Diffstat (limited to 'lib/hx509/print.c')
| -rw-r--r-- | lib/hx509/print.c | 273 | 
1 files changed, 161 insertions, 112 deletions
| diff --git a/lib/hx509/print.c b/lib/hx509/print.c
index 78ebbafb2f67..1e8bcabfa7e9 100644
--- a/lib/hx509/print.c
+++ b/lib/hx509/print.c
@@ -1,38 +1,37 @@  /* - * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden).  - * All rights reserved.  - * - * Redistribution and use in source and binary forms, with or without  - * modification, are permitted provided that the following conditions  - * are met:  - * - * 1. Redistributions of source code must retain the above copyright  - *    notice, this list of conditions and the following disclaimer.  - * - * 2. Redistributions in binary form must reproduce the above copyright  - *    notice, this list of conditions and the following disclaimer in the  - *    documentation and/or other materials provided with the distribution.  - * - * 3. Neither the name of the Institute nor the names of its contributors  - *    may be used to endorse or promote products derived from this software  - *    without specific prior written permission.  - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND  - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE  - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE  - * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE  - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS  - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)  - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT  - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY  - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF  - * SUCH DAMAGE.  + * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + *    notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + *    notice, this list of conditions and the following disclaimer in the + *    documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + *    may be used to endorse or promote products derived from this software + *    without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE.   */  #include "hx_locl.h" -RCSID("$Id: print.c 22420 2008-01-13 09:42:35Z lha $");  /**   * @page page_print Hx509 printing functions @@ -114,7 +113,7 @@ print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)  /**   * Print a oid to a string. - *  + *   * @param oid oid to print   * @param str allocated string, free with hx509_xfree().   * 
@@ -132,7 +131,7 @@ hx509_oid_sprint(const heim_oid *oid, char **str)  /**   * Print a oid using a hx509_vprint_func function. To print to stdout   * use hx509_print_stdout(). - *  + *   * @param oid oid to print   * @param func hx509_vprint_func to print with.   * @param ctx context variable to hx509_vprint_func function. @@ -152,7 +151,7 @@ hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)  /**   * Print a bitstring using a hx509_vprint_func function. To print to   * stdout use hx509_print_stdout(). - *  + *   * @param b bit string to print.   * @param func hx509_vprint_func to print with.   * @param ctx context variable to hx509_vprint_func function. @@ -164,11 +163,11 @@ void  hx509_bitstring_print(const heim_bit_string *b,  		      hx509_vprint_func func, void *ctx)  { -    int i; +    size_t i;      print_func(func, ctx, "\tlength: %d\n\t", b->length);      for (i = 0; i < (b->length + 7) / 8; i++)  	print_func(func, ctx, "%02x%s%s", -		   ((unsigned char *)b->data)[i],  +		   ((unsigned char *)b->data)[i],  		   i < (b->length - 7) / 8  		   && (i == 0 || (i % 16) != 15) ? ":" : "",  		   i != 0 && (i % 16) == 15 ? @@ -177,7 +176,7 @@ hx509_bitstring_print(const heim_bit_string *b,  /**   * Print certificate usage for a certificate to a string. - *  + *   * @param context A hx509 context.   * @param c a certificate print the keyusage for.   * @param s the return string with the keysage printed in to, free @@ -234,7 +233,7 @@ validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)      va_end(va);  } -/*  +/*   * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,   * MUST NOT critical   */ @@ -275,7 +274,7 @@ check_Null(hx509_validate_ctx ctx,  }  static int -check_subjectKeyIdentifier(hx509_validate_ctx ctx,  +check_subjectKeyIdentifier(hx509_validate_ctx ctx,  			   struct cert_status *status,  			   enum critical_flag cf,  			   const Extension *e) 
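Review bot: In hx509_bitstring_print the unchanged line `print_func(func, ctx, "\tlength: %d\n\t", b->length);` still formats the length with `%d`, although the index was just widened to `size_t` to match it. If `b->length` is a `size_t` (its declaration is not visible here), the varargs mismatch is undefined behaviour on LP64 targets; `"\tlength: %lu\n\t", (unsigned long)b->length` would be a matching form. With an unsigned length, `(b->length - 7) / 8` also wraps for bit strings shorter than 7 bits, so the separator test is true for the only byte; if the intent is "not the last byte", `i + 1 < (b->length + 7) / 8` says that without the subtraction. The function body continues past the end of this hunk.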
@@ -287,7 +286,7 @@ check_subjectKeyIdentifier(hx509_validate_ctx ctx,      status->haveSKI = 1;      check_Null(ctx, status, cf, e); -    ret = decode_SubjectKeyIdentifier(e->extnValue.data,  +    ret = decode_SubjectKeyIdentifier(e->extnValue.data,  				      e->extnValue.length,  				      &si, &size);      if (ret) { @@ -323,7 +322,7 @@ check_subjectKeyIdentifier(hx509_validate_ctx ctx,  }  static int -check_authorityKeyIdentifier(hx509_validate_ctx ctx,  +check_authorityKeyIdentifier(hx509_validate_ctx ctx,  			     struct cert_status *status,  			     enum critical_flag cf,  			     const Extension *e) @@ -335,10 +334,7 @@ check_authorityKeyIdentifier(hx509_validate_ctx ctx,      status->haveAKI = 1;      check_Null(ctx, status, cf, e); -    status->haveSKI = 1; -    check_Null(ctx, status, cf, e); - -    ret = decode_AuthorityKeyIdentifier(e->extnValue.data,  +    ret = decode_AuthorityKeyIdentifier(e->extnValue.data,  					e->extnValue.length,  					&ai, &size);      if (ret) { 
@@ -365,6 +361,56 @@ check_authorityKeyIdentifier(hx509_validate_ctx ctx,      return 0;  } +static int +check_extKeyUsage(hx509_validate_ctx ctx, +		  struct cert_status *status, +		  enum critical_flag cf, +		  const Extension *e) +{ +    ExtKeyUsage eku; +    size_t size, i; +    int ret; + +    check_Null(ctx, status, cf, e); + +    ret = decode_ExtKeyUsage(e->extnValue.data, +			     e->extnValue.length, +			     &eku, &size); +    if (ret) { +	validate_print(ctx, HX509_VALIDATE_F_VALIDATE, +		       "Decoding ExtKeyUsage failed: %d", ret); +	return 1; +    } +    if (size != e->extnValue.length) { +	validate_print(ctx, HX509_VALIDATE_F_VALIDATE, +		       "Padding data in EKU"); +	free_ExtKeyUsage(&eku); +	return 1; +    } +    if (eku.len == 0) { +	validate_print(ctx, HX509_VALIDATE_F_VALIDATE, +		       "ExtKeyUsage length is 0"); +	return 1; +    } + +    for (i = 0; i < eku.len; i++) { +	char *str; +	ret = der_print_heim_oid (&eku.val[i], '.', &str); +	if (ret) { +	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE, +			   "\tEKU: failed to print oid %d", i); +	    free_ExtKeyUsage(&eku); +	    return 1; +	} +	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, +		       "\teku-%d: %s\n", i, str);; +	free(str); +    } + +    free_ExtKeyUsage(&eku); + +    return 0; +}  static int  check_pkinit_san(hx509_validate_ctx ctx, heim_any *a) @@ -389,7 +435,7 @@ check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)      /* print kerberos principal, add code to quote / within components */      for (i = 0; i < kn.principalName.name_string.len; i++) { -	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",  +	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",  		       kn.principalName.name_string.val[i]);  	if (i + 1 < kn.principalName.name_string.len)  	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/"); 
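Review bot: The `eku.len == 0` branch of the new check_extKeyUsage returns 1 without calling `free_ExtKeyUsage(&eku)`, unlike the padding branch just above it and the OID-print failure path in the loop. Add `free_ExtKeyUsage(&eku);` before that `return 1;` so every exit after a successful decode of the certificate-supplied extension releases the structure. Both messages that print the loop index pass a `size_t` to `%d` (`"\tEKU: failed to print oid %d", i` and `"\teku-%d: %s\n", i, str`); cast the argument, e.g. `(int)i`, or use a specifier that matches. The doubled `;;` after the verbose print is harmless but should be a single `;`.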
@@ -428,18 +474,19 @@ check_altnull(hx509_validate_ctx ctx, heim_any *a)  }  static int -check_CRLDistributionPoints(hx509_validate_ctx ctx,  +check_CRLDistributionPoints(hx509_validate_ctx ctx,  			   struct cert_status *status,  			   enum critical_flag cf,  			   const Extension *e)  {      CRLDistributionPoints dp;      size_t size; -    int ret, i; +    int ret; +    size_t i;      check_Null(ctx, status, cf, e); -    ret = decode_CRLDistributionPoints(e->extnValue.data,  +    ret = decode_CRLDistributionPoints(e->extnValue.data,  				       e->extnValue.length,  				       &dp, &size);      if (ret) { @@ -453,12 +500,12 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,  	if (dp.val[i].distributionPoint) {  	    DistributionPointName dpname;  	    heim_any *data = dp.val[i].distributionPoint; -	    int j; -	     +	    size_t j; +  	    ret = decode_DistributionPointName(data->data, data->length,  					       &dpname, NULL);  	    if (ret) { -		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  			       "Failed to parse CRL Distribution Point Name: %d\n", ret);  		continue;  	    } @@ -466,7 +513,7 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,  	    switch (dpname.element) {  	    case choice_DistributionPointName_fullName:  		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n"); -		 +  		for (j = 0 ; j < dpname.u.fullName.len; j++) {  		    char *s;  		    GeneralName *name = &dpname.u.fullName.val[j]; 
@@ -500,14 +547,14 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx,  struct {      const char *name; -    const heim_oid *(*oid)(void); +    const heim_oid *oid;      int (*func)(hx509_validate_ctx, heim_any *); -} check_altname[] = { -    { "pk-init", oid_id_pkinit_san, check_pkinit_san }, -    { "jabber", oid_id_pkix_on_xmppAddr, check_utf8_string_san }, -    { "dns-srv", oid_id_pkix_on_dnsSRV, check_altnull }, -    { "card-id", oid_id_uspkicommon_card_id, check_altnull }, -    { "Microsoft NT-PRINCIPAL-NAME", oid_id_pkinit_ms_san, check_utf8_string_san } +} altname_types[] = { +    { "pk-init", &asn1_oid_id_pkinit_san, check_pkinit_san }, +    { "jabber", &asn1_oid_id_pkix_on_xmppAddr, check_utf8_string_san }, +    { "dns-srv", &asn1_oid_id_pkix_on_dnsSRV, check_altnull }, +    { "card-id", &asn1_oid_id_uspkicommon_card_id, check_altnull }, +    { "Microsoft NT-PRINCIPAL-NAME", &asn1_oid_id_pkinit_ms_san, check_utf8_string_san }  };  static int @@ -519,7 +566,8 @@ check_altName(hx509_validate_ctx ctx,  {      GeneralNames gn;      size_t size; -    int ret, i; +    int ret; +    size_t i;      check_Null(ctx, status, cf, e); @@ -532,7 +580,7 @@ check_altName(hx509_validate_ctx ctx,  			      &gn, &size);      if (ret) {  	validate_print(ctx, HX509_VALIDATE_F_VALIDATE, -		       "\tret = %d while decoding %s GeneralNames\n",  +		       "\tret = %d while decoding %s GeneralNames\n",  		       ret, name);  	return 1;      } 
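Review bot: `altname_types[]` is defined as a writable array with external linkage, although the hunks here only use it as a lookup table whose `func` pointers are called directly from check_altName. Declaring it `static const struct { ... } altname_types[] = {` would place the OID and handler pointers in read-only data and keep the name out of the global namespace. The same applies to `check_extension[]` in the later hunk at `@@ -704,14 +753,14 @@`. Whether another translation unit refers to either name is not visible from this diff, so confirm that before adding `static`.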
@@ -550,17 +598,17 @@ check_altName(hx509_validate_ctx ctx,  	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,  			   "%sAltName otherName ", name); -	    for (j = 0; j < sizeof(check_altname)/sizeof(check_altname[0]); j++) { -		if (der_heim_oid_cmp((*check_altname[j].oid)(),  +	    for (j = 0; j < sizeof(altname_types)/sizeof(altname_types[0]); j++) { +		if (der_heim_oid_cmp(altname_types[j].oid,  				     &gn.val[i].u.otherName.type_id) != 0)  		    continue; -		 -		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",  -			       check_altname[j].name); -		(*check_altname[j].func)(ctx, &gn.val[i].u.otherName.value); + +		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ", +			       altname_types[j].name); +		(*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);  		break;  	    } -	    if (j == sizeof(check_altname)/sizeof(check_altname[0])) { +	    if (j == sizeof(altname_types)/sizeof(altname_types[0])) {  		hx509_oid_print(&gn.val[i].u.otherName.type_id,  				validate_vprint, ctx);  		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown"); @@ -610,9 +658,9 @@ check_issuerAltName(hx509_validate_ctx ctx,  static int -check_basicConstraints(hx509_validate_ctx ctx,  +check_basicConstraints(hx509_validate_ctx ctx,  		       struct cert_status *status, -		       enum critical_flag cf,  +		       enum critical_flag cf,  		       const Extension *e)  {      BasicConstraints b; @@ -620,7 +668,7 @@ check_basicConstraints(hx509_validate_ctx ctx,      int ret;      check_Null(ctx, status, cf, e); -     +      ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,  				  &b, &size);      if (ret) { @@ -653,9 +701,9 @@ check_basicConstraints(hx509_validate_ctx ctx,  }  static int -check_proxyCertInfo(hx509_validate_ctx ctx,  +check_proxyCertInfo(hx509_validate_ctx ctx,  		    struct cert_status *status, -		    enum critical_flag cf,  +		    enum critical_flag cf,  		    const Extension *e)  {      check_Null(ctx, status, cf, e); 
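Review bot: In the otherName loop of check_altName the result of `(*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);` is discarded, so a handler that fails to decode a certificate-supplied otherName value cannot affect what check_altName reports. The handlers are declared as returning `int`; consider `ret = (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);` and carrying a non-zero result into the function's return value. The rest of check_altName lies outside this hunk, so how its return value is assembled is not visible here. The element count `sizeof(altname_types)/sizeof(altname_types[0])` is written out twice and would read better as one named constant.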
@@ -664,18 +712,19 @@ check_proxyCertInfo(hx509_validate_ctx ctx,  }  static int -check_authorityInfoAccess(hx509_validate_ctx ctx,  +check_authorityInfoAccess(hx509_validate_ctx ctx,  			  struct cert_status *status, -			  enum critical_flag cf,  +			  enum critical_flag cf,  			  const Extension *e)  {      AuthorityInfoAccessSyntax aia;      size_t size; -    int ret, i; +    int ret; +    size_t i;      check_Null(ctx, status, cf, e); -    ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,  +    ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,  					   e->extnValue.length,  					   &aia, &size);      if (ret) { @@ -704,14 +753,14 @@ check_authorityInfoAccess(hx509_validate_ctx ctx,  struct {      const char *name; -    const heim_oid *(*oid)(void); -    int (*func)(hx509_validate_ctx ctx,  +    const heim_oid *oid; +    int (*func)(hx509_validate_ctx ctx,  		struct cert_status *status, -		enum critical_flag cf,  +		enum critical_flag cf,  		const Extension *);      enum critical_flag cf;  } check_extension[] = { -#define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname  +#define ext(name, checkname) #name, &asn1_oid_id_x509_ce_##name, check_##checkname      { ext(subjectDirectoryAttributes, Null), M_N_C },      { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },      { ext(keyUsage, Null), S_C }, 
@@ -727,28 +776,28 @@ struct {      { ext(certificateIssuer, Null), M_C },      { ext(nameConstraints, Null), M_C },      { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C }, -    { ext(certificatePolicies, Null) }, +    { ext(certificatePolicies, Null), 0 },      { ext(policyMappings, Null), M_N_C },      { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },      { ext(policyConstraints, Null), D_C }, -    { ext(extKeyUsage, Null), D_C }, +    { ext(extKeyUsage, extKeyUsage), D_C },      { ext(freshestCRL, Null), M_N_C },      { ext(inhibitAnyPolicy, Null), M_C },  #undef ext -#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname  +#define ext(name, checkname) #name, &asn1_oid_id_pkix_pe_##name, check_##checkname      { ext(proxyCertInfo, proxyCertInfo), M_C },      { ext(authorityInfoAccess, authorityInfoAccess), M_C },  #undef ext -    { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim,  +    { "US Fed PKI - PIV Interim", &asn1_oid_id_uspkicommon_piv_interim,        check_Null, D_C }, -    { "Netscape cert comment", oid_id_netscape_cert_comment,  +    { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,        check_Null, D_C }, -    { NULL } +    { NULL, NULL, NULL, 0 }  };  /**   * Allocate a hx509 validation/printing context. - *  + *   * @param context A hx509 context.   * @param ctx a new allocated hx509 validation context, free with   * hx509_validate_ctx_free(). @@ -770,7 +819,7 @@ hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)  /**   * Set the printing functions for the validation context. - *  + *   * @param ctx a hx509 valication context.   * @param func the printing function to usea.   * @param c the context variable to the printing function. 
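Review bot: The `certificatePolicies` row and the table terminator now fill the `cf` field with a bare `0`, but `cf` is an `enum critical_flag` and every other row names an enumerator. Spelling it out, e.g. `{ ext(certificatePolicies, Null), D_C },` if `D_C` is the zero-valued "don't care" entry, makes the criticality policy for that extension explicit rather than implied. The enum definition and the start of the `check_extension[]` table are outside this hunk, so the enumerator name should be checked against them.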
@@ -781,7 +830,7 @@ hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)   */  void -hx509_validate_ctx_set_print(hx509_validate_ctx ctx,  +hx509_validate_ctx_set_print(hx509_validate_ctx ctx,  			     hx509_vprint_func func,  			     void *c)  { @@ -792,7 +841,7 @@ hx509_validate_ctx_set_print(hx509_validate_ctx ctx,  /**   * Add flags to control the behaivor of the hx509_validate_cert()   * function. - *  + *   * @param ctx A hx509 validation context.   * @param flags flags to add to the validation context.   * @@ -809,7 +858,7 @@ hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)  /**   * Free an hx509 validate context. - *  + *   * @param ctx the hx509 validate context to free.   *   * @ingroup hx509_print @@ -823,7 +872,7 @@ hx509_validate_ctx_free(hx509_validate_ctx ctx)  /**   * Validate/Print the status of the certificate. - *  + *   * @param context A hx509 context.   * @param ctx A hx509 validation context.   * @param cert the cerificate to validate/print. @@ -850,11 +899,11 @@ hx509_validate_cert(hx509_context context,      if (_hx509_cert_get_version(c) != 3)  	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,  		       "Not version 3 certificate\n"); -     +      if ((t->version == NULL || *t->version < 2) && t->extensions)  	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  		       "Not version 3 certificate with extensions\n"); -	 +      if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)  	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  		       "Version 3 certificate without extensions\n"); @@ -890,7 +939,7 @@ hx509_validate_cert(hx509_context context,      free(str);      if (t->extensions) { -	int i, j; +	size_t i, j;  	if (t->extensions->len == 0) {  	    validate_print(ctx, 
@@ -902,7 +951,7 @@ hx509_validate_cert(hx509_context context,  	for (i = 0; i < t->extensions->len; i++) {  	    for (j = 0; check_extension[j].name; j++) -		if (der_heim_oid_cmp((*check_extension[j].oid)(), +		if (der_heim_oid_cmp(check_extension[j].oid,  				     &t->extensions->val[i].extnID) == 0)  		    break;  	    if (check_extension[j].name == NULL) { @@ -913,7 +962,7 @@ hx509_validate_cert(hx509_context context,  		if (t->extensions->val[i].critical)  		    validate_print(ctx, flags, "and is CRITICAL ");  		if (ctx->flags & flags) -		    hx509_oid_print(&t->extensions->val[i].extnID,  +		    hx509_oid_print(&t->extensions->val[i].extnID,  				    validate_vprint, ctx);  		validate_print(ctx, flags, " is\n");  		continue; 
@@ -929,57 +978,57 @@ hx509_validate_cert(hx509_context context,  	}      } else  	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n"); -	 +      if (status.isca) {  	if (!status.haveSKI) -	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  			   "CA certificate have no SubjectKeyIdentifier\n");      } else {  	if (!status.haveAKI) -	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  			   "Is not CA and doesn't have "  			   "AuthorityKeyIdentifier\n");      } -	     +      if (!status.haveSKI) -	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  		       "Doesn't have SubjectKeyIdentifier\n");      if (status.isproxy && status.isca) -	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  		       "Proxy and CA at the same time!\n");      if (status.isproxy) {  	if (status.haveSAN) -	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  			   "Proxy and have SAN\n");  	if (status.haveIAN) -	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  			   "Proxy and have IAN\n");      }      if (hx509_name_is_null_p(subject) && !status.haveSAN) -	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  		       "NULL subject DN and doesn't have a SAN\n");      if (!status.selfsigned && !status.haveCRLDP) -	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  		       "Not a CA nor PROXY and doesn't have"  		       "CRL Dist Point\n");      if (status.selfsigned) {  	ret = _hx509_verify_signature_bitstring(context, -						c, +						cert,  						&c->signatureAlgorithm,  						&c->tbsCertificate._save,  						&c->signatureValue);  	if (ret == 0) -	    validate_print(ctx, 
HX509_VALIDATE_F_VERBOSE,  +	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,  			   "Self-signed certificate was self-signed\n");  	else -	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  +	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,  			   "Self-signed certificate NOT really self-signed!\n");      } | 
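Review bot: The CRL distribution point warning is built from the adjacent literals `"Not a CA nor PROXY and doesn't have"` and `"CRL Dist Point\n"`, which concatenate to "haveCRL Dist Point"; the first literal needs a trailing space, `"Not a CA nor PROXY and doesn't have "`. The guarding condition is `!status.selfsigned && !status.haveCRLDP`, so the wording about CA and proxy does not match what is actually tested, and the message would be more accurate if it mentioned self-signed instead. In the self-signed branch a failed `_hx509_verify_signature_bitstring` call only prints a message in the lines shown; whether hx509_validate_cert also returns an error for that case is outside this hunk and worth confirming.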
