1/* 2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include "hx_locl.h" 35 36/** 37 * @page page_print Hx509 printing functions 38 * 39 * See the library functions here: @ref hx509_print 40 */ 41 42struct hx509_validate_ctx_data { 43 int flags; 44 hx509_vprint_func vprint_func; 45 void *ctx; 46}; 47 48struct cert_status { 49 unsigned int selfsigned:1; 50 unsigned int isca:1; 51 unsigned int isproxy:1; 52 unsigned int haveSAN:1; 53 unsigned int haveIAN:1; 54 unsigned int haveSKI:1; 55 unsigned int haveAKI:1; 56 unsigned int haveCRLDP:1; 57}; 58 59 60/* 61 * 62 */ 63 64static int 65Time2string(const Time *T, char **str) 66{ 67 time_t t; 68 char *s; 69 struct tm *tm; 70 71 *str = NULL; 72 t = _hx509_Time2time_t(T); 73 tm = gmtime (&t); 74 s = malloc(30); 75 if (s == NULL) 76 return ENOMEM; 77 strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm); 78 *str = s; 79 return 0; 80} 81 82/** 83 * Helper function to print on stdout for: 84 * - hx509_oid_print(), 85 * - hx509_bitstring_print(), 86 * - hx509_validate_ctx_set_print(). 87 * 88 * @param ctx the context to the print function. If the ctx is NULL, 89 * stdout is used. 90 * @param fmt the printing format. 91 * @param va the argumet list. 92 * 93 * @ingroup hx509_print 94 */ 95 96void 97hx509_print_stdout(void *ctx, const char *fmt, va_list va) 98{ 99 FILE *f = ctx; 100 if (f == NULL) 101 f = stdout; 102 vfprintf(f, fmt, va); 103} 104 105static void 106print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...) 107{ 108 va_list va; 109 va_start(va, fmt); 110 (*func)(ctx, fmt, va); 111 va_end(va); 112} 113 114/** 115 * Print a oid to a string. 116 * 117 * @param oid oid to print 118 * @param str allocated string, free with hx509_xfree(). 119 * 120 * @return An hx509 error code, see hx509_get_error_string(). 121 * 122 * @ingroup hx509_print 123 */ 124 125int 126hx509_oid_sprint(const heim_oid *oid, char **str) 127{ 128 return der_print_heim_oid(oid, '.', str); 129} 130 131/** 132 * Print a oid using a hx509_vprint_func function. To print to stdout 133 * use hx509_print_stdout(). 134 * 135 * @param oid oid to print 136 * @param func hx509_vprint_func to print with. 137 * @param ctx context variable to hx509_vprint_func function. 138 * 139 * @ingroup hx509_print 140 */ 141 142void 143hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx) 144{ 145 char *str; 146 hx509_oid_sprint(oid, &str); 147 print_func(func, ctx, "%s", str); 148 free(str); 149} 150 151/** 152 * Print a bitstring using a hx509_vprint_func function. To print to 153 * stdout use hx509_print_stdout(). 154 * 155 * @param b bit string to print. 156 * @param func hx509_vprint_func to print with. 157 * @param ctx context variable to hx509_vprint_func function. 158 * 159 * @ingroup hx509_print 160 */ 161 162void 163hx509_bitstring_print(const heim_bit_string *b, 164 hx509_vprint_func func, void *ctx) 165{ 166 size_t i; 167 print_func(func, ctx, "\tlength: %d\n\t", b->length); 168 for (i = 0; i < (b->length + 7) / 8; i++) 169 print_func(func, ctx, "%02x%s%s", 170 ((unsigned char *)b->data)[i], 171 i < (b->length - 7) / 8 172 && (i == 0 || (i % 16) != 15) ? ":" : "", 173 i != 0 && (i % 16) == 15 ? 174 (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):""); 175} 176 177/** 178 * Print certificate usage for a certificate to a string. 179 * 180 * @param context A hx509 context. 181 * @param c a certificate print the keyusage for. 182 * @param s the return string with the keysage printed in to, free 183 * with hx509_xfree(). 184 * 185 * @return An hx509 error code, see hx509_get_error_string(). 