1 /*
2  * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "hx_locl.h"
35 
36 /**
37  * @page page_print Hx509 printing functions
38  *
39  * See the library functions here: @ref hx509_print
40  */
41 
42 struct hx509_validate_ctx_data {
43     int flags;
44     hx509_vprint_func vprint_func;
45     void *ctx;
46 };
47 
48 struct cert_status {
49     unsigned int selfsigned:1;
50     unsigned int isca:1;
51     unsigned int isproxy:1;
52     unsigned int haveSAN:1;
53     unsigned int haveIAN:1;
54     unsigned int haveSKI:1;
55     unsigned int haveAKI:1;
56     unsigned int haveCRLDP:1;
57 };
58 
59 
60 /*
61  *
62  */
63 
64 static int
Time2string(const Time * T,char ** str)65 Time2string(const Time *T, char **str)
66 {
67     time_t t;
68     char *s;
69     struct tm *tm;
70 
71     *str = NULL;
72     t = _hx509_Time2time_t(T);
73     tm = gmtime (&t);
74     s = malloc(30);
75     if (s == NULL)
76 	return ENOMEM;
77     strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
78     *str = s;
79     return 0;
80 }
81 
82 /**
83  * Helper function to print on stdout for:
84  * - hx509_oid_print(),
85  * - hx509_bitstring_print(),
86  * - hx509_validate_ctx_set_print().
87  *
88  * @param ctx the context to the print function. If the ctx is NULL,
89  * stdout is used.
90  * @param fmt the printing format.
91  * @param va the argumet list.
92  *
93  * @ingroup hx509_print
94  */
95 
96 void
hx509_print_stdout(void * ctx,const char * fmt,va_list va)97 hx509_print_stdout(void *ctx, const char *fmt, va_list va)
98 {
99     FILE *f = ctx;
100     if (f == NULL)
101 	f = stdout;
102     vfprintf(f, fmt, va);
103 }
104 
105 static void
print_func(hx509_vprint_func func,void * ctx,const char * fmt,...)106 print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
107 {
108     va_list va;
109     va_start(va, fmt);
110     (*func)(ctx, fmt, va);
111     va_end(va);
112 }
113 
114 /**
115  * Print a oid to a string.
116  *
117  * @param oid oid to print
118  * @param str allocated string, free with hx509_xfree().
119  *
120  * @return An hx509 error code, see hx509_get_error_string().
121  *
122  * @ingroup hx509_print
123  */
124 
125 int
hx509_oid_sprint(const heim_oid * oid,char ** str)126 hx509_oid_sprint(const heim_oid *oid, char **str)
127 {
128     return der_print_heim_oid(oid, '.', str);
129 }
130 
131 /**
132  * Print a oid using a hx509_vprint_func function. To print to stdout
133  * use hx509_print_stdout().
134  *
135  * @param oid oid to print
136  * @param func hx509_vprint_func to print with.
137  * @param ctx context variable to hx509_vprint_func function.
138  *
139  * @ingroup hx509_print
140  */
141 
142 void
hx509_oid_print(const heim_oid * oid,hx509_vprint_func func,void * ctx)143 hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
144 {
145     char *str;
146     hx509_oid_sprint(oid, &str);
147     print_func(func, ctx, "%s", str);
148     free(str);
149 }
150 
151 /**
152  * Print a bitstring using a hx509_vprint_func function. To print to
153  * stdout use hx509_print_stdout().
154  *
155  * @param b bit string to print.
156  * @param func hx509_vprint_func to print with.
157  * @param ctx context variable to hx509_vprint_func function.
158  *
159  * @ingroup hx509_print
160  */
161 
162 void
hx509_bitstring_print(const heim_bit_string * b,hx509_vprint_func func,void * ctx)163 hx509_bitstring_print(const heim_bit_string *b,
164 		      hx509_vprint_func func, void *ctx)
165 {
166     size_t i;
167     print_func(func, ctx, "\tlength: %d\n\t", b->length);
168     for (i = 0; i < (b->length + 7) / 8; i++)
169 	print_func(func, ctx, "%02x%s%s",
170 		   ((unsigned char *)b->data)[i],
171 		   i < (b->length - 7) / 8
172 		   && (i == 0 || (i % 16) != 15) ? ":" : "",
173 		   i != 0 && (i % 16) == 15 ?
174 		   (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
175 }
176 
177 /**
178  * Print certificate usage for a certificate to a string.
