TclTLS
Check-in [121a81e392]
Login
HomeTimelineDownloadBrowse SourceBranchesTagsTicketsWiki
Overview
Comment:Updated Tls_NewX509Obj to use Tcl_Objs for returned hex values. Use a dynamically allocated temp buffer.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | tls-1.8
Files: files | file ages | folders
SHA3-256: 121a81e392c23b0e06b5c444d522a198a5b21efc88b4e3ffe17752d1ea6b41d2
User & Date: bohagan on 2024-06-28 19:33:34
Other Links: branch diff | manifest | tags
Context
2024-06-29
00:53
Added certificate validation process info to the documentation check-in: afe4ade027 user: bohagan tags: tls-1.8
2024-06-28
19:33
Updated Tls_NewX509Obj to use Tcl_Objs for returned hex values. Use a dynamically allocated temp buffer. check-in: 121a81e392 user: bohagan tags: tls-1.8
18:50
Refactored Tls_NewX509Obj to use Tcl_Size, common var names, added function descriptions, etc. check-in: 1bf152a55d user: bohagan tags: tls-1.8
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Modified generic/tls.c from [d36478ef49] to [d5754546f3]. 

366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387


388
389
390
391
392
393
394

	} else {
	    return 1;
	}
    } else if (cert == NULL || ssl == NULL) {
	return 0;
    }

    dprintf("VerifyCallback: eval callback");

    /* Create command to eval with fn, chan, depth, cert info list, status, and error args */
    cmdPtr = Tcl_DuplicateObj(statePtr->vcmd);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1));
    Tcl_ListObjAppendElement(interp, cmdPtr,
	Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(depth));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tls_NewX509Obj(interp, cert, 0));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(ok));
    Tcl_ListObjAppendElement(interp, cmdPtr,
	Tcl_NewStringObj((char*)X509_verify_cert_error_string(err), -1));

    /* Prevent I/O while callback is in progress */
    /* statePtr->flags |= TLS_TCL_CALLBACK; */



    /* Eval callback command */
    Tcl_IncrRefCount(cmdPtr);
    ok = EvalCallback(interp, statePtr, cmdPtr);
    Tcl_DecrRefCount(cmdPtr);

    dprintf("VerifyCallback: command result = %d", ok);








|














>
>








366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396

	} else {
	    return 1;
	}
    } else if (cert == NULL || ssl == NULL) {
	return 0;
    }

    dprintf("VerifyCallback: create callback command");

    /* Create command to eval with fn, chan, depth, cert info list, status, and error args */
    cmdPtr = Tcl_DuplicateObj(statePtr->vcmd);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("verify", -1));
    Tcl_ListObjAppendElement(interp, cmdPtr,
	Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(depth));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tls_NewX509Obj(interp, cert, 0));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(ok));
    Tcl_ListObjAppendElement(interp, cmdPtr,
	Tcl_NewStringObj((char*)X509_verify_cert_error_string(err), -1));

    /* Prevent I/O while callback is in progress */
    /* statePtr->flags |= TLS_TCL_CALLBACK; */

    dprintf("VerifyCallback: eval callback");

    /* Eval callback command */
    Tcl_IncrRefCount(cmdPtr);
    ok = EvalCallback(interp, statePtr, cmdPtr);
    Tcl_DecrRefCount(cmdPtr);

    dprintf("VerifyCallback: command result = %d", ok);

418
419
420
421
422
423
424


425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443


444
445
446
447
448
449
450

    statePtr->err = msg;

    dprintf("Called with message %s", msg);

    if (statePtr->callback == (Tcl_Obj*)NULL) {
	return;
    }



    /* Create command to eval with fn, chan, and message args */
    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1));
    Tcl_ListObjAppendElement(interp, cmdPtr,
	    Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
    if (msg != NULL) {
	Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1));

    } else if ((msg = Tcl_GetString(Tcl_GetObjResult(interp))) != NULL) {
	Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1));

    } else {
	listPtr = Tcl_NewListObj(0, NULL);
	while ((err = ERR_get_error()) != 0) {
	    Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(ERR_reason_error_string(err), -1));
	}
	Tcl_ListObjAppendElement(interp, cmdPtr, listPtr);
    }



