TclTLS
Diff
Login
HomeTimelineDownloadBrowse SourceBranchesTagsTicketsWiki
Annotate Patch Unified Diff
EuroTcl/OpenACS 11 - 12 JULY 2024, VIENNA

Differences From Artifact [2dcf9a15dc]:

To Artifact [b2a7efe519]:

12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35


36
37
38




39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/asn1.h>
#include "tlsInt.h"

/* Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. */
#define CERT_STR_SIZE 32768


/*
 * String_to_Hex --
 *	Format contents of a binary string as a hex string
 *
 * Results:
 *	Returns size of output hex string
 *
 * Side Effects:
 *	None
 *
 */
Tcl_Size String_to_Hex(unsigned char* input, int ilen, unsigned char *buffer, Tcl_Size blen) {
    Tcl_Size len = 0;
    unsigned char *iptr = input;


    unsigned char *optr = &buffer[0];
    const char *hex = "0123456789abcdef";





    for (int i = 0; i < ilen && len < blen - 1; i++, len += 2) {
        *optr++ = hex[(*iptr>>4)&0xF];
        *optr++ = hex[(*iptr++)&0xF];
    }
    *optr = 0;
    return len;
}

/*
 * BIO_to_Buffer --
 *	Output contents of a BIO to a buffer
 *
 * Results:
 *	Returns length of string in buffer
 *
 * Side effects:
 *	None
 *
 */
Tcl_Size BIO_to_Buffer(int result, BIO *bio, void *buffer, int blen) {
    Tcl_Size len = 0;
    int pending = BIO_pending(bio);

    if (result) {
	len = (Tcl_Size) BIO_read(bio, buffer, (pending < blen) ? pending : blen);
	(void)BIO_flush(bio);
	if (len < 0) {
	    len = 0;
	}
    }
    return len;
}








|







|





|
<

>
>
|


>
>
>
>
|
|
|

<
|













|




|








12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

34
35
36
37
38
39
40
41
42
43
44
45
46
47

48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/asn1.h>
#include "tlsInt.h"

/* Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. */
#define CERT_STR_SIZE 24576


/*
 * String_to_Hex --
 *	Format contents of a binary string as a hex string
 *
 * Results:
 *	TCL byte array object with x509 identifier as a hex string
 *
 * Side Effects:
 *	None
 *
 */
Tcl_Obj *String_to_Hex(unsigned char* input, int ilen) {

    unsigned char *iptr = input;
    Tcl_Obj *resultObj = Tcl_NewByteArrayObj(NULL, 0);
    unsigned char *data = Tcl_SetByteArrayLength(resultObj, ilen*2);
    unsigned char *dptr = &data[0];
    const char *hex = "0123456789abcdef";

    if (resultObj == NULL) {
	return NULL;
    }

    for (int i = 0; i < ilen; i++) {
        *dptr++ = hex[(*iptr>>4)&0xF];
        *dptr++ = hex[(*iptr++)&0xF];
    }

    return resultObj;
}

/*
 * BIO_to_Buffer --
 *	Output contents of a BIO to a buffer
 *
 * Results:
 *	Returns length of string in buffer
 *
 * Side effects:
 *	None
 *
 */
Tcl_Size BIO_to_Buffer(int result, BIO *bio, void *output, int olen) {
    Tcl_Size len = 0;
    int pending = BIO_pending(bio);

    if (result) {
	len = (Tcl_Size) BIO_read(bio, output, (pending < olen) ? pending : olen);
	(void)BIO_flush(bio);
	if (len < 0) {
	    len = 0;
	}
    }
    return len;
}

101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

}

/*
 * Tls_x509Identifier --
 *	Get X.509 certificate Authority or Subject Key Identifiers
 *
 * Results:
 *	TCL string object with x509 identifier as a hex string
 *
 * Side effects:
 *	None
 *
 */
Tcl_Obj *Tls_x509Identifier(const ASN1_OCTET_STRING *astring) {
    Tcl_Obj *resultObj = NULL;
    Tcl_Size len = 0;
    unsigned char buffer[1024];

    if (astring != NULL) {
	len = String_to_Hex((unsigned char *)ASN1_STRING_get0_data(astring),
	    ASN1_STRING_length(astring), buffer, 1024);
    }
    resultObj = Tcl_NewStringObj((char *) &buffer[0], len);
    return resultObj;
}

