cn_index = X509_NAME_get_index_by_NID(X509_get_subject_name(peer_cert), NID_commonName, -1); if (cn_index < 0) { return NULL; } X509_NAME_ENTRY *cn_entry = X509_NAME_get_entry( X509_get_subject_name(peer_cert), cn_index); if (!cn_entry) { return NULL; } ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(cn_entry); if (!cn_data) { return NULL; } const char *cn; #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER) /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */ cn = (const char *)ASN1_STRING_data(cn_data); #else cn = (const char *)ASN1_STRING_get0_data(cn_data); #endif return xstrdup(cn); }
/** * Converts individual X.509 subject entry to string. * * @param ln Long name of the requested entry (see openssl/objects.h) * @return subject name entry converted to string. * @throws IOException exception is throws if the conversion failed. */ std::string digidoc::X509Cert::getSubjectInfo(const std::string& ln) const throw(IOException) { X509_NAME* name = X509_get_subject_name(cert); if(name == NULL) { THROW_IOEXCEPTION("Failed to convert X.509 certificate subject: %s", ERR_reason_error_string(ERR_get_error())); } int idx = X509_NAME_get_index_by_NID(name, OBJ_ln2nid(ln.c_str()), -1); if(idx < 0) { THROW_IOEXCEPTION("Failed to retrieve X.509 certificate info: field '%s' not found", ln.c_str()); } X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, idx); if(!entry) { THROW_IOEXCEPTION("Failed to convert X.509 certificate field: %s", ERR_reason_error_string(ERR_get_error())); } ASN1_STRING *asnstr = X509_NAME_ENTRY_get_data(entry); unsigned char *data = NULL; int len = ASN1_STRING_to_UTF8(&data, asnstr); if(len < 0) { THROW_IOEXCEPTION("Failed to convert X.509 certificate field: %s", ERR_reason_error_string(ERR_get_error())); } std::string result(reinterpret_cast<const char *>(data)); OPENSSL_free(data); return result; }
static int get_comp(str* res, int local, int issuer, int nid, sip_msg_t* msg) { static char buf[1024]; X509* cert; struct tcp_connection* c; X509_NAME* name; X509_NAME_ENTRY* e; ASN1_STRING* asn1; int index, text_len; char* elem; unsigned char* text_s; text_s = 0; if (get_cert(&cert, &c, msg, local) < 0) return -1; name = issuer ? X509_get_issuer_name(cert) : X509_get_subject_name(cert); if (!name) { ERR("Cannot extract subject or issuer name from peer certificate\n"); goto err; } index = X509_NAME_get_index_by_NID(name, nid, -1); if (index == -1) { switch(nid) { case NID_commonName: elem = "CommonName"; break; case NID_organizationName: elem = "OrganizationName"; break; case NID_organizationalUnitName: elem = "OrganizationalUnitUname"; break; case NID_countryName: elem = "CountryName"; break; case NID_stateOrProvinceName: elem = "StateOrProvinceName"; break; case NID_localityName: elem = "LocalityName"; break; case NID_userId: elem = "UserID"; break; default: elem = "Unknown"; break; } DBG("Element %s not found in certificate subject/issuer\n", elem); goto err; } e = X509_NAME_get_entry(name, index); asn1 = X509_NAME_ENTRY_get_data(e); text_len = ASN1_STRING_to_UTF8(&text_s, asn1); if (text_len < 0 || text_len >= 1024) { ERR("Error converting ASN1 string\n"); goto err; } memcpy(buf, text_s, text_len); res->s = buf; res->len = text_len; OPENSSL_free(text_s); if (!local) X509_free(cert); tcpconn_put(c); return 0; err: if (text_s) OPENSSL_free(text_s); if (!local) X509_free(cert); tcpconn_put(c); return -1; }
std::string genCommonName(X509* cert) { if (cert == nullptr) { return ""; } auto subject_name = X509_get_subject_name(cert); if (subject_name == nullptr) { return ""; } auto nid = OBJ_txt2nid("CN"); auto index = X509_NAME_get_index_by_NID(subject_name, nid, -1); if (index == -1) { return ""; } auto commonNameEntry = X509_NAME_get_entry(subject_name, index); if (commonNameEntry == nullptr) { return ""; } auto commonNameData = X509_NAME_ENTRY_get_data(commonNameEntry); auto data = ASN1_STRING_data(commonNameData); return std::string(reinterpret_cast<char*>(data)); }