186 * 187 * @ingroup hx509_print 188 */ 189 190int 191hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s) 192{ 193 KeyUsage ku; 194 char buf[256]; 195 int ret; 196 197 *s = NULL; 198 199 ret = _hx509_cert_get_keyusage(context, c, &ku); 200 if (ret) 201 return ret; 202 unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf)); 203 *s = strdup(buf); 204 if (*s == NULL) { 205 hx509_set_error_string(context, 0, ENOMEM, "out of memory"); 206 return ENOMEM; 207 } 208 209 return 0; 210} 211 212/* 213 * 214 */ 215 216static void 217validate_vprint(void *c, const char *fmt, va_list va) 218{ 219 hx509_validate_ctx ctx = c; 220 if (ctx->vprint_func == NULL) 221 return; 222 (ctx->vprint_func)(ctx->ctx, fmt, va); 223} 224 225static void 226validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...) 227{ 228 va_list va; 229 if ((ctx->flags & flags) == 0) 230 return; 231 va_start(va, fmt); 232 validate_vprint(ctx, fmt, va); 233 va_end(va); 234} 235 236/* 237 * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical, 238 * MUST NOT critical 239 */ 240enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C }; 241 242static int 243check_Null(hx509_validate_ctx ctx, 244 struct cert_status *status, 245 enum critical_flag cf, const Extension *e) 246{ 247 switch(cf) { 248 case D_C: 249 break; 250 case S_C: 251 if (!e->critical) 252 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 253 "\tCritical not set on SHOULD\n"); 254 break; 255 case S_N_C: 256 if (e->critical) 257 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 258 "\tCritical set on SHOULD NOT\n"); 259 break; 260 case M_C: 261 if (!e->critical) 262 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 263 "\tCritical not set on MUST\n"); 264 break; 265 case M_N_C: 266 if (e->critical) 267 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 268 "\tCritical set on MUST NOT\n"); 269 break; 270 default: 271 _hx509_abort("internal check_Null state error"); 272 } 273 return 0; 274} 275 276static int 277check_subjectKeyIdentifier(hx509_validate_ctx ctx, 278 struct cert_status *status, 279 enum critical_flag cf, 280 const Extension *e) 281{ 282 SubjectKeyIdentifier si; 283 size_t size; 284 int ret; 285 286 status->haveSKI = 1; 287 check_Null(ctx, status, cf, e); 288 289 ret = decode_SubjectKeyIdentifier(e->extnValue.data, 290 e->extnValue.length, 291 &si, &size); 292 if (ret) { 293 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 294 "Decoding SubjectKeyIdentifier failed: %d", ret); 295 return 1; 296 } 297 if (size != e->extnValue.length) { 298 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 299 "Decoding SKI ahve extra bits on the end"); 300 return 1; 301 } 302 if (si.length == 0) 303 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 304 "SKI is too short (0 bytes)"); 305 if (si.length > 20) 306 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 307 "SKI is too long"); 308 309 { 310 char *id; 311 hex_encode(si.data, si.length, &id); 312 if (id) { 313 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 314 "\tsubject key id: %s\n", id); 315 free(id); 316 } 317 } 318 319 free_SubjectKeyIdentifier(&si); 320 321 return 0; 322} 323 324static int 325check_authorityKeyIdentifier(hx509_validate_ctx ctx, 326 struct cert_status *status, 327 enum critical_flag cf, 328 const Extension *e) 329{ 330 AuthorityKeyIdentifier ai; 331 size_t size; 332 int ret; 333 334 status->haveAKI = 1; 335 check_Null(ctx, status, cf, e); 336 337 ret = decode_AuthorityKeyIdentifier(e->extnValue.data, 338 e->extnValue.length, 339 &ai, &size); 340 if (ret) { 341 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 342 "Decoding AuthorityKeyIdentifier failed: %d", ret); 343 return 1; 344 } 345 if (size != e->extnValue.length) { 346 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 347 "Decoding SKI ahve extra bits on the end"); 348 return 1; 349 } 350 351 if (ai.keyIdentifier) { 352 char *id; 353 hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id); 354 if (id) { 355 