1 /*
2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35
36 /**
37 * @page page_print Hx509 printing functions
38 *
39 * See the library functions here: @ref hx509_print
40 */
41
42 struct hx509_validate_ctx_data {
43 int flags;
44 hx509_vprint_func vprint_func;
45 void *ctx;
46 };
47
48 struct cert_status {
49 unsigned int selfsigned:1;
50 unsigned int isca:1;
51 unsigned int isproxy:1;
52 unsigned int haveSAN:1;
53 unsigned int haveIAN:1;
54 unsigned int haveSKI:1;
55 unsigned int haveAKI:1;
56 unsigned int haveCRLDP:1;
57 };
58
59
60 /*
61 *
62 */
63
64 static int
Time2string(const Time * T,char ** str)65 Time2string(const Time *T, char **str)
66 {
67 time_t t;
68 char *s;
69 struct tm *tm;
70
71 *str = NULL;
72 t = _hx509_Time2time_t(T);
73 tm = gmtime (&t);
74 s = malloc(30);
75 if (s == NULL)
76 return ENOMEM;
77 strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
78 *str = s;
79 return 0;
80 }
81
82 /**
83 * Helper function to print on stdout for:
84 * - hx509_oid_print(),
85 * - hx509_bitstring_print(),
86 * - hx509_validate_ctx_set_print().
87 *
88 * @param ctx the context to the print function. If the ctx is NULL,
89 * stdout is used.
90 * @param fmt the printing format.
91 * @param va the argumet list.
92 *
93 * @ingroup hx509_print
94 */
95
96 void
hx509_print_stdout(void * ctx,const char * fmt,va_list va)97 hx509_print_stdout(void *ctx, const char *fmt, va_list va)
98 {
99 FILE *f = ctx;
100 if (f == NULL)
101 f = stdout;
102 vfprintf(f, fmt, va);
103 }
104
105 static void
print_func(hx509_vprint_func func,void * ctx,const char * fmt,...)106 print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
107 {
108 va_list va;
109 va_start(va, fmt);
110 (*func)(ctx, fmt, va);
111 va_end(va);
112 }
113
114 /**
115 * Print a oid to a string.
116 *
117 * @param oid oid to print
118 * @param str allocated string, free with hx509_xfree().
119 *
120 * @return An hx509 error code, see hx509_get_error_string().
121 *
122 * @ingroup hx509_print
123 */
124
125 int
hx509_oid_sprint(const heim_oid * oid,char ** str)126 hx509_oid_sprint(const heim_oid *oid, char **str)
127 {
128 return der_print_heim_oid(oid, '.', str);
129 }
130
131 /**
132 * Print a oid using a hx509_vprint_func function. To print to stdout
133 * use hx509_print_stdout().
134 *
135 * @param oid oid to print
136 * @param func hx509_vprint_func to print with.
137 * @param ctx context variable to hx509_vprint_func function.
138 *
139 * @ingroup hx509_print
140 */
141
142 void
hx509_oid_print(const heim_oid * oid,hx509_vprint_func func,void * ctx)143 hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
144 {
145 char *str;
146 hx509_oid_sprint(oid, &str);
147 print_func(func, ctx, "%s", str);
148 free(str);
149 }
150
151 /**
152 * Print a bitstring using a hx509_vprint_func function. To print to
153 * stdout use hx509_print_stdout().
154 *
155 * @param b bit string to print.
156 * @param func hx509_vprint_func to print with.
157 * @param ctx context variable to hx509_vprint_func function.
158 *
159 * @ingroup hx509_print
160 */
161
162 void
hx509_bitstring_print(const heim_bit_string * b,hx509_vprint_func func,void * ctx)163 hx509_bitstring_print(const heim_bit_string *b,
164 hx509_vprint_func func, void *ctx)
165 {
166 size_t i;
167 print_func(func, ctx, "\tlength: %d\n\t", b->length);
168 for (i = 0; i < (b->length + 7) / 8; i++)
169 print_func(func, ctx, "%02x%s%s",
170 ((unsigned char *)b->data)[i],
171 i < (b->length - 7) / 8
172 && (i == 0 || (i % 16) != 15) ? ":" : "",
173 i != 0 && (i % 16) == 15 ?