/* * Returns specified field of specified X509_NAME structure * * Common part of ssl_client_dn and ssl_issuer_dn functions. * * Parameter: X509_NAME *name - either subject or issuer of certificate * Parameter: text fieldName - field name string like 'CN' or commonName * to be looked up in the OpenSSL ASN1 OID database * * Returns result of ASN1_STRING_to_text applied to appropriate * part of name */ Datum X509_NAME_field_to_text(X509_NAME *name, text *fieldName) { char *sp; char *string_fieldname; char *dp; size_t name_len = VARSIZE(fieldName) - VARHDRSZ; int nid, index, i; ASN1_STRING *data; string_fieldname = palloc(name_len + 1); sp = VARDATA(fieldName); dp = string_fieldname; for (i = 0; i < name_len; i++) *dp++ = *sp++; *dp = '\0'; nid = OBJ_txt2nid(string_fieldname); if (nid == NID_undef) ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE), errmsg("invalid X.509 field name: \"%s\"", string_fieldname))); pfree(string_fieldname); index = X509_NAME_get_index_by_NID(name, nid, -1); if (index < 0) return (Datum) 0; data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, index)); return ASN1_STRING_to_text(data); }
std::string genCommonName(X509* cert) { if (cert == nullptr) { return ""; } X509_NAME* subject_name = nullptr; OSX_OPENSSL(subject_name = X509_get_subject_name(cert)); if (subject_name == nullptr) { return ""; } int nid = 0; OSX_OPENSSL(nid = OBJ_txt2nid("CN")); int index = 0; OSX_OPENSSL(index = X509_NAME_get_index_by_NID(subject_name, nid, -1)); if (index == -1) { return ""; } X509_NAME_ENTRY* commonNameEntry = nullptr; OSX_OPENSSL(commonNameEntry = X509_NAME_get_entry(subject_name, index)); if (commonNameEntry == nullptr) { return ""; } ASN1_STRING* commonNameData = nullptr; OSX_OPENSSL(commonNameData = X509_NAME_ENTRY_get_data(commonNameEntry)); unsigned char* data = nullptr; OSX_OPENSSL(data = ASN1_STRING_data(commonNameData)); return std::string(reinterpret_cast<char*>(data)); }
/* * For each name in the cert. Iterate them. Call the callback. If one returns true, then consider it validated, * if none of them return true, the cert is considered invalid. */ static uint8_t s2n_verify_host_information(struct s2n_x509_validator *validator, struct s2n_connection *conn, X509 *public_cert) { uint8_t verified = 0; uint8_t san_found = 0; /* Check SubjectAltNames before CommonName as per RFC 6125 6.4.4 */ STACK_OF(GENERAL_NAME) *names_list = X509_get_ext_d2i(public_cert, NID_subject_alt_name, NULL, NULL); int n = sk_GENERAL_NAME_num(names_list); for (int i = 0; i < n && !verified; i++) { GENERAL_NAME *current_name = sk_GENERAL_NAME_value(names_list, i); if (current_name->type == GEN_DNS) { san_found = 1; const char *name = (const char *) ASN1_STRING_data(current_name->d.ia5); size_t name_len = (size_t) ASN1_STRING_length(current_name->d.ia5); verified = conn->verify_host_fn(name, name_len, conn->data_for_verify_host); } } GENERAL_NAMES_free(names_list); /* if no SubjectAltNames of type DNS found, go to the common name. */ if (!san_found) { X509_NAME *subject_name = X509_get_subject_name(public_cert); if (subject_name) { int next_idx = 0, curr_idx = -1; while ((next_idx = X509_NAME_get_index_by_NID(subject_name, NID_commonName, curr_idx)) >= 0) { curr_idx = next_idx; } if (curr_idx >= 0) { ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, curr_idx)); if (common_name) { char peer_cn[255]; static size_t peer_cn_size = sizeof(peer_cn); memset_check(&peer_cn, 0, peer_cn_size); // X520CommonName allows the following ANSI string types per RFC 5280 Appendix A.1 if (ASN1_STRING_type(common_name) == V_ASN1_TELETEXSTRING || ASN1_STRING_type(common_name) == V_ASN1_PRINTABLESTRING || ASN1_STRING_type(common_name) == V_ASN1_UNIVERSALSTRING || ASN1_STRING_type(common_name) == V_ASN1_UTF8STRING || ASN1_STRING_type(common_name) == V_ASN1_BMPSTRING ) { size_t len = (size_t) ASN1_STRING_length(common_name); lte_check(len, sizeof(peer_cn) - 1); memcpy_check(peer_cn, ASN1_STRING_data(common_name), len); verified = conn->verify_host_fn(peer_cn, len, conn->data_for_verify_host); } } } } } return verified; }
