Comment: | Added Issuer Alt Name to X509 status, refactored get SAN and CRL |
SHA3-256: |
35be4894cebc716f8e853196d0d0025d |
User & Date: | bohagan on 2023-08-07 03:27:12 |
Changes
Modified generic/tlsIO.c from [ede520a139] to [55240df165].
142 143 144 145 146 147 148 | dprintf("Asked to wait for a TLS handshake that has already failed. Returning soft error"); *errorCodePtr = ECONNRESET; } return(-1); } for (;;) { | | | 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 | dprintf("Asked to wait for a TLS handshake that has already failed. Returning soft error"); *errorCodePtr = ECONNRESET; } return(-1); } for (;;) { /* Not initialized yet! Also calls SSL_do_handshake. */ if (statePtr->flags & TLS_TCL_SERVER) { dprintf("Calling SSL_accept()"); err = SSL_accept(statePtr->ssl); } else { dprintf("Calling SSL_connect()"); err = SSL_connect(statePtr->ssl); |
Modified generic/tlsX509.c from [6962c4384a] to [581b34e1fe].
361 362 363 364 365 366 367 368 | equivalent to the subject CA's subjectDomainPolicy. */ /* Subject Alternative Name (SAN) extension. Additional URLs, DNS name, or IP addresses bound to certificate. */ san = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (san) { Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL); | > | < | < | > | > | > > > | > > > | | > > > > > | > > > > > > > > > > | | | | < | | > > > | > | < > > | | > > > > > | | < < | 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 | equivalent to the subject CA's subjectDomainPolicy. */ /* Subject Alternative Name (SAN) extension. Additional URLs, DNS name, or IP addresses bound to certificate. */ san = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (san) { Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL); bio = BIO_new(BIO_s_mem()); for (int i=0; i < sk_GENERAL_NAME_num(san); i++) { const GENERAL_NAME *name = sk_GENERAL_NAME_value(san, i); if (name && bio) { if (GENERAL_NAME_print(bio, name)) { int n = BIO_read(bio, buffer, min(BIO_pending(bio), BUFSIZ)); buffer[max(n, 0)] = 0; (void)BIO_flush(bio); Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(buffer, n)); } } } BIO_free(bio); sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1)); Tcl_ListObjAppendElement(interp, certPtr, namesPtr); } /* Issuer Alternative Name */ san = X509_get_ext_d2i(cert, NID_issuer_alt_name, NULL, NULL); if (san) { Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL); bio = BIO_new(BIO_s_mem()); for (int i=0; i < sk_GENERAL_NAME_num(san); i++) { const GENERAL_NAME *name = sk_GENERAL_NAME_value(san, i); if (name && 
bio) { if (GENERAL_NAME_print(bio, name)) { int n = BIO_read(bio, buffer, min(BIO_pending(bio), BUFSIZ)); buffer[max(n, 0)] = 0; (void)BIO_flush(bio); Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(buffer, n)); } } } BIO_free(bio); sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerAltName", -1)); Tcl_ListObjAppendElement(interp, certPtr, namesPtr); } /* Get the STACK of all crl distribution point entries for this certificate. */ /* CRL_DIST_POINTS is typedef on STACK_OF(DIST_POINT). */ crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL); if (crl) { Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL); for (int i=0; i < sk_DIST_POINT_num(crl); i++) { DIST_POINT *dp = sk_DIST_POINT_value(crl, i); DIST_POINT_NAME *distpoint = dp->distpoint; if (distpoint->type == 0) { /* fullname GENERALIZEDNAME */ for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j); int type; ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type); if (type == GEN_URI) { Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri))); } } } else if (distpoint->type == 1) { /* relativename X509NAME */ STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename; for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) { X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j); ASN1_STRING *d = X509_NAME_ENTRY_get_data(e); Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d))); } } } CRL_DIST_POINTS_free(crl); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("crlDistributionPoints", -1)); Tcl_ListObjAppendElement(interp, certPtr, namesPtr); } /* Subject Directory Attributes */ /* Basic Constraints - identifies whether the subject of the certificate is a CA and the maximum depth of valid 
certification paths that include this certificate. */ /* Get OSCP URL */ ocsp = X509_get1_ocsp(cert); |
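Review bot: In the crlDistributionPoints loop, `dp->distpoint` is dereferenced without a NULL check, but the distributionPoint field of a DistributionPoint is OPTIONAL in RFC 5280, so a peer certificate whose entry carries only reasons/cRLIssuer makes `distpoint->type` a NULL dereference; add `if (distpoint == NULL) continue;` before the type test. Both GENERAL_NAME loops write `buffer[max(n, 0)] = 0` after reading up to BUFSIZ bytes; if `buffer` (declared outside this hunk) is BUFSIZ bytes, n == BUFSIZ writes one past its end, so either cap the read at `BUFSIZ - 1` or drop the terminator, since `Tcl_NewStringObj(buffer, n)` already receives the length and should be skipped when n <= 0. `(void)BIO_flush(bio)` does not discard unread bytes from a memory BIO, so a name longer than the read limit leaves its tail to be prepended to the next entry; `(void)BIO_reset(bio)` after the read clears it. The subjectAltName and issuerAltName blocks are otherwise identical and could share one static helper taking the NID and the key string, and the relativename branch uses deprecated `ASN1_STRING_data` where the URI branch already uses `ASN1_STRING_get0_data`. The enclosing function starts and ends outside this hunk.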