db7763ca7b
Status:
- And it works!
- We have an extensive test based on decoding a rich EK certficate.
This test exercises all of:
- decoding
- encoding with and without decoded open types
- copying of decoded values with decoded open types
- freeing of decoded values with decoded open types
Valgrind finds no memory errors.
- Added a manual page for the compiler.
- rfc2459.asn1 now has all three primary PKIX types that we care about
defined as in RFC5912, with IOS constraints and parameterization:
- `Extension` (embeds open type in an `OCTET STRING`)
- `OtherName` (embeds open type in an `ANY`-like type)
- `SingleAttribute` (embeds open type in an `ANY`-like type)
- `AttributeSet` (embeds open type in a `SET OF ANY`-like type)
All of these use OIDs as the open type type ID field, but integer
open type type ID fields are also supported (and needed, for
Kerberos).
That will cover every typed hole pattern in all our ASN.1 modules.
With this we'll be able to automatically and recursively decode
through all subject DN attributes even when the subject DN is a
directoryName SAN, and subjectDirectoryAttributes, and all
extensions, and all SANs, and all authorization-data elements, and
PA-data, and...
We're not really using `SingleAttribute` and `AttributeSet` yet
because various changes are needed in `lib/hx509` for that.
- `asn1_compile` builds and recognizes the subset of X.681/682/683 that
we need for, and now use in, rfc2459.asn1. It builds the necessary
AST, generates the correct C types, and generates templating for
object sets and open types!
- See READMEs for details.
- Codegen backend not tested; I won't make it implement automatic open
type handling, but it should at least not crash by substituting
`heim_any` for open types not embedded in `OCTET STRING`.
- We're _really_ starting to have problems with the ITU-T ASN.1
grammar and our version of it...
Type names have to start with upper-case, value names with
lower-case, but it's not enough to disambiguate.
The fact the we've allowed value and type names to violate their
respective start-with case rules is causing us trouble now that we're
adding grammar from X.681/682/683, and we're going to have to undo
that.
In preparation for that I'm capitalizing the `heim_any` and
`heim_any_set` types, and doing some additional cleanup, which
requires changes to other parts of Heimdal (all in this same commit
for now).
Problems we have because of this:
- We cannot IMPORT values into modules because we have no idea if a
symbol being imported refers to a value or a type because the only
clue we would have is the symbol's name, so we assume IMPORTed
symbols are for types.
This means we can't import OIDs, for example, which is super
annoying.
One thing we might be able to do here is mark imported symbols as
being of an undetermined-but-not-undefined type, then coerce the
symbol's type the first time it's used in a context where its type
is inferred as type, value, object, object set, or class. (Though
since we don't generate C symbols for objects or classes, we won't
be able to import them, especially since we need to know them at
compile time and cannot defer their handling to link- or
run-time.)
- The `NULL` type name, and the `NULL` value name now cause two
reduce/reduce conflicts via the `FieldSetting` production.
- Various shift/reduce conflicts involving `NULL` values in
non-top-level contexts (in constraints, for example).
- Currently I have a bug where to disambiguate the grammar I have a
CLASS_IDENTIFIER token that is all caps, while TYPE_IDENTIFIER must
start with a capital but not be all caps, but this breaks Kerberos
since all its types are all capitalized -- oof!
To fix this I made it so class names have to be all caps and
start with an underscore (ick).
TBD:
- Check all the XXX comments and address them
- Apply this treatment to Kerberos! Automatic handling of authz-data
sounds useful :)
- Apply this treatment to PKCS#10 (CSRs) and other ASN.1 modules too.
- Replace various bits of code in `lib/hx509/` with uses of this
feature.
- Add JER.
- Enhance `hxtool` and `asn1_print`.
Getting there!
