TclTLS: Check-in [af0ed7ddd0]

Overview

Comment:	Added more X509 status
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| status_x509
Files:	files \| file ages \| folders
SHA3-256:	af0ed7ddd05d6f049c0494e7359b8c5414f3a47207f085c2639d7288962ed03a
User & Date:	bohagan on 2023-09-01 21:35:32
Other Links:	branch diff \| manifest \| tags

Context

2023-09-01
21:57		Merged status and X509 updates branch into master check-in: 3432ab03a3 user: bohagan tags: trunk
21:35		Added more X509 status Leaf check-in: af0ed7ddd0 user: bohagan tags: status_x509
2023-08-28
01:56		Added load CA file comments check-in: d4b5b9bd2a user: bohagan tags: status_x509

Changes

Modified generic/tlsX509.c from [c0c6da8f72] to [0d1e21b228].

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18	/* * Copyright (C) 1997-2000 Sensus Consulting Ltd. * Matt Newman <[email protected]> * Copyright (C) 2023 Brian O'Hagan / #include <tcl.h> #include <stdio.h> #include <openssl/bio.h> #include <openssl/sha.h> #include <openssl/x509.h> #include <openssl/x509v3.h> #include <openssl/asn1.h> #include "tlsInt.h" / Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. / #define CERT_STR_SIZE 32768 / Common macros */	>	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19	/* * Copyright (C) 1997-2000 Sensus Consulting Ltd. * Matt Newman <[email protected]> * Copyright (C) 2023 Brian O'Hagan / #include <tcl.h> #include <stdio.h> #include <openssl/bio.h> #include <openssl/sha.h> #include <openssl/x509.h> #include <openssl/x509v3.h> #include <openssl/x509_vfy.h> #include <openssl/asn1.h> #include "tlsInt.h" / Define maximum certificate size. Max PEM size 100kB and DER size is 24kB. / #define CERT_STR_SIZE 32768 / Common macros */
︙			︙
36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53	if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \ Tcl_ListObjAppendElement(interp, obj, listObj); \ } /* * Binary string to hex string / ~~int String_to_Hex(char input, int len, char output, int ~~size~~) {~~ int count = 0; ~~for (int i = 0; i < len && count < ~~size~~ - 1; i++, count += 2) {~~ sprintf(output + count, "%02X", input[i] & 0xff); } output[count] = 0; return count; } /	\| \|	37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54	if (text != NULL) Tcl_ListObjAppendElement(interp, obj, Tcl_NewStringObj(text, -1)); \ Tcl_ListObjAppendElement(interp, obj, listObj); \ } /* * Binary string to hex string / int String_to_Hex(char input, int ilen, char output, int olen) { int count = 0; for (int i = 0; i < ilen && count < olen - 1; i++, count += 2) { sprintf(output + count, "%02X", input[i] & 0xff); } output[count] = 0; return count; } /
︙			︙
113 114 115 116 117 118 119 ~~120~~ 121 122 123 124 125 126 127	uint32_t usage = X509_get_key_usage(cert); Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); if (listPtr == NULL) { return NULL; } ~~if ((xflags & EXFLAG_KUSAGE) && usage < ~~0xffffff~~) {~~ if (usage & KU_DIGITAL_SIGNATURE) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Digital Signature", -1)); } if (usage & KU_NON_REPUDIATION) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Non-Repudiation", -1)); } if (usage & KU_KEY_ENCIPHERMENT) {	\|	114 115 116 117 118 119 120 121 122 123 124 125 126 127 128	uint32_t usage = X509_get_key_usage(cert); Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); if (listPtr == NULL) { return NULL; } if ((xflags & EXFLAG_KUSAGE) && usage < UINT32_MAX) { if (usage & KU_DIGITAL_SIGNATURE) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Digital Signature", -1)); } if (usage & KU_NON_REPUDIATION) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Non-Repudiation", -1)); } if (usage & KU_KEY_ENCIPHERMENT) {
︙			︙