    /* Eval callback command */
    Tcl_IncrRefCount(cmdPtr);
    EvalCallback(interp, statePtr, cmdPtr);
    Tcl_DecrRefCount(cmdPtr);
}









>
>



















>
>








420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456

    statePtr->err = msg;

    dprintf("Called with message %s", msg);

    if (statePtr->callback == (Tcl_Obj*)NULL) {
	return;
    }

    dprintf("Tls_Error: create callback command");

    /* Create command to eval with fn, chan, and message args */
    cmdPtr = Tcl_DuplicateObj(statePtr->callback);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("error", -1));
    Tcl_ListObjAppendElement(interp, cmdPtr,
	    Tcl_NewStringObj(Tcl_GetChannelName(statePtr->self), -1));
    if (msg != NULL) {
	Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1));

    } else if ((msg = Tcl_GetString(Tcl_GetObjResult(interp))) != NULL) {
	Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj(msg, -1));

    } else {
	listPtr = Tcl_NewListObj(0, NULL);
	while ((err = ERR_get_error()) != 0) {
	    Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(ERR_reason_error_string(err), -1));
	}
	Tcl_ListObjAppendElement(interp, cmdPtr, listPtr);
    }

    dprintf("Tls_Error: eval callback");

    /* Eval callback command */
    Tcl_IncrRefCount(cmdPtr);
    EvalCallback(interp, statePtr, cmdPtr);
    Tcl_DecrRefCount(cmdPtr);
}


513
514
515
516
517
518
519


520
521
522
523
524
525


526
527
528
529
530
531
532

	    strncpy(buf, ret, (size_t) len);
	    buf[len] = '\0';
	    return (int) len;
	} else {
	    return -1;
	}
    }



    /* Create command to eval with fn, rwflag, and size args */
    cmdPtr = Tcl_DuplicateObj(statePtr->password);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("password", -1));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(rwflag));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(size));



    Tcl_Preserve((ClientData) interp);
    Tcl_Preserve((ClientData) statePtr);

    /* Eval callback command */
    Tcl_IncrRefCount(cmdPtr);
    code = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL);








>
>






>
>








519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542

	    strncpy(buf, ret, (size_t) len);
	    buf[len] = '\0';
	    return (int) len;
	} else {
	    return -1;
	}
    }

    dprintf("PasswordCallback: create callback command");

    /* Create command to eval with fn, rwflag, and size args */
    cmdPtr = Tcl_DuplicateObj(statePtr->password);
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("password", -1));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(rwflag));
    Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewIntObj(size));

    dprintf("PasswordCallback: eval callback");

    Tcl_Preserve((ClientData) interp);
    Tcl_Preserve((ClientData) statePtr);

    /* Eval callback command */
    Tcl_IncrRefCount(cmdPtr);
    code = Tcl_EvalObjEx(interp, cmdPtr, TCL_EVAL_GLOBAL);

2276
2277
2278
2279
2280
2281
2282


2283
2284
2285
2286
2287
2288
2289

    Tcl_Obj *objPtr, *listPtr;
    const SSL *ssl;
    const SSL_CIPHER *cipher;
    const SSL_SESSION *session;
    const EVP_MD *md;
    (void) clientData;



    if (objc != 2) {
	Tcl_WrongNumArgs(interp, 1, objv, "channel");
	return TCL_ERROR;
    }

    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
    if (chan == (Tcl_Channel) NULL) {








>
>








2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301

    Tcl_Obj *objPtr, *listPtr;
    const SSL *ssl;
    const SSL_CIPHER *cipher;
    const SSL_SESSION *session;
    const EVP_MD *md;
    (void) clientData;

    dprintf("Called");

    if (objc != 2) {
	Tcl_WrongNumArgs(interp, 1, objv, "channel");
	return TCL_ERROR;
    }

    chan = Tcl_GetChannel(interp, Tcl_GetString(objv[1]), NULL);
    if (chan == (Tcl_Channel) NULL) {

2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361

	LAPPEND_BOOL(interp, objPtr, "is_quic", SSL_is_quic(ssl));

	/* Is TLS */
	LAPPEND_BOOL(interp, objPtr, "is_tls", SSL_is_tls(ssl));
#endif

	/* DANE TLS authentication */
	LAPPEND_BOOL(interp, objPtr, "dane_auth", SSL_get0_dane(ssl) != NULL);