1149 lines
31 KiB
C
1149 lines
31 KiB
C
/*
|
|
* Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
|
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the Institute nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "hx_locl.h"
|
|
#include <vis.h>
|
|
|
|
/**
|
|
* @page page_print Hx509 printing functions
|
|
*
|
|
* See the library functions here: @ref hx509_print
|
|
*/
|
|
|
|
struct hx509_validate_ctx_data {
|
|
hx509_context context;
|
|
int flags;
|
|
hx509_vprint_func vprint_func;
|
|
void *ctx;
|
|
};
|
|
|
|
struct cert_status {
|
|
unsigned int selfsigned:1;
|
|
unsigned int isca:1;
|
|
unsigned int isproxy:1;
|
|
unsigned int haveSAN:1;
|
|
unsigned int haveIAN:1;
|
|
unsigned int haveSKI:1;
|
|
unsigned int haveAKI:1;
|
|
unsigned int haveCRLDP:1;
|
|
};
|
|
|
|
|
|
/*
|
|
*
|
|
*/
|
|
|
|
static int
|
|
Time2string(const Time *T, char **str)
|
|
{
|
|
time_t t;
|
|
char *s;
|
|
struct tm *tm;
|
|
|
|
*str = NULL;
|
|
t = _hx509_Time2time_t(T);
|
|
tm = gmtime (&t);
|
|
s = malloc(30);
|
|
if (s == NULL)
|
|
return ENOMEM;
|
|
strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
|
|
*str = s;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Helper function to print on stdout for:
|
|
* - hx509_oid_print(),
|
|
* - hx509_bitstring_print(),
|
|
* - hx509_validate_ctx_set_print().
|
|
*
|
|
* @param ctx the context to the print function. If the ctx is NULL,
|
|
* stdout is used.
|
|
* @param fmt the printing format.
|
|
* @param va the argumet list.
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION void
|
|
hx509_print_stdout(void *ctx, const char *fmt, va_list va)
|
|
{
|
|
FILE *f = ctx;
|
|
if (f == NULL)
|
|
f = stdout;
|
|
vfprintf(f, fmt, va);
|
|
}
|
|
|
|
static void
|
|
print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
|
|
{
|
|
va_list va;
|
|
va_start(va, fmt);
|
|
(*func)(ctx, fmt, va);
|
|
va_end(va);
|
|
}
|
|
|
|
/**
|
|
* Print a oid to a string.
|
|
*
|
|
* @param oid oid to print
|
|
* @param str allocated string, free with hx509_xfree().
|
|
*
|
|
* @return An hx509 error code, see hx509_get_error_string().
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION int HX509_LIB_CALL
|
|
hx509_oid_sprint(const heim_oid *oid, char **str)
|
|
{
|
|
return der_print_heim_oid(oid, '.', str);
|
|
}
|
|
|
|
/**
|
|
* Print a oid using a hx509_vprint_func function. To print to stdout
|
|
* use hx509_print_stdout().
|
|
*
|
|
* @param oid oid to print
|
|
* @param func hx509_vprint_func to print with.
|
|
* @param ctx context variable to hx509_vprint_func function.
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION void HX509_LIB_CALL
|
|
hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
|
|
{
|
|
char *str;
|
|
hx509_oid_sprint(oid, &str);
|
|
print_func(func, ctx, "%s", str);
|
|
free(str);
|
|
}
|
|
|
|
/**
|
|
* Print a bitstring using a hx509_vprint_func function. To print to
|
|
* stdout use hx509_print_stdout().
|
|
*
|
|
* @param b bit string to print.
|
|
* @param func hx509_vprint_func to print with.
|
|
* @param ctx context variable to hx509_vprint_func function.
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION void HX509_LIB_CALL
|
|
hx509_bitstring_print(const heim_bit_string *b,
|
|
hx509_vprint_func func, void *ctx)
|
|
{
|
|
size_t i;
|
|
print_func(func, ctx, "\tlength: %d\n\t", b->length);
|
|
for (i = 0; i < (b->length + 7) / 8; i++)
|
|
print_func(func, ctx, "%02x%s%s",
|
|
((unsigned char *)b->data)[i],
|
|
i < (b->length - 7) / 8
|
|
&& (i == 0 || (i % 16) != 15) ? ":" : "",
|
|
i != 0 && (i % 16) == 15 ?
|
|
(i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
|
|
}
|
|
|
|
/**
|
|
* Print certificate usage for a certificate to a string.
|
|
*
|
|
* @param context A hx509 context.
|
|
* @param c a certificate print the keyusage for.
|
|
* @param s the return string with the keysage printed in to, free
|
|
* with hx509_xfree().
|
|
*
|
|
* @return An hx509 error code, see hx509_get_error_string().