174 (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
175 }
176
177 /**
178 * Print certificate usage for a certificate to a string.
179 *
180 * @param context A hx509 context.
181 * @param c a certificate print the keyusage for.
182 * @param s the return string with the keysage printed in to, free
183 * with hx509_xfree().
184 *
185 * @return An hx509 error code, see hx509_get_error_string().
186 *
187 * @ingroup hx509_print
188 */
189
190 int
hx509_cert_keyusage_print(hx509_context context,hx509_cert c,char ** s)191 hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
192 {
193 KeyUsage ku;
194 char buf[256];
195 int ret;
196
197 *s = NULL;
198
199 ret = _hx509_cert_get_keyusage(context, c, &ku);
200 if (ret)
201 return ret;
202 unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
203 *s = strdup(buf);
204 if (*s == NULL) {
205 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
206 return ENOMEM;
207 }
208
209 return 0;
210 }
211
212 /*
213 *
214 */
215
216 static void
validate_vprint(void * c,const char * fmt,va_list va)217 validate_vprint(void *c, const char *fmt, va_list va)
218 {
219 hx509_validate_ctx ctx = c;
220 if (ctx->vprint_func == NULL)
221 return;
222 (ctx->vprint_func)(ctx->ctx, fmt, va);
223 }
224
225 static void
validate_print(hx509_validate_ctx ctx,int flags,const char * fmt,...)226 validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
227 {
228 va_list va;
229 if ((ctx->flags & flags) == 0)
230 return;
231 va_start(va, fmt);
232 validate_vprint(ctx, fmt, va);
233 va_end(va);
234 }
235
236 /*
237 * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
238 * MUST NOT critical
239 */
240 enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
241
242 static int
check_Null(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)243 check_Null(hx509_validate_ctx ctx,
244 struct cert_status *status,
245 enum critical_flag cf, const Extension *e)
246 {
247 switch(cf) {
248 case D_C:
249 break;
250 case S_C:
251 if (!e->critical)
252 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
253 "\tCritical not set on SHOULD\n");
254 break;
255 case S_N_C:
256 if (e->critical)
257 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
258 "\tCritical set on SHOULD NOT\n");
259 break;
260 case M_C:
261 if (!e->critical)
262 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
263 "\tCritical not set on MUST\n");
264 break;
265 case M_N_C:
266 if (e->critical)
267 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
268 "\tCritical set on MUST NOT\n");
269 break;
270 default:
271 _hx509_abort("internal check_Null state error");
272 }
273 return 0;
274 }
275
276 static int
check_subjectKeyIdentifier(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)277 check_subjectKeyIdentifier(hx509_validate_ctx ctx,
278 struct cert_status *status,
279 enum critical_flag cf,
280 const Extension *e)
281 {
282 SubjectKeyIdentifier si;
283 size_t size;
284 int ret;
285
286 status->haveSKI = 1;
287 check_Null(ctx, status, cf, e);
288
289 ret = decode_SubjectKeyIdentifier(e->extnValue.data,
290 e->extnValue.length,
291 &si, &size);
292 if (ret) {
293 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
294 "Decoding SubjectKeyIdentifier failed: %d", ret);
295 return 1;
296 }
297 if (size != e->extnValue.length) {
298 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
299 "Decoding SKI ahve extra bits on the end");
300 return 1;
301 }
302 if (si.length == 0)
303 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
304 "SKI is too short (0 bytes)");
305 if (si.length > 20)
306 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
307 "SKI is too long");
308
309 {
310 char *id;
311 hex_encode(si.data, si.length, &id);
312 if (id) {
313 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
314 "\tsubject key id: %s\n", id);
315 free(id);
316 }
317 }
318
319 free_SubjectKeyIdentifier(&si);
320
321 return 0;
322 }
323
324 static int
check_authorityKeyIdentifier(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)325 check_authorityKeyIdentifier(hx509_validate_ctx ctx,
326 struct cert_status *status,
327 enum critical_flag cf,
328 const Extension *e)
329 {
330 AuthorityKeyIdentifier ai;
331 size_t size;
332 int ret;
333
334 status->haveAKI = 1;
335 check_Null(ctx, status, cf, e);
336
337 ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
338 e->extnValue.length,
339 &ai, &size);
340 if (ret) {
341 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