/*
 * Tls_x509KeyUsage --
 *	Get X.509 certificate key usage types
 *








|







<
<


|
|

<








105
106
107
108
109
110
111
112
113
114
115
116
117
118
119


120
121
122
123
124

125
126
127
128
129
130
131

}

/*
 * Tls_x509Identifier --
 *	Get X.509 certificate Authority or Subject Key Identifiers
 *
 * Results:
 *	TCL byte array object with x509 identifier as a hex string
 *
 * Side effects:
 *	None
 *
 */
Tcl_Obj *Tls_x509Identifier(const ASN1_OCTET_STRING *astring) {
    Tcl_Obj *resultObj = NULL;



    if (astring != NULL) {
	resultObj = String_to_Hex((unsigned char *)ASN1_STRING_get0_data(astring),
	    ASN1_STRING_length(astring));
    }

    return resultObj;
}

/*
 * Tls_x509KeyUsage --
 *	Get X.509 certificate key usage types
 *

459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479




480
481
482

483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498

499

500

501
502
503
504
505
506
507

 * Result:
 *	A Tcl List with the X509 certificate info as a key-value list
 *
 * Side effects:
 *	None
 *
 */

Tcl_Obj*
Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert, int all) {
    Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL);
    BIO *bio = BIO_new(BIO_s_mem());
    int mdnid, pknid, bits;
    Tcl_Size len;
    unsigned int ulen;
    uint32_t xflags;
    char buffer[BUFSIZ];
    unsigned char md[EVP_MAX_MD_SIZE];
    unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
    flags &= ~ASN1_STRFLGS_ESC_MSB;





    if (interp == NULL || cert == NULL || bio == NULL || resultObj == NULL) {
	Tcl_DecrRefCount(resultObj);
	BIO_free(bio);

	return NULL;
    }

    /* Signature algorithm and value - RFC 5280 section 4.1.1.2 and 4.1.1.3 */
    /* signatureAlgorithm is the id of the cryptographic algorithm used by the
	CA to sign this cert. signatureValue is the digital signature computed
	upon the ASN.1 DER encoded tbsCertificate. */
    {
	const X509_ALGOR *sig_alg;
	const ASN1_BIT_STRING *sig;
	int sig_nid;

	X509_get0_signature(&sig, &sig_alg, cert);
	/* sig_nid = X509_get_signature_nid(cert) */
	sig_nid = OBJ_obj2nid(sig_alg->algorithm);
	LAPPEND_STR(interp, resultObj, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1);

	len = (sig_nid != NID_undef) ? String_to_Hex(sig->data, sig->length, (unsigned char *) buffer, BUFSIZ) : 0;

	LAPPEND_STR(interp, resultObj, "signatureValue", buffer, len);

    }

    /* Version of the encoded certificate - RFC 5280 section 4.1.2.1 */
    LAPPEND_LONG(interp, resultObj, "version", X509_get_version(cert)+1);

    /* Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 */
    len = BIO_to_Buffer(i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)), bio, buffer, BUFSIZ);








<
<
|






<
<



>
>
>
>
|


>
















>
|
>
|
>








460
461
462
463
464
465
466


467
468
469
470
471
472
473


474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512

 * Result:
 *	A Tcl List with the X509 certificate info as a key-value list
 *
 * Side effects:
 *	None
 *
 */


Tcl_Obj *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert, int all) {
    Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL);
    BIO *bio = BIO_new(BIO_s_mem());
    int mdnid, pknid, bits;
    Tcl_Size len;
    unsigned int ulen;
    uint32_t xflags;


    unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
    flags &= ~ASN1_STRFLGS_ESC_MSB;

    char *buffer = ckalloc(BUFSIZ > EVP_MAX_MD_SIZE ? BUFSIZ : EVP_MAX_MD_SIZE);

    printf("Called\n");

    if (interp == NULL || cert == NULL || bio == NULL || resultObj == NULL || buffer == NULL) {
	Tcl_DecrRefCount(resultObj);
	BIO_free(bio);
	if (buffer != NULL) ckfree(buffer);
	return NULL;
    }

    /* Signature algorithm and value - RFC 5280 section 4.1.1.2 and 4.1.1.3 */
    /* signatureAlgorithm is the id of the cryptographic algorithm used by the
	CA to sign this cert. signatureValue is the digital signature computed
	upon the ASN.1 DER encoded tbsCertificate. */
    {
	const X509_ALGOR *sig_alg;
	const ASN1_BIT_STRING *sig;
	int sig_nid;