static int amqp_ssl_socket_verify_hostname(void *base, const char *host) { struct amqp_ssl_socket_t *self = (struct amqp_ssl_socket_t *)base; unsigned char *utf8_value = NULL, *cp, ch; int pos, utf8_length, status = 0; ASN1_STRING *entry_string; X509_NAME_ENTRY *entry; X509_NAME *name; X509 *peer; peer = SSL_get_peer_certificate(self->ssl); if (!peer) { goto error; } name = X509_get_subject_name(peer); if (!name) { goto error; } pos = X509_NAME_get_index_by_NID(name, NID_commonName, -1); if (0 > pos) { goto error; } entry = X509_NAME_get_entry(name, pos); if (!entry) { goto error; } entry_string = X509_NAME_ENTRY_get_data(entry); if (!entry_string) { goto error; } utf8_length = ASN1_STRING_to_UTF8(&utf8_value, entry_string); if (0 > utf8_length) { goto error; } while (utf8_length > 0 && utf8_value[utf8_length - 1] == 0) { --utf8_length; } if (utf8_length >= 256) { goto error; } if ((size_t)utf8_length != strlen((char *)utf8_value)) { goto error; } for (cp = utf8_value; (ch = *cp) != '\0'; ++cp) { if (isascii(ch) && !isprint(ch)) { goto error; } } if (!amqp_hostcheck((char *)utf8_value, host)) { goto error; } exit: OPENSSL_free(utf8_value); return status; error: status = -1; goto exit; }
/* check the identity in a certificate against a hostname */ RD_BOOL crypto_cert_verify_peer_identity(CryptoCert cert, const char * peer) { X509_NAME *subject_name = NULL; X509_NAME_ENTRY *entry = NULL; ASN1_STRING *asn1str = NULL; //GENERAL_NAMES *subjectAltNames = NULL; unsigned char *ustr = NULL; char *str = NULL; int i, len; #if 0 /* Check cert for subjectAltName extensions */ /* things to check: ipv4/ipv6 address, hostname in normal form and in DC= form */ i = -1; for (;;) { subjectAltNames = X509_get_ext_d2i(cert->px509, NID_subject_alt_name, NULL, NULL); if (ext == NULL) break; }n /* Check against ip address of server */ #endif /* Check commonName */ subject_name = X509_get_subject_name(cert->px509); if (!subject_name) { printf("crypto_cert_verify_peer_identity: failed to get subject name\n"); goto exit; } /* try to find a common name that matches the peer hostname */ /* TODO: cn migth also be in DC=www,DC=redhat,DC=com format? */ i = -1; for (;;) { entry = NULL; i = X509_NAME_get_index_by_NID(subject_name, NID_commonName, i); if (i == -1) break; entry = X509_NAME_get_entry(subject_name, i); asn1str = X509_NAME_ENTRY_get_data(entry); len = ASN1_STRING_to_UTF8(&ustr, asn1str); str = (char *)ustr; if (strcmp(str, peer) == 0) break; /* found a match */ } if (!entry) { printf("crypto_cert_verify_peer_identity: certificate belongs to %s, " "but connection is to %s\n", str ? str : "unknown id", peer); return False; } exit: return True; }
void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) { X509_NAME *x509_name = X509_get_subject_name (x509); const char nullc = '\0'; int i; while (xt) { if (depth == 0 || (xt->flags & XT_FULL_CHAIN)) { i = X509_NAME_get_index_by_NID(x509_name, xt->nid, -1); if (i >= 0) { X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i); if (ent) { ASN1_STRING *val = X509_NAME_ENTRY_get_data (ent); unsigned char *buf; buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ if (ASN1_STRING_to_UTF8 (&buf, val) > 0) { do_setenv_x509(es, xt->name, (char *)buf, depth); OPENSSL_free (buf); } } } else { i = X509_get_ext_by_NID(x509, xt->nid, -1); if (i >= 0) { X509_EXTENSION *ext = X509_get_ext(x509, i); if (ext) { BIO *bio = BIO_new(BIO_s_mem()); if (bio) { if (X509V3_EXT_print(bio, ext, 0, 0)) { if (BIO_write(bio, &nullc, 1) == 1) { char *str; BIO_get_mem_data(bio, &str); do_setenv_x509(es, xt->name, str, depth); } } BIO_free(bio); } } } } } xt = xt->next; } }
