diff options
| author | stas <stas@FreeBSD.org> | 2011-09-29 05:23:57 +0000 |
|---|---|---|
| committer | stas <stas@FreeBSD.org> | 2011-09-29 05:23:57 +0000 |
| commit | f6e720bf7e3d09d00d73f389a5dac8efdce0eb8c (patch) | |
| tree | cf5b65423910d126fddaaf04b885d0de3507d692 /crypto/heimdal/lib/hx509/print.c | |
| parent | 51b6601db456e699ea5d4843cbc7239ee92d9c13 (diff) | |
| download | FreeBSD-src-f6e720bf7e3d09d00d73f389a5dac8efdce0eb8c.zip FreeBSD-src-f6e720bf7e3d09d00d73f389a5dac8efdce0eb8c.tar.gz | |
- Flatten the vendor heimdal tree.
Diffstat (limited to 'crypto/heimdal/lib/hx509/print.c')
| -rw-r--r-- | crypto/heimdal/lib/hx509/print.c | 990 |
1 files changed, 0 insertions, 990 deletions
diff --git a/crypto/heimdal/lib/hx509/print.c b/crypto/heimdal/lib/hx509/print.c deleted file mode 100644 index 78ebbaf..0000000 --- a/crypto/heimdal/lib/hx509/print.c +++ /dev/null @@ -1,990 +0,0 @@ -/* - * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "hx_locl.h" -RCSID("$Id: print.c 22420 2008-01-13 09:42:35Z lha $"); - -/** - * @page page_print Hx509 printing functions - * - * See the library functions here: @ref hx509_print - */ - -struct hx509_validate_ctx_data { - int flags; - hx509_vprint_func vprint_func; - void *ctx; -}; - -struct cert_status { - unsigned int selfsigned:1; - unsigned int isca:1; - unsigned int isproxy:1; - unsigned int haveSAN:1; - unsigned int haveIAN:1; - unsigned int haveSKI:1; - unsigned int haveAKI:1; - unsigned int haveCRLDP:1; -}; - - -/* - * - */ - -static int -Time2string(const Time *T, char **str) -{ - time_t t; - char *s; - struct tm *tm; - - *str = NULL; - t = _hx509_Time2time_t(T); - tm = gmtime (&t); - s = malloc(30); - if (s == NULL) - return ENOMEM; - strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm); - *str = s; - return 0; -} - -/** - * Helper function to print on stdout for: - * - hx509_oid_print(), - * - hx509_bitstring_print(), - * - hx509_validate_ctx_set_print(). - * - * @param ctx the context to the print function. If the ctx is NULL, - * stdout is used. - * @param fmt the printing format. - * @param va the argumet list. - * - * @ingroup hx509_print - */ - -void -hx509_print_stdout(void *ctx, const char *fmt, va_list va) -{ - FILE *f = ctx; - if (f == NULL) - f = stdout; - vfprintf(f, fmt, va); -} - -static void -print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...) -{ - va_list va; - va_start(va, fmt); - (*func)(ctx, fmt, va); - va_end(va); -} - -/** - * Print a oid to a string. - * - * @param oid oid to print - * @param str allocated string, free with hx509_xfree(). - * - * @return An hx509 error code, see hx509_get_error_string(). - * - * @ingroup hx509_print - */ - -int -hx509_oid_sprint(const heim_oid *oid, char **str) -{ - return der_print_heim_oid(oid, '.', str); -} - -/** - * Print a oid using a hx509_vprint_func function. To print to stdout - * use hx509_print_stdout(). - * - * @param oid oid to print - * @param func hx509_vprint_func to print with. - * @param ctx context variable to hx509_vprint_func function. - * - * @ingroup hx509_print - */ - -void -hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx) -{ - char *str; - hx509_oid_sprint(oid, &str); - print_func(func, ctx, "%s", str); - free(str); -} - -/** - * Print a bitstring using a hx509_vprint_func function. To print to - * stdout use hx509_print_stdout(). - * - * @param b bit string to print. - * @param func hx509_vprint_func to print with. - * @param ctx context variable to hx509_vprint_func function. - * - * @ingroup hx509_print - */ - -void -hx509_bitstring_print(const heim_bit_string *b, - hx509_vprint_func func, void *ctx) -{ - int i; - print_func(func, ctx, "\tlength: %d\n\t", b->length); - for (i = 0; i < (b->length + 7) / 8; i++) - print_func(func, ctx, "%02x%s%s", - ((unsigned char *)b->data)[i], - i < (b->length - 7) / 8 - && (i == 0 || (i % 16) != 15) ? ":" : "", - i != 0 && (i % 16) == 15 ? - (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):""); -} - -/** - * Print certificate usage for a certificate to a string. - * - * @param context A hx509 context. - * @param c a certificate print the keyusage for. - * @param s the return string with the keysage printed in to, free - * with hx509_xfree(). - * - * @return An hx509 error code, see hx509_get_error_string(). - * - * @ingroup hx509_print - */ - -int -hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s) -{ - KeyUsage ku; - char buf[256]; - int ret; - - *s = NULL; - - ret = _hx509_cert_get_keyusage(context, c, &ku); - if (ret) - return ret; - unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf)); - *s = strdup(buf); - if (*s == NULL) { - hx509_set_error_string(context, 0, ENOMEM, "out of memory"); - return