	X509_get0_signature(&sig, &sig_alg, cert);
	/* sig_nid = X509_get_signature_nid(cert) */
	sig_nid = OBJ_obj2nid(sig_alg->algorithm);
	LAPPEND_STR(interp, resultObj, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1);
	if (sig_nid != NID_undef) {
	    LAPPEND_OBJ(interp, resultObj, "signatureValue", String_to_Hex(sig->data, sig->length));
	} else {
	    LAPPEND_STR(interp, resultObj, "signatureValue", "", 0);
	}
    }

    /* Version of the encoded certificate - RFC 5280 section 4.1.2.1 */
    LAPPEND_LONG(interp, resultObj, "version", X509_get_version(cert)+1);

    /* Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 */
    len = BIO_to_Buffer(i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)), bio, buffer, BUFSIZ);

527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564

565
566
567
568
569
570

571
572
573
574
575
576
577


    /* Subject identifies the entity associated with the public key stored in
	the subject public key field. RFC 5280 section 4.1.2.6 */
    len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ);
    LAPPEND_STR(interp, resultObj, "subject", buffer, len);

    /* SHA1 Digest (Fingerprint) of cert - DER representation */
    if (X509_digest(cert, EVP_sha1(), md, &ulen)) {
	len = String_to_Hex(md, (int) ulen, (unsigned char *) buffer, BUFSIZ);
	LAPPEND_STR(interp, resultObj, "sha1_hash", buffer, len);
    }

    /* SHA256 Digest (Fingerprint) of cert - DER representation */
    if (X509_digest(cert, EVP_sha256(), md, &ulen)) {
	len = String_to_Hex(md, (int) ulen, (unsigned char *) buffer, BUFSIZ);
	LAPPEND_STR(interp, resultObj, "sha256_hash", buffer, len);
    }

    /* Subject Public Key Info specifies the public key and identifies the
	algorithm with which the key is used. RFC 5280 section 4.1.2.7 */
    if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags)) {
	ASN1_BIT_STRING *key;
	unsigned int n;

	LAPPEND_STR(interp, resultObj, "signingDigest", OBJ_nid2ln(mdnid), -1);
	LAPPEND_STR(interp, resultObj, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1);
	LAPPEND_INT(interp, resultObj, "bits", bits); /* Effective security bits */

	key = X509_get0_pubkey_bitstr(cert);
	len = String_to_Hex(key->data, key->length, (unsigned char *) buffer, BUFSIZ);
	LAPPEND_STR(interp, resultObj, "publicKey", buffer, len);

	len = 0;
	if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) {
	    len = String_to_Hex(md, (int) n, (unsigned char *) buffer, BUFSIZ);
	}
	LAPPEND_STR(interp, resultObj, "publicKeyHash", buffer, len);


	/* digest of the DER representation of the certificate */
	len = 0;
	if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) {
	    len = String_to_Hex(md, (int) n, (unsigned char *) buffer, BUFSIZ);
	}
	LAPPEND_STR(interp, resultObj, "signatureHash", buffer, len);

    }

    /* Certificate Purpose. Call before checking for extensions. */
    LAPPEND_STR(interp, resultObj, "purpose", Tls_x509Purpose(cert), -1);
    LAPPEND_OBJ(interp, resultObj, "certificatePurpose", Tls_x509Purposes(interp, cert));

    /* Get extensions flags */








|
<
|



|
<
|













<
|

<
|
|
|
|
|
>

<
|
|
|
|
>








532
533
534
535
536
537
538
539

540
541
542
543
544

545
546
547
548
549
550
551
552
553
554
555
556
557
558

559
560

561
562
563
564
565
566
567

568
569
570
571
572
573
574
575
576
577
578
579


    /* Subject identifies the entity associated with the public key stored in
	the subject public key field. RFC 5280 section 4.1.2.6 */
    len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ);
    LAPPEND_STR(interp, resultObj, "subject", buffer, len);

    /* SHA1 Digest (Fingerprint) of cert - DER representation */
    if (X509_digest(cert, EVP_sha1(), (unsigned char *)buffer, &ulen)) {

	LAPPEND_OBJ(interp, resultObj, "sha1_hash", String_to_Hex((unsigned char *)buffer, (int) ulen));
    }

    /* SHA256 Digest (Fingerprint) of cert - DER representation */
    if (X509_digest(cert, EVP_sha256(), (unsigned char *)buffer, &ulen)) {