static char *__apn_cert_entry_value_string_by_nib(X509_NAME *name, const char * const nid_str) { int nid = OBJ_txt2nid(nid_str); int index = X509_NAME_get_index_by_NID(name, nid, -1); if(index != -1) { X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, index); const unsigned char *entry_value = ASN1_STRING_data(X509_NAME_ENTRY_get_data(entry)); if(entry_value) { return apn_strndup((const char *)entry_value, strlen((const char *)entry_value)); } } return NULL; }
void genCommonName(X509* cert, std::string& subject, std::string& common_name, std::string& issuer) { if (cert == nullptr) { return; } { X509_NAME* issuerName = X509_get_issuer_name(cert); if (issuerName != nullptr) { // Generate the string representation of the issuer. char* issuerBytes = X509_NAME_oneline(issuerName, nullptr, 0); if (issuerBytes != nullptr) { issuer = std::string(issuerBytes); OPENSSL_free(issuerBytes); } } } X509_NAME* subjectName = X509_get_subject_name(cert); if (subjectName == nullptr) { return; } { // Generate the string representation of the subject. char* subjectBytes = X509_NAME_oneline(subjectName, nullptr, 0); if (subjectBytes != nullptr) { subject = std::string(subjectBytes); OPENSSL_free(subjectBytes); } } int nid = OBJ_txt2nid("CN"); int index = X509_NAME_get_index_by_NID(subjectName, nid, -1); if (index == -1) { return; } X509_NAME_ENTRY* commonNameEntry = X509_NAME_get_entry(subjectName, index); if (commonNameEntry == nullptr) { return; } ASN1_STRING* commonNameData = X509_NAME_ENTRY_get_data(commonNameEntry); unsigned char* data = ASN1_STRING_data(commonNameData); common_name = std::string(reinterpret_cast<char*>(data)); }
/* Server certificate name check, logic adapted from libcurl */ static int _SSL_check_server_cert(SSL *ssl, const char *hostname) { X509 *cert; X509_NAME *subject; const GENERAL_NAME *altname; STACK_OF(GENERAL_NAME) *altnames; ASN1_STRING *tmp; int i, n, match = -1; const char *p; if (SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE || (cert = SSL_get_peer_certificate(ssl)) == NULL) { return (1); } /* Check subjectAltName */ if ((altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL)) != NULL) { n = sk_GENERAL_NAME_num(altnames); for (i = 0; i < n && match != 1; i++) { altname = sk_GENERAL_NAME_value(altnames, i); p = (char *)ASN1_STRING_data(altname->d.ia5); if (altname->type == GEN_DNS) { match = (ASN1_STRING_length(altname->d.ia5) == strlen(p) && match_pattern(hostname, p)); } } GENERAL_NAMES_free(altnames); } /* No subjectAltName, try CN */ if (match == -1 && (subject = X509_get_subject_name(cert)) != NULL) { for (i = -1; (n = X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0; ) { i = n; } if (i >= 0) { if ((tmp = X509_NAME_ENTRY_get_data( X509_NAME_get_entry(subject, i))) != NULL && ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) { p = (char *)ASN1_STRING_data(tmp); match = (ASN1_STRING_length(tmp) == strlen(p) && match_pattern(hostname, p)); } } } X509_free(cert); return (match > 0); }
std::string Certificate::GetCommonName() const { if(!ssl_cert) return ""; X509_NAME *subject; int pos; X509_NAME_ENTRY *entry; ASN1_STRING *entry_str; int len; unsigned char *utf; std::string output; subject = X509_get_subject_name(ssl_cert); pos = X509_NAME_get_index_by_NID(subject, NID_commonName, -1); if (pos < 0) return ""; if (X509_NAME_get_index_by_NID(subject, NID_commonName, pos) >= 0) return ""; if ((entry = X509_NAME_get_entry(subject, pos)) == 0) throw BadCertificate("Unable to get common name"); if ((entry_str = X509_NAME_ENTRY_get_data(entry)) == 0) throw BadCertificate("Unable to get common name"); /* Canonicalize to UTF-8 and validate */ len = ASN1_STRING_to_UTF8(&utf, entry_str); output = TypToStr(utf); if(utf) OPENSSL_free(utf); return output; }