342 "Decoding AuthorityKeyIdentifier failed: %d", ret);
343 return 1;
344 }
345 if (size != e->extnValue.length) {
346 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
347 "Decoding SKI ahve extra bits on the end");
348 return 1;
349 }
350
351 if (ai.keyIdentifier) {
352 char *id;
353 hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
354 if (id) {
355 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
356 "\tauthority key id: %s\n", id);
357 free(id);
358 }
359 }
360
361 return 0;
362 }
363
364 static int
check_extKeyUsage(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)365 check_extKeyUsage(hx509_validate_ctx ctx,
366 struct cert_status *status,
367 enum critical_flag cf,
368 const Extension *e)
369 {
370 ExtKeyUsage eku;
371 size_t size, i;
372 int ret;
373
374 check_Null(ctx, status, cf, e);
375
376 ret = decode_ExtKeyUsage(e->extnValue.data,
377 e->extnValue.length,
378 &eku, &size);
379 if (ret) {
380 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
381 "Decoding ExtKeyUsage failed: %d", ret);
382 return 1;
383 }
384 if (size != e->extnValue.length) {
385 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
386 "Padding data in EKU");
387 free_ExtKeyUsage(&eku);
388 return 1;
389 }
390 if (eku.len == 0) {
391 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
392 "ExtKeyUsage length is 0");
393 return 1;
394 }
395
396 for (i = 0; i < eku.len; i++) {
397 char *str;
398 ret = der_print_heim_oid (&eku.val[i], '.', &str);
399 if (ret) {
400 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
401 "\tEKU: failed to print oid %d", i);
402 free_ExtKeyUsage(&eku);
403 return 1;
404 }
405 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
406 "\teku-%d: %s\n", i, str);;
407 free(str);
408 }
409
410 free_ExtKeyUsage(&eku);
411
412 return 0;
413 }
414
415 static int
check_pkinit_san(hx509_validate_ctx ctx,heim_any * a)416 check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
417 {
418 KRB5PrincipalName kn;
419 unsigned i;
420 size_t size;
421 int ret;
422
423 ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
424 if (ret) {
425 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
426 "Decoding kerberos name in SAN failed: %d", ret);
427 return 1;
428 }
429
430 if (size != a->length) {
431 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
432 "Decoding kerberos name have extra bits on the end");
433 return 1;
434 }
435
436 /* print kerberos principal, add code to quote / within components */
437 for (i = 0; i < kn.principalName.name_string.len; i++) {
438 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
439 kn.principalName.name_string.val[i]);
440 if (i + 1 < kn.principalName.name_string.len)
441 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
442 }
443 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
444 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
445
446 free_KRB5PrincipalName(&kn);
447 return 0;
448 }
449
450 static int
check_utf8_string_san(hx509_validate_ctx ctx,heim_any * a)451 check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
452 {
453 PKIXXmppAddr jid;
454 size_t size;
455 int ret;
456
457 ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
458 if (ret) {
459 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
460 "Decoding JID in SAN failed: %d", ret);
461 return 1;
462 }
463
464 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
465 free_PKIXXmppAddr(&jid);
466
467 return 0;
468 }
469
470 static int
check_altnull(hx509_validate_ctx ctx,heim_any * a)471 check_altnull(hx509_validate_ctx ctx, heim_any *a)
472 {
473 return 0;
474 }
475
476 static int
check_CRLDistributionPoints(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)477 check_CRLDistributionPoints(hx509_validate_ctx ctx,
478 struct cert_status *status,
479 enum critical_flag cf,
480 const Extension *e)
481 {
482 CRLDistributionPoints dp;
483 size_t size;
484 int ret;
485 size_t i;
486
487 check_Null(ctx, status, cf, e);
488
489 ret = decode_CRLDistributionPoints(e->extnValue.data,
490 e->extnValue.length,
491 &dp, &size);
492 if (ret) {
493 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
494 "Decoding CRL Distribution Points failed: %d\n", ret);
495 return 1;
496 }
497
498 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
499 for (i = 0 ; i < dp.len; i++) {
500 if (dp.val[i].distributionPoint) {
501 DistributionPointName dpname;
502 heim_any *data = dp.val[i].distributionPoint;
503 size_t j;
