Check-in [3b068ff2f6]
Overview
Comment:Added CA Issuers URL to X509 status
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | status_x509
Files: files | file ages | folders
SHA3-256: 3b068ff2f6d394ebdbe628ad01d545b0cce1b43f36540c7c38860ad93062e6fb
User & Date: bohagan on 2023-08-19 22:14:31
Other Links: branch diff | manifest | tags
Context
2023-08-20
19:45
Moved X509 functions to separate procedures. check-in: 2186b86385 user: bohagan tags: status_x509
2023-08-19
22:14
Added CA Issuers URL to X509 status check-in: 3b068ff2f6 user: bohagan tags: status_x509
20:30
Updated ConnectionInfoObjCmd to localize variables check-in: 070af72ccb user: bohagan tags: status_x509
Changes

Modified generic/tlsX509.c from [2bf827806d] to [fd21ef0332].

91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
    Tcl_Obj *certPtr = Tcl_NewListObj(0, NULL), *listPtr;
    BIO *bio = BIO_new(BIO_s_mem());
    int mdnid, pknid, bits, len;
    uint32_t xflags, usage;
    char buffer[BUFSIZ];
    unsigned char md[EVP_MAX_MD_SIZE];
    STACK_OF(GENERAL_NAME) *names;
    STACK_OF(DIST_POINT) *crl;
    STACK_OF(OPENSSL_STRING) *ocsp;
    unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
    flags &= ~ASN1_STRFLGS_ESC_MSB;

    if (bio == NULL || certPtr == NULL) {
	return NULL;
    }







<







91
92
93
94
95
96
97

98
99
100
101
102
103
104
    Tcl_Obj *certPtr = Tcl_NewListObj(0, NULL), *listPtr;
    BIO *bio = BIO_new(BIO_s_mem());
    int mdnid, pknid, bits, len;
    uint32_t xflags, usage;
    char buffer[BUFSIZ];
    unsigned char md[EVP_MAX_MD_SIZE];
    STACK_OF(GENERAL_NAME) *names;

    STACK_OF(OPENSSL_STRING) *ocsp;
    unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
    flags &= ~ASN1_STRFLGS_ESC_MSB;

    if (bio == NULL || certPtr == NULL) {
	return NULL;
    }
425
426
427
428
429
430
431


432

433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464

465
466
467
468
469
470
471
472


473

474
475
476
477
478
479

480
481
482

483























484
485
486
487
488
489
490
	    Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Any Extended Key Usage", -1));
	}
    }
    LAPPEND_LIST(interp, certPtr, "extendedKeyUsage", listPtr);

    /* CRL Distribution Points identifies where CRL information can be obtained.
	RFC 5280 section 4.2.1.13*/


    listPtr = Tcl_NewListObj(0, NULL);

    if (crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL)) {
	Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);

	for (int i=0; i < sk_DIST_POINT_num(crl); i++) {
	    DIST_POINT *dp = sk_DIST_POINT_value(crl, i);
	    DIST_POINT_NAME *distpoint = dp->distpoint;

	    if (distpoint->type == 0) {
		/* fullname GENERALIZEDNAME */
		for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
		    GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
		    int type;
		    ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type);
		    if (type == GEN_URI) {
			Tcl_ListObjAppendElement(interp, listPtr,
			    Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)));
		    }
		}
	    } else if (distpoint->type == 1) {
		/* relativename X509NAME */
		STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename;
		for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) {
		    X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j);
		    ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
		    Tcl_ListObjAppendElement(interp, listPtr,
			Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d)));
		}
	    }
	}
	CRL_DIST_POINTS_free(crl);
    }
    LAPPEND_LIST(interp, certPtr, "crlDistributionPoints", listPtr);


    /* Freshest CRL extension */
    if (xflags & EXFLAG_FRESHEST) {
    }

    /* Authority Information Access indicates how to access info and services
	for the certificate issuer. RFC 5280 section 4.2.2.1, NID_info_access */
    /* Get On-line Certificate Status Protocol (OSCP) URL */


    listPtr = Tcl_NewListObj(0, NULL);

    if (ocsp = X509_get1_ocsp(cert)) {
	for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) {
	    Tcl_ListObjAppendElement(interp, listPtr,
		Tcl_NewStringObj(sk_OPENSSL_STRING_value(ocsp, i), -1));
	}
	X509_email_free(ocsp);