141 142 143 144 145 146 147 148 149 150 151 152 153 154	} if (usage & KU_ENCIPHER_ONLY) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Encipher Only", -1)); } if (usage & KU_DECIPHER_ONLY) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Decipher Only", -1)); } } return listPtr; } /* * Get Certificate Purpose */	> >	142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157	} if (usage & KU_ENCIPHER_ONLY) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Encipher Only", -1)); } if (usage & KU_DECIPHER_ONLY) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Decipher Only", -1)); } } else { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("unrestricted", -1)); } return listPtr; } /* * Get Certificate Purpose */
︙			︙
236 237 238 239 240 241 242 ~~243~~ 244 245 246 247 248 249 250	uint32_t usage = X509_get_key_usage(cert); Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); if (listPtr == NULL) { return NULL; } ~~if (xflags & EXFLAG_XKUSAGE) {~~ usage = X509_get_extended_key_usage(cert); if (usage & XKU_SSL_SERVER) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("TLS Web Server Authentication", -1)); } if (usage & XKU_SSL_CLIENT) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("TLS Web Client Authentication", -1));	\|	239 240 241 242 243 244 245 246 247 248 249 250 251 252 253	uint32_t usage = X509_get_key_usage(cert); Tcl_Obj *listPtr = Tcl_NewListObj(0, NULL); if (listPtr == NULL) { return NULL; } if ((xflags & EXFLAG_XKUSAGE) && usage < UINT32_MAX) { usage = X509_get_extended_key_usage(cert); if (usage & XKU_SSL_SERVER) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("TLS Web Server Authentication", -1)); } if (usage & XKU_SSL_CLIENT) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("TLS Web Client Authentication", -1));
︙			︙
266 267 268 269 270 271 272 273 274 275 276 277 278 279	} if (usage & XKU_DVCS ) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("DVCS", -1)); } if (usage & XKU_ANYEKU) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Any Extended Key Usage", -1)); } } return listPtr; } /* * Get CRL Distribution Points */	> >	269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284	} if (usage & XKU_DVCS ) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("DVCS", -1)); } if (usage & XKU_ANYEKU) { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Any Extended Key Usage", -1)); } } else { Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("unrestricted", -1)); } return listPtr; } /* * Get CRL Distribution Points */
︙			︙
440 441 442 443 444 445 446 ~~447~~ 448 449 450 451 452 ~~453~~ 454 455 456 457 458 459 460	LAPPEND_STR(interp, certPtr, "notAfter", buffer, len); /* Subject identifies the entity associated with the public key stored in the subject public key field. RFC 5280 section 4.1.2.6 / len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "subject", buffer, len); ~~/ SHA1 Fingerprint of cert - DER representation /~~ if (X509_digest(cert, EVP_sha1(), md, &len)) { len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha1_hash", buffer, len); } ~~/ SHA256 Fingerprint of cert - DER representation /~~ if (X509_digest(cert, EVP_sha256(), md, &len)) { len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha256_hash", buffer, len); } / Subject Public Key Info specifies the public key and identifies the algorithm with which the key is used. RFC 5280 section 4.1.2.7 */	\| \|	445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465	LAPPEND_STR(interp, certPtr, "notAfter", buffer, len); /* Subject identifies the entity associated with the public key stored in the subject public key field. RFC 5280 section 4.1.2.6 / len = BIO_to_Buffer(X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags), bio, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "subject", buffer, len); / SHA1 Digest (Fingerprint) of cert - DER representation / if (X509_digest(cert, EVP_sha1(), md, &len)) { len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha1_hash", buffer, len); } / SHA256 Digest (Fingerprint) of cert - DER representation / if (X509_digest(cert, EVP_sha256(), md, &len)) { len = String_to_Hex(md, len, buffer, BUFSIZ); LAPPEND_STR(interp, certPtr, "sha256_hash", buffer, len); } / Subject Public Key Info specifies the public key and identifies the algorithm with which the key is used. RFC 5280 section 4.1.2.7 */