179  *
180  * @param context A hx509 context.
181  * @param c a certificate print the keyusage for.
182  * @param s the return string with the keysage printed in to, free
183  * with hx509_xfree().
184  *
185  * @return An hx509 error code, see hx509_get_error_string().
186  *
187  * @ingroup hx509_print
188  */
189 
190 int
hx509_cert_keyusage_print(hx509_context context,hx509_cert c,char ** s)191 hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
192 {
193     KeyUsage ku;
194     char buf[256];
195     int ret;
196 
197     *s = NULL;
198 
199     ret = _hx509_cert_get_keyusage(context, c, &ku);
200     if (ret)
201 	return ret;
202     unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
203     *s = strdup(buf);
204     if (*s == NULL) {
205 	hx509_set_error_string(context, 0, ENOMEM, "out of memory");
206 	return ENOMEM;
207     }
208 
209     return 0;
210 }
211 
212 /*
213  *
214  */
215 
216 static void
validate_vprint(void * c,const char * fmt,va_list va)217 validate_vprint(void *c, const char *fmt, va_list va)
218 {
219     hx509_validate_ctx ctx = c;
220     if (ctx->vprint_func == NULL)
221 	return;
222     (ctx->vprint_func)(ctx->ctx, fmt, va);
223 }
224 
225 static void
validate_print(hx509_validate_ctx ctx,int flags,const char * fmt,...)226 validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
227 {
228     va_list va;
229     if ((ctx->flags & flags) == 0)
230 	return;
231     va_start(va, fmt);
232     validate_vprint(ctx, fmt, va);
233     va_end(va);
234 }
235 
236 /*
237  * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
238  * MUST NOT critical
239  */
240 enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
241 
242 static int
check_Null(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)243 check_Null(hx509_validate_ctx ctx,
244 	   struct cert_status *status,
245 	   enum critical_flag cf, const Extension *e)
246 {
247     switch(cf) {
248     case D_C:
249 	break;
250     case S_C:
251 	if (!e->critical)
252 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
253 			   "\tCritical not set on SHOULD\n");
254 	break;
255     case S_N_C:
256 	if (e->critical)
257 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
258 			   "\tCritical set on SHOULD NOT\n");
259 	break;
260     case M_C:
261 	if (!e->critical)
262 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
263 			   "\tCritical not set on MUST\n");
264 	break;
265     case M_N_C:
266 	if (e->critical)
267 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
268 			   "\tCritical set on MUST NOT\n");
269 	break;
270     default:
271 	_hx509_abort("internal check_Null state error");
272     }
273     return 0;
274 }
275 
276 static int
check_subjectKeyIdentifier(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)277 check_subjectKeyIdentifier(hx509_validate_ctx ctx,
278 			   struct cert_status *status,
279 			   enum critical_flag cf,
280 			   const Extension *e)
281 {
282     SubjectKeyIdentifier si;
283     size_t size;
284     int ret;
285 
286     status->haveSKI = 1;
287     check_Null(ctx, status, cf, e);
288 
289     ret = decode_SubjectKeyIdentifier(e->extnValue.data,
290 				      e->extnValue.length,
291 				      &si, &size);
292     if (ret) {
293 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
294 		       "Decoding SubjectKeyIdentifier failed: %d", ret);
295 	return 1;
296     }
297     if (size != e->extnValue.length) {
298 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
299 		       "Decoding SKI ahve extra bits on the end");
300 	return 1;
301     }
302     if (si.length == 0)
303 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
304 		       "SKI is too short (0 bytes)");
305     if (si.length > 20)
306 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
307 		       "SKI is too long");
308 
309     {
310 	char *id;
311 	hex_encode(si.data, si.length, &id);
312 	if (id) {
313 	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
314 			   "\tsubject key id: %s\n", id);
315 	    free(id);
316 	}
317     }
318 
319     free_SubjectKeyIdentifier(&si);
320 
321     return 0;
322 }
323 
324 static int
check_authorityKeyIdentifier(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)325 check_authorityKeyIdentifier(hx509_validate_ctx ctx,
326 			     struct cert_status *status,
327 			     enum critical_flag cf,
328 			     const Extension *e)
329 {
330     AuthorityKeyIdentifier ai;
331     size_t size;
332     int ret;
333 
334     status->haveAKI = 1;
335     check_Null(ctx, status, cf, e);
336 
337     ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
338 					e->extnValue.length,
339 					&ai, &size);
340     if (ret) {
341 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
342 		       "Decoding AuthorityKeyIdentifier failed: %d", ret);
343 	return 1;
344     }
345     if (size != e->extnValue.length) {
346 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