static char *extract_cn(X509_NAME *subj) { int nid; int index; ASN1_STRING *d; X509_NAME_ENTRY *e; nid=OBJ_txt2nid("CN"); if((index=X509_NAME_get_index_by_NID(subj, nid, -1))<0 || !(e=X509_NAME_get_entry(subj, index)) || !(d=X509_NAME_ENTRY_get_data(e))) return NULL; return (char *)ASN1_STRING_data(d); }
/* Loop through all the common name entries until we find a match or * an error occurs. */ int check_subject_cn(X509 *cert, const char *manager) { X509_NAME *name = NULL; int result = VERIFY_FALSE; int i = 0; if ((name = X509_get_subject_name(cert))) { while ((i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0 && result == VERIFY_FALSE) { X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i); result = check_hostname(X509_NAME_ENTRY_get_data(ne), manager); } } return result; }
const char* pn_ssl_get_remote_subject_subfield(pn_ssl_t *ssl0, pn_ssl_cert_subject_subfield field) { int openssl_field = 0; // Assign openssl internal representations of field values to openssl_field switch (field) { case PN_SSL_CERT_SUBJECT_COUNTRY_NAME : openssl_field = NID_countryName; break; case PN_SSL_CERT_SUBJECT_STATE_OR_PROVINCE : openssl_field = NID_stateOrProvinceName; break; case PN_SSL_CERT_SUBJECT_CITY_OR_LOCALITY : openssl_field = NID_localityName; break; case PN_SSL_CERT_SUBJECT_ORGANIZATION_NAME : openssl_field = NID_organizationName; break; case PN_SSL_CERT_SUBJECT_ORGANIZATION_UNIT : openssl_field = NID_organizationalUnitName; break; case PN_SSL_CERT_SUBJECT_COMMON_NAME : openssl_field = NID_commonName; break; default: ssl_log_error("Unknown or unhandled certificate subject subfield %i \n", field); return NULL; } pni_ssl_t *ssl = get_ssl_internal(ssl0); X509 *cert = get_peer_certificate(ssl); X509_NAME *subject_name = X509_get_subject_name(cert); // TODO (gmurthy) - A server side cert subject field can have more than one common name like this - Subject: CN=www.domain1.com, CN=www.domain2.com, see https://bugzilla.mozilla.org/show_bug.cgi?id=380656 // For now, we will only return the first common name if there is more than one common name in the cert int index = X509_NAME_get_index_by_NID(subject_name, openssl_field, -1); if (index > -1) { X509_NAME_ENTRY *ne = X509_NAME_get_entry(subject_name, index); if(ne) { ASN1_STRING *name_asn1 = X509_NAME_ENTRY_get_data(ne); return (char *) name_asn1->data; } } return NULL; }
/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */ BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids) { STACK_OF(GENERAL_NAME) *names; BIO *bio; X509_NAME *subj; char **cpp; int i, n; if (!x509 || !(*ids = apr_array_make(p, 0, sizeof(char *)))) { *ids = NULL; return FALSE; } /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */ if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)) && (bio = BIO_new(BIO_s_mem()))) { GENERAL_NAME *name; for (i = 0; i < sk_GENERAL_NAME_num(names); i++) { name = sk_GENERAL_NAME_value(names, i); if (name->type == GEN_DNS) { ASN1_STRING_print_ex(bio, name->d.ia5, ASN1_STRFLGS_ESC_CTRL| ASN1_STRFLGS_UTF8_CONVERT); n = BIO_pending(bio); if (n > 0) { cpp = (char **)apr_array_push(*ids); *cpp = apr_palloc(p, n+1); n = BIO_read(bio, *cpp, n); (*cpp)[n] = NUL; } } } BIO_free(bio); } if (names) sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); /* Second, the CN-IDs (commonName attributes in the subject DN) */ subj = X509_get_subject_name(x509); i = -1; while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) { cpp = (char **)apr_array_push(*ids); *cpp = SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i)); } return apr_is_empty_array(*ids) ? FALSE : TRUE; }