︙			︙
472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499	len = 0; if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } LAPPEND_STR(interp, certPtr, "publicKeyHash", buffer, len); len = 0; if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } LAPPEND_STR(interp, certPtr, "signatureHash", buffer, len); } /* Get extensions flags / xflags = X509_get_extension_flags(cert); LAPPEND_INT(interp, certPtr, "extFlags", xflags); / Check if cert was issued by CA cert issuer or self signed / LAPPEND_BOOL(interp, certPtr, "selfIssued", xflags & EXFLAG_SI); LAPPEND_BOOL(interp, certPtr, "selfSigned", xflags & EXFLAG_SS); / The Unique Ids are used to handle the possibility of reuse of subject and/or issuer names over time. RFC 5280 section 4.1.2.8 / { const ASN1_BIT_STRING iuid, *suid; X509_get0_uids(cert, &iuid, &suid);	> > > > > > > >	477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512	len = 0; if (X509_pubkey_digest(cert, EVP_get_digestbynid(pknid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } LAPPEND_STR(interp, certPtr, "publicKeyHash", buffer, len); /* digest of the DER representation of the certificate / len = 0; if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } LAPPEND_STR(interp, certPtr, "signatureHash", buffer, len); } / Certificate Purpose. Call before checking for extensions. / LAPPEND_STR(interp, certPtr, "purpose", Tls_x509Purpose(cert), -1); LAPPEND_OBJ(interp, certPtr, "certificatePurpose", Tls_x509Purposes(interp, cert)); / Get extensions flags / xflags = X509_get_extension_flags(cert); LAPPEND_INT(interp, certPtr, "extFlags", xflags); / Check if cert was issued by CA cert issuer or self signed / LAPPEND_BOOL(interp, certPtr, "selfIssued", xflags & EXFLAG_SI); LAPPEND_BOOL(interp, certPtr, "selfSigned", xflags & EXFLAG_SS); LAPPEND_BOOL(interp, certPtr, "isProxyCert", xflags & EXFLAG_PROXY); LAPPEND_BOOL(interp, certPtr, "extInvalid", xflags & EXFLAG_INVALID); LAPPEND_BOOL(interp, certPtr, "isCACert", X509_check_ca(cert)); / The Unique Ids are used to handle the possibility of reuse of subject and/or issuer names over time. RFC 5280 section 4.1.2.8 / { const ASN1_BIT_STRING iuid, *suid; X509_get0_uids(cert, &iuid, &suid);
︙			︙
526 527 528 529 530 531 532 ~~533 534 535 536 537 538~~ 539 540 541 542 543 544 545	LAPPEND_OBJ(interp, certPtr, "subjectKeyIdentifier", Tls_x509Identifier(X509_get0_subject_key_id(cert))); /* Key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key in the certificate. RFC 5280 section 4.2.1.3, NID_key_usage / LAPPEND_OBJ(interp, certPtr, "keyUsage", Tls_x509KeyUsage(interp, cert, xflags)); ~~/ Certificate Purpose /~~ ~~LAPPEND_STR(interp, certPtr, "purpose", Tls_x509Purpose(cert), -1);~~ ~~/ Get purposes /~~ ~~LAPPEND_OBJ(interp, certPtr, "certificatePurpose", Tls_x509Purposes(interp, cert));~~ / Certificate Policies - indicates the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. RFC 5280 section 4.2.1.4, NID_certificate_policies / if (xflags & EXFLAG_INVALID_POLICY) { / Reject cert / } / Policy Mappings - RFC 5280 section 4.2.1.5, NID_policy_mappings */	< < < < < <	539 540 541 542 543 544 545 546 547 548 549 550 551 552	LAPPEND_OBJ(interp, certPtr, "subjectKeyIdentifier", Tls_x509Identifier(X509_get0_subject_key_id(cert))); /* Key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key in the certificate. RFC 5280 section 4.2.1.3, NID_key_usage / LAPPEND_OBJ(interp, certPtr, "keyUsage", Tls_x509KeyUsage(interp, cert, xflags)); / Certificate Policies - indicates the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. RFC 5280 section 4.2.1.4, NID_certificate_policies / if (xflags & EXFLAG_INVALID_POLICY) { / Reject cert / } / Policy Mappings - RFC 5280 section 4.2.1.5, NID_policy_mappings */