504
505 ret = decode_DistributionPointName(data->data, data->length,
506 &dpname, NULL);
507 if (ret) {
508 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
509 "Failed to parse CRL Distribution Point Name: %d\n", ret);
510 continue;
511 }
512
513 switch (dpname.element) {
514 case choice_DistributionPointName_fullName:
515 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
516
517 for (j = 0 ; j < dpname.u.fullName.len; j++) {
518 char *s;
519 GeneralName *name = &dpname.u.fullName.val[j];
520
521 ret = hx509_general_name_unparse(name, &s);
522 if (ret == 0 && s != NULL) {
523 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
524 free(s);
525 }
526 }
527 break;
528 case choice_DistributionPointName_nameRelativeToCRLIssuer:
529 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
530 "Unknown nameRelativeToCRLIssuer");
531 break;
532 default:
533 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
534 "Unknown DistributionPointName");
535 break;
536 }
537 free_DistributionPointName(&dpname);
538 }
539 }
540 free_CRLDistributionPoints(&dp);
541
542 status->haveCRLDP = 1;
543
544 return 0;
545 }
546
547
548 struct {
549 const char *name;
550 const heim_oid *oid;
551 int (*func)(hx509_validate_ctx, heim_any *);
552 } altname_types[] = {
553 { "pk-init", &asn1_oid_id_pkinit_san, check_pkinit_san },
554 { "jabber", &asn1_oid_id_pkix_on_xmppAddr, check_utf8_string_san },
555 { "dns-srv", &asn1_oid_id_pkix_on_dnsSRV, check_altnull },
556 { "card-id", &asn1_oid_id_uspkicommon_card_id, check_altnull },
557 { "Microsoft NT-PRINCIPAL-NAME", &asn1_oid_id_pkinit_ms_san, check_utf8_string_san }
558 };
559
560 static int
check_altName(hx509_validate_ctx ctx,struct cert_status * status,const char * name,enum critical_flag cf,const Extension * e)561 check_altName(hx509_validate_ctx ctx,
562 struct cert_status *status,
563 const char *name,
564 enum critical_flag cf,
565 const Extension *e)
566 {
567 GeneralNames gn;
568 size_t size;
569 int ret;
570 size_t i;
571
572 check_Null(ctx, status, cf, e);
573
574 if (e->extnValue.length == 0) {
575 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
576 "%sAltName empty, not allowed", name);
577 return 1;
578 }
579 ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
580 &gn, &size);
581 if (ret) {
582 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
583 "\tret = %d while decoding %s GeneralNames\n",
584 ret, name);
585 return 1;
586 }
587 if (gn.len == 0) {
588 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
589 "%sAltName generalName empty, not allowed\n", name);
590 return 1;
591 }
592
593 for (i = 0; i < gn.len; i++) {
594 switch (gn.val[i].element) {
595 case choice_GeneralName_otherName: {
596 unsigned j;
597
598 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
599 "%sAltName otherName ", name);
600
601 for (j = 0; j < sizeof(altname_types)/sizeof(altname_types[0]); j++) {
602 if (der_heim_oid_cmp(altname_types[j].oid,
603 &gn.val[i].u.otherName.type_id) != 0)
604 continue;
605
606 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
607 altname_types[j].name);
608 (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);
609 break;
610 }
611 if (j == sizeof(altname_types)/sizeof(altname_types[0])) {
612 hx509_oid_print(&gn.val[i].u.otherName.type_id,
613 validate_vprint, ctx);
614 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
615 }
616 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
617 break;
618 }
619 default: {
620 char *s;
621 ret = hx509_general_name_unparse(&gn.val[i], &s);
622 if (ret) {
623 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
624 "ret = %d unparsing GeneralName\n", ret);
625 return 1;
626 }
627 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
628 free(s);
629 break;
630 }
631 }
632 }
633
634 free_GeneralNames(&gn);
635
636 return 0;
637 }
638
639 static int
check_subjectAltName(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)640 check_subjectAltName(hx509_validate_ctx ctx,
641 struct cert_status *status,
642 enum critical_flag cf,
643 const Extension *e)
644 {
645 status->haveSAN = 1;
646 return check_altName(ctx, status, "subject", cf, e);
647 }
648
649 static int
check_issuerAltName(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)650 check_issuerAltName(hx509_validate_ctx ctx,
651 struct cert_status *status,
652 enum critical_flag cf,
653 const Extension *e)
654 {
655 status->haveIAN = 1;
656 return check_altName(ctx, status, "issuer", cf, e);