	/* Waiting for async */
	LAPPEND_BOOL(interp, objPtr, "waiting_for_async", SSL_waiting_for_async(ssl));

	/* Time-out */
	LAPPEND_LONG(interp, objPtr, "time-out", SSL_get_default_timeout(ssl));

	/* Is Certificate Transparency validation enabled */
	LAPPEND_BOOL(interp, objPtr, "ct_enabled", SSL_ct_is_enabled(ssl));
    }








|


|








2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373

	LAPPEND_BOOL(interp, objPtr, "is_quic", SSL_is_quic(ssl));

	/* Is TLS */
	LAPPEND_BOOL(interp, objPtr, "is_tls", SSL_is_tls(ssl));
#endif

	/* DANE TLS authentication */
	LAPPEND_BOOL(interp, objPtr, "dane_auth", SSL_get0_dane((SSL *)ssl) != NULL);

	/* Waiting for async */
	LAPPEND_BOOL(interp, objPtr, "waiting_for_async", SSL_waiting_for_async((SSL *)ssl));

	/* Time-out */
	LAPPEND_LONG(interp, objPtr, "time-out", SSL_get_default_timeout(ssl));

	/* Is Certificate Transparency validation enabled */
	LAPPEND_BOOL(interp, objPtr, "ct_enabled", SSL_ct_is_enabled(ssl));
    }

2969
2970
2971
2972
2973
2974
2975
2976


2977
2978
2979
2980
2981
2982
2983
2984
2985

 *	A standard TCL result
 *
 * Side effects:
 *	Shutdown SSL library
 *
 *------------------------------------------------------*
 */
static int TlsLibShutdown(ClientData clientData) {


    BIO_cleanup();
    return TCL_OK;
}

/*
 *------------------------------------------------------*
 *
 *	TlsLibInit --
 *








|
>
>

<








2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991

2992
2993
2994
2995
2996
2997
2998

 *	A standard TCL result
 *
 * Side effects:
 *	Shutdown SSL library
 *
 *------------------------------------------------------*
 */
void TlsLibShutdown(ClientData clientData) {
    dprintf("Called");

    BIO_cleanup();

}

/*
 *------------------------------------------------------*
 *
 *	TlsLibInit --
 *

Modified generic/tlsInt.h from [991758417a] to [38995395f3]. 

136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

    if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \
    Tcl_ListObjAppendElement(interp, obj, Tcl_NewLongObj(value)); \
}
#define LAPPEND_BOOL(interp, obj, text, value) {\
    if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \
    Tcl_ListObjAppendElement(interp, obj, Tcl_NewBooleanObj(value)); \
}
#define LAPPEND_OBJ(interp, obj, text, listObj) {\
    if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \
    Tcl_ListObjAppendElement(interp, obj, listObj); \
}

/*
 * OpenSSL BIO Routines
 */
#define BIO_TYPE_TCL	(19|0x0400)









|

|








136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

    if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \
    Tcl_ListObjAppendElement(interp, obj, Tcl_NewLongObj(value)); \
}
#define LAPPEND_BOOL(interp, obj, text, value) {\
    if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \
    Tcl_ListObjAppendElement(interp, obj, Tcl_NewBooleanObj(value)); \
}
#define LAPPEND_OBJ(interp, obj, text, tclObj) {\
    if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \
    Tcl_ListObjAppendElement(interp, obj, (tclObj != NULL) ? tclObj : Tcl_NewStringObj("", 0)); \
}

/*
 * OpenSSL BIO Routines
 */
#define BIO_TYPE_TCL	(19|0x0400)

Modified generic/tlsX509.c from [2dcf9a15dc] to [b2a7efe519]. 