/* * 这个类呢,是用来实现和 JACK 实现的那个 AVROUTER 对接的。也就是 JACK 版本的 AV NETWORK SERVICE PROVIDER */ void avjackif::set_pki(boost::shared_ptr<RSA> _key, boost::shared_ptr<X509> cert) { _rsa = _key; _x509 = cert; unsigned char * CN = NULL; auto cert_name = X509_get_subject_name(cert.get()); auto cert_entry = X509_NAME_get_entry(cert_name, X509_NAME_get_index_by_NID(cert_name, NID_commonName, 0) ); ASN1_STRING *entryData = X509_NAME_ENTRY_get_data( cert_entry ); auto strlengh = ASN1_STRING_to_UTF8(&CN, entryData); printf("%s\n",CN); std::string commonname((char*)CN, strlengh); m_local_addr.reset(new proto::avAddress(av_address_from_string(commonname))); OPENSSL_free(CN); }
static const char *get_cname(X509 *cert) { X509_NAME *name; X509_NAME_ENTRY *entry; ASN1_STRING *str; int cn_idx; name = X509_get_subject_name(cert); if (name == NULL) return ""; cn_idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1); if (cn_idx == -1) return ""; entry = X509_NAME_get_entry(name, cn_idx); i_assert(entry != NULL); str = X509_NAME_ENTRY_get_data(entry); i_assert(str != NULL); return asn1_string_to_c(str); }
static int openssl_xname_get_text(lua_State*L) { X509_NAME* xn = CHECK_OBJECT(1, X509_NAME, "openssl.x509_name"); int nid = openssl_get_nid(L, 2); int lastpos = luaL_optint(L, 3, -1); X509_NAME_ENTRY *e; ASN1_STRING *s; if (nid == NID_undef) return 0; lastpos = X509_NAME_get_index_by_NID(xn, nid, lastpos); if (lastpos == -1) return 0; e = X509_NAME_get_entry(xn, lastpos); s = X509_NAME_ENTRY_get_data(e); lua_pushlstring(L, (const char *)ASN1_STRING_data(s), ASN1_STRING_length(s)); lua_pushinteger(L, lastpos); return 2; };
/* * Extract a field from an X509 subject name. * * Example: * * /C=US/ST=CO/L=Denver/O=ORG/CN=First-CN/CN=Test-CA/[email protected] * * The common name is 'Test-CA' * * Return true on success, false on error (insufficient buffer size in 'out' * to contain result is grounds for error). */ static result_t extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size) { int lastpos = -1; int tmp = -1; X509_NAME_ENTRY *x509ne = 0; ASN1_STRING *asn1 = 0; unsigned char *buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */ int nid = OBJ_txt2nid((char *)field_name); ASSERT (size > 0); *out = '\0'; do { lastpos = tmp; tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos); } while (tmp > -1); /* Nothing found */ if (lastpos == -1) return FAILURE; x509ne = X509_NAME_get_entry(x509, lastpos); if (!x509ne) return FAILURE; asn1 = X509_NAME_ENTRY_get_data(x509ne); if (!asn1) return FAILURE; tmp = ASN1_STRING_to_UTF8(&buf, asn1); if (tmp <= 0) return FAILURE; strncpynt(out, (char *)buf, size); { const result_t ret = (strlen ((char *)buf) < size) ? SUCCESS: FAILURE; OPENSSL_free (buf); return ret; } }
/* Get the UID field from the certificate subject name. * The certificate is looked up using the socket of the connection. * * Return value: Pointer to the uid string or NULL if not found */ char *ssl_getuid(int sock) { int idx; X509 *cert; X509_NAME *subj; ASN1_STRING *name; if (!(cert = ssl_getcert(sock))) return NULL; /* Get the subject name */ if (!(subj = X509_get_subject_name(cert))) return NULL; /* Get the first UID */ idx = X509_NAME_get_index_by_NID(subj, NID_userId, -1); if (idx == -1) return NULL; name = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subj, idx)); /* Extract the contents, assuming null-terminated ASCII string */ return (char *) ASN1_STRING_data(name); }
bool PeerID::Certificate::checkCommonNames( const std::function<bool(char const*, std::size_t)> func) const { X509_NAME* name = X509_get_subject_name(x509_); int i = -1; ASN1_STRING* commonName = 0; while ((i = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0) { X509_NAME_ENTRY* nameEntry = X509_NAME_get_entry(name, i); commonName = X509_NAME_ENTRY_get_data(nameEntry); if (commonName && commonName->data && commonName->length) { const char* host = reinterpret_cast<const char*>(commonName->data); std::size_t len = commonName->length; if (func(host, len)) return true; } } return false; }