ENOMEM; - } - - return 0; -} - -/* - * - */ - -static void -validate_vprint(void *c, const char *fmt, va_list va) -{ - hx509_validate_ctx ctx = c; - if (ctx->vprint_func == NULL) - return; - (ctx->vprint_func)(ctx->ctx, fmt, va); -} - -static void -validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...) -{ - va_list va; - if ((ctx->flags & flags) == 0) - return; - va_start(va, fmt); - validate_vprint(ctx, fmt, va); - va_end(va); -} - -/* - * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical, - * MUST NOT critical - */ -enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C }; - -static int -check_Null(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, const Extension *e) -{ - switch(cf) { - case D_C: - break; - case S_C: - if (!e->critical) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "\tCritical not set on SHOULD\n"); - break; - case S_N_C: - if (e->critical) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "\tCritical set on SHOULD NOT\n"); - break; - case M_C: - if (!e->critical) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "\tCritical not set on MUST\n"); - break; - case M_N_C: - if (e->critical) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "\tCritical set on MUST NOT\n"); - break; - default: - _hx509_abort("internal check_Null state error"); - } - return 0; -} - -static int -check_subjectKeyIdentifier(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *e) -{ - SubjectKeyIdentifier si; - size_t size; - int ret; - - status->haveSKI = 1; - check_Null(ctx, status, cf, e); - - ret = decode_SubjectKeyIdentifier(e->extnValue.data, - e->extnValue.length, - &si, &size); - if (ret) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Decoding SubjectKeyIdentifier failed: %d", ret); - return 1; - } - if (size != e->extnValue.length) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Decoding SKI ahve extra bits on the end"); - return 1; - } - if (si.length == 0) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "SKI is too short (0 bytes)"); - if (si.length > 20) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "SKI is too long"); - - { - char *id; - hex_encode(si.data, si.length, &id); - if (id) { - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "\tsubject key id: %s\n", id); - free(id); - } - } - - free_SubjectKeyIdentifier(&si); - - return 0; -} - -static int -check_authorityKeyIdentifier(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *e) -{ - AuthorityKeyIdentifier ai; - size_t size; - int ret; - - status->haveAKI = 1; - check_Null(ctx, status, cf, e); - - status->haveSKI = 1; - check_Null(ctx, status, cf, e); - - ret = decode_AuthorityKeyIdentifier(e->extnValue.data, - e->extnValue.length, - &ai, &size); - if (ret) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Decoding AuthorityKeyIdentifier failed: %d", ret); - return 1; - } - if (size != e->extnValue.length) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Decoding SKI ahve extra bits on the end"); - return 1; - } - - if (ai.keyIdentifier) { - char *id; - hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id); - if (id) { - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "\tauthority key id: %s\n", id); - free(id); - } - } - - return 0; -} - - -static int -check_pkinit_san(hx509_validate_ctx ctx, heim_any *a) -{ - KRB5PrincipalName kn; - unsigned i; - size_t size; - int ret; - - ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size); - if (ret) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Decoding kerberos name in SAN failed: %d", ret); - return 1; - } - - if (size != a->length) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Decoding kerberos name have extra bits on the end"); - return 1; - } - - /* print kerberos principal, add code to quote / within components */ - for (i = 0; i < kn.principalName.name_string.len; i++) { - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", - kn.principalName.name_string.val[i]); - if (i + 1 < kn.principalName.name_string.len) - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/"); - } - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@"); - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm); - - free_KRB5PrincipalName(&kn); - return 0; -} - -static int -check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a) -{ - PKIXXmppAddr jid; - size_t size; - int ret; - - ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size); - if (ret) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Decoding JID in SAN failed: %d", ret); - return 1; - } - - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid); - free_PKIXXmppAddr(&jid); - - return 0; -} - -static int -check_altnull(hx509_validate_ctx ctx, heim_any *a) -{ - return 