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION int HX509_LIB_CALL
|
|
hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
|
|
{
|
|
KeyUsage ku;
|
|
char buf[256];
|
|
int ret;
|
|
|
|
*s = NULL;
|
|
|
|
ret = _hx509_cert_get_keyusage(context, c, &ku);
|
|
if (ret)
|
|
return ret;
|
|
unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
|
|
*s = strdup(buf);
|
|
if (*s == NULL) {
|
|
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
|
|
return ENOMEM;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
*
|
|
*/
|
|
|
|
static void
|
|
validate_vprint(void *c, const char *fmt, va_list va)
|
|
{
|
|
hx509_validate_ctx ctx = c;
|
|
if (ctx->vprint_func == NULL)
|
|
return;
|
|
(ctx->vprint_func)(ctx->ctx, fmt, va);
|
|
}
|
|
|
|
static void
|
|
validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
|
|
{
|
|
va_list va;
|
|
if ((ctx->flags & flags) == 0)
|
|
return;
|
|
va_start(va, fmt);
|
|
validate_vprint(ctx, fmt, va);
|
|
va_end(va);
|
|
}
|
|
|
|
/*
|
|
* Don't Care, SHOULD critical, SHOULD NOT critical, MUST critical,
|
|
* MUST NOT critical
|
|
*/
|
|
enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
|
|
|
|
static int
|
|
check_Null(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf, const Extension *e)
|
|
{
|
|
switch(cf) {
|
|
case D_C:
|
|
break;
|
|
case S_C:
|
|
if (!e->critical)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\tCritical not set on SHOULD\n");
|
|
break;
|
|
case S_N_C:
|
|
if (e->critical)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\tCritical set on SHOULD NOT\n");
|
|
break;
|
|
case M_C:
|
|
if (!e->critical)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\tCritical not set on MUST\n");
|
|
break;
|
|
case M_N_C:
|
|
if (e->critical)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\tCritical set on MUST NOT\n");
|
|
break;
|
|
default:
|
|
_hx509_abort("internal check_Null state error");
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
check_subjectKeyIdentifier(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
SubjectKeyIdentifier si;
|
|
size_t size;
|
|
int ret;
|
|
|
|
status->haveSKI = 1;
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
ret = decode_SubjectKeyIdentifier(e->extnValue.data,
|
|
e->extnValue.length,
|
|
&si, &size);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Decoding SubjectKeyIdentifier failed: %d", ret);
|
|
return 1;
|
|
}
|
|
if (size != e->extnValue.length) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Decoding SKI ahve extra bits on the end");
|
|
return 1;
|
|
}
|
|
if (si.length == 0)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"SKI is too short (0 bytes)");
|
|
if (si.length > 20)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"SKI is too long");
|
|
|
|
{
|
|
char *id;
|
|
hex_encode(si.data, si.length, &id);
|
|
if (id) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\tsubject key id: %s\n", id);
|
|
free(id);
|
|
}
|
|
}
|
|
|
|
free_SubjectKeyIdentifier(&si);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
check_authorityKeyIdentifier(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
AuthorityKeyIdentifier ai;
|
|
size_t size;
|
|
int ret;
|
|
|
|
status->haveAKI = 1;
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
|
|
e->extnValue.length,
|
|
&ai, &size);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Decoding AuthorityKeyIdentifier failed: %d", ret);
|
|
return 1;
|
|
}
|
|
if (size != e->extnValue.length) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Decoding SKI ahve extra bits on the end");
|
|
return 1;
|
|
}
|
|
|
|
if (ai.keyIdentifier) {
|
|
char *id;
|
|
hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
|
|
if (id) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\tauthority key id: %s\n", id);
|
|
free(id);
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
check_extKeyUsage(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
ExtKeyUsage eku;
|
|
size_t size, i;
|
|
int ret;
|
|
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
ret = decode_ExtKeyUsage(e->extnValue.data,
|
|
e->extnValue.length,
|
|
&eku, &size);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Decoding ExtKeyUsage failed: %d", ret);
|
|
return 1;
|
|
}
|
|
if (size != e->extnValue.length) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Padding data in EKU");
|
|
free_ExtKeyUsage(&eku);
|
|
return 1;
|
|
}
|
|
if (eku.len == 0) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"ExtKeyUsage length is 0");
|
|
return 1;
|
|
}
|
|
|
|