347 		       "Decoding SKI ahve extra bits on the end");
348 	return 1;
349     }
350 
351     if (ai.keyIdentifier) {
352 	char *id;
353 	hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
354 	if (id) {
355 	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
356 			   "\tauthority key id: %s\n", id);
357 	    free(id);
358 	}
359     }
360 
361     return 0;
362 }
363 
364 static int
check_extKeyUsage(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)365 check_extKeyUsage(hx509_validate_ctx ctx,
366 		  struct cert_status *status,
367 		  enum critical_flag cf,
368 		  const Extension *e)
369 {
370     ExtKeyUsage eku;
371     size_t size, i;
372     int ret;
373 
374     check_Null(ctx, status, cf, e);
375 
376     ret = decode_ExtKeyUsage(e->extnValue.data,
377 			     e->extnValue.length,
378 			     &eku, &size);
379     if (ret) {
380 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
381 		       "Decoding ExtKeyUsage failed: %d", ret);
382 	return 1;
383     }
384     if (size != e->extnValue.length) {
385 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
386 		       "Padding data in EKU");
387 	free_ExtKeyUsage(&eku);
388 	return 1;
389     }
390     if (eku.len == 0) {
391 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
392 		       "ExtKeyUsage length is 0");
393 	return 1;
394     }
395 
396     for (i = 0; i < eku.len; i++) {
397 	char *str;
398 	ret = der_print_heim_oid (&eku.val[i], '.', &str);
399 	if (ret) {
400 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
401 			   "\tEKU: failed to print oid %d", i);
402 	    free_ExtKeyUsage(&eku);
403 	    return 1;
404 	}
405 	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
406 		       "\teku-%d: %s\n", i, str);;
407 	free(str);
408     }
409 
410     free_ExtKeyUsage(&eku);
411 
412     return 0;
413 }
414 
415 static int
check_pkinit_san(hx509_validate_ctx ctx,heim_any * a)416 check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
417 {
418     KRB5PrincipalName kn;
419     unsigned i;
420     size_t size;
421     int ret;
422 
423     ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
424     if (ret) {
425 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
426 		       "Decoding kerberos name in SAN failed: %d", ret);
427 	return 1;
428     }
429 
430     if (size != a->length) {
431 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
432 		       "Decoding kerberos name have extra bits on the end");
433 	return 1;
434     }
435 
436     /* print kerberos principal, add code to quote / within components */
437     for (i = 0; i < kn.principalName.name_string.len; i++) {
438 	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
439 		       kn.principalName.name_string.val[i]);
440 	if (i + 1 < kn.principalName.name_string.len)
441 	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
442     }
443     validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
444     validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
445 
446     free_KRB5PrincipalName(&kn);
447     return 0;
448 }
449 
450 static int
check_utf8_string_san(hx509_validate_ctx ctx,heim_any * a)451 check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
452 {
453     PKIXXmppAddr jid;
454     size_t size;
455     int ret;
456 
457     ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
458     if (ret) {
459 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
460 		       "Decoding JID in SAN failed: %d", ret);
461 	return 1;
462     }
463 
464     validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
465     free_PKIXXmppAddr(&jid);
466 
467     return 0;
468 }
469 
470 static int
check_altnull(hx509_validate_ctx ctx,heim_any * a)471 check_altnull(hx509_validate_ctx ctx, heim_any *a)
472 {
473     return 0;
474 }
475 
476 static int
check_CRLDistributionPoints(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)477 check_CRLDistributionPoints(hx509_validate_ctx ctx,
478 			   struct cert_status *status,
479 			   enum critical_flag cf,
480 			   const Extension *e)
481 {
482     CRLDistributionPoints dp;
483     size_t size;
484     int ret;
485     size_t i;
486 
487     check_Null(ctx, status, cf, e);
488 
489     ret = decode_CRLDistributionPoints(e->extnValue.data,
490 				       e->extnValue.length,
491 				       &dp, &size);
492     if (ret) {
493 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
494 		       "Decoding CRL Distribution Points failed: %d\n", ret);
495 	return 1;
496     }
497 
498     validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
499     for (i = 0 ; i < dp.len; i++) {
500 	if (dp.val[i].distributionPoint) {
501 	    DistributionPointName dpname;
502 	    heim_any *data = dp.val[i].distributionPoint;
503 	    size_t j;
504 
505 	    ret = decode_DistributionPointName(data->data, data->length,
506 					       &dpname, NULL);
507 	    if (ret) {