0; -} - -static int -check_CRLDistributionPoints(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *e) -{ - CRLDistributionPoints dp; - size_t size; - int ret, i; - - check_Null(ctx, status, cf, e); - - ret = decode_CRLDistributionPoints(e->extnValue.data, - e->extnValue.length, - &dp, &size); - if (ret) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Decoding CRL Distribution Points failed: %d\n", ret); - return 1; - } - - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n"); - for (i = 0 ; i < dp.len; i++) { - if (dp.val[i].distributionPoint) { - DistributionPointName dpname; - heim_any *data = dp.val[i].distributionPoint; - int j; - - ret = decode_DistributionPointName(data->data, data->length, - &dpname, NULL); - if (ret) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Failed to parse CRL Distribution Point Name: %d\n", ret); - continue; - } - - switch (dpname.element) { - case choice_DistributionPointName_fullName: - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n"); - - for (j = 0 ; j < dpname.u.fullName.len; j++) { - char *s; - GeneralName *name = &dpname.u.fullName.val[j]; - - ret = hx509_general_name_unparse(name, &s); - if (ret == 0 && s != NULL) { - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s); - free(s); - } - } - break; - case choice_DistributionPointName_nameRelativeToCRLIssuer: - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "Unknown nameRelativeToCRLIssuer"); - break; - default: - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Unknown DistributionPointName"); - break; - } - free_DistributionPointName(&dpname); - } - } - free_CRLDistributionPoints(&dp); - - status->haveCRLDP = 1; - - return 0; -} - - -struct { - const char *name; - const heim_oid *(*oid)(void); - int (*func)(hx509_validate_ctx, heim_any *); -} check_altname[] = { - { "pk-init", oid_id_pkinit_san, check_pkinit_san }, - { "jabber", oid_id_pkix_on_xmppAddr, check_utf8_string_san }, - { "dns-srv", oid_id_pkix_on_dnsSRV, check_altnull }, - { "card-id", oid_id_uspkicommon_card_id, check_altnull }, - { "Microsoft NT-PRINCIPAL-NAME", oid_id_pkinit_ms_san, check_utf8_string_san } -}; - -static int -check_altName(hx509_validate_ctx ctx, - struct cert_status *status, - const char *name, - enum critical_flag cf, - const Extension *e) -{ - GeneralNames gn; - size_t size; - int ret, i; - - check_Null(ctx, status, cf, e); - - if (e->extnValue.length == 0) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "%sAltName empty, not allowed", name); - return 1; - } - ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length, - &gn, &size); - if (ret) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "\tret = %d while decoding %s GeneralNames\n", - ret, name); - return 1; - } - if (gn.len == 0) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "%sAltName generalName empty, not allowed\n", name); - return 1; - } - - for (i = 0; i < gn.len; i++) { - switch (gn.val[i].element) { - case choice_GeneralName_otherName: { - unsigned j; - - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "%sAltName otherName ", name); - - for (j = 0; j < sizeof(check_altname)/sizeof(check_altname[0]); j++) { - if (der_heim_oid_cmp((*check_altname[j].oid)(), - &gn.val[i].u.otherName.type_id) != 0) - continue; - - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ", - check_altname[j].name); - (*check_altname[j].func)(ctx, &gn.val[i].u.otherName.value); - break; - } - if (j == sizeof(check_altname)/sizeof(check_altname[0])) { - hx509_oid_print(&gn.val[i].u.otherName.type_id, - validate_vprint, ctx); - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown"); - } - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n"); - break; - } - default: { - char *s; - ret = hx509_general_name_unparse(&gn.val[i], &s); - if (ret) { - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "ret = %d unparsing GeneralName\n", ret); - return 1; - } - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s); - free(s); - break; - } - } - } - - free_GeneralNames(&gn); - - return 0; -} - -static int -check_subjectAltName(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *e) -{ - status->haveSAN = 1; - return check_altName(ctx, status, "subject", cf, e); -} - -static int -check_issuerAltName(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *e) -{ - status->haveIAN = 1; - return check_altName(ctx, status, "issuer", cf, e); -} - - -static int -check_basicConstraints(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *e) -{ - BasicConstraints b; - size_t size; - int ret; - - check_Null(ctx, status, cf, e); - - ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length, - &b, &size); - if (ret) { - printf("\tret = %d while decoding