	LAPPEND_OBJ(interp, resultObj, "sha256_hash", String_to_Hex((unsigned char *)buffer, (int) ulen));
    }

    /* Subject Public Key Info specifies the public key and identifies the
	algorithm with which the key is used. RFC 5280 section 4.1.2.7 */
    if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags)) {
	ASN1_BIT_STRING *key;
	unsigned int n;

	LAPPEND_STR(interp, resultObj, "signingDigest", OBJ_nid2ln(mdnid), -1);
	LAPPEND_STR(interp, resultObj, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1);
	LAPPEND_INT(interp, resultObj, "bits", bits); /* Effective security bits */

	key = X509_get0_pubkey_bitstr(cert);

	LAPPEND_OBJ(interp, resultObj, "publicKey", String_to_Hex(key->data, key->length));


	if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), (unsigned char *)buffer, &n)) {
	    LAPPEND_OBJ(interp, resultObj, "publicKeyHash", String_to_Hex((unsigned char *)buffer, (int) n));
	} else {
	    LAPPEND_STR(interp, resultObj, "publicKeyHash", "", 0);
	}

	/* digest of the DER representation of the certificate */

	if (X509_digest(cert, EVP_get_digestbynid(mdnid), (unsigned char *)buffer, &n)) {
	    LAPPEND_OBJ(interp, resultObj, "signatureHash", String_to_Hex((unsigned char *)buffer, (int) n));
	} else {
	    LAPPEND_STR(interp, resultObj, "signatureHash", "", 0);
	}
    }

    /* Certificate Purpose. Call before checking for extensions. */
    LAPPEND_STR(interp, resultObj, "purpose", Tls_x509Purpose(cert), -1);
    LAPPEND_OBJ(interp, resultObj, "certificatePurpose", Tls_x509Purposes(interp, cert));

    /* Get extensions flags */

697
698
699
700
701
702
703

704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720

721
722

	Tcl_Obj *allObj = Tcl_NewByteArrayObj(NULL, 0);
	Tcl_Obj *certObj = Tcl_NewByteArrayObj(NULL, 0);
	unsigned char *allStr, *certStr;

	if (allObj == NULL || certObj == NULL) {
	    Tcl_DecrRefCount(allObj);
	    BIO_free(bio);

	    return resultObj;
	}

	/* Get certificate */
	certStr = Tcl_SetByteArrayLength(certObj, CERT_STR_SIZE);
	len = BIO_to_Buffer(PEM_write_bio_X509(bio, cert), bio, certStr, CERT_STR_SIZE);
	Tcl_SetByteArrayLength(certObj, len);
	LAPPEND_OBJ(interp, resultObj, "certificate", certObj)

	/* Get all info on certificate */
	allStr = Tcl_SetByteArrayLength(allObj, CERT_STR_SIZE * 2);
	len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, allStr, CERT_STR_SIZE * 2);
	Tcl_SetByteArrayLength(allObj, len);
	LAPPEND_OBJ(interp, resultObj, "all", allObj)
    }

    BIO_free(bio);

    return resultObj;
}








>

















>



699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726

	Tcl_Obj *allObj = Tcl_NewByteArrayObj(NULL, 0);
	Tcl_Obj *certObj = Tcl_NewByteArrayObj(NULL, 0);
	unsigned char *allStr, *certStr;

	if (allObj == NULL || certObj == NULL) {
	    Tcl_DecrRefCount(allObj);
	    BIO_free(bio);
	    ckfree(buffer);
	    return resultObj;
	}

	/* Get certificate */
	certStr = Tcl_SetByteArrayLength(certObj, CERT_STR_SIZE);
	len = BIO_to_Buffer(PEM_write_bio_X509(bio, cert), bio, certStr, CERT_STR_SIZE);
	Tcl_SetByteArrayLength(certObj, len);
	LAPPEND_OBJ(interp, resultObj, "certificate", certObj)

	/* Get all info on certificate */
	allStr = Tcl_SetByteArrayLength(allObj, CERT_STR_SIZE * 2);
	len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, allStr, CERT_STR_SIZE * 2);
	Tcl_SetByteArrayLength(allObj, len);
	LAPPEND_OBJ(interp, resultObj, "all", allObj)
    }

    BIO_free(bio);
    ckfree(buffer);
    return resultObj;
}
Powered by Fossil · RSS