12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35


36
37
38




39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/asn1.h>
#include "tlsInt.h"

/* Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. */
#define CERT_STR_SIZE 32768


/*
 * String_to_Hex --
 *	Format contents of a binary string as a hex string
 *
 * Results:
 *	Returns size of output hex string
 *
 * Side Effects:
 *	None
 *
 */
Tcl_Size String_to_Hex(unsigned char* input, int ilen, unsigned char *buffer, Tcl_Size blen) {
    Tcl_Size len = 0;
    unsigned char *iptr = input;


    unsigned char *optr = &buffer[0];
    const char *hex = "0123456789abcdef";





    for (int i = 0; i < ilen && len < blen - 1; i++, len += 2) {
        *optr++ = hex[(*iptr>>4)&0xF];
        *optr++ = hex[(*iptr++)&0xF];
    }
    *optr = 0;
    return len;
}

/*
 * BIO_to_Buffer --
 *	Output contents of a BIO to a buffer
 *
 * Results:
 *	Returns length of string in buffer
 *
 * Side effects:
 *	None
 *
 */
Tcl_Size BIO_to_Buffer(int result, BIO *bio, void *buffer, int blen) {
    Tcl_Size len = 0;
    int pending = BIO_pending(bio);

    if (result) {
	len = (Tcl_Size) BIO_read(bio, buffer, (pending < blen) ? pending : blen);
	(void)BIO_flush(bio);
	if (len < 0) {
	    len = 0;
	}
    }
    return len;
}








|







|





|
<

>
>
|


>
>
>
>
|
|
|

<
|













|




|








12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

34
35
36
37
38
39
40
41
42
43
44
45
46
47

48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/asn1.h>
#include "tlsInt.h"

/* Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. */
#define CERT_STR_SIZE 24576


/*
 * String_to_Hex --
 *	Format contents of a binary string as a hex string
 *
 * Results:
 *	TCL byte array object with x509 identifier as a hex string
 *
 * Side Effects:
 *	None
 *
 */
Tcl_Obj *String_to_Hex(unsigned char* input, int ilen) {

    unsigned char *iptr = input;
    Tcl_Obj *resultObj = Tcl_NewByteArrayObj(NULL, 0);
    unsigned char *data = Tcl_SetByteArrayLength(resultObj, ilen*2);
    unsigned char *dptr = &data[0];
    const char *hex = "0123456789abcdef";

    if (resultObj == NULL) {
	return NULL;
    }

    for (int i = 0; i < ilen; i++) {
        *dptr++ = hex[(*iptr>>4)&0xF];
        *dptr++ = hex[(*iptr++)&0xF];
    }

    return resultObj;
}

/*
 * BIO_to_Buffer --
 *	Output contents of a BIO to a buffer
 *
 * Results:
 *	Returns length of string in buffer
 *
 * Side effects:
 *	None
 *
 */
Tcl_Size BIO_to_Buffer(int result, BIO *bio, void *output, int olen) {
    Tcl_Size len = 0;
    int pending = BIO_pending(bio);

    if (result) {
	len = (Tcl_Size) BIO_read(bio, output, (pending < olen) ? pending : olen);
	(void)BIO_flush(bio);
	if (len < 0) {
	    len = 0;
	}
    }
    return len;
}

101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

}

/*
 * Tls_x509Identifier --
 *	Get X.509 certificate Authority or Subject Key Identifiers
 *
 * Results:
 *	TCL string object with x509 identifier as a hex string
 *
 * Side effects:
 *	None
 *
 */
Tcl_Obj *Tls_x509Identifier(const ASN1_OCTET_STRING *astring) {
    Tcl_Obj *resultObj = NULL;
    Tcl_Size len = 0;
    unsigned char buffer[1024];

    if (astring != NULL) {
	len = String_to_Hex((unsigned char *)ASN1_STRING_get0_data(astring),
	    ASN1_STRING_length(astring), buffer, 1024);
    }
    resultObj = Tcl_NewStringObj((char *) &buffer[0], len);
    return resultObj;
}

/*
 * Tls_x509KeyUsage --
 *	Get X.509 certificate key usage types
 *








|







<
<


|
|

<








105
106
107
108
109
110
111
112
113
114
115
116
117
118
119


120
121
122
123
124

125
126
127
128
129
130
131

}

/*
 * Tls_x509Identifier --
 *	Get X.509 certificate Authority or Subject Key Identifiers
 *
 * Results:
 *	TCL byte array object with x509 identifier as a hex string
 *
 * Side effects:
 *	None
 *
 */
Tcl_Obj *Tls_x509Identifier(const ASN1_OCTET_STRING *astring) {
    Tcl_Obj *resultObj = NULL;



    if (astring != NULL) {
	resultObj = String_to_Hex((unsigned char *)ASN1_STRING_get0_data(astring),
	    ASN1_STRING_length(astring));
    }

    return resultObj;
}

/*
 * Tls_x509KeyUsage --
 *	Get X.509 certificate key usage types
 *

459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479




480
481
482

483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498

499

500

501
502
503
504
505
506
507

 * Result:
 *	A Tcl List with the X509 certificate info as a key-value list
 *
 * Side effects:
 *	None
 *
 */