BasicConstraints\n", ret); - return 0; - } - if (size != e->extnValue.length) - printf("\tlength of der data isn't same as extension\n"); - - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT "); - if (b.pathLenConstraint) - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "\tpathLenConstraint: %d\n", *b.pathLenConstraint); - - if (b.cA) { - if (*b.cA) { - if (!e->critical) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Is a CA and not BasicConstraints CRITICAL\n"); - status->isca = 1; - } - else - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "cA is FALSE, not allowed to be\n"); - } - free_BasicConstraints(&b); - - return 0; -} - -static int -check_proxyCertInfo(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *e) -{ - check_Null(ctx, status, cf, e); - status->isproxy = 1; - return 0; -} - -static int -check_authorityInfoAccess(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *e) -{ - AuthorityInfoAccessSyntax aia; - size_t size; - int ret, i; - - check_Null(ctx, status, cf, e); - - ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data, - e->extnValue.length, - &aia, &size); - if (ret) { - printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret); - return 0; - } - - for (i = 0; i < aia.len; i++) { - char *str; - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "\ttype: "); - hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx); - hx509_general_name_unparse(&aia.val[i].accessLocation, &str); - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "\n\tdirname: %s\n", str); - free(str); - } - free_AuthorityInfoAccessSyntax(&aia); - - return 0; -} - -/* - * - */ - -struct { - const char *name; - const heim_oid *(*oid)(void); - int (*func)(hx509_validate_ctx ctx, - struct cert_status *status, - enum critical_flag cf, - const Extension *); - enum critical_flag cf; -} check_extension[] = { -#define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname - { ext(subjectDirectoryAttributes, Null), M_N_C }, - { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C }, - { ext(keyUsage, Null), S_C }, - { ext(subjectAltName, subjectAltName), M_N_C }, - { ext(issuerAltName, issuerAltName), S_N_C }, - { ext(basicConstraints, basicConstraints), D_C }, - { ext(cRLNumber, Null), M_N_C }, - { ext(cRLReason, Null), M_N_C }, - { ext(holdInstructionCode, Null), M_N_C }, - { ext(invalidityDate, Null), M_N_C }, - { ext(deltaCRLIndicator, Null), M_C }, - { ext(issuingDistributionPoint, Null), M_C }, - { ext(certificateIssuer, Null), M_C }, - { ext(nameConstraints, Null), M_C }, - { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C }, - { ext(certificatePolicies, Null) }, - { ext(policyMappings, Null), M_N_C }, - { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C }, - { ext(policyConstraints, Null), D_C }, - { ext(extKeyUsage, Null), D_C }, - { ext(freshestCRL, Null), M_N_C }, - { ext(inhibitAnyPolicy, Null), M_C }, -#undef ext -#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname - { ext(proxyCertInfo, proxyCertInfo), M_C }, - { ext(authorityInfoAccess, authorityInfoAccess), M_C }, -#undef ext - { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim, - check_Null, D_C }, - { "Netscape cert comment", oid_id_netscape_cert_comment, - check_Null, D_C }, - { NULL } -}; - -/** - * Allocate a hx509 validation/printing context. - * - * @param context A hx509 context. - * @param ctx a new allocated hx509 validation context, free with - * hx509_validate_ctx_free(). - - * @return An hx509 error code, see hx509_get_error_string(). - * - * @ingroup hx509_print - */ - -int -hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx) -{ - *ctx = malloc(sizeof(**ctx)); - if (*ctx == NULL) - return ENOMEM; - memset(*ctx, 0, sizeof(**ctx)); - return 0; -} - -/** - * Set the printing functions for the validation context. - * - * @param ctx a hx509 valication context. - * @param func the printing function to usea. - * @param c the context variable to the printing function. - * - * @return An hx509 error code, see hx509_get_error_string(). - * - * @ingroup hx509_print - */ - -void -hx509_validate_ctx_set_print(hx509_validate_ctx ctx, - hx509_vprint_func func, - void *c) -{ - ctx->vprint_func = func; - ctx->ctx = c; -} - -/** - * Add flags to control the behaivor of the hx509_validate_cert() - * function. - * - * @param ctx A hx509 validation context. - * @param flags flags to add to the validation context. - * - * @return An hx509 error code, see hx509_get_error_string(). - * - * @ingroup hx509_print - */ - -void -hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags) -{ - ctx->flags |= flags; -} - -/** - * Free an hx509 validate context. - * - * @param ctx the hx509 validate context to free. - * - * @ingroup