508 		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
509 			       "Failed to parse CRL Distribution Point Name: %d\n", ret);
510 		continue;
511 	    }
512 
513 	    switch (dpname.element) {
514 	    case choice_DistributionPointName_fullName:
515 		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
516 
517 		for (j = 0 ; j < dpname.u.fullName.len; j++) {
518 		    char *s;
519 		    GeneralName *name = &dpname.u.fullName.val[j];
520 
521 		    ret = hx509_general_name_unparse(name, &s);
522 		    if (ret == 0 && s != NULL) {
523 			validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "   %s\n", s);
524 			free(s);
525 		    }
526 		}
527 		break;
528 	    case choice_DistributionPointName_nameRelativeToCRLIssuer:
529 		validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
530 			       "Unknown nameRelativeToCRLIssuer");
531 		break;
532 	    default:
533 		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
534 			       "Unknown DistributionPointName");
535 		break;
536 	    }
537 	    free_DistributionPointName(&dpname);
538 	}
539     }
540     free_CRLDistributionPoints(&dp);
541 
542     status->haveCRLDP = 1;
543 
544     return 0;
545 }
546 
547 
548 struct {
549     const char *name;
550     const heim_oid *oid;
551     int (*func)(hx509_validate_ctx, heim_any *);
552 } altname_types[] = {
553     { "pk-init", &asn1_oid_id_pkinit_san, check_pkinit_san },
554     { "jabber", &asn1_oid_id_pkix_on_xmppAddr, check_utf8_string_san },
555     { "dns-srv", &asn1_oid_id_pkix_on_dnsSRV, check_altnull },
556     { "card-id", &asn1_oid_id_uspkicommon_card_id, check_altnull },
557     { "Microsoft NT-PRINCIPAL-NAME", &asn1_oid_id_pkinit_ms_san, check_utf8_string_san }
558 };
559 
560 static int
check_altName(hx509_validate_ctx ctx,struct cert_status * status,const char * name,enum critical_flag cf,const Extension * e)561 check_altName(hx509_validate_ctx ctx,
562 	      struct cert_status *status,
563 	      const char *name,
564 	      enum critical_flag cf,
565 	      const Extension *e)
566 {
567     GeneralNames gn;
568     size_t size;
569     int ret;
570     size_t i;
571 
572     check_Null(ctx, status, cf, e);
573 
574     if (e->extnValue.length == 0) {
575 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
576 		       "%sAltName empty, not allowed", name);
577 	return 1;
578     }
579     ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
580 			      &gn, &size);
581     if (ret) {
582 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
583 		       "\tret = %d while decoding %s GeneralNames\n",
584 		       ret, name);
585 	return 1;
586     }
587     if (gn.len == 0) {
588 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
589 		       "%sAltName generalName empty, not allowed\n", name);
590 	return 1;
591     }
592 
593     for (i = 0; i < gn.len; i++) {
594 	switch (gn.val[i].element) {
595 	case choice_GeneralName_otherName: {
596 	    unsigned j;
597 
598 	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
599 			   "%sAltName otherName ", name);
600 
601 	    for (j = 0; j < sizeof(altname_types)/sizeof(altname_types[0]); j++) {
602 		if (der_heim_oid_cmp(altname_types[j].oid,
603 				     &gn.val[i].u.otherName.type_id) != 0)
604 		    continue;
605 
606 		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
607 			       altname_types[j].name);
608 		(*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);
609 		break;
610 	    }
611 	    if (j == sizeof(altname_types)/sizeof(altname_types[0])) {
612 		hx509_oid_print(&gn.val[i].u.otherName.type_id,
613 				validate_vprint, ctx);
614 		validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
615 	    }
616 	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
617 	    break;
618 	}
619 	default: {
620 	    char *s;
621 	    ret = hx509_general_name_unparse(&gn.val[i], &s);
622 	    if (ret) {
623 		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
624 			       "ret = %d unparsing GeneralName\n", ret);
625 		return 1;
626 	    }
627 	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
628 	    free(s);
629 	    break;
630 	}
631 	}
632     }
633 
634     free_GeneralNames(&gn);
635 
636     return 0;
637 }
638 
639 static int
check_subjectAltName(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)640 check_subjectAltName(hx509_validate_ctx ctx,
641 		     struct cert_status *status,
642 		     enum critical_flag cf,
643 		     const Extension *e)
644 {
645     status->haveSAN = 1;
646     return check_altName(ctx, status, "subject", cf, e);
647 }
648 
649 static int
check_issuerAltName(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)650 check_issuerAltName(hx509_validate_ctx ctx,
651 		    struct cert_status *status,
652 		     enum critical_flag cf,
653 		     const Extension *e)
654 {
655     status->haveIAN = 1;
656     return check_altName(ctx, status, "issuer", cf, e);
657 }