Tcl_Obj*
Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert, int all) {
    Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL);
    BIO *bio = BIO_new(BIO_s_mem());
    int mdnid, pknid, bits;
    Tcl_Size len;
    unsigned int ulen;
    uint32_t xflags;
    char buffer[BUFSIZ];
    unsigned char md[EVP_MAX_MD_SIZE];
    unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
    flags &= ~ASN1_STRFLGS_ESC_MSB;





    if (interp == NULL || cert == NULL || bio == NULL || resultObj == NULL) {
	Tcl_DecrRefCount(resultObj);
	BIO_free(bio);

	return NULL;
    }

    /* Signature algorithm and value - RFC 5280 section 4.1.1.2 and 4.1.1.3 */
    /* signatureAlgorithm is the id of the cryptographic algorithm used by the
	CA to sign this cert. signatureValue is the digital signature computed
	upon the ASN.1 DER encoded tbsCertificate. */
    {
	const X509_ALGOR *sig_alg;
	const ASN1_BIT_STRING *sig;
	int sig_nid;

	X509_get0_signature(&sig, &sig_alg, cert);
	/* sig_nid = X509_get_signature_nid(cert) */
	sig_nid = OBJ_obj2nid(sig_alg->algorithm);
	LAPPEND_STR(interp, resultObj, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1);

	len = (sig_nid != NID_undef) ? String_to_Hex(sig->data, sig->length, (unsigned char *) buffer, BUFSIZ) : 0;

	LAPPEND_STR(interp, resultObj, "signatureValue", buffer, len);

    }

    /* Version of the encoded certificate - RFC 5280 section 4.1.2.1 */
    LAPPEND_LONG(interp, resultObj, "version", X509_get_version(cert)+1);

    /* Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 */
    len = BIO_to_Buffer(i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)), bio, buffer, BUFSIZ);








<
<
|






<
<



>
>
>
>
|


>
















>
|
>
|
>








460
461
462
463
464
465
466


467
468
469
470
471
472
473


474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512

 * Result:
 *	A Tcl List with the X509 certificate info as a key-value list
 *
 * Side effects:
 *	None
 *
 */


Tcl_Obj *Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert, int all) {
    Tcl_Obj *resultObj = Tcl_NewListObj(0, NULL);
    BIO *bio = BIO_new(BIO_s_mem());
    int mdnid, pknid, bits;
    Tcl_Size len;
    unsigned int ulen;
    uint32_t xflags;


    unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
    flags &= ~ASN1_STRFLGS_ESC_MSB;

    char *buffer = ckalloc(BUFSIZ > EVP_MAX_MD_SIZE ? BUFSIZ : EVP_MAX_MD_SIZE);

    printf("Called\n");

    if (interp == NULL || cert == NULL || bio == NULL || resultObj == NULL || buffer == NULL) {
	Tcl_DecrRefCount(resultObj);
	BIO_free(bio);
	if (buffer != NULL) ckfree(buffer);
	return NULL;
    }

    /* Signature algorithm and value - RFC 5280 section 4.1.1.2 and 4.1.1.3 */
    /* signatureAlgorithm is the id of the cryptographic algorithm used by the
	CA to sign this cert. signatureValue is the digital signature computed
	upon the ASN.1 DER encoded tbsCertificate. */
    {
	const X509_ALGOR *sig_alg;
	const ASN1_BIT_STRING *sig;
	int sig_nid;

	X509_get0_signature(&sig, &sig_alg, cert);
	/* sig_nid = X509_get_signature_nid(cert) */
	sig_nid = OBJ_obj2nid(sig_alg->algorithm);
	LAPPEND_STR(interp, resultObj, "signatureAlgorithm", OBJ_nid2ln(sig_nid), -1);
	if (sig_nid != NID_undef) {
	    LAPPEND_OBJ(interp, resultObj, "signatureValue", String_to_Hex(sig->data, sig->length));
	} else {
	    LAPPEND_STR(interp, resultObj, "signatureValue", "", 0);
	}
    }