hx509_print - */ - -void -hx509_validate_ctx_free(hx509_validate_ctx ctx) -{ - free(ctx); -} - -/** - * Validate/Print the status of the certificate. - * - * @param context A hx509 context. - * @param ctx A hx509 validation context. - * @param cert the cerificate to validate/print. - - * @return An hx509 error code, see hx509_get_error_string(). - * - * @ingroup hx509_print - */ - -int -hx509_validate_cert(hx509_context context, - hx509_validate_ctx ctx, - hx509_cert cert) -{ - Certificate *c = _hx509_get_cert(cert); - TBSCertificate *t = &c->tbsCertificate; - hx509_name issuer, subject; - char *str; - struct cert_status status; - int ret; - - memset(&status, 0, sizeof(status)); - - if (_hx509_cert_get_version(c) != 3) - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "Not version 3 certificate\n"); - - if ((t->version == NULL || *t->version < 2) && t->extensions) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Not version 3 certificate with extensions\n"); - - if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Version 3 certificate without extensions\n"); - - ret = hx509_cert_get_subject(cert, &subject); - if (ret) abort(); - hx509_name_to_string(subject, &str); - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "subject name: %s\n", str); - free(str); - - ret = hx509_cert_get_issuer(cert, &issuer); - if (ret) abort(); - hx509_name_to_string(issuer, &str); - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "issuer name: %s\n", str); - free(str); - - if (hx509_name_cmp(subject, issuer) == 0) { - status.selfsigned = 1; - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "\tis a self-signed certificate\n"); - } - - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "Validity:\n"); - - Time2string(&t->validity.notBefore, &str); - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str); - free(str); - Time2string(&t->validity.notAfter, &str); - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str); - free(str); - - if (t->extensions) { - int i, j; - - if (t->extensions->len == 0) { - validate_print(ctx, - HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE, - "The empty extensions list is not " - "allowed by PKIX\n"); - } - - for (i = 0; i < t->extensions->len; i++) { - - for (j = 0; check_extension[j].name; j++) - if (der_heim_oid_cmp((*check_extension[j].oid)(), - &t->extensions->val[i].extnID) == 0) - break; - if (check_extension[j].name == NULL) { - int flags = HX509_VALIDATE_F_VERBOSE; - if (t->extensions->val[i].critical) - flags |= HX509_VALIDATE_F_VALIDATE; - validate_print(ctx, flags, "don't know what "); - if (t->extensions->val[i].critical) - validate_print(ctx, flags, "and is CRITICAL "); - if (ctx->flags & flags) - hx509_oid_print(&t->extensions->val[i].extnID, - validate_vprint, ctx); - validate_print(ctx, flags, " is\n"); - continue; - } - validate_print(ctx, - HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE, - "checking extention: %s\n", - check_extension[j].name); - (*check_extension[j].func)(ctx, - &status, - check_extension[j].cf, - &t->extensions->val[i]); - } - } else - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n"); - - if (status.isca) { - if (!status.haveSKI) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "CA certificate have no SubjectKeyIdentifier\n"); - - } else { - if (!status.haveAKI) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Is not CA and doesn't have " - "AuthorityKeyIdentifier\n"); - } - - - if (!status.haveSKI) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Doesn't have SubjectKeyIdentifier\n"); - - if (status.isproxy && status.isca) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Proxy and CA at the same time!\n"); - - if (status.isproxy) { - if (status.haveSAN) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Proxy and have SAN\n"); - if (status.haveIAN) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Proxy and have IAN\n"); - } - - if (hx509_name_is_null_p(subject) && !status.haveSAN) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "NULL subject DN and doesn't have a SAN\n"); - - if (!status.selfsigned && !status.haveCRLDP) - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Not a CA nor PROXY and doesn't have" - "CRL Dist Point\n"); - - if (status.selfsigned) { - ret = _hx509_verify_signature_bitstring(context, - c, - &c->signatureAlgorithm, - &c->tbsCertificate._save, - &c->signatureValue); - if (ret == 0) - validate_print(ctx, HX509_VALIDATE_F_VERBOSE, - "Self-signed certificate was self-signed\n"); - else - validate_print(ctx, HX509_VALIDATE_F_VALIDATE, - "Self-signed certificate NOT really self-signed!\n"); - } - - hx509_name_free(&subject); - hx509_name_free(&issuer); - - return 0; -} |