for (i = 0; i < eku.len; i++) {
|
|
char *str;
|
|
ret = der_print_heim_oid (&eku.val[i], '.', &str);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\tEKU: failed to print oid %d", i);
|
|
free_ExtKeyUsage(&eku);
|
|
return 1;
|
|
}
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\teku-%d: %s\n", i, str);;
|
|
free(str);
|
|
}
|
|
|
|
free_ExtKeyUsage(&eku);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
check_CRLDistributionPoints(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
CRLDistributionPoints dp;
|
|
size_t size;
|
|
int ret;
|
|
size_t i;
|
|
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
ret = decode_CRLDistributionPoints(e->extnValue.data,
|
|
e->extnValue.length,
|
|
&dp, &size);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Decoding CRL Distribution Points failed: %d\n", ret);
|
|
return 1;
|
|
}
|
|
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
|
|
for (i = 0 ; i < dp.len; i++) {
|
|
if (dp.val[i].distributionPoint) {
|
|
DistributionPointName dpname;
|
|
heim_any *data = dp.val[i].distributionPoint;
|
|
size_t j;
|
|
|
|
ret = decode_DistributionPointName(data->data, data->length,
|
|
&dpname, NULL);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Failed to parse CRL Distribution Point Name: %d\n", ret);
|
|
continue;
|
|
}
|
|
|
|
switch (dpname.element) {
|
|
case choice_DistributionPointName_fullName:
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
|
|
|
|
for (j = 0 ; j < dpname.u.fullName.len; j++) {
|
|
char *s;
|
|
GeneralName *name = &dpname.u.fullName.val[j];
|
|
|
|
ret = hx509_general_name_unparse2(ctx->context, name, &s);
|
|
if (ret) {
|
|
s = hx509_get_error_string(ctx->context, ret);
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Unknown DistributionPointName: %s", s);
|
|
hx509_free_error_string(s);
|
|
} else {
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
|
|
free(s);
|
|
}
|
|
}
|
|
break;
|
|
case choice_DistributionPointName_nameRelativeToCRLIssuer:
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"Unknown nameRelativeToCRLIssuer");
|
|
break;
|
|
default:
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Unknown DistributionPointName");
|
|
break;
|
|
}
|
|
free_DistributionPointName(&dpname);
|
|
}
|
|
}
|
|
free_CRLDistributionPoints(&dp);
|
|
|
|
status->haveCRLDP = 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
check_altName(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
const char *name,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
GeneralNames gn;
|
|
size_t size;
|
|
int ret;
|
|
size_t i;
|
|
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
if (e->extnValue.length == 0) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"%sAltName empty, not allowed", name);
|
|
return 1;
|
|
}
|
|
ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
|
|
&gn, &size);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\tret = %d while decoding %s GeneralNames\n",
|
|
ret, name);
|
|
return 1;
|
|
}
|
|
if (gn.len == 0) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"%sAltName generalName empty, not allowed\n", name);
|
|
return 1;
|
|
}
|
|
|
|
for (i = 0; i < gn.len; i++) {
|
|
char *s;
|
|
|
|
ret = hx509_general_name_unparse2(ctx->context, &gn.val[i], &s);
|
|
if (ret) {
|
|
s = hx509_get_error_string(ctx->context, ret);
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Error unparsing GeneralName: %s\n", s);
|
|
hx509_free_error_string(s);
|
|
return 1;
|
|
}
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\t%s\n", s);
|
|
free(s);
|
|
}
|
|
|
|
free_GeneralNames(&gn);
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
check_subjectAltName(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
status->haveSAN = 1;
|
|
return check_altName(ctx, status, "subject", cf, e);
|
|
}
|
|
|
|
static int
|
|
check_issuerAltName(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
status->haveIAN = 1;
|
|
return check_altName(ctx, status, "issuer", cf, e);
|
|
}
|
|
|
|
|
|
static int
|
|
check_basicConstraints(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
BasicConstraints b;
|
|
size_t size;
|
|
int ret;
|
|
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
|
|
&b, &size);
|
|
if (ret) {
|
|
printf("\tret = %d while decoding BasicConstraints\n", ret);
|
|
return 0;
|
|
}
|
|
if (size != e->extnValue.length)
|
|
printf("\tlength of der data isn't same as extension\n");
|
|
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\tis %sa CA\n", b.cA ? "" : "NOT ");
|
|
if (b.pathLenConstraint)