    }
    LAPPEND_LIST(interp, certPtr, "ocsp", listPtr);


    /* CA Issuers URL caIssuers */
























    /* Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access */

    /* Certificate Alias. If uses a PKCS#12 structure, alias will reflect the
	friendlyName attribute (RFC 2985). */
    len = 0;
    LAPPEND_STR(interp, certPtr, "alias", X509_alias_get0(cert, &len), len);







>
>
|
>
|
|

|
|
|

|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
>








>
>
|
>
|
|
|
|
|
|
>
|
|
|
>
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
	    Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Any Extended Key Usage", -1));
	}
    }
    LAPPEND_LIST(interp, certPtr, "extendedKeyUsage", listPtr);

    /* CRL Distribution Points identifies where CRL information can be obtained.
	RFC 5280 section 4.2.1.13*/
    {
	STACK_OF(DIST_POINT) *crl;
	listPtr = Tcl_NewListObj(0, NULL);

	if (crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL)) {
	    Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);

	    for (int i=0; i < sk_DIST_POINT_num(crl); i++) {
		DIST_POINT *dp = sk_DIST_POINT_value(crl, i);
		DIST_POINT_NAME *distpoint = dp->distpoint;

		if (distpoint->type == 0) {
		    /* fullname GENERALIZEDNAME */
		    for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
			GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
			int type;
			ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type);
			if (type == GEN_URI) {
			    Tcl_ListObjAppendElement(interp, listPtr,
				Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)));
			}
		    }
		} else if (distpoint->type == 1) {
		    /* relativename X509NAME */
		    STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename;
		    for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) {
			X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j);
			ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
			Tcl_ListObjAppendElement(interp, listPtr,
			    Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d)));
		    }
		}
	    }
	    CRL_DIST_POINTS_free(crl);
	}
	LAPPEND_LIST(interp, certPtr, "crlDistributionPoints", listPtr);
    }

    /* Freshest CRL extension */
    if (xflags & EXFLAG_FRESHEST) {
    }

    /* Authority Information Access indicates how to access info and services
	for the certificate issuer. RFC 5280 section 4.2.2.1, NID_info_access */
    /* Get On-line Certificate Status Protocol (OSCP) URL */
    {
	STACK_OF(OPENSSL_STRING) *ocsp;
	listPtr = Tcl_NewListObj(0, NULL);

	if (ocsp = X509_get1_ocsp(cert)) {
	    for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) {
		Tcl_ListObjAppendElement(interp, listPtr,
		    Tcl_NewStringObj(sk_OPENSSL_STRING_value(ocsp, i), -1));
	    }
	    X509_email_free(ocsp);
	    /* sk_OPENSSL_STRING_free(ocsp); */
	}
	LAPPEND_LIST(interp, certPtr, "ocsp", listPtr);
    }

    /* CA Issuers URL, caIssuers */
    {
	STACK_OF(ACCESS_DESCRIPTION) *ads;
	listPtr = Tcl_NewListObj(0, NULL);

	if (ads = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL)) {
	    for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(ads); i++) {
		ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(ads, i);
		if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location) {
		    if (ad->location->type == GEN_URI) {
			unsigned char *buf;

			len = ASN1_STRING_to_UTF8(&buf, ad->location->d.uniformResourceIdentifier);
			Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buf, len));
			OPENSSL_free(buf);
			break;
		    }
		}
	    }
	    /* sk_ACCESS_DESCRIPTION_pop_free(ads, ACCESS_DESCRIPTION_free); */
	    AUTHORITY_INFO_ACCESS_free(ads);
	}
	LAPPEND_LIST(interp, certPtr, "caIssuers", listPtr);
    }

    /* Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access */

    /* Certificate Alias. If uses a PKCS#12 structure, alias will reflect the
	friendlyName attribute (RFC 2985). */
    len = 0;
    LAPPEND_STR(interp, certPtr, "alias", X509_alias_get0(cert, &len), len);