658 
659 
660 static int
check_basicConstraints(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)661 check_basicConstraints(hx509_validate_ctx ctx,
662 		       struct cert_status *status,
663 		       enum critical_flag cf,
664 		       const Extension *e)
665 {
666     BasicConstraints b;
667     size_t size;
668     int ret;
669 
670     check_Null(ctx, status, cf, e);
671 
672     ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
673 				  &b, &size);
674     if (ret) {
675 	printf("\tret = %d while decoding BasicConstraints\n", ret);
676 	return 0;
677     }
678     if (size != e->extnValue.length)
679 	printf("\tlength of der data isn't same as extension\n");
680 
681     validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
682 		   "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
683     if (b.pathLenConstraint)
684 	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
685 		       "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
686 
687     if (b.cA) {
688 	if (*b.cA) {
689 	    if (!e->critical)
690 		validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
691 			       "Is a CA and not BasicConstraints CRITICAL\n");
692 	    status->isca = 1;
693 	}
694 	else
695 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
696 			   "cA is FALSE, not allowed to be\n");
697     }
698     free_BasicConstraints(&b);
699 
700     return 0;
701 }
702 
703 static int
check_proxyCertInfo(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)704 check_proxyCertInfo(hx509_validate_ctx ctx,
705 		    struct cert_status *status,
706 		    enum critical_flag cf,
707 		    const Extension *e)
708 {
709     check_Null(ctx, status, cf, e);
710     status->isproxy = 1;
711     return 0;
712 }
713 
714 static int
check_authorityInfoAccess(hx509_validate_ctx ctx,struct cert_status * status,enum critical_flag cf,const Extension * e)715 check_authorityInfoAccess(hx509_validate_ctx ctx,
716 			  struct cert_status *status,
717 			  enum critical_flag cf,
718 			  const Extension *e)
719 {
720     AuthorityInfoAccessSyntax aia;
721     size_t size;
722     int ret;
723     size_t i;
724 
725     check_Null(ctx, status, cf, e);
726 
727     ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
728 					   e->extnValue.length,
729 					   &aia, &size);
730     if (ret) {
731 	printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
732 	return 0;
733     }
734 
735     for (i = 0; i < aia.len; i++) {
736 	char *str;
737 	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
738 		       "\ttype: ");
739 	hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
740 	hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
741 	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
742 		       "\n\tdirname: %s\n", str);
743 	free(str);
744     }
745     free_AuthorityInfoAccessSyntax(&aia);
746 
747     return 0;
748 }
749 
750 /*
751  *
752  */
753 
754 struct {
755     const char *name;
756     const heim_oid *oid;
757     int (*func)(hx509_validate_ctx ctx,
758 		struct cert_status *status,
759 		enum critical_flag cf,
760 		const Extension *);
761     enum critical_flag cf;
762 } check_extension[] = {
763 #define ext(name, checkname) #name, &asn1_oid_id_x509_ce_##name, check_##checkname
764     { ext(subjectDirectoryAttributes, Null), M_N_C },
765     { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
766     { ext(keyUsage, Null), S_C },
767     { ext(subjectAltName, subjectAltName), M_N_C },
768     { ext(issuerAltName, issuerAltName), S_N_C },
769     { ext(basicConstraints, basicConstraints), D_C },
770     { ext(cRLNumber, Null), M_N_C },
771     { ext(cRLReason, Null), M_N_C },
772     { ext(holdInstructionCode, Null), M_N_C },
773     { ext(invalidityDate, Null), M_N_C },
774     { ext(deltaCRLIndicator, Null), M_C },
775     { ext(issuingDistributionPoint, Null), M_C },
776     { ext(certificateIssuer, Null), M_C },
777     { ext(nameConstraints, Null), M_C },
778     { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
779     { ext(certificatePolicies, Null), 0 },
780     { ext(policyMappings, Null), M_N_C },
781     { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
782     { ext(policyConstraints, Null), D_C },
783     { ext(extKeyUsage, extKeyUsage), D_C },
784     { ext(freshestCRL, Null), M_N_C },
785     { ext(inhibitAnyPolicy, Null), M_C },
786 #undef ext
787 #define ext(name, checkname) #name, &asn1_oid_id_pkix_pe_##name, check_##checkname
788     { ext(proxyCertInfo, proxyCertInfo), M_C },
789     { ext(authorityInfoAccess, authorityInfoAccess), M_C },
790 #undef ext
791     { "US Fed PKI - PIV Interim", &asn1_oid_id_uspkicommon_piv_interim,
792       check_Null, D_C },
793     { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
794       check_Null, D_C },
795     { NULL, NULL, NULL, 0 }
796 };
797 
798 /**
799  * Allocate a hx509 validation/printing context.