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\tpathLenConstraint: %d\n", *b.pathLenConstraint);
|
|
|
|
if (b.cA) {
|
|
if (!e->critical)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Is a CA and not BasicConstraints CRITICAL\n");
|
|
status->isca = 1;
|
|
}
|
|
free_BasicConstraints(&b);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
check_proxyCertInfo(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
check_Null(ctx, status, cf, e);
|
|
status->isproxy = 1;
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
check_authorityInfoAccess(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
AuthorityInfoAccessSyntax aia;
|
|
size_t size;
|
|
int ret;
|
|
size_t i;
|
|
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
|
|
e->extnValue.length,
|
|
&aia, &size);
|
|
if (ret) {
|
|
printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
|
|
return 0;
|
|
}
|
|
|
|
for (i = 0; i < aia.len; i++) {
|
|
char *str;
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\ttype: ");
|
|
hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
|
|
ret = hx509_general_name_unparse2(ctx->context,
|
|
&aia.val[i].accessLocation, &str);
|
|
if (ret) {
|
|
str = hx509_get_error_string(ctx->context, ret);
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Error unparsing AuthorityInfoAccessSyntax "
|
|
"accessLocation: %s", str);
|
|
hx509_free_error_string(str);
|
|
} else {
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\n\tdirname: %s\n", str);
|
|
free(str);
|
|
}
|
|
}
|
|
free_AuthorityInfoAccessSyntax(&aia);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int
|
|
get_display_text(DisplayText *dt, char **out)
|
|
{
|
|
int r = -1;
|
|
|
|
*out = NULL;
|
|
|
|
/*
|
|
* XXX We're cheating with various string types here.
|
|
*
|
|
* Proper support for IA5String is a real pain, and we don't have it.
|
|
*
|
|
* We also don't have support for BMPString.
|
|
*/
|
|
switch (dt->element) {
|
|
case choice_DisplayText_ia5String:
|
|
r = rk_strasvisx(out, dt->u.ia5String.data, dt->u.ia5String.length,
|
|
VIS_CSTYLE | VIS_TAB | VIS_NL, "");
|
|
break;
|
|
case choice_DisplayText_visibleString:
|
|
r = rk_strasvis(out, dt->u.visibleString,
|
|
VIS_CSTYLE | VIS_TAB | VIS_NL, "");
|
|
break;
|
|
case choice_DisplayText_bmpString:
|
|
errno = ENOTSUP; /* XXX Need a UTF-16 -> UTF-8 conversion */
|
|
break;
|
|
case choice_DisplayText_utf8String:
|
|
r = rk_strasvis(out, dt->u.visibleString,
|
|
VIS_CSTYLE | VIS_TAB | VIS_NL, "");
|
|
break;
|
|
default:
|
|
errno = EINVAL;
|
|
}
|
|
return r < 0 ? errno : 0;
|
|
}
|
|
|
|
static int
|
|
check_certificatePolicies(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
CertificatePolicies cp;
|
|
size_t i, size;
|
|
int ret = 0;
|
|
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
if (e->extnValue.length == 0) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"CertificatePolicies empty, not allowed");
|
|
return 1;
|
|
}
|
|
ret = decode_CertificatePolicies(e->extnValue.data, e->extnValue.length,
|
|
&cp, &size);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\tret = %d while decoding CertificatePolicies\n", ret);
|
|
return 1;
|
|
}
|
|
if (cp.len == 0) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"CertificatePolicies empty, not allowed\n");
|
|
return 1;
|
|
}
|
|
|
|
for (i = 0; ret == 0 && i < cp.len; i++) {
|
|
size_t k;
|
|
char *poid = NULL;
|
|
char *qoid = NULL;
|
|
char *dt = NULL;
|
|
|
|
ret = der_print_heim_oid(&cp.val[i].policyIdentifier, '.', &poid);
|
|
if (ret == 0)
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tPolicy: %s", poid);
|
|
|
|
for (k = 0;
|
|
ret == 0 && cp.val[i].policyQualifiers &&
|
|
k < cp.val[i].policyQualifiers->len;
|
|
k++) {
|
|
PolicyQualifierInfo *pi = &cp.val[i].policyQualifiers->val[k];
|
|
|
|
if (der_heim_oid_cmp(&pi->policyQualifierId,
|
|
&asn1_oid_id_pkix_qt_cps) == 0) {
|
|
CPSuri cps;
|
|
|
|
ret = decode_CPSuri(pi->qualifier.data, pi->qualifier.length,
|
|
&cps, &size);
|
|
if (ret == 0) {
|
|
if (cps.length > 4096)
|
|
cps.length = 4096;
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
":CPSuri:%.*s",
|
|
(int)cps.length, (char *)cps.data);
|
|
free_CPSuri(&cps);
|
|
}
|
|
} else if (der_heim_oid_cmp(&pi->policyQualifierId,
|
|
&asn1_oid_id_pkix_qt_unotice) == 0) {
|
|
UserNotice un;
|
|
|
|
ret = decode_UserNotice(pi->qualifier.data,
|
|
pi->qualifier.length, &un, &size);
|
|
if (ret == 0) {
|
|
if (un.explicitText) {
|
|
/*
|
|
* get_display_text() will strvis to make it safer to
|
|
* print.