657 }
658
659
660 static int
check_basicConstraints(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)661 check_basicConstraints(hx509_validate_ctx ctx,
662 struct cert_status *status,
663 enum critical_flag cf,
664 const Extension *e)
665 {
666 BasicConstraints b;
667 size_t size;
668 int ret;
669
670 check_Null(ctx, status, cf, e);
671
672 ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
673 &b, &size);
674 if (ret) {
675 printf("\tret = %d while decoding BasicConstraints\n", ret);
676 return 0;
677 }
678 if (size != e->extnValue.length)
679 printf("\tlength of der data isn't same as extension\n");
680
681 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
682 "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
683 if (b.pathLenConstraint)
684 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
685 "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
686
687 if (b.cA) {
688 if (*b.cA) {
689 if (!e->critical)
690 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
691 "Is a CA and not BasicConstraints CRITICAL\n");
692 status->isca = 1;
693 }
694 else
695 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
696 "cA is FALSE, not allowed to be\n");
697 }
698 free_BasicConstraints(&b);
699
700 return 0;
701 }
702
703 static int
check_proxyCertInfo(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)704 check_proxyCertInfo(hx509_validate_ctx ctx,
705 struct cert_status *status,
706 enum critical_flag cf,
707 const Extension *e)
708 {
709 check_Null(ctx, status, cf, e);
710 status->isproxy = 1;
711 return 0;
712 }
713
714 static int
check_authorityInfoAccess(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)715 check_authorityInfoAccess(hx509_validate_ctx ctx,
716 struct cert_status *status,
717 enum critical_flag cf,
718 const Extension *e)
719 {
720 AuthorityInfoAccessSyntax aia;
721 size_t size;
722 int ret;
723 size_t i;
724
725 check_Null(ctx, status, cf, e);
726
727 ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
728 e->extnValue.length,
729 &aia, &size);
730 if (ret) {
731 printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
732 return 0;
733 }
734
735 for (i = 0; i < aia.len; i++) {
736 char *str;
737 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
738 "\ttype: ");
739 hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
740 hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
741 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
742 "\n\tdirname: %s\n", str);
743 free(str);
744 }
745 free_AuthorityInfoAccessSyntax(&aia);
746
747 return 0;
748 }
749
750 /*
751 *
752 */
753
754 struct {
755 const char *name;
756 const heim_oid *oid;
757 int (*func)(hx509_validate_ctx ctx,
758 struct cert_status *status,
759 enum critical_flag cf,
760 const Extension *);
761 enum critical_flag cf;
762 } check_extension[] = {
763 #define ext(name, checkname) #name, &asn1_oid_id_x509_ce_##name, check_##checkname
764 { ext(subjectDirectoryAttributes, Null), M_N_C },
765 { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
766 { ext(keyUsage, Null), S_C },
767 { ext(subjectAltName, subjectAltName), M_N_C },
768 { ext(issuerAltName, issuerAltName), S_N_C },
769 { ext(basicConstraints, basicConstraints), D_C },
770 { ext(cRLNumber, Null), M_N_C },
771 { ext(cRLReason, Null), M_N_C },
772 { ext(holdInstructionCode, Null), M_N_C },
773 { ext(invalidityDate, Null), M_N_C },
774 { ext(deltaCRLIndicator, Null), M_C },
775 { ext(issuingDistributionPoint, Null), M_C },
776 { ext(certificateIssuer, Null), M_C },
777 { ext(nameConstraints, Null), M_C },
778 { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
779 { ext(certificatePolicies, Null), 0 },
780 { ext(policyMappings, Null), M_N_C },
781 { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
782 { ext(policyConstraints, Null), D_C },
783 { ext(extKeyUsage, extKeyUsage), D_C },
784 { ext(freshestCRL, Null), M_N_C },
785 { ext(inhibitAnyPolicy, Null), M_C },
786 #undef ext
787 #define ext(name, checkname) #name, &asn1_oid_id_pkix_pe_##name, check_##checkname
788 { ext(proxyCertInfo, proxyCertInfo), M_C },
789 { ext(authorityInfoAccess, authorityInfoAccess), M_C },
790 #undef ext
791 { "US Fed PKI - PIV Interim", &asn1_oid_id_uspkicommon_piv_interim,
792 check_Null, D_C },
793 { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
794 check_Null, D_C },
795 { NULL, NULL, NULL, 0 }
796 };
797
798 /**
799 * Allocate a hx509 validation/printing context.