    /* Version of the encoded certificate - RFC 5280 section 4.1.2.1 */
    LAPPEND_LONG(interp, resultObj, "version", X509_get_version(cert)+1);

    /* Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 */
    len = BIO_to_Buffer(i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)), bio, buffer, BUFSIZ);

527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564

565
566
567
568
569
570

571
572
573
574
575
576
577


    /* Subject identifies the entity associated with the public key stored in
	the subject public key field. RFC 5280 section 4.1.2.6 */
    len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ);
    LAPPEND_STR(interp, resultObj, "subject", buffer, len);

    /* SHA1 Digest (Fingerprint) of cert - DER representation */
    if (X509_digest(cert, EVP_sha1(), md, &ulen)) {
	len = String_to_Hex(md, (int) ulen, (unsigned char *) buffer, BUFSIZ);
	LAPPEND_STR(interp, resultObj, "sha1_hash", buffer, len);
    }

    /* SHA256 Digest (Fingerprint) of cert - DER representation */
    if (X509_digest(cert, EVP_sha256(), md, &ulen)) {
	len = String_to_Hex(md, (int) ulen, (unsigned char *) buffer, BUFSIZ);
	LAPPEND_STR(interp, resultObj, "sha256_hash", buffer, len);
    }

    /* Subject Public Key Info specifies the public key and identifies the
	algorithm with which the key is used. RFC 5280 section 4.1.2.7 */
    if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags)) {
	ASN1_BIT_STRING *key;
	unsigned int n;

	LAPPEND_STR(interp, resultObj, "signingDigest", OBJ_nid2ln(mdnid), -1);
	LAPPEND_STR(interp, resultObj, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1);
	LAPPEND_INT(interp, resultObj, "bits", bits); /* Effective security bits */

	key = X509_get0_pubkey_bitstr(cert);
	len = String_to_Hex(key->data, key->length, (unsigned char *) buffer, BUFSIZ);
	LAPPEND_STR(interp, resultObj, "publicKey", buffer, len);

	len = 0;
	if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) {
	    len = String_to_Hex(md, (int) n, (unsigned char *) buffer, BUFSIZ);
	}
	LAPPEND_STR(interp, resultObj, "publicKeyHash", buffer, len);


	/* digest of the DER representation of the certificate */
	len = 0;
	if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) {
	    len = String_to_Hex(md, (int) n, (unsigned char *) buffer, BUFSIZ);
	}
	LAPPEND_STR(interp, resultObj, "signatureHash", buffer, len);

    }

    /* Certificate Purpose. Call before checking for extensions. */
    LAPPEND_STR(interp, resultObj, "purpose", Tls_x509Purpose(cert), -1);
    LAPPEND_OBJ(interp, resultObj, "certificatePurpose", Tls_x509Purposes(interp, cert));

    /* Get extensions flags */








|
<
|



|
<
|













<
|

<
|
|
|
|
|
>

<
|
|
|
|
>








532
533
534
535
536
537
538
539

540
541
542
543
544

545
546
547
548
549
550
551
552
553
554
555
556
557
558

559
560

561
562
563
564
565
566
567

568
569
570
571
572
573
574
575
576
577
578
579


    /* Subject identifies the entity associated with the public key stored in
	the subject public key field. RFC 5280 section 4.1.2.6 */
    len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ);
    LAPPEND_STR(interp, resultObj, "subject", buffer, len);

    /* SHA1 Digest (Fingerprint) of cert - DER representation */
    if (X509_digest(cert, EVP_sha1(), (unsigned char *)buffer, &ulen)) {

	LAPPEND_OBJ(interp, resultObj, "sha1_hash", String_to_Hex((unsigned char *)buffer, (int) ulen));
    }

    /* SHA256 Digest (Fingerprint) of cert - DER representation */
    if (X509_digest(cert, EVP_sha256(), (unsigned char *)buffer, &ulen)) {

	LAPPEND_OBJ(interp, resultObj, "sha256_hash", String_to_Hex((unsigned char *)buffer, (int) ulen));
    }