|
|
*/
|
|
ret = get_display_text(un.explicitText, &dt);
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
" UserNotice:DistplayText:%s", dt);
|
|
} else if (un.noticeRef) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
" UserNotice:NoticeRef:<noticeRef-not-supported>",
|
|
qoid);
|
|
} else {
|
|
ret = der_print_heim_oid(&pi->policyQualifierId, '.',
|
|
&qoid);
|
|
if (ret)
|
|
break;
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
" Unknown:%s", qoid);
|
|
}
|
|
}
|
|
} else {
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
", qualifier %s:<unknown>", qoid);
|
|
}
|
|
free(qoid);
|
|
free(dt);
|
|
qoid = dt = 0;
|
|
}
|
|
if (ret == 0) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
|
|
} else {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\nOut of memory formatting certificate policy");
|
|
ret = ENOMEM;
|
|
}
|
|
free(poid);
|
|
free(qoid);
|
|
free(dt);
|
|
poid = qoid = dt = 0;
|
|
}
|
|
|
|
free_CertificatePolicies(&cp);
|
|
|
|
return ret ? 1 : 0;
|
|
}
|
|
|
|
static int
|
|
check_policyMappings(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *e)
|
|
{
|
|
PolicyMappings pm;
|
|
size_t i, size;
|
|
int ret = 0;
|
|
|
|
check_Null(ctx, status, cf, e);
|
|
|
|
if (e->extnValue.length == 0) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"PolicyMappings empty, not allowed");
|
|
return 1;
|
|
}
|
|
ret = decode_PolicyMappings(e->extnValue.data, e->extnValue.length,
|
|
&pm, &size);
|
|
if (ret) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"\tret = %d while decoding PolicyMappings\n", ret);
|
|
return 1;
|
|
}
|
|
if (pm.len == 0) {
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"PolicyMappings empty, not allowed\n");
|
|
return 1;
|
|
}
|
|
|
|
for (i = 0; ret == 0 && i < pm.len; i++) {
|
|
char *idpoid = NULL;
|
|
char *sdpoid = NULL;
|
|
|
|
ret = der_print_heim_oid(&pm.val[i].issuerDomainPolicy, '.', &idpoid);
|
|
if (ret == 0)
|
|
ret = der_print_heim_oid(&pm.val[i].subjectDomainPolicy, '.',
|
|
&sdpoid);
|
|
if (ret == 0)
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\tPolicy mapping %s -> %s\n", idpoid, sdpoid);
|
|
else
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"ret=%d while decoding PolicyMappings\n", ret);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
*
|
|
*/
|
|
|
|
struct {
|
|
const char *name;
|
|
const heim_oid *oid;
|
|
int (*func)(hx509_validate_ctx ctx,
|
|
struct cert_status *status,
|
|
enum critical_flag cf,
|
|
const Extension *);
|
|
enum critical_flag cf;
|
|
} check_extension[] = {
|
|
#define ext(name, checkname) #name, &asn1_oid_id_x509_ce_##name, check_##checkname
|
|
{ ext(subjectDirectoryAttributes, Null), M_N_C },
|
|
{ ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
|
|
{ ext(keyUsage, Null), S_C },
|
|
{ ext(subjectAltName, subjectAltName), M_N_C },
|
|
{ ext(issuerAltName, issuerAltName), S_N_C },
|
|
{ ext(basicConstraints, basicConstraints), D_C },
|
|
{ ext(cRLNumber, Null), M_N_C },
|
|
{ ext(cRLReason, Null), M_N_C },
|
|
{ ext(holdInstructionCode, Null), M_N_C },
|
|
{ ext(invalidityDate, Null), M_N_C },
|
|
