int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) { long l; int ret = 0, i; char *m = NULL, mlch = ' '; int nmindent = 0; ASN1_INTEGER *bs; EVP_PKEY *pkey = NULL; const char *neg; if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; } if (nmflags == X509_FLAG_COMPAT) nmindent = 16; if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate:\n", 13) <= 0) goto err; if (BIO_write(bp, " Data:\n", 10) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_get_version(x); if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n", "", l + 1, l) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_SERIAL)) { if (BIO_write(bp, " Serial Number:", 22) <= 0) goto err; bs = X509_get_serialNumber(x); if (bs->length <= (int)sizeof(long)) { ERR_set_mark(); l = ASN1_INTEGER_get(bs); ERR_pop_to_mark(); } else { l = -1; } if (l != -1) { if (bs->type == V_ASN1_NEG_INTEGER) { l = -l; neg = "-"; } else neg = ""; if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", neg, l, neg, l) <= 0) goto err; } else { neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) goto err; for (i = 0; i < bs->length; i++) { if (BIO_printf(bp, "%02x%c", bs->data[i], ((i + 1 == bs->length) ? '\n' : ':')) <= 0) goto err; } } } if (!(cflag & X509_FLAG_NO_SIGNAME)) { X509_ALGOR *tsig_alg = X509_get0_tbs_sigalg(x); if (X509_signature_print(bp, tsig_alg, NULL) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_ISSUER)) { if (BIO_printf(bp, " Issuer:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags) < 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_VALIDITY)) { if (BIO_write(bp, " Validity\n", 17) <= 0) goto err; if (BIO_write(bp, " Not Before: ", 24) <= 0) goto err; if (!ASN1_TIME_print(bp, X509_get_notBefore(x))) goto err; if (BIO_write(bp, "\n Not After : ", 25) <= 0) goto err; if (!ASN1_TIME_print(bp, X509_get_notAfter(x))) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_SUBJECT)) { if (BIO_printf(bp, " Subject:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex (bp, X509_get_subject_name(x), nmindent, nmflags) < 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_PUBKEY)) { X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x); ASN1_OBJECT *xpoid; X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey); if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0) goto err; if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) goto err; if (i2a_ASN1_OBJECT(bp, xpoid) <= 0) goto err; if (BIO_puts(bp, "\n") <= 0) goto err; pkey = X509_get_pubkey(x); if (pkey == NULL) { BIO_printf(bp, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bp); } else { EVP_PKEY_print_public(bp, pkey, 16, NULL); EVP_PKEY_free(pkey); } } if (!(cflag & X509_FLAG_NO_IDS)) { ASN1_BIT_STRING *iuid, *suid; X509_get0_uids(&iuid, &suid, x); if (iuid != NULL) { if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0) goto err; if (!X509_signature_dump(bp, iuid, 12)) goto err; } if (suid != NULL) { if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0) goto err; if (!X509_signature_dump(bp, suid, 12)) goto err; } } if (!(cflag & X509_FLAG_NO_EXTENSIONS)) X509V3_extensions_print(bp, "X509v3 extensions", X509_get0_extensions(x), cflag, 8); if (!(cflag & X509_FLAG_NO_SIGDUMP)) { X509_ALGOR *sig_alg; ASN1_BIT_STRING *sig; X509_get0_signature(&sig, &sig_alg, x); if (X509_signature_print(bp, sig_alg, sig) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_AUX)) { if (!X509_aux_print(bp, x, 0)) goto err; } ret = 1; err: OPENSSL_free(m); return (ret); }
/** Extract attributes from an X509 certificate * * @param cursor to copy attributes to. * @param ctx to allocate attributes in. * @param session current TLS session. * @param cert to validate. * @param depth the certificate is in the certificate chain (0 == leaf). * @return * - 0 on success. * - < 0 on failure. */ int tls_session_pairs_from_x509_cert(fr_cursor_t *cursor, TALLOC_CTX *ctx, tls_session_t *session, X509 *cert, int depth) { char buffer[1024]; char attribute[256]; char **identity; int attr_index, loc; #if OPENSSL_VERSION_NUMBER >= 0x10100000L STACK_OF(X509_EXTENSION) const *ext_list = NULL; #else STACK_OF(X509_EXTENSION) *ext_list = NULL; #endif ASN1_INTEGER *sn = NULL; ASN1_TIME *asn_time = NULL; VALUE_PAIR *vp = NULL; REQUEST *request; #define CERT_ATTR_ADD(_attr, _attr_index, _value) tls_session_cert_attr_add(ctx, request, cursor, _attr, _attr_index, _value) attr_index = depth; if (attr_index > 1) attr_index = 1; request = (REQUEST *)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_REQUEST); rad_assert(request != NULL); identity = (char **)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_IDENTITY); if (RDEBUG_ENABLED3) { buffer[0] = '\0'; X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; RDEBUG3("Creating attributes for \"%s\":", buffer[0] ? buffer : "Cert missing subject OID"); } /* * Get the Serial Number */ sn = X509_get_serialNumber(cert); if (sn && ((size_t) sn->length < (sizeof(buffer) / 2))) { char *p = buffer; int i; for (i = 0; i < sn->length; i++) { sprintf(p, "%02x", (unsigned int)sn->data[i]); p += 2; } CERT_ATTR_ADD(IDX_SERIAL, attr_index, buffer); } /* * Get the Expiration Date */ buffer[0] = '\0'; asn_time = X509_get_notAfter(cert); if (identity && asn_time && (asn_time->length < (int)sizeof(buffer))) { time_t expires; /* * Add expiration as a time since the epoch */ if (tls_utils_asn1time_to_epoch(&expires, asn_time) < 0) { RPWDEBUG("Failed parsing certificate expiry time"); } else { vp = CERT_ATTR_ADD(IDX_EXPIRATION, attr_index, NULL); vp->vp_date = expires; } } /* * Get the Subject & Issuer */ buffer[0] = '\0'; X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (identity && buffer[0]) { CERT_ATTR_ADD(IDX_SUBJECT, attr_index, buffer); /* * Get the Common Name, if there is a subject. */ X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (buffer[0]) { CERT_ATTR_ADD(IDX_COMMON_NAME, attr_index, buffer); } } X509_NAME_oneline(X509_get_issuer_name(cert), buffer, sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; if (identity && buffer[0]) { CERT_ATTR_ADD(IDX_ISSUER, attr_index, buffer); } /* * Get the RFC822 Subject Alternative Name */ loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, 0); if (loc >= 0) { X509_EXTENSION *ext = NULL; GENERAL_NAMES *names = NULL; int i; ext = X509_get_ext(cert, loc); if (ext && (names = X509V3_EXT_d2i(ext))) { for (i = 0; i < sk_GENERAL_NAME_num(names); i++) { GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i); switch (name->type) { #ifdef GEN_EMAIL case GEN_EMAIL: { #if OPENSSL_VERSION_NUMBER >= 0x10100000L char const *rfc822Name = (char const *)ASN1_STRING_get0_data(name->d.rfc822Name); #else char *rfc822Name = (char *)ASN1_STRING_data(name->d.rfc822Name); #endif CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_EMAIL, attr_index, rfc822Name); break; } #endif /* GEN_EMAIL */ #ifdef GEN_DNS case GEN_DNS: { #if OPENSSL_VERSION_NUMBER >= 0x10100000L char const *dNSName = (char const *)ASN1_STRING_get0_data(name->d.dNSName); #else char *dNSName = (char *)ASN1_STRING_data(name->d.dNSName); #endif CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_DNS, attr_index, dNSName); break; } #endif /* GEN_DNS */ #ifdef GEN_OTHERNAME case GEN_OTHERNAME: /* look for a MS UPN */ if (NID_ms_upn != OBJ_obj2nid(name->d.otherName->type_id)) break; /* we've got a UPN - Must be ASN1-encoded UTF8 string */ if (name->d.otherName->value->type == V_ASN1_UTF8STRING) { CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_UPN, attr_index, (char *)name->d.otherName->value->value.utf8string); break; } RWARN("Invalid UPN in Subject Alt Name (should be UTF-8)"); break; #endif /* GEN_OTHERNAME */ default: /* XXX TODO handle other SAN types */ break; } } } if (names != NULL) GENERAL_NAMES_free(names); } /* * Only add extensions for the actual client certificate */ if (attr_index == 0) { #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ext_list = X509_get0_extensions(cert); #else ext_list = cert->cert_info->extensions; #endif /* * Grab the X509 extensions, and create attributes out of them. * For laziness, we re-use the OpenSSL names */ if (sk_X509_EXTENSION_num(ext_list) > 0) { int i, len; char *p; BIO *out; out = BIO_new(BIO_s_mem()); strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute)); for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) { char value[1024]; ASN1_OBJECT *obj; X509_EXTENSION *ext; fr_dict_attr_t const *da; ext = sk_X509_EXTENSION_value(ext_list, i); obj = X509_EXTENSION_get_object(ext); i2a_ASN1_OBJECT(out, obj); len = BIO_read(out, attribute + 16 , sizeof(attribute) - 16 - 1); if (len <= 0) continue; attribute[16 + len] = '\0'; for (p = attribute + 16; *p != '\0'; p++) if (*p == ' ') *p = '-'; X509V3_EXT_print(out, ext, 0, 0); len = BIO_read(out, value , sizeof(value) - 1); if (len <= 0) continue; value[len] = '\0'; da = fr_dict_attr_by_name(dict_freeradius, attribute); if (!da) { RWDEBUG3("Skipping attribute %s: " "Add dictionary definition if you want to access it", attribute); continue; } MEM(vp = fr_pair_afrom_da(request, da)); if (fr_pair_value_from_str(vp, value, -1, '\0', true) < 0) { RPWDEBUG3("Skipping: %s += '%s'", attribute, value); talloc_free(vp); continue; } fr_cursor_append(cursor, vp); } BIO_free_all(out); } } return 0; }