︙			︙
553 554 555 556 557 558 559 ~~560~~ 561 562 563 ~~564~~ 565 566 567 568 569 570 571	LAPPEND_OBJ(interp, certPtr, "issuerAltName", Tls_x509Names(interp, cert, NID_issuer_alt_name, bio)); /* Subject Directory Attributes provides identification attributes (e.g., nationality) of the subject. RFC 5280 section 4.2.1.8 (subjectDirectoryAttributes) / / Basic Constraints identifies whether the subject of the cert is a CA and the max depth of valid cert paths for this cert. RFC 5280 section 4.2.1.9, NID_basic_constraints / ~~if (xflags & EXFLAG_~~BCONS~~) {~~ LAPPEND_LONG(interp, certPtr, "pathLen", X509_get_pathlen(cert)); } LAPPEND_BOOL(interp, certPtr, "basicConstraintsCA", xflags & EXFLAG_CA); ~~LAPPEND_BOOL(interp, certPtr, "basicConstraintsCritical", xflags & EXFLAG_CRITICAL);~~ / Name Constraints is only used in CA certs to indicate the name space for all subject names in subsequent certificates in a certification path MUST be located. RFC 5280 section 4.2.1.10, NID_name_constraints / / Policy Constraints is only used in CA certs to limit the length of a cert chain for that CA. RFC 5280 section 4.2.1.11, NID_policy_constraints */	\| > > <	560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579	LAPPEND_OBJ(interp, certPtr, "issuerAltName", Tls_x509Names(interp, cert, NID_issuer_alt_name, bio)); /* Subject Directory Attributes provides identification attributes (e.g., nationality) of the subject. RFC 5280 section 4.2.1.8 (subjectDirectoryAttributes) / / Basic Constraints identifies whether the subject of the cert is a CA and the max depth of valid cert paths for this cert. RFC 5280 section 4.2.1.9, NID_basic_constraints / if (!(xflags & EXFLAG_PROXY)) { LAPPEND_LONG(interp, certPtr, "pathLen", X509_get_pathlen(cert)); } else { LAPPEND_LONG(interp, certPtr, "pathLen", X509_get_proxy_pathlen(cert)); } LAPPEND_BOOL(interp, certPtr, "basicConstraintsCA", xflags & EXFLAG_CA); / Name Constraints is only used in CA certs to indicate the name space for all subject names in subsequent certificates in a certification path MUST be located. RFC 5280 section 4.2.1.10, NID_name_constraints / / Policy Constraints is only used in CA certs to limit the length of a cert chain for that CA. RFC 5280 section 4.2.1.11, NID_policy_constraints */
︙			︙
581 582 583 584 585 586 587 ~~588 589~~ 590 591 592 593 594 595 596	/* Freshest CRL extension / if (xflags & EXFLAG_FRESHEST) { } / Authority Information Access indicates how to access info and services for the certificate issuer. RFC 5280 section 4.2.2.1, NID_info_access / ~~/ Get On-line Certificate Status Protocol (OSCP) URL / LAPPEND_OBJ(interp, certPtr, "ocsp", Tls_x509Oscp(interp, cert));~~ / Get Certificate Authority (CA) Issuers URL / LAPPEND_OBJ(interp, certPtr, "caIssuers", Tls_x509CaIssuers(interp, cert)); / Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access / / Certificate Alias. If uses a PKCS#12 structure, alias will reflect the	\| \|	589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604	/* Freshest CRL extension / if (xflags & EXFLAG_FRESHEST) { } / Authority Information Access indicates how to access info and services for the certificate issuer. RFC 5280 section 4.2.2.1, NID_info_access / / Get On-line Certificate Status Protocol (OSCP) Responders URL / LAPPEND_OBJ(interp, certPtr, "ocspResponders", Tls_x509Oscp(interp, cert)); / Get Certificate Authority (CA) Issuers URL / LAPPEND_OBJ(interp, certPtr, "caIssuers", Tls_x509CaIssuers(interp, cert)); / Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access / / Certificate Alias. If uses a PKCS#12 structure, alias will reflect the
︙			︙