800 *
801 * @param context A hx509 context.
802 * @param ctx a new allocated hx509 validation context, free with
803 * hx509_validate_ctx_free().
804
805 * @return An hx509 error code, see hx509_get_error_string().
806 *
807 * @ingroup hx509_print
808 */
809
810 int
hx509_validate_ctx_init(hx509_context context,hx509_validate_ctx * ctx)811 hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
812 {
813 *ctx = malloc(sizeof(**ctx));
814 if (*ctx == NULL)
815 return ENOMEM;
816 memset(*ctx, 0, sizeof(**ctx));
817 return 0;
818 }
819
820 /**
821 * Set the printing functions for the validation context.
822 *
823 * @param ctx a hx509 valication context.
824 * @param func the printing function to usea.
825 * @param c the context variable to the printing function.
826 *
827 * @return An hx509 error code, see hx509_get_error_string().
828 *
829 * @ingroup hx509_print
830 */
831
832 void
hx509_validate_ctx_set_print(hx509_validate_ctx ctx,hx509_vprint_func func,void * c)833 hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
834 hx509_vprint_func func,
835 void *c)
836 {
837 ctx->vprint_func = func;
838 ctx->ctx = c;
839 }
840
841 /**
842 * Add flags to control the behaivor of the hx509_validate_cert()
843 * function.
844 *
845 * @param ctx A hx509 validation context.
846 * @param flags flags to add to the validation context.
847 *
848 * @return An hx509 error code, see hx509_get_error_string().
849 *
850 * @ingroup hx509_print
851 */
852
853 void
hx509_validate_ctx_add_flags(hx509_validate_ctx ctx,int flags)854 hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
855 {
856 ctx->flags |= flags;
857 }
858
859 /**
860 * Free an hx509 validate context.
861 *
862 * @param ctx the hx509 validate context to free.
863 *
864 * @ingroup hx509_print
865 */
866
867 void
hx509_validate_ctx_free(hx509_validate_ctx ctx)868 hx509_validate_ctx_free(hx509_validate_ctx ctx)
869 {
870 free(ctx);
871 }
872
873 /**
874 * Validate/Print the status of the certificate.
875 *
876 * @param context A hx509 context.
877 * @param ctx A hx509 validation context.
878 * @param cert the cerificate to validate/print.
879
880 * @return An hx509 error code, see hx509_get_error_string().