800  *
801  * @param context A hx509 context.
802  * @param ctx a new allocated hx509 validation context, free with
803  * hx509_validate_ctx_free().
804 
805  * @return An hx509 error code, see hx509_get_error_string().
806  *
807  * @ingroup hx509_print
808  */
809 
810 int
hx509_validate_ctx_init(hx509_context context,hx509_validate_ctx * ctx)811 hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
812 {
813     *ctx = malloc(sizeof(**ctx));
814     if (*ctx == NULL)
815 	return ENOMEM;
816     memset(*ctx, 0, sizeof(**ctx));
817     return 0;
818 }
819 
820 /**
821  * Set the printing functions for the validation context.
822  *
823  * @param ctx a hx509 valication context.
824  * @param func the printing function to usea.
825  * @param c the context variable to the printing function.
826  *
827  * @return An hx509 error code, see hx509_get_error_string().
828  *
829  * @ingroup hx509_print
830  */
831 
832 void
hx509_validate_ctx_set_print(hx509_validate_ctx ctx,hx509_vprint_func func,void * c)833 hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
834 			     hx509_vprint_func func,
835 			     void *c)
836 {
837     ctx->vprint_func = func;
838     ctx->ctx = c;
839 }
840 
841 /**
842  * Add flags to control the behaivor of the hx509_validate_cert()
843  * function.
844  *
845  * @param ctx A hx509 validation context.
846  * @param flags flags to add to the validation context.
847  *
848  * @return An hx509 error code, see hx509_get_error_string().
849  *
850  * @ingroup hx509_print
851  */
852 
853 void
hx509_validate_ctx_add_flags(hx509_validate_ctx ctx,int flags)854 hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
855 {
856     ctx->flags |= flags;
857 }
858 
859 /**
860  * Free an hx509 validate context.
861  *
862  * @param ctx the hx509 validate context to free.
863  *
864  * @ingroup hx509_print
865  */
866 
867 void
hx509_validate_ctx_free(hx509_validate_ctx ctx)868 hx509_validate_ctx_free(hx509_validate_ctx ctx)
869 {
870     free(ctx);
871 }
872 
873 /**
874  * Validate/Print the status of the certificate.
875  *
876  * @param context A hx509 context.
877  * @param ctx A hx509 validation context.
878  * @param cert the cerificate to validate/print.
879 
880  * @return An hx509 error code, see hx509_get_error_string().
