print.c revision 1.1.1.1.12.1 1 1.1.1.1.12.1 snj /* $NetBSD: print.c,v 1.1.1.1.12.1 2017/08/30 06:54:28 snj Exp $ */
2 1.1 elric
3 1.1 elric /*
 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
5 1.1 elric * (Royal Institute of Technology, Stockholm, Sweden).
6 1.1 elric * All rights reserved.
7 1.1 elric *
8 1.1 elric * Redistribution and use in source and binary forms, with or without
9 1.1 elric * modification, are permitted provided that the following conditions
10 1.1 elric * are met:
11 1.1 elric *
12 1.1 elric * 1. Redistributions of source code must retain the above copyright
13 1.1 elric * notice, this list of conditions and the following disclaimer.
14 1.1 elric *
15 1.1 elric * 2. Redistributions in binary form must reproduce the above copyright
16 1.1 elric * notice, this list of conditions and the following disclaimer in the
17 1.1 elric * documentation and/or other materials provided with the distribution.
18 1.1 elric *
19 1.1 elric * 3. Neither the name of the Institute nor the names of its contributors
20 1.1 elric * may be used to endorse or promote products derived from this software
21 1.1 elric * without specific prior written permission.
22 1.1 elric *
23 1.1 elric * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 1.1 elric * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 1.1 elric * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 1.1 elric * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 1.1 elric * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 1.1 elric * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 1.1 elric * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 1.1 elric * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 1.1 elric * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 1.1 elric * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 1.1 elric * SUCH DAMAGE.
34 1.1 elric */
35 1.1 elric
36 1.1 elric #include "hx_locl.h"
37 1.1 elric
38 1.1 elric /**
39 1.1 elric * @page page_print Hx509 printing functions
40 1.1 elric *
41 1.1 elric * See the library functions here: @ref hx509_print
42 1.1 elric */
43 1.1 elric
/*
 * Validation/printing context. Allocated zero-filled by
 * hx509_validate_ctx_init(); the output callback is installed by
 * hx509_validate_ctx_set_print() and flag bits are OR-ed in by
 * hx509_validate_ctx_add_flags().
 */
struct hx509_validate_ctx_data {
    int flags;                      /* HX509_VALIDATE_F_* bits tested by validate_print() */
    hx509_vprint_func vprint_func;  /* output callback; NULL makes validate_vprint() a no-op */
    void *ctx;                      /* opaque argument handed to vprint_func */
};
49 1.1 elric
/*
 * Per-certificate facts collected by the check_* extension routines while
 * hx509_validate_cert() walks the extensions; each bit is set by the
 * checker that sees the corresponding extension.
 */
struct cert_status {
    unsigned int selfsigned:1;  /* presumably set by hx509_validate_cert() when subject == issuer (outside this view) */
    unsigned int isca:1;        /* basicConstraints cA TRUE (check_basicConstraints) */
    unsigned int isproxy:1;     /* proxyCertInfo present (check_proxyCertInfo) */
    unsigned int haveSAN:1;     /* subjectAltName present */
    unsigned int haveIAN:1;     /* issuerAltName present */
    unsigned int haveSKI:1;     /* subjectKeyIdentifier present */
    unsigned int haveAKI:1;     /* authorityKeyIdentifier present */
    unsigned int haveCRLDP:1;   /* cRLDistributionPoints decoded successfully */
};
60 1.1 elric
61 1.1 elric
62 1.1 elric /*
63 1.1 elric *
64 1.1 elric */
65 1.1 elric
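/*
 * Render an ASN.1 Time as "YYYY-MM-DD HH:MM:SS" (UTC) into a freshly
 * malloc()ed string.
 *
 * @param T    time to render.
 * @param str  on success receives the allocated string (caller frees);
 *             cleared to NULL on entry so it never dangles on error.
 *
 * @return 0 on success, ENOMEM when allocation fails, EINVAL when the
 *         value cannot be broken down by gmtime() or formatted.
 */
static int
Time2string(const Time *T, char **str)
{
    /* "YYYY-MM-DD HH:MM:SS" needs 20 bytes including NUL; 30 leaves slack. */
    enum { TIME_STR_LEN = 30 };
    time_t t;
    struct tm *tm;
    char *s;

    *str = NULL;
    t = _hx509_Time2time_t(T);
    /* gmtime() is not thread-safe (kept from the original); it returns NULL
     * for out-of-range values and strftime() on a NULL tm is undefined. */
    tm = gmtime(&t);
    if (tm == NULL)
        return EINVAL;
    s = malloc(TIME_STR_LEN);
    if (s == NULL)
        return ENOMEM;
    /* strftime() returns 0 on failure and leaves the buffer indeterminate. */
    if (strftime(s, TIME_STR_LEN, "%Y-%m-%d %H:%M:%S", tm) == 0) {
        free(s);
        return EINVAL;
    }
    *str = s;
    return 0;
}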
83 1.1 elric
84 1.1 elric /**
85 1.1 elric * Helper function to print on stdout for:
86 1.1 elric * - hx509_oid_print(),
87 1.1 elric * - hx509_bitstring_print(),
88 1.1 elric * - hx509_validate_ctx_set_print().
89 1.1 elric *
90 1.1 elric * @param ctx the context to the print function. If the ctx is NULL,
91 1.1 elric * stdout is used.
92 1.1 elric * @param fmt the printing format.
 * @param va the argument list.
94 1.1 elric *
95 1.1 elric * @ingroup hx509_print
96 1.1 elric */
97 1.1 elric
void
hx509_print_stdout(void *ctx, const char *fmt, va_list va)
{
    /* ctx is a FILE *; callers passing NULL get stdout. */
    FILE *out = (ctx != NULL) ? (FILE *)ctx : stdout;

    vfprintf(out, fmt, va);
}
106 1.1 elric
/*
 * printf-style front end that packages the variadic arguments and hands
 * them to a hx509_vprint_func callback.
 */
static void
print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    func(ctx, fmt, ap);
    va_end(ap);
}
115 1.1 elric
116 1.1 elric /**
 * Print an oid to a string.
118 1.1 elric *
119 1.1 elric * @param oid oid to print
120 1.1 elric * @param str allocated string, free with hx509_xfree().
121 1.1 elric *
122 1.1 elric * @return An hx509 error code, see hx509_get_error_string().
123 1.1 elric *
124 1.1 elric * @ingroup hx509_print
125 1.1 elric */
126 1.1 elric
int
hx509_oid_sprint(const heim_oid *oid, char **str)
{
    /* Dotted form; the DER layer allocates *str and reports errors. */
    const char separator = '.';

    return der_print_heim_oid(oid, separator, str);
}
132 1.1 elric
133 1.1 elric /**
 * Print an oid using a hx509_vprint_func function. To print to stdout
135 1.1 elric * use hx509_print_stdout().
136 1.1 elric *
137 1.1 elric * @param oid oid to print
138 1.1 elric * @param func hx509_vprint_func to print with.
139 1.1 elric * @param ctx context variable to hx509_vprint_func function.
140 1.1 elric *
141 1.1 elric * @ingroup hx509_print
142 1.1 elric */
143 1.1 elric
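void
hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
{
    char *str = NULL;

    /*
     * hx509_oid_sprint() returns an error code (e.g. ENOMEM). The original
     * ignored it and passed a possibly uninitialised pointer to "%s";
     * print nothing instead. free(NULL) is a no-op, so releasing str is
     * safe whether or not the callee set it.
     */
    if (hx509_oid_sprint(oid, &str) != 0 || str == NULL) {
        free(str);
        return;
    }
    print_func(func, ctx, "%s", str);
    free(str);
}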
152 1.1 elric
153 1.1 elric /**
154 1.1 elric * Print a bitstring using a hx509_vprint_func function. To print to
155 1.1 elric * stdout use hx509_print_stdout().
156 1.1 elric *
157 1.1 elric * @param b bit string to print.
158 1.1 elric * @param func hx509_vprint_func to print with.
159 1.1 elric * @param ctx context variable to hx509_vprint_func function.
160 1.1 elric *
161 1.1 elric * @ingroup hx509_print
162 1.1 elric */
163 1.1 elric
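void
hx509_bitstring_print(const heim_bit_string *b,
                      hx509_vprint_func func, void *ctx)
{
    /* b->length counts bits; output is one two-digit hex group per byte. */
    const size_t nbytes = (b->length + 7) / 8;
    const unsigned char *data = b->data;
    size_t i;

    /* b->length is a size_t, so it must not be passed to "%d". */
    print_func(func, ctx, "\tlength: %lu\n\t", (unsigned long)b->length);
    for (i = 0; i < nbytes; i++) {
        const int last_in_row = (i % 16) == 15;     /* 16 bytes per line */
        const char *sep;
        const char *eol;

        /*
         * ':' between bytes except after the last byte of a row or of the
         * string. The original compared i against (length - 7) / 8, which
         * dropped the separator before a partial final byte and, for
         * lengths below 7, underflowed and printed a trailing ':'.
         */
        sep = (i + 1 < nbytes && !last_in_row) ? ":" : "";
        /* Row end: newline plus indent when more rows follow, bare newline
         * when this is the final byte. */
        eol = last_in_row ? ((i + 1 < nbytes) ? "\n\t" : "\n") : "";
        print_func(func, ctx, "%02x%s%s", data[i], sep, eol);
    }
}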
178 1.1 elric
179 1.1 elric /**
180 1.1 elric * Print certificate usage for a certificate to a string.
181 1.1 elric *
182 1.1 elric * @param context A hx509 context.
183 1.1 elric * @param c a certificate print the keyusage for.
 * @param s the return string with the keyusage printed in to, free
185 1.1 elric * with hx509_xfree().
186 1.1 elric *
187 1.1 elric * @return An hx509 error code, see hx509_get_error_string().
188 1.1 elric *
189 1.1 elric * @ingroup hx509_print
190 1.1 elric */
191 1.1 elric
int
hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
{
    KeyUsage ku;
    char text[256];
    int ret;

    *s = NULL;

    ret = _hx509_cert_get_keyusage(context, c, &ku);
    if (ret != 0)
        return ret;

    /* Render the KeyUsage bits as text into a bounded stack buffer. */
    unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), text, sizeof(text));
    *s = strdup(text);
    if (*s != NULL)
        return 0;

    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
    return ENOMEM;
}
213 1.1 elric
214 1.1 elric /*
215 1.1 elric *
216 1.1 elric */
217 1.1 elric
/*
 * hx509_vprint_func adapter: c is a hx509_validate_ctx; forwards to the
 * print function configured on it, or does nothing if none is set.
 */
static void
validate_vprint(void *c, const char *fmt, va_list va)
{
    hx509_validate_ctx vctx = c;

    if (vctx->vprint_func != NULL)
        vctx->vprint_func(vctx->ctx, fmt, va);
}
226 1.1 elric
/*
 * Print only when at least one bit of flags is enabled on ctx; every
 * validation message in this file goes through here.
 */
static void
validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
{
    va_list ap;

    if ((ctx->flags & flags) != 0) {
        va_start(ap, fmt);
        validate_vprint(ctx, fmt, ap);
        va_end(ap);
    }
}
237 1.1 elric
238 1.1 elric /*
 * Don't Care, SHOULD critical, SHOULD NOT critical, MUST critical,
240 1.1 elric * MUST NOT critical
241 1.1 elric */
enum critical_flag {
    D_C = 0,    /* Don't Care: criticality is not checked */
    S_C,        /* SHOULD be critical */
    S_N_C,      /* SHOULD NOT be critical */
    M_C,        /* MUST be critical */
    M_N_C       /* MUST NOT be critical */
};
243 1.1 elric
/*
 * Checker that only compares the extension's critical bit with the
 * expectation in cf; the extension body is not examined. Also used by the
 * other check_* routines for their criticality check. status is unused.
 * Always returns 0.
 */
static int
check_Null(hx509_validate_ctx ctx,
           struct cert_status *status,
           enum critical_flag cf, const Extension *e)
{
    const char *complaint = NULL;

    switch (cf) {
    case D_C:
        break;
    case S_C:
        if (!e->critical)
            complaint = "\tCritical not set on SHOULD\n";
        break;
    case S_N_C:
        if (e->critical)
            complaint = "\tCritical set on SHOULD NOT\n";
        break;
    case M_C:
        if (!e->critical)
            complaint = "\tCritical not set on MUST\n";
        break;
    case M_N_C:
        if (e->critical)
            complaint = "\tCritical set on MUST NOT\n";
        break;
    default:
        _hx509_abort("internal check_Null state error");
    }
    if (complaint != NULL)
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE, "%s", complaint);
    return 0;
}
277 1.1 elric
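/*
 * Decode and report the subjectKeyIdentifier extension.
 *
 * @return 0 on success, 1 when the value does not decode cleanly (a
 *         message is printed under HX509_VALIDATE_F_VALIDATE first).
 */
static int
check_subjectKeyIdentifier(hx509_validate_ctx ctx,
                           struct cert_status *status,
                           enum critical_flag cf,
                           const Extension *e)
{
    SubjectKeyIdentifier si;
    size_t size;
    int ret;

    status->haveSKI = 1;
    check_Null(ctx, status, cf, e);

    ret = decode_SubjectKeyIdentifier(e->extnValue.data,
                                      e->extnValue.length,
                                      &si, &size);
    if (ret) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding SubjectKeyIdentifier failed: %d", ret);
        return 1;
    }
    if (size != e->extnValue.length) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding SKI have extra bits on the end");
        free_SubjectKeyIdentifier(&si);     /* was leaked on this path */
        return 1;
    }
    /* RFC 5280 4.2.1.2 identifiers are typically a 20-byte hash or shorter. */
    if (si.length == 0)
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "SKI is too short (0 bytes)");
    if (si.length > 20)
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "SKI is too long");

    {
        /* NULL-initialised in case hex_encode() fails without setting id. */
        char *id = NULL;

        hex_encode(si.data, si.length, &id);
        if (id != NULL) {
            validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                           "\tsubject key id: %s\n", id);
            free(id);
        }
    }

    free_SubjectKeyIdentifier(&si);

    return 0;
}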
325 1.1 elric
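/*
 * Decode and report the authorityKeyIdentifier extension.
 *
 * @return 0 on success, 1 when the value does not decode cleanly (a
 *         message is printed under HX509_VALIDATE_F_VALIDATE first).
 */
static int
check_authorityKeyIdentifier(hx509_validate_ctx ctx,
                             struct cert_status *status,
                             enum critical_flag cf,
                             const Extension *e)
{
    AuthorityKeyIdentifier ai;
    size_t size;
    int ret;

    status->haveAKI = 1;
    check_Null(ctx, status, cf, e);

    ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
                                        e->extnValue.length,
                                        &ai, &size);
    if (ret) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding AuthorityKeyIdentifier failed: %d", ret);
        return 1;
    }
    if (size != e->extnValue.length) {
        /* Message used to say "SKI", copied from the subject checker. */
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding AKI have extra bits on the end");
        free_AuthorityKeyIdentifier(&ai);
        return 1;
    }

    /* keyIdentifier is OPTIONAL in AuthorityKeyIdentifier. */
    if (ai.keyIdentifier) {
        /* NULL-initialised in case hex_encode() fails without setting id. */
        char *id = NULL;

        hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
        if (id != NULL) {
            validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                           "\tauthority key id: %s\n", id);
            free(id);
        }
    }

    /* The decoded structure was never released in the original. */
    free_AuthorityKeyIdentifier(&ai);

    return 0;
}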
365 1.1 elric
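/*
 * Decode the extKeyUsage extension and print each purpose OID.
 *
 * @return 0 on success, 1 when the value is empty, padded or does not
 *         decode (a message is printed under HX509_VALIDATE_F_VALIDATE).
 */
static int
check_extKeyUsage(hx509_validate_ctx ctx,
                  struct cert_status *status,
                  enum critical_flag cf,
                  const Extension *e)
{
    ExtKeyUsage eku;
    size_t size, i;
    int ret;

    check_Null(ctx, status, cf, e);

    ret = decode_ExtKeyUsage(e->extnValue.data,
                             e->extnValue.length,
                             &eku, &size);
    if (ret) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding ExtKeyUsage failed: %d", ret);
        return 1;
    }
    if (size != e->extnValue.length) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Padding data in EKU");
        free_ExtKeyUsage(&eku);
        return 1;
    }
    if (eku.len == 0) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "ExtKeyUsage length is 0");
        free_ExtKeyUsage(&eku);     /* was leaked on this path */
        return 1;
    }

    for (i = 0; i < eku.len; i++) {
        char *str;

        ret = der_print_heim_oid(&eku.val[i], '.', &str);
        if (ret) {
            /* i is size_t; "%d" was a format/type mismatch. */
            validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                           "\tEKU: failed to print oid %lu", (unsigned long)i);
            free_ExtKeyUsage(&eku);
            return 1;
        }
        validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                       "\teku-%lu: %s\n", (unsigned long)i, str);
        free(str);
    }

    free_ExtKeyUsage(&eku);

    return 0;
}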
416 1.1 elric
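/*
 * Print the KRB5PrincipalName carried in a pk-init otherName SAN as
 * component/component@REALM.
 *
 * @return 0 on success, 1 when the name does not decode cleanly (a
 *         message is printed under HX509_VALIDATE_F_VALIDATE first).
 */
static int
check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
{
    KRB5PrincipalName kn;
    unsigned i;
    size_t size;
    int ret;

    ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
    if (ret) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding kerberos name in SAN failed: %d", ret);
        return 1;
    }

    if (size != a->length) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding kerberos name have extra bits on the end");
        free_KRB5PrincipalName(&kn);    /* was leaked on this path */
        return 1;
    }

    /* print kerberos principal; TODO: quote '/' within components */
    for (i = 0; i < kn.principalName.name_string.len; i++) {
        validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
                       kn.principalName.name_string.val[i]);
        if (i + 1 < kn.principalName.name_string.len)
            validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
    }
    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);

    free_KRB5PrincipalName(&kn);
    return 0;
}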
451 1.1 elric
/*
 * Print a UTF-8 string otherName SAN (XMPP address / MS UPN). Returns 1
 * after printing a message when the value does not decode.
 */
static int
check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
{
    PKIXXmppAddr jid;
    size_t consumed;
    int ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &consumed);

    if (ret != 0) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding JID in SAN failed: %d", ret);
        return 1;
    }

    /* NOTE: unlike the pk-init checker, trailing bytes are not diagnosed. */
    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
    free_PKIXXmppAddr(&jid);
    return 0;
}
471 1.1 elric
/*
 * Placeholder otherName checker for types that are recognised but not
 * decoded (dns-srv, card-id); prints nothing and always succeeds.
 */
static int
check_altnull(hx509_validate_ctx ctx, heim_any *a)
{
    (void)ctx;
    (void)a;
    return 0;
}
477 1.1 elric
/*
 * Print one decoded DistributionPointName under HX509_VALIDATE_F_VERBOSE;
 * only the fullName choice is expanded.
 */
static void
print_distribution_point_name(hx509_validate_ctx ctx,
                              DistributionPointName *dpname)
{
    size_t j;

    switch (dpname->element) {
    case choice_DistributionPointName_fullName:
        validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
        for (j = 0; j < dpname->u.fullName.len; j++) {
            GeneralName *name = &dpname->u.fullName.val[j];
            char *s;

            if (hx509_general_name_unparse(name, &s) == 0 && s != NULL) {
                validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
                free(s);
            }
        }
        break;
    case choice_DistributionPointName_nameRelativeToCRLIssuer:
        validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                       "Unknown nameRelativeToCRLIssuer");
        break;
    default:
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Unknown DistributionPointName");
        break;
    }
}

/*
 * Decode the cRLDistributionPoints extension and print every distribution
 * point name it carries. A point whose name fails to decode is reported
 * and skipped; only a failure to decode the whole extension returns 1.
 */
static int
check_CRLDistributionPoints(hx509_validate_ctx ctx,
                            struct cert_status *status,
                            enum critical_flag cf,
                            const Extension *e)
{
    CRLDistributionPoints dp;
    size_t size;
    size_t i;
    int ret;

    check_Null(ctx, status, cf, e);

    ret = decode_CRLDistributionPoints(e->extnValue.data,
                                       e->extnValue.length,
                                       &dp, &size);
    if (ret != 0) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "Decoding CRL Distribution Points failed: %d\n", ret);
        return 1;
    }

    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
    for (i = 0; i < dp.len; i++) {
        heim_any *data = dp.val[i].distributionPoint;
        DistributionPointName dpname;

        if (data == NULL)
            continue;           /* distributionPoint is OPTIONAL */

        /* Size pointer is NULL: trailing bytes are not diagnosed here. */
        ret = decode_DistributionPointName(data->data, data->length,
                                           &dpname, NULL);
        if (ret != 0) {
            validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                           "Failed to parse CRL Distribution Point Name: %d\n", ret);
            continue;
        }
        print_distribution_point_name(ctx, &dpname);
        free_DistributionPointName(&dpname);
    }
    free_CRLDistributionPoints(&dp);

    status->haveCRLDP = 1;

    return 0;
}
548 1.1 elric
549 1.1 elric
/*
 * Dispatch table for otherName subject/issuer alternative names, keyed by
 * the otherName type-id OID; check_altName() scans it linearly and calls
 * func on the otherName value of the first matching entry. Unknown OIDs
 * are printed as dotted OIDs followed by "unknown".
 */
struct {
    const char *name;                               /* label printed before the value */
    const heim_oid *oid;                            /* otherName type-id to match */
    int (*func)(hx509_validate_ctx, heim_any *);    /* value printer/checker */
} altname_types[] = {
    { "pk-init", &asn1_oid_id_pkinit_san, check_pkinit_san },
    { "jabber", &asn1_oid_id_pkix_on_xmppAddr, check_utf8_string_san },
    { "dns-srv", &asn1_oid_id_pkix_on_dnsSRV, check_altnull },
    { "card-id", &asn1_oid_id_uspkicommon_card_id, check_altnull },
    { "Microsoft NT-PRINCIPAL-NAME", &asn1_oid_id_pkinit_ms_san, check_utf8_string_san }
};
561 1.1 elric
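/*
 * Decode a GeneralNames extension body (subject or issuer alternative
 * names) and print each entry; otherName entries are dispatched through
 * altname_types[] by OID, everything else goes through
 * hx509_general_name_unparse(). Empty extensions and decode failures are
 * reported under HX509_VALIDATE_F_VALIDATE.
 *
 * @param name  "subject" or "issuer", used only in messages.
 * @return 0 on success, 1 when the extension is empty or malformed.
 */
static int
check_altName(hx509_validate_ctx ctx,
              struct cert_status *status,
              const char *name,
              enum critical_flag cf,
              const Extension *e)
{
    const size_t ntypes = sizeof(altname_types) / sizeof(altname_types[0]);
    GeneralNames gn;
    size_t size;
    size_t i;
    int ret;

    check_Null(ctx, status, cf, e);

    if (e->extnValue.length == 0) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "%sAltName empty, not allowed", name);
        return 1;
    }
    ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
                              &gn, &size);
    if (ret) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "\tret = %d while decoding %s GeneralNames\n",
                       ret, name);
        return 1;
    }
    if (gn.len == 0) {
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "%sAltName generalName empty, not allowed\n", name);
        free_GeneralNames(&gn);     /* was leaked on this path */
        return 1;
    }

    for (i = 0; i < gn.len; i++) {
        switch (gn.val[i].element) {
        case choice_GeneralName_otherName: {
            size_t j;

            validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                           "%sAltName otherName ", name);

            /* First table entry whose OID matches the type-id wins. */
            for (j = 0; j < ntypes; j++) {
                if (der_heim_oid_cmp(altname_types[j].oid,
                                     &gn.val[i].u.otherName.type_id) != 0)
                    continue;

                validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
                               altname_types[j].name);
                /* Checkers print their own diagnostics; result is informational. */
                (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);
                break;
            }
            if (j == ntypes) {
                hx509_oid_print(&gn.val[i].u.otherName.type_id,
                                validate_vprint, ctx);
                validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
            }
            validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
            break;
        }
        default: {
            char *s = NULL;

            ret = hx509_general_name_unparse(&gn.val[i], &s);
            if (ret) {
                validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                               "ret = %d unparsing GeneralName\n", ret);
                free_GeneralNames(&gn);     /* was leaked on this path */
                return 1;
            }
            validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
            free(s);
            break;
        }
        }
    }

    free_GeneralNames(&gn);

    return 0;
}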
640 1.1 elric
/*
 * subjectAltName: record that it exists, then defer to check_altName().
 */
static int
check_subjectAltName(hx509_validate_ctx ctx,
                     struct cert_status *status,
                     enum critical_flag cf,
                     const Extension *e)
{
    static const char which[] = "subject";

    status->haveSAN = 1;
    return check_altName(ctx, status, which, cf, e);
}
650 1.1 elric
/*
 * issuerAltName: record that it exists, then defer to check_altName().
 */
static int
check_issuerAltName(hx509_validate_ctx ctx,
                    struct cert_status *status,
                    enum critical_flag cf,
                    const Extension *e)
{
    static const char which[] = "issuer";

    status->haveIAN = 1;
    return check_altName(ctx, status, which, cf, e);
}
660 1.1 elric
661 1.1 elric
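/*
 * Decode and report the basicConstraints extension; sets status->isca
 * when cA is TRUE.
 *
 * @return 0 always; decode problems are only reported.
 */
static int
check_basicConstraints(hx509_validate_ctx ctx,
                       struct cert_status *status,
                       enum critical_flag cf,
                       const Extension *e)
{
    BasicConstraints b;
    size_t size;
    int ret;

    check_Null(ctx, status, cf, e);

    ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
                                  &b, &size);
    if (ret) {
        /*
         * Was printf(): routed through validate_print() so the message
         * honours the configured print function instead of going to stdout.
         * NOTE(review): sibling checkers return 1 here; kept at 0 to
         * preserve the caller-visible result.
         */
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "\tret = %d while decoding BasicConstraints\n", ret);
        return 0;
    }
    if (size != e->extnValue.length)
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "\tlength of der data isn't same as extension\n");

    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                   "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
    if (b.pathLenConstraint)
        validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                       "\tpathLenConstraint: %d\n", *b.pathLenConstraint);

    if (b.cA) {
        if (*b.cA) {
            /* RFC 5280 4.2.1.9: CA certificates must mark this critical. */
            if (!e->critical)
                validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                               "Is a CA and not BasicConstraints CRITICAL\n");
            status->isca = 1;
        } else {
            /* cA has DEFAULT FALSE, so DER must omit an explicit FALSE. */
            validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                           "cA is FALSE, not allowed to be\n");
        }
    }
    free_BasicConstraints(&b);

    return 0;
}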
704 1.1 elric
/*
 * proxyCertInfo: only the critical bit is checked; the presence of the
 * extension marks the certificate as a proxy.
 */
static int
check_proxyCertInfo(hx509_validate_ctx ctx,
                    struct cert_status *status,
                    enum critical_flag cf,
                    const Extension *e)
{
    status->isproxy = 1;
    return check_Null(ctx, status, cf, e);
}
715 1.1 elric
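/*
 * Decode the authorityInfoAccess extension and print each access method
 * OID with its access location.
 *
 * @return 0 always; decode problems are only reported.
 */
static int
check_authorityInfoAccess(hx509_validate_ctx ctx,
                          struct cert_status *status,
                          enum critical_flag cf,
                          const Extension *e)
{
    AuthorityInfoAccessSyntax aia;
    size_t size;
    size_t i;
    int ret;

    check_Null(ctx, status, cf, e);

    ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
                                           e->extnValue.length,
                                           &aia, &size);
    if (ret) {
        /*
         * Was printf(): routed through validate_print() so the message
         * honours the configured print function instead of going to stdout.
         */
        validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                       "\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
        return 0;
    }

    for (i = 0; i < aia.len; i++) {
        char *str = NULL;

        validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\ttype: ");
        hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
        /*
         * hx509_general_name_unparse() can fail and leave str unset; the
         * original printed and freed it unconditionally.
         */
        ret = hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
        if (ret == 0 && str != NULL) {
            validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
                           "\n\tdirname: %s\n", str);
            free(str);
        } else {
            validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
                           "\n\tret = %d unparsing accessLocation\n", ret);
        }
    }
    free_AuthorityInfoAccessSyntax(&aia);

    return 0;
}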
751 1.1 elric
752 1.1 elric /*
753 1.1 elric *
754 1.1 elric */
755 1.1 elric
/*
 * Extension dispatch table: maps an extension OID to its checker and the
 * criticality expected of it (see enum critical_flag). Entries whose
 * checker is check_Null only verify the critical bit. Presumably walked by
 * hx509_validate_cert() against each extension's extnID; that loop is
 * outside this view. Terminated by an all-NULL sentinel.
 */
struct {
    const char *name;               /* extension name, for messages */
    const heim_oid *oid;            /* extension OID to match */
    int (*func)(hx509_validate_ctx ctx,
                struct cert_status *status,
                enum critical_flag cf,
                const Extension *);  /* checker, see check_* above */
    enum critical_flag cf;          /* expected criticality */
} check_extension[] = {
/* id-ce (X.509 certificate extension) arc. */
#define ext(name, checkname) #name, &asn1_oid_id_x509_ce_##name, check_##checkname
    { ext(subjectDirectoryAttributes, Null), M_N_C },
    { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
    { ext(keyUsage, Null), S_C },
    { ext(subjectAltName, subjectAltName), M_N_C },
    { ext(issuerAltName, issuerAltName), S_N_C },
    { ext(basicConstraints, basicConstraints), D_C },
    { ext(cRLNumber, Null), M_N_C },
    { ext(cRLReason, Null), M_N_C },
    { ext(holdInstructionCode, Null), M_N_C },
    { ext(invalidityDate, Null), M_N_C },
    { ext(deltaCRLIndicator, Null), M_C },
    { ext(issuingDistributionPoint, Null), M_C },
    { ext(certificateIssuer, Null), M_C },
    { ext(nameConstraints, Null), M_C },
    { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
    { ext(certificatePolicies, Null), 0 },  /* 0 is D_C: criticality not checked */
    { ext(policyMappings, Null), M_N_C },
    { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
    { ext(policyConstraints, Null), D_C },
    { ext(extKeyUsage, extKeyUsage), D_C },
    { ext(freshestCRL, Null), M_N_C },
    { ext(inhibitAnyPolicy, Null), M_C },
#undef ext
/* id-pe (PKIX private extension) arc. */
#define ext(name, checkname) #name, &asn1_oid_id_pkix_pe_##name, check_##checkname
    { ext(proxyCertInfo, proxyCertInfo), M_C },
    { ext(authorityInfoAccess, authorityInfoAccess), M_C },
#undef ext
    { "US Fed PKI - PIV Interim", &asn1_oid_id_uspkicommon_piv_interim,
      check_Null, D_C },
    { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
      check_Null, D_C },
    { NULL, NULL, NULL, 0 }     /* sentinel */
};
799 1.1 elric
800 1.1 elric /**
801 1.1 elric * Allocate a hx509 validation/printing context.
802 1.1 elric *
803 1.1 elric * @param context A hx509 context.
804 1.1 elric * @param ctx a new allocated hx509 validation context, free with
805 1.1 elric * hx509_validate_ctx_free().
806 1.1 elric
807 1.1 elric * @return An hx509 error code, see hx509_get_error_string().
808 1.1 elric *
809 1.1 elric * @ingroup hx509_print
810 1.1 elric */
811 1.1 elric
int
hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
{
    /* calloc() zero-fills, matching the former malloc()+memset(); context is unused. */
    *ctx = calloc(1, sizeof(**ctx));
    return (*ctx == NULL) ? ENOMEM : 0;
}
821 1.1 elric
822 1.1 elric /**
823 1.1 elric * Set the printing functions for the validation context.
824 1.1 elric *
 * @param ctx a hx509 validation context.
 * @param func the printing function to use.
827 1.1 elric * @param c the context variable to the printing function.
828 1.1 elric *
829 1.1 elric * @return An hx509 error code, see hx509_get_error_string().
830 1.1 elric *
831 1.1 elric * @ingroup hx509_print
832 1.1 elric */
833 1.1 elric
void
hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
                             hx509_vprint_func func,
                             void *c)
{
    /* Both fields are replaced; a NULL func silences validate_vprint(). */
    ctx->ctx = c;
    ctx->vprint_func = func;
}
842 1.1 elric
843 1.1 elric /**
 * Add flags to control the behavior of the hx509_validate_cert()
845 1.1 elric * function.
846 1.1 elric *
847 1.1 elric * @param ctx A hx509 validation context.
848 1.1 elric * @param flags flags to add to the validation context.
849 1.1 elric *
850 1.1 elric * @return An hx509 error code, see hx509_get_error_string().
851 1.1 elric *
852 1.1 elric * @ingroup hx509_print
853 1.1 elric */
854 1.1 elric
void
hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
{
    /* Additive only: bits already set are never cleared here. */
    ctx->flags = ctx->flags | flags;
}
860 1.1 elric
861 1.1 elric /**
862 1.1 elric * Free an hx509 validate context.
863 1.1 elric *
864 1.1 elric * @param ctx the hx509 validate context to free.
865 1.1 elric *
866 1.1 elric * @ingroup hx509_print
867 1.1 elric */
868 1.1 elric
void
hx509_validate_ctx_free(hx509_validate_ctx ctx)
{
    /* The context owns nothing beyond itself; the print ctx belongs to the caller. */
    free(ctx);
}
874 1.1 elric
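/*
 * Walk the extension list of t, reporting extensions that are not in
 * check_extension[] and dispatching the known ones to their checker,
 * which records what it found in *status.
 */
static void
validate_cert_extensions(hx509_validate_ctx ctx,
			 TBSCertificate *t,
			 struct cert_status *status)
{
    size_t i, j;

    if (t->extensions->len == 0) {
	validate_print(ctx,
		       HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
		       "The empty extensions list is not "
		       "allowed by PKIX\n");
    }

    for (i = 0; i < t->extensions->len; i++) {

	/* Look the extension OID up in the table of known extensions. */
	for (j = 0; check_extension[j].name; j++)
	    if (der_heim_oid_cmp(check_extension[j].oid,
				 &t->extensions->val[i].extnID) == 0)
		break;

	if (check_extension[j].name == NULL) {
	    /*
	     * An unknown extension is only worth a verbose note, unless it
	     * is marked critical: an unrecognised critical extension is a
	     * validation finding, since a relying party may not use a
	     * certificate carrying one.
	     */
	    int flags = HX509_VALIDATE_F_VERBOSE;
	    if (t->extensions->val[i].critical)
		flags |= HX509_VALIDATE_F_VALIDATE;
	    validate_print(ctx, flags, "don't know what ");
	    if (t->extensions->val[i].critical)
		validate_print(ctx, flags, "and is CRITICAL ");
	    /* hx509_oid_print() takes no flags, so gate it on ctx->flags
	     * explicitly to keep it in step with the surrounding output. */
	    if (ctx->flags & flags)
		hx509_oid_print(&t->extensions->val[i].extnID,
				validate_vprint, ctx);
	    validate_print(ctx, flags, " is\n");
	    continue;
	}
	validate_print(ctx,
		       HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
		       "checking extension: %s\n",
		       check_extension[j].name);
	(*check_extension[j].func)(ctx,
				   status,
				   check_extension[j].cf,
				   &t->extensions->val[i]);
    }
}

/**
 * Validate/Print the status of the certificate.
 *
 * Runs a series of structural (PKIX) checks over the certificate and
 * reports each finding through the print function installed with
 * hx509_validate_ctx_set_print(): problems are reported with
 * HX509_VALIDATE_F_VALIDATE, informational output with
 * HX509_VALIDATE_F_VERBOSE. Findings do not affect the return value:
 * a certificate that fails every check still yields 0 as long as the
 * function itself could run to completion.
 *
 * @param context A hx509 context.
 * @param ctx A hx509 validation context.
 * @param cert the certificate to validate/print.
 *
 * @return 0 when the checks were run, or an hx509 error code (see
 * hx509_get_error_string()) if the subject or issuer name, or the
 * validity times, could not be extracted or formatted.
 *
 * @ingroup hx509_print
 */

int
hx509_validate_cert(hx509_context context,
		    hx509_validate_ctx ctx,
		    hx509_cert cert)
{
    Certificate *c = _hx509_get_cert(cert);
    TBSCertificate *t = &c->tbsCertificate;
    hx509_name issuer, subject;
    char *str;
    struct cert_status status;
    int version;
    int ret;

    memset(&status, 0, sizeof(status));

    /* Extensions are only defined for v3 certificates (version field 2). */
    version = _hx509_cert_get_version(c);

    if (version != 3)
	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
		       "Not version 3 certificate\n");

    if ((t->version == NULL || *t->version < 2) && t->extensions)
	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
		       "Not version 3 certificate with extensions\n");

    if (version >= 3 && t->extensions == NULL)
	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
		       "Version 3 certificate without extensions\n");

    /*
     * A certificate whose names cannot be extracted or printed cannot be
     * validated; hand the error back to the caller rather than aborting
     * the process on malformed input.
     */
    ret = hx509_cert_get_subject(cert, &subject);
    if (ret)
	return ret;

    ret = hx509_name_to_string(subject, &str);
    if (ret)
	goto out_subject;
    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
		   "subject name: %s\n", str);
    free(str);

    ret = hx509_cert_get_issuer(cert, &issuer);
    if (ret)
	goto out_subject;

    ret = hx509_name_to_string(issuer, &str);
    if (ret)
	goto out;
    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
		   "issuer name: %s\n", str);
    free(str);

    /*
     * Equal subject and issuer names only suggest a self-signed
     * certificate; the signature itself is verified further down.
     */
    if (hx509_name_cmp(subject, issuer) == 0) {
	status.selfsigned = 1;
	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
		       "\tis a self-signed certificate\n");
    }

    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
		   "Validity:\n");

    ret = Time2string(&t->validity.notBefore, &str);
    if (ret)
	goto out;
    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
    free(str);

    ret = Time2string(&t->validity.notAfter, &str);
    if (ret)
	goto out;
    validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str);
    free(str);

    /* Extension checkers fill in the status bits consulted below. */
    if (t->extensions)
	validate_cert_extensions(ctx, t, &status);
    else
	validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extensions\n");

    if (status.isca) {
	if (!status.haveSKI)
	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
			   "CA certificate have no SubjectKeyIdentifier\n");

    } else {
	if (!status.haveAKI)
	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
			   "Is not CA and doesn't have "
			   "AuthorityKeyIdentifier\n");
    }

    if (!status.haveSKI)
	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
		       "Doesn't have SubjectKeyIdentifier\n");

    if (status.isproxy && status.isca)
	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
		       "Proxy and CA at the same time!\n");

    if (status.isproxy) {
	if (status.haveSAN)
	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
			   "Proxy and have SAN\n");
	if (status.haveIAN)
	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
			   "Proxy and have IAN\n");
    }

    if (hx509_name_is_null_p(subject) && !status.haveSAN)
	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
		       "NULL subject DN and doesn't have a SAN\n");

    /*
     * NOTE(review): the message speaks of CA/proxy certificates, but the
     * condition only looks at status.selfsigned; confirm which is intended.
     * (The two literals used to be concatenated without a space, producing
     * "haveCRL"; the space is now part of the first literal.)
     */
    if (!status.selfsigned && !status.haveCRLDP)
	validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
		       "Not a CA nor PROXY and doesn't have "
		       "CRL Dist Point\n");

    /*
     * Name equality above is only a hint; actually verify the signature
     * with the certificate's own key to confirm it is self-signed.
     */
    if (status.selfsigned) {
	ret = _hx509_verify_signature_bitstring(context,
						cert,
						&c->signatureAlgorithm,
						&c->tbsCertificate._save,
						&c->signatureValue);
	if (ret == 0)
	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
			   "Self-signed certificate was self-signed\n");
	else
	    validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
			   "Self-signed certificate NOT really self-signed!\n");
    }

    /* Findings are reported, not returned: reaching this point is success. */
    ret = 0;
out:
    hx509_name_free(&issuer);
out_subject:
    hx509_name_free(&subject);
    return ret;
}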