881 *
882 * @ingroup hx509_print
883 */
884
885 int
hx509_validate_cert(hx509_context context,hx509_validate_ctx ctx,hx509_cert cert)886 hx509_validate_cert(hx509_context context,
887 hx509_validate_ctx ctx,
888 hx509_cert cert)
889 {
890 Certificate *c = _hx509_get_cert(cert);
891 TBSCertificate *t = &c->tbsCertificate;
892 hx509_name issuer, subject;
893 char *str;
894 struct cert_status status;
895 int ret;
896
897 memset(&status, 0, sizeof(status));
898
899 if (_hx509_cert_get_version(c) != 3)
900 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
901 "Not version 3 certificate\n");
902
903 if ((t->version == NULL || *t->version < 2) && t->extensions)
904 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
905 "Not version 3 certificate with extensions\n");
906
907 if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
908 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
909 "Version 3 certificate without extensions\n");
910
911 ret = hx509_cert_get_subject(cert, &subject);
912 if (ret) abort();
913 hx509_name_to_string(subject, &str);
914 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
915 "subject name: %s\n", str);
916 free(str);
917
918 ret = hx509_cert_get_issuer(cert, &issuer);
919 if (ret) abort();
920 hx509_name_to_string(issuer, &str);
921 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
922 "issuer name: %s\n", str);
923 free(str);
924
925 if (hx509_name_cmp(subject, issuer) == 0) {
926 status.selfsigned = 1;
927 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
928 "\tis a self-signed certificate\n");
929 }
930
931 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
932 "Validity:\n");
933
934 Time2string(&t->validity.notBefore, &str);
935 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
936 free(str);
937 Time2string(&t->validity.notAfter, &str);
938 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str);
939 free(str);
940
941 if (t->extensions) {
942 size_t i, j;
943
944 if (t->extensions->len == 0) {
945 validate_print(ctx,
946 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
947 "The empty extensions list is not "
948 "allowed by PKIX\n");
949 }
950
951 for (i = 0; i < t->extensions->len; i++) {
952
953 for (j = 0; check_extension[j].name; j++)
954 if (der_heim_oid_cmp(check_extension[j].oid,
955 &t->extensions->val[i].extnID) == 0)
956 break;
957 if (check_extension[j].name == NULL) {
958 int flags = HX509_VALIDATE_F_VERBOSE;
959 if (t->extensions->val[i].critical)
960 flags |= HX509_VALIDATE_F_VALIDATE;
961 validate_print(ctx, flags, "don't know what ");
962 if (t->extensions->val[i].critical)
963 validate_print(ctx, flags, "and is CRITICAL ");
964 if (ctx->flags & flags)
965 hx509_oid_print(&t->extensions->val[i].extnID,
966 validate_vprint, ctx);
967 validate_print(ctx, flags, " is\n");
968 continue;
969 }
970 validate_print(ctx,
971 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
972 "checking extention: %s\n",
973 check_extension[j].name);
974 (*check_extension[j].func)(ctx,
975 &status,
976 check_extension[j].cf,
977 &t->extensions->val[i]);
978 }
979 } else
980 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
981
982 if (status.isca) {
983 if (!status.haveSKI)
984 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
985 "CA certificate have no SubjectKeyIdentifier\n");
986
987 } else {
988 if (!status.haveAKI)
989 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
990 "Is not CA and doesn't have "
991 "AuthorityKeyIdentifier\n");
992 }
993
994
995 if (!status.haveSKI)
996 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
997 "Doesn't have SubjectKeyIdentifier\n");
998
999 if (status.isproxy && status.isca)
1000 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1001 "Proxy and CA at the same time!\n");
1002
1003 if (status.isproxy) {
1004 if (status.haveSAN)
1005 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1006 "Proxy and have SAN\n");
1007 if (status.haveIAN)
1008 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1009 "Proxy and have IAN\n");
1010 }
1011
1012 if (hx509_name_is_null_p(subject) && !status.haveSAN)
1013 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1014 "NULL subject DN and doesn't have a SAN\n");
1015
1016 if (!status.selfsigned && !status.haveCRLDP)
1017 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1018 "Not a CA nor PROXY and doesn't have"
1019 "CRL Dist Point\n");
1020
1021 if (status.selfsigned) {
1022 ret = _hx509_verify_signature_bitstring(context,
1023 cert,
1024 &c->signatureAlgorithm,
1025 &c->tbsCertificate._save,
1026 &c->signatureValue);
1027 if (ret == 0)
1028 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1029 "Self-signed certificate was self-signed\n");
1030 else
1031 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1032 "Self-signed certificate NOT really self-signed!\n");
1033 }
1034
1035 hx509_name_free(&subject);
1036 hx509_name_free(&issuer);
1037
1038 return 0;
1039 }
1040