    /* Subject Public Key Info specifies the public key and identifies the
	algorithm with which the key is used. RFC 5280 section 4.1.2.7 */
    if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags)) {
	ASN1_BIT_STRING *key;
	unsigned int n;

	LAPPEND_STR(interp, resultObj, "signingDigest", OBJ_nid2ln(mdnid), -1);
	LAPPEND_STR(interp, resultObj, "publicKeyAlgorithm", OBJ_nid2ln(pknid), -1);
	LAPPEND_INT(interp, resultObj, "bits", bits); /* Effective security bits */

	key = X509_get0_pubkey_bitstr(cert);

	LAPPEND_OBJ(interp, resultObj, "publicKey", String_to_Hex(key->data, key->length));


	if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), (unsigned char *)buffer, &n)) {
	    LAPPEND_OBJ(interp, resultObj, "publicKeyHash", String_to_Hex((unsigned char *)buffer, (int) n));
	} else {
	    LAPPEND_STR(interp, resultObj, "publicKeyHash", "", 0);
	}

	/* digest of the DER representation of the certificate */

	if (X509_digest(cert, EVP_get_digestbynid(mdnid), (unsigned char *)buffer, &n)) {
	    LAPPEND_OBJ(interp, resultObj, "signatureHash", String_to_Hex((unsigned char *)buffer, (int) n));
	} else {
	    LAPPEND_STR(interp, resultObj, "signatureHash", "", 0);
	}
    }

    /* Certificate Purpose. Call before checking for extensions. */
    LAPPEND_STR(interp, resultObj, "purpose", Tls_x509Purpose(cert), -1);
    LAPPEND_OBJ(interp, resultObj, "certificatePurpose", Tls_x509Purposes(interp, cert));

    /* Get extensions flags */

697
698
699
700
701
702
703

704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720

721
722

	Tcl_Obj *allObj = Tcl_NewByteArrayObj(NULL, 0);
	Tcl_Obj *certObj = Tcl_NewByteArrayObj(NULL, 0);
	unsigned char *allStr, *certStr;

	if (allObj == NULL || certObj == NULL) {
	    Tcl_DecrRefCount(allObj);
	    BIO_free(bio);

	    return resultObj;
	}

	/* Get certificate */
	certStr = Tcl_SetByteArrayLength(certObj, CERT_STR_SIZE);
	len = BIO_to_Buffer(PEM_write_bio_X509(bio, cert), bio, certStr, CERT_STR_SIZE);
	Tcl_SetByteArrayLength(certObj, len);
	LAPPEND_OBJ(interp, resultObj, "certificate", certObj)

	/* Get all info on certificate */
	allStr = Tcl_SetByteArrayLength(allObj, CERT_STR_SIZE * 2);
	len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, allStr, CERT_STR_SIZE * 2);
	Tcl_SetByteArrayLength(allObj, len);
	LAPPEND_OBJ(interp, resultObj, "all", allObj)
    }

    BIO_free(bio);

    return resultObj;
}








>

















>



699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726

	Tcl_Obj *allObj = Tcl_NewByteArrayObj(NULL, 0);
	Tcl_Obj *certObj = Tcl_NewByteArrayObj(NULL, 0);
	unsigned char *allStr, *certStr;

	if (allObj == NULL || certObj == NULL) {
	    Tcl_DecrRefCount(allObj);
	    BIO_free(bio);
	    ckfree(buffer);
	    return resultObj;
	}

	/* Get certificate */
	certStr = Tcl_SetByteArrayLength(certObj, CERT_STR_SIZE);
	len = BIO_to_Buffer(PEM_write_bio_X509(bio, cert), bio, certStr, CERT_STR_SIZE);
	Tcl_SetByteArrayLength(certObj, len);
	LAPPEND_OBJ(interp, resultObj, "certificate", certObj)

	/* Get all info on certificate */
	allStr = Tcl_SetByteArrayLength(allObj, CERT_STR_SIZE * 2);
	len = BIO_to_Buffer(X509_print_ex(bio, cert, flags, 0), bio, allStr, CERT_STR_SIZE * 2);
	Tcl_SetByteArrayLength(allObj, len);
	LAPPEND_OBJ(interp, resultObj, "all", allObj)
    }

    BIO_free(bio);
    ckfree(buffer);
    return resultObj;
}

Powered by Fossil · RSS