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 356 "\tauthority key id: %s\n", id); 357 free(id); 358 } 359 } 360 361 return 0; 362} 363 364static int 365check_extKeyUsage(hx509_validate_ctx ctx, 366 struct cert_status *status, 367 enum critical_flag cf, 368 const Extension *e) 369{ 370 ExtKeyUsage eku; 371 size_t size, i; 372 int ret; 373 374 check_Null(ctx, status, cf, e); 375 376 ret = decode_ExtKeyUsage(e->extnValue.data, 377 e->extnValue.length, 378 &eku, &size); 379 if (ret) { 380 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 381 "Decoding ExtKeyUsage failed: %d", ret); 382 return 1; 383 } 384 if (size != e->extnValue.length) { 385 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 386 "Padding data in EKU"); 387 free_ExtKeyUsage(&eku); 388 return 1; 389 } 390 if (eku.len == 0) { 391 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 392 "ExtKeyUsage length is 0"); 393 return 1; 394 } 395 396 for (i = 0; i < eku.len; i++) { 397 char *str; 398 ret = der_print_heim_oid (&eku.val[i], '.', &str); 399 if (ret) { 400 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 401 "\tEKU: failed to print oid %d", i); 402 free_ExtKeyUsage(&eku); 403 return 1; 404 } 405 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 406 "\teku-%d: %s\n", i, str);; 407 free(str); 408 } 409 410 free_ExtKeyUsage(&eku); 411 412 return 0; 413} 414 415static int 416check_pkinit_san(hx509_validate_ctx ctx, heim_any *a) 417{ 418 KRB5PrincipalName kn; 419 unsigned i; 420 size_t size; 421 int ret; 422 423 ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size); 424 if (ret) { 425 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 426 "Decoding kerberos name in SAN failed: %d", ret); 427 return 1; 428 } 429 430 if (size != a->length) { 431 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 432 "Decoding kerberos name have extra bits on the end"); 433 return 1; 434 } 435 436 /* print kerberos principal, add code to quote / within components */ 437 for (i = 0; i < kn.principalName.name_string.len; i++) { 438 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", 439 kn.principalName.name_string.val[i]); 440 if (i + 1 < kn.principalName.name_string.len) 441 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/"); 442 } 443 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@"); 444 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm); 445 446 free_KRB5PrincipalName(&kn); 447 return 0; 448} 449 450static int 451check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a) 452{ 453 PKIXXmppAddr jid; 454 size_t size; 455 int ret; 456 457 ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size); 458 if (ret) { 459 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 460 "Decoding JID in SAN failed: %d", ret); 461 return 1; 462 } 463 464 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid); 465 free_PKIXXmppAddr(&jid); 466 467 return 0; 468} 469 470static int 471check_altnull(hx509_validate_ctx ctx, heim_any *a) 472{ 473 return 0; 474} 475 476static int 477check_CRLDistributionPoints(hx509_validate_ctx ctx, 478 struct cert_status *status, 479 enum critical_flag cf, 480 const Extension *e) 481{ 482 CRLDistributionPoints dp; 483 size_t size; 484 int ret; 485 size_t i; 486 487 check_Null(ctx, status, cf, e); 488 489 ret = decode_CRLDistributionPoints(e->extnValue.data, 490 e->extnValue.length, 491 &dp, &size); 492 if (ret) { 493 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 494 "Decoding CRL Distribution Points failed: %d\n", ret); 495 return 1; 496 } 497 498 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n"); 499 for (i = 0 ; i < dp.len; i++) { 500 if (dp.val[i].distributionPoint) { 501 DistributionPointName dpname; 502 heim_any *data = dp.val[i].distributionPoint; 503 size_t j; 504 505 ret = decode_DistributionPointName(data->data, data->length, 506 &dpname, NULL); 507 if (ret) { 508 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 509 "Failed to parse CRL Distribution Point Name: %d\n", ret); 510 continue; 511 } 512 513 switch (dpname.element) { 514 case choice_DistributionPointName_fullName: 515 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n"); 516 517 for (j = 0 ; j < dpname.u.fullName.len; j++) { 518 char *s; 519 GeneralName *name = &dpname.u.fullName.val[j]; 520 521 ret = hx509_general_name_unparse(name, &s); 522 if (ret == 0 && s != NULL) { 523 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s); 524 free(s); 525 } 526 } 527 break; 528 case choice_DistributionPointName_nameRelativeToCRLIssuer: 529 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 530 "Unknown nameRelativeToCRLIssuer"); 531 break; 532 default: 533 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 534 "Unknown DistributionPointName"); 535 break; 536 } 537 free_DistributionPointName(&dpname); 538 } 539 } 540 free_CRLDistributionPoints(&dp); 541 542 status->haveCRLDP = 1; 543 544 return 0; 545} 546 547 548struct { 549 const char *name; 550 const heim_oid *oid; 551 int (*func)(hx509_validate_ctx, heim_any *); 552} altname_types[] = { 553 { "pk-init", &asn1_oid_id_pkinit_san, check_pkinit_san }, 554 { "jabber", &asn1_oid_id_pkix_on_xmppAddr, check_utf8_string_san }, 555 { "dns-srv", &asn1_oid_id_pkix_on_dnsSRV, check_altnull }, 556 { "card-id", &asn1_oid_id_uspkicommon_card_id, check_altnull }, 557 { "Microsoft NT-PRINCIPAL-NAME", &asn1_oid_id_pkinit_ms_san, check_utf8_string_san } 558}; 559 560static int 561check_altName(hx509_validate_ctx ctx, 562 struct cert_status *status, 563 const char *name, 564 enum critical_flag cf, 565 const Extension *e) 566{ 567 GeneralNames gn; 568 size_t size; 569 int ret; 570 size_t i; 571 572 check_Null(ctx, status, cf, e); 573 574 if (e->extnValue.length == 0) { 575 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 576 "%sAltName empty, not allowed", name); 577 return 1; 578 } 579 ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length, 580 &gn, &size); 581 if (ret) { 582 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 583 "\tret = %d while decoding %s GeneralNames\n", 584 ret, name); 585 return 1; 586 } 587 if (gn.len == 0) { 588 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 589 "%sAltName generalName empty, not allowed\n", name); 590 return 1; 591 } 592 593 for (i = 0; i < gn.len; i++) { 594 switch (gn.val[i].element) { 595 case choice_GeneralName_otherName: { 596 unsigned j; 597 598 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 599 "%sAltName otherName ", name); 600 601 for (j = 0; j < sizeof(altname_types)/sizeof(altname_types[0]); j++) { 602 if (der_heim_oid_cmp(altname_types[j].oid, 603 &gn.val[i].u.otherName.type_id) != 0) 604 continue; 605 606 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ", 607 altname_types[j].name); 608 (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value); 609 break; 610 } 611 if (j == sizeof(altname_types)/sizeof(altname_types[0])) { 612 hx509_oid_print(&gn.val[i].u.otherName.type_id, 613 validate_vprint, ctx); 614 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown"); 615 } 616 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n"); 617 break; 618 } 619 default: { 620 char *s; 621 ret = hx509_general_name_unparse(&gn.val[i], &s); 622 if (ret) { 623 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 624 "ret = %d unparsing GeneralName\n", ret); 625 return 1; 626 } 627 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s); 628 free(s); 629 break; 630 } 631 } 632 } 633 634 free_GeneralNames(&gn); 635 636 return 0; 637} 638 639static int 640check_subjectAltName(hx509_validate_ctx ctx, 641 struct cert_status *status, 642 enum critical_flag cf, 643 const Extension *e) 644{ 645 status->haveSAN = 1; 646 return check_altName(ctx, status, "subject", cf, e); 647} 648 649static int 650check_issuerAltName(hx509_validate_ctx ctx, 651 struct cert_status *status, 652 enum critical_flag cf, 653 const Extension *e) 654{ 655 status->haveIAN = 1; 656 return check_altName(ctx, status, "issuer", cf, e); 657} 658 659 660static int 661check_basicConstraints(hx509_validate_ctx ctx, 662 struct cert_status *status, 663 enum critical_flag cf, 664 const Extension *e) 665{ 666 BasicConstraints b; 667 size_t size; 668 int ret; 669 670 check_Null(ctx, status, cf, e); 671 672 ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length, 673 &b, &size); 674 if (ret) { 675 printf("\tret = %d while decoding BasicConstraints\n", ret); 676 return 0; 677 } 678 if (size != e->extnValue.length) 679 printf("\tlength of der data isn't same as extension\n"); 680 681 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 682 "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT "); 683 if (b.pathLenConstraint) 684 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 685 "\tpathLenConstraint: %d\n", *b.pathLenConstraint); 686 687 if (b.cA) { 688 if (*b.cA) { 689 if (!e->critical) 690 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 691 "Is a CA and not BasicConstraints CRITICAL\n"); 692 status->isca = 1; 693 } 694 else 695 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 696 "cA is FALSE, not allowed to be\n"); 697 } 698 free_BasicConstraints(&b); 699 700 return 0; 701} 702 703static int 704check_proxyCertInfo(hx509_validate_ctx ctx, 705 struct cert_status *status, 706 enum critical_flag cf, 707 const Extension *e) 708{ 709 check_Null(ctx, status, cf, e); 710 status->isproxy = 1; 711 return 0; 712} 713 714static int 715check_authorityInfoAccess(hx509_validate_ctx ctx, 716 struct cert_status *status, 717 enum critical_flag cf, 718 const Extension *e) 719{ 720 AuthorityInfoAccessSyntax aia; 721 size_t size; 722 int ret; 723 size_t i; 724 725 check_Null(ctx, status, cf, e); 726 727 ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data, 728 e->extnValue.length, 729 &aia, &size); 730 if (ret) { 731 printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret); 732 return 0; 733 } 734 735 for (i = 0; i < aia.len; i++) { 736 char *str; 737 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 738 "\ttype: "); 739 hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx); 740 hx509_general_name_unparse(&aia.val[i].accessLocation, &str); 741 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 742 "\n\tdirname: %s\n", str); 743 free(str); 744 } 745 free_AuthorityInfoAccessSyntax(&aia); 746 747 return 0; 748} 749 750/* 751 * 752 */ 753 754struct { 755 const char *name; 756 const heim_oid *oid; 757 int (*func)(hx509_validate_ctx ctx, 758 struct cert_status *status, 759 enum critical_flag cf, 760 const Extension *); 761 enum critical_flag cf; 762} check_extension[] = { 763#define ext(name, checkname) #name, &asn1_oid_id_x509_ce_##name, check_##checkname 764 { ext(subjectDirectoryAttributes, Null), M_N_C }, 765 { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C }, 766 { ext(keyUsage, Null), S_C }, 767 { ext(subjectAltName, subjectAltName), M_N_C }, 768 { ext(issuerAltName, issuerAltName), S_N_C }, 769 { ext(basicConstraints, basicConstraints), D_C }, 770 { ext(cRLNumber, Null), M_N_C }, 771 { ext(cRLReason, Null), M_N_C }, 772 { ext(holdInstructionCode, Null), M_N_C }, 773 { ext(invalidityDate, Null), M_N_C }, 774 { ext(deltaCRLIndicator, Null), M_C }, 775 { ext(issuingDistributionPoint, Null), M_C }, 776 { ext(certificateIssuer, Null), M_C }, 777 { ext(nameConstraints, Null), M_C }, 778 { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C }, 779 { ext(certificatePolicies, Null), 0 }, 780 { ext(policyMappings, Null), M_N_C }, 781 { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C }, 782 { ext(policyConstraints, Null), D_C }, 783 { ext(extKeyUsage, extKeyUsage), D_C }, 784 { ext(freshestCRL, Null), M_N_C }, 785 { ext(inhibitAnyPolicy, Null), M_C }, 786#undef ext 787#define ext(name, checkname) #name, &asn1_oid_id_pkix_pe_##name, check_##checkname 788 { ext(proxyCertInfo, proxyCertInfo), M_C }, 789 { ext(authorityInfoAccess, authorityInfoAccess), M_C }, 790#undef ext 791 { "US Fed PKI - PIV Interim", &asn1_oid_id_uspkicommon_piv_interim, 792 check_Null, D_C }, 793 { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment, 794 check_Null, D_C }, 795 { NULL, NULL, NULL, 0 } 796}; 797 798/** 799 * Allocate a hx509 validation/printing context. 800 * 801 * @param context A hx509 context. 802 * @param ctx a new allocated hx509 validation context, free with 803 * hx509_validate_ctx_free(). 804 805 * @return An hx509 error code, see hx509_get_error_string(). 806 * 807 * @ingroup hx509_print 808 */ 809 810int 811hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx) 812{ 813 *ctx = malloc(sizeof(**ctx)); 814 if (*ctx == NULL) 815 return ENOMEM; 816 memset(*ctx, 0, sizeof(**ctx)); 817 return 0; 818} 819 820/** 821 * Set the printing functions for the validation context. 822 * 823 * @param ctx a hx509 valication context. 824 * @param func the printing function to usea. 825 * @param c the context variable to the printing function. 826 * 827 * @return An hx509 error code, see hx509_get_error_string(). 828 * 829 * @ingroup hx509_print 830 */ 831 832void 833hx509_validate_ctx_set_print(hx509_validate_ctx ctx, 834 hx509_vprint_func func, 835 void *c) 836{ 837 ctx->vprint_func = func; 838 ctx->ctx = c; 839} 840 841/** 842 * Add flags to control the behaivor of the hx509_validate_cert() 843 * function. 844 * 845 * @param ctx A hx509 validation context. 846 * @param flags flags to add to the validation context. 847 * 848 * @return An hx509 error code, see hx509_get_error_string(). 849 * 850 * @ingroup hx509_print 851 */ 852 853void 854hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags) 855{ 856 ctx->flags |= flags; 857} 858 859/** 860 * Free an hx509 validate context. 861 * 862 * @param ctx the hx509 validate context to free. 863 * 864 * @ingroup hx509_print 865 */ 866 867void 868hx509_validate_ctx_free(hx509_validate_ctx ctx) 869{ 870 free(ctx); 871} 872 873/** 874 * Validate/Print the status of the certificate. 875 * 876 * @param context A hx509 context. 877 * @param ctx A hx509 validation context. 878 * @param cert the cerificate to validate/print. 879 880 * @return An hx509 error code, see hx509_get_error_string(). 881 * 882 * @ingroup hx509_print 883 */ 884 885int 886hx509_validate_cert(hx509_context context, 887 hx509_validate_ctx ctx, 888 hx509_cert cert) 889{ 890 Certificate *c = _hx509_get_cert(cert); 891 TBSCertificate *t = &c->tbsCertificate; 892 hx509_name issuer, subject; 893 char *str; 894 struct cert_status status; 895 int ret; 896 897 memset(&status, 0, sizeof(status)); 898 899 if (_hx509_cert_get_version(c) != 3) 900 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 901 "Not version 3 certificate\n"); 902 903 if ((t->version == NULL || *t->version < 2) && t->extensions) 904 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 905 "Not version 3 certificate with extensions\n"); 906 907 if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL) 908 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 909 "Version 3 certificate without extensions\n"); 910 911 ret = hx509_cert_get_subject(cert, &subject); 912 if (ret) abort(); 913 hx509_name_to_string(subject, &str); 914 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 915 "subject name: %s\n", str); 