{ ext(deltaCRLIndicator, Null), M_C },
|
|
{ ext(issuingDistributionPoint, Null), M_C },
|
|
{ ext(certificateIssuer, Null), M_C },
|
|
{ ext(nameConstraints, Null), M_C },
|
|
{ ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
|
|
{ ext(certificatePolicies, certificatePolicies), 0 },
|
|
{ ext(policyMappings, policyMappings), M_N_C },
|
|
{ ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
|
|
{ ext(policyConstraints, Null), D_C },
|
|
{ ext(extKeyUsage, extKeyUsage), D_C },
|
|
{ ext(freshestCRL, Null), M_N_C },
|
|
{ ext(inhibitAnyPolicy, Null), M_C },
|
|
#undef ext
|
|
#define ext(name, checkname) #name, &asn1_oid_id_pkix_pe_##name, check_##checkname
|
|
{ ext(proxyCertInfo, proxyCertInfo), M_C },
|
|
{ ext(authorityInfoAccess, authorityInfoAccess), M_C },
|
|
#undef ext
|
|
{ "US Fed PKI - PIV Interim", &asn1_oid_id_uspkicommon_piv_interim,
|
|
check_Null, D_C },
|
|
{ "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
|
|
check_Null, D_C },
|
|
{ NULL, NULL, NULL, 0 }
|
|
};
|
|
|
|
/**
|
|
* Allocate a hx509 validation/printing context.
|
|
*
|
|
* @param context A hx509 context.
|
|
* @param ctx a new allocated hx509 validation context, free with
|
|
* hx509_validate_ctx_free().
|
|
|
|
* @return An hx509 error code, see hx509_get_error_string().
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION int HX509_LIB_CALL
|
|
hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
|
|
{
|
|
*ctx = calloc(1, sizeof(**ctx));
|
|
if (*ctx == NULL)
|
|
return hx509_enomem(context);
|
|
(*ctx)->context = context;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* Set the printing functions for the validation context.
|
|
*
|
|
* @param ctx a hx509 valication context.
|
|
* @param func the printing function to usea.
|
|
* @param c the context variable to the printing function.
|
|
*
|
|
* @return An hx509 error code, see hx509_get_error_string().
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION void HX509_LIB_CALL
|
|
hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
|
|
hx509_vprint_func func,
|
|
void *c)
|
|
{
|
|
ctx->vprint_func = func;
|
|
ctx->ctx = c;
|
|
}
|
|
|
|
/**
|
|
* Add flags to control the behaivor of the hx509_validate_cert()
|
|
* function.
|
|
*
|
|
* @param ctx A hx509 validation context.
|
|
* @param flags flags to add to the validation context.
|
|
*
|
|
* @return An hx509 error code, see hx509_get_error_string().
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION void HX509_LIB_CALL
|
|
hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
|
|
{
|
|
ctx->flags |= flags;
|
|
}
|
|
|
|
/**
|
|
* Free an hx509 validate context.
|
|
*
|
|
* @param ctx the hx509 validate context to free.
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION void HX509_LIB_CALL
|
|
hx509_validate_ctx_free(hx509_validate_ctx ctx)
|
|
{
|
|
free(ctx);
|
|
}
|
|
|
|
/**
|
|
* Validate/Print the status of the certificate.
|
|
*
|
|
* @param context A hx509 context.
|
|
* @param ctx A hx509 validation context.
|
|
* @param cert the cerificate to validate/print.
|
|
|
|
* @return An hx509 error code, see hx509_get_error_string().