881  *
882  * @ingroup hx509_print
883  */
884 
885 int
hx509_validate_cert(hx509_context context,hx509_validate_ctx ctx,hx509_cert cert)886 hx509_validate_cert(hx509_context context,
887 		    hx509_validate_ctx ctx,
888 		    hx509_cert cert)
889 {
890     Certificate *c = _hx509_get_cert(cert);
891     TBSCertificate *t = &c->tbsCertificate;
892     hx509_name issuer, subject;
893     char *str;
894     struct cert_status status;
895     int ret;
896 
897     memset(&status, 0, sizeof(status));
898 
899     if (_hx509_cert_get_version(c) != 3)
900 	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
901 		       "Not version 3 certificate\n");
902 
903     if ((t->version == NULL || *t->version < 2) && t->extensions)
904 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
905 		       "Not version 3 certificate with extensions\n");
906 
907     if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
908 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
909 		       "Version 3 certificate without extensions\n");
910 
911     ret = hx509_cert_get_subject(cert, &subject);
912     if (ret) abort();
913     hx509_name_to_string(subject, &str);
914     validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
915 		   "subject name: %s\n", str);
916     free(str);
917 
918     ret = hx509_cert_get_issuer(cert, &issuer);
919     if (ret) abort();
920     hx509_name_to_string(issuer, &str);
921     validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
922 		   "issuer name: %s\n", str);
923     free(str);
924 
925     if (hx509_name_cmp(subject, issuer) == 0) {
926 	status.selfsigned = 1;
927 	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
928 		       "\tis a self-signed certificate\n");
929     }
930 
931     validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
932 		   "Validity:\n");
933 
934     Time2string(&t->validity.notBefore, &str);
935     validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
936     free(str);
937     Time2string(&t->validity.notAfter, &str);
938     validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter  %s\n", str);
939     free(str);
940 
941     if (t->extensions) {
942 	size_t i, j;
943 
944 	if (t->extensions->len == 0) {
945 	    validate_print(ctx,
946 			   HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
947 			   "The empty extensions list is not "
948 			   "allowed by PKIX\n");
949 	}
950 
951 	for (i = 0; i < t->extensions->len; i++) {
952 
953 	    for (j = 0; check_extension[j].name; j++)
954 		if (der_heim_oid_cmp(check_extension[j].oid,
955 				     &t->extensions->val[i].extnID) == 0)
956 		    break;
957 	    if (check_extension[j].name == NULL) {
958 		int flags = HX509_VALIDATE_F_VERBOSE;
959 		if (t->extensions->val[i].critical)
960 		    flags |= HX509_VALIDATE_F_VALIDATE;
961 		validate_print(ctx, flags, "don't know what ");
962 		if (t->extensions->val[i].critical)
963 		    validate_print(ctx, flags, "and is CRITICAL ");
964 		if (ctx->flags & flags)
965 		    hx509_oid_print(&t->extensions->val[i].extnID,
966 				    validate_vprint, ctx);
967 		validate_print(ctx, flags, " is\n");
968 		continue;
969 	    }
970 	    validate_print(ctx,
971 			   HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
972 			   "checking extention: %s\n",
973 			   check_extension[j].name);
974 	    (*check_extension[j].func)(ctx,
975 				       &status,
976 				       check_extension[j].cf,
977 				       &t->extensions->val[i]);
978 	}
979     } else
980 	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
981 
982     if (status.isca) {
983 	if (!status.haveSKI)
984 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
985 			   "CA certificate have no SubjectKeyIdentifier\n");
986 
987     } else {
988 	if (!status.haveAKI)
989 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
990 			   "Is not CA and doesn't have "
991 			   "AuthorityKeyIdentifier\n");
992     }
993 
994 
995     if (!status.haveSKI)
996 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
997 		       "Doesn't have SubjectKeyIdentifier\n");
998 
999     if (status.isproxy && status.isca)
1000 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1001 		       "Proxy and CA at the same time!\n");
1002 
1003     if (status.isproxy) {
1004 	if (status.haveSAN)
1005 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1006 			   "Proxy and have SAN\n");
1007 	if (status.haveIAN)
1008 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1009 			   "Proxy and have IAN\n");
1010     }
1011 
1012     if (hx509_name_is_null_p(subject) && !status.haveSAN)
1013 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1014 		       "NULL subject DN and doesn't have a SAN\n");
1015 
1016     if (!status.selfsigned && !status.haveCRLDP)
1017 	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1018 		       "Not a CA nor PROXY and doesn't have"
1019 		       "CRL Dist Point\n");
1020 
1021     if (status.selfsigned) {
1022 	ret = _hx509_verify_signature_bitstring(context,
1023 						cert,
1024 						&c->signatureAlgorithm,
1025 						&c->tbsCertificate._save,
1026 						&c->signatureValue);
1027 	if (ret == 0)
1028 	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1029 			   "Self-signed certificate was self-signed\n");
1030 	else
1031 	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1032 			   "Self-signed certificate NOT really self-signed!\n");
1033     }
1034 
1035     hx509_name_free(&subject);
1036     hx509_name_free(&issuer);
1037 
1038     return 0;
1039 }
1040