916 free(str); 917 918 ret = hx509_cert_get_issuer(cert, &issuer); 919 if (ret) abort(); 920 hx509_name_to_string(issuer, &str); 921 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 922 "issuer name: %s\n", str); 923 free(str); 924 925 if (hx509_name_cmp(subject, issuer) == 0) { 926 status.selfsigned = 1; 927 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 928 "\tis a self-signed certificate\n"); 929 } 930 931 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 932 "Validity:\n"); 933 934 Time2string(&t->validity.notBefore, &str); 935 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str); 936 free(str); 937 Time2string(&t->validity.notAfter, &str); 938 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str); 939 free(str); 940 941 if (t->extensions) { 942 size_t i, j; 943 944 if (t->extensions->len == 0) { 945 validate_print(ctx, 946 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE, 947 "The empty extensions list is not " 948 "allowed by PKIX\n"); 949 } 950 951 for (i = 0; i < t->extensions->len; i++) { 952 953 for (j = 0; check_extension[j].name; j++) 954 if (der_heim_oid_cmp(check_extension[j].oid, 955 &t->extensions->val[i].extnID) == 0) 956 break; 957 if (check_extension[j].name == NULL) { 958 int flags = HX509_VALIDATE_F_VERBOSE; 959 if (t->extensions->val[i].critical) 960 flags |= HX509_VALIDATE_F_VALIDATE; 961 validate_print(ctx, flags, "don't know what "); 962 if (t->extensions->val[i].critical) 963 validate_print(ctx, flags, "and is CRITICAL "); 964 if (ctx->flags & flags) 965 hx509_oid_print(&t->extensions->val[i].extnID, 966 validate_vprint, ctx); 967 validate_print(ctx, flags, " is\n"); 968 continue; 969 } 970 validate_print(ctx, 971 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE, 972 "checking extention: %s\n", 973 check_extension[j].name); 974 (*check_extension[j].func)(ctx, 975 &status, 976 check_extension[j].cf, 977 &t->extensions->val[i]); 978 } 979 } else 980 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n"); 981 982 if (status.isca) { 983 if (!status.haveSKI) 984 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 985 "CA certificate have no SubjectKeyIdentifier\n"); 986 987 } else { 988 if (!status.haveAKI) 989 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 990 "Is not CA and doesn't have " 991 "AuthorityKeyIdentifier\n"); 992 } 993 994 995 if (!status.haveSKI) 996 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 997 "Doesn't have SubjectKeyIdentifier\n"); 998 999 if (status.isproxy && status.isca) 1000 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 1001 "Proxy and CA at the same time!\n"); 1002 1003 if (status.isproxy) { 1004 if (status.haveSAN) 1005 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 1006 "Proxy and have SAN\n"); 1007 if (status.haveIAN) 1008 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 1009 "Proxy and have IAN\n"); 1010 } 1011 1012 if (hx509_name_is_null_p(subject) && !status.haveSAN) 1013 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 1014 "NULL subject DN and doesn't have a SAN\n"); 1015 1016 if (!status.selfsigned && !status.haveCRLDP) 1017 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 1018 "Not a CA nor PROXY and doesn't have" 1019 "CRL Dist Point\n"); 1020 1021 if (status.selfsigned) { 1022 ret = _hx509_verify_signature_bitstring(context, 1023 cert, 1024 &c->signatureAlgorithm, 1025 &c->tbsCertificate._save, 1026 &c->signatureValue); 1027 if (ret == 0) 1028 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, 1029 "Self-signed certificate was self-signed\n"); 1030 else 1031 validate_print(ctx, HX509_VALIDATE_F_VALIDATE, 1032 "Self-signed certificate NOT really self-signed!\n"); 1033 } 1034 1035 hx509_name_free(&subject); 1036 hx509_name_free(&issuer); 1037 1038 return 0; 1039} 1040