|
|
*
|
|
* @ingroup hx509_print
|
|
*/
|
|
|
|
HX509_LIB_FUNCTION int HX509_LIB_CALL
|
|
hx509_validate_cert(hx509_context context,
|
|
hx509_validate_ctx ctx,
|
|
hx509_cert cert)
|
|
{
|
|
Certificate *c = _hx509_get_cert(cert);
|
|
TBSCertificate *t = &c->tbsCertificate;
|
|
hx509_name issuer, subject;
|
|
char *str;
|
|
struct cert_status status;
|
|
int ret;
|
|
|
|
memset(&status, 0, sizeof(status));
|
|
|
|
if (_hx509_cert_get_version(c) != 3)
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"Not version 3 certificate\n");
|
|
|
|
if ((t->version == NULL || *t->version < 2) && t->extensions)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Not version 3 certificate with extensions\n");
|
|
|
|
if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Version 3 certificate without extensions\n");
|
|
|
|
ret = hx509_cert_get_subject(cert, &subject);
|
|
if (ret) abort();
|
|
hx509_name_to_string(subject, &str);
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"subject name: %s\n", str);
|
|
free(str);
|
|
|
|
ret = hx509_cert_get_issuer(cert, &issuer);
|
|
if (ret) abort();
|
|
hx509_name_to_string(issuer, &str);
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"issuer name: %s\n", str);
|
|
free(str);
|
|
|
|
if (hx509_name_cmp(subject, issuer) == 0) {
|
|
status.selfsigned = 1;
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"\tis a self-signed certificate\n");
|
|
}
|
|
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"Validity:\n");
|
|
|
|
Time2string(&t->validity.notBefore, &str);
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
|
|
free(str);
|
|
Time2string(&t->validity.notAfter, &str);
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str);
|
|
free(str);
|
|
|
|
if (t->extensions) {
|
|
size_t i, j;
|
|
|
|
if (t->extensions->len == 0) {
|
|
validate_print(ctx,
|
|
HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
|
|
"The empty extensions list is not "
|
|
"allowed by PKIX\n");
|
|
}
|
|
|
|
for (i = 0; i < t->extensions->len; i++) {
|
|
|
|
for (j = 0; check_extension[j].name; j++)
|
|
if (der_heim_oid_cmp(check_extension[j].oid,
|
|
&t->extensions->val[i].extnID) == 0)
|
|
break;
|
|
if (check_extension[j].name == NULL) {
|
|
int flags = HX509_VALIDATE_F_VERBOSE;
|
|
if (t->extensions->val[i].critical)
|
|
flags |= HX509_VALIDATE_F_VALIDATE;
|
|
validate_print(ctx, flags, "don't know what ");
|
|
if (t->extensions->val[i].critical)
|
|
validate_print(ctx, flags, "and is CRITICAL ");
|
|
if (ctx->flags & flags)
|
|
hx509_oid_print(&t->extensions->val[i].extnID,
|
|
validate_vprint, ctx);
|
|
validate_print(ctx, flags, " is\n");
|
|
continue;
|
|
}
|
|
validate_print(ctx,
|
|
HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
|
|
"checking extension: %s\n",
|
|
check_extension[j].name);
|
|
(*check_extension[j].func)(ctx,
|
|
&status,
|
|
check_extension[j].cf,
|
|
&t->extensions->val[i]);
|
|
}
|
|
} else
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extensions\n");
|
|
|
|
if (status.isca) {
|
|
if (!status.haveSKI)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"CA certificate have no SubjectKeyIdentifier\n");
|
|
|
|
} else {
|
|
if (!status.haveAKI)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Is not CA and doesn't have "
|
|
"AuthorityKeyIdentifier\n");
|
|
}
|
|
|
|
|
|
if (!status.haveSKI)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Doesn't have SubjectKeyIdentifier\n");
|
|
|
|
if (status.isproxy && status.isca)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Proxy and CA at the same time!\n");
|
|
|
|
if (status.isproxy) {
|
|
if (status.haveSAN)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Proxy and have SAN\n");
|
|
if (status.haveIAN)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Proxy and have IAN\n");
|
|
}
|
|
|
|
if (hx509_name_is_null_p(subject) && !status.haveSAN)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"NULL subject DN and doesn't have a SAN\n");
|
|
|
|
if (!status.selfsigned && !status.haveCRLDP)
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Not a CA nor PROXY and doesn't have"
|
|
"CRL Dist Point\n");
|
|
|
|
if (status.selfsigned) {
|
|
ret = _hx509_verify_signature_bitstring(context,
|
|
cert,
|
|
&c->signatureAlgorithm,
|
|
&c->tbsCertificate._save,
|
|
&c->signatureValue);
|
|
if (ret == 0)
|
|
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
|
"Self-signed certificate was self-signed\n");
|
|
else
|
|
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
|
|
"Self-signed certificate NOT really self-signed!\n");
|
|
}
|
|
|
|
hx509_name_free(&subject);
|
|
hx509_name_free(&issuer);
|
|
|
|
return 0;
|
|
}
|