Overview
| Comment: | Added Certificate Revocation List (CRL) to X509 status. Moved get X509 extension items to end of function. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | status_x509 |
| Files: | files | file ages | folders |
| SHA3-256: |
f22fb82c96fa91eda3df21250ab5b149 |
| User & Date: | bohagan on 2023-08-02 01:17:14 |
| Other Links: | branch diff | manifest | tags |
Context
|
2023-08-07
| ||
| 03:27 | Added Issuer Alt Name to X509 status, refactored get SAN and CRL check-in: 35be4894ce user: bohagan tags: status_x509 | |
|
2023-08-02
| ||
| 01:17 | Added Certificate Revocation List (CRL) to X509 status. Moved get X509 extension items to end of function. check-in: f22fb82c96 user: bohagan tags: status_x509 | |
|
2023-08-01
| ||
| 22:42 | Added Certificate purposes to X509 status output. Corrected certificate alias get text bug. Refactored code to reduce number of variables and use common buffers for SHA fingerprints. check-in: e94d9cae93 user: bohagan tags: status_x509 | |
Changes
Modified generic/tlsX509.c from [a4177f2631] to [6962c4384a].
| ︙ | ︙ | |||
78 79 80 81 82 83 84 85 86 87 88 89 90 91 |
char serial[BUFSIZ];
char notBefore[BUFSIZ];
char notAfter[BUFSIZ];
char buffer[BUFSIZ];
char certStr[CERT_STR_SIZE];
unsigned char md[EVP_MAX_MD_SIZE];
STACK_OF(GENERAL_NAME) *san;
certStr[0] = 0;
subject[0] = 0;
issuer[0] = 0;
serial[0] = 0;
notBefore[0] = 0;
notAfter[0] = 0;
| > > | 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 |
char serial[BUFSIZ];
char notBefore[BUFSIZ];
char notAfter[BUFSIZ];
char buffer[BUFSIZ];
char certStr[CERT_STR_SIZE];
unsigned char md[EVP_MAX_MD_SIZE];
STACK_OF(GENERAL_NAME) *san;
STACK_OF(DIST_POINT) *crl;
STACK_OF(OPENSSL_STRING) *ocsp;
certStr[0] = 0;
subject[0] = 0;
issuer[0] = 0;
serial[0] = 0;
notBefore[0] = 0;
notAfter[0] = 0;
|
| ︙ | ︙ | |||
160 161 162 163 164 165 166 |
notAfter[max(n, 0)] = 0;
(void)BIO_flush(bio);
}
BIO_free(bio);
}
| | | > > > > < > < < < < > | 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 |
notAfter[max(n, 0)] = 0;
(void)BIO_flush(bio);
}
BIO_free(bio);
}
/* Version of the encoded certificate */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("version", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewLongObj(X509_get_version(cert)+1));
/* Signature algorithm used by the CA to sign the certificate. Must match signatureAlgorithm. */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signature", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(X509_get_signature_nid(cert)),-1));
/* SHA1 Fingerprint of cert - DER representation */
X509_digest(cert, EVP_sha1(), md, &len);
len = String_to_Hex(md, len, buffer, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("sha1_hash", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
/* SHA256 Fingerprint of cert - DER representation */
X509_digest(cert, EVP_sha256(), md, &len);
len = String_to_Hex(md, len, buffer, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("sha256_hash", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
/* The subject identifies the entity associated with the public key stored in the subject public key field. */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subject", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(subject, -1));
/* The issuer identifies the entity that has signed and issued the certificate. */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuer", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(issuer, -1));
/* Certificate validity period is the time interval during which the CA
warrants that it will maintain information about the status of the certificate. */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("notBefore", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(notBefore, -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("notAfter", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(notAfter, -1));
/* Unique number assigned by CA to certificate. */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("serialNumber", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(serial, -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("certificate", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(certStr, -1));
/* Information about the signature of certificate cert */
/* Contains the public key and identify the algorithm with which the key is used */
if (X509_get_signature_info(cert, &nid, &pknid, &bits, &xflags) == 1) {
ASN1_BIT_STRING *key;
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signingDigest", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(nid),-1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKeyAlgorithm", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(pknid),-1));
|
| ︙ | ︙ | |||
226 227 228 229 230 231 232 |
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
/* Check if cert was issued by CA cert issuer or self signed */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("self_signed", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(X509_check_issued(cert, cert) == X509_V_OK));
}
| | > > > > > > | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | > | 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 |
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
/* Check if cert was issued by CA cert issuer or self signed */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("self_signed", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(X509_check_issued(cert, cert) == X509_V_OK));
}
/* Unique Ids - The unique identifiers are present in the certificate to handle the
possibility of reuse of subject and/or issuer names over time.*/
{
const ASN1_BIT_STRING *iuid, *suid;
X509_get0_uids(cert, &iuid, &suid);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerUniqueId", -1));
if (iuid != NULL) {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char *)iuid->data, iuid->length));
} else {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
}
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectUniqueId", -1));
if (suid != NULL) {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char *)suid->data, suid->length));
} else {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
}
}
/* Count of extensions */
num_of_exts = X509_get_ext_count(cert);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("num_extensions", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(num_of_exts));
/* Get extension names */
if (num_of_exts > 0) {
Tcl_Obj *extsPtr = Tcl_NewListObj(0, NULL);
const STACK_OF(X509_EXTENSION) *exts;
exts = X509_get0_extensions(cert);
for (int i=0; i < num_of_exts; i++) {
X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i);
ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);
unsigned nid2 = OBJ_obj2nid(obj);
Tcl_ListObjAppendElement(interp, extsPtr, Tcl_NewStringObj(OBJ_nid2ln(nid2), -1));
}
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("extensions", -1));
Tcl_ListObjAppendElement(interp, certPtr, extsPtr);
}
/* Certificate Alias as UTF-8 string */
{
unsigned char *bstring;
len = 0;
bstring = X509_alias_get0(cert, &len);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("alias", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj((char *)bstring, len));
}
/* Get Subject Key id, Authority Key id. The Authority Key Identifier (AKI) of a
certificate should be the Subject Key Identifier (SKI) of its signer (the CA). */
{
/* Identifies certificates that contain a particular public key */
ASN1_OCTET_STRING *astring;
/* X509_keyid_get0 */
astring = X509_get0_subject_key_id(cert);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectKeyIdentifier", -1));
if (astring != NULL) {
len = String_to_Hex((char *)ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
} else {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
}
/* Identifies the public key corresponding to the private key used to sign a certificate */
astring = X509_get0_authority_key_id(cert);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("authorityKeyIdentifier", -1));
if (astring != NULL) {
len = String_to_Hex((char *)ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
} else {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
}
/* const GENERAL_NAMES *X509_get0_authority_issuer(cert);
const ASN1_INTEGER *X509_get0_authority_serial(cert); */
}
/* Signature algorithm and value */
/* The signatureAlgorithm field contains the identifier for the cryptographic algorithm
used by the CA to sign this certificate. The signatureValue field contains a digital
signature computed upon the ASN.1 DER encoded tbsCertificate. */
{
const X509_ALGOR *sig_alg;
const ASN1_BIT_STRING *sig;
int sig_nid;
X509_get0_signature(&sig, &sig_alg, cert);
/* sig_nid = X509_get_signature_nid(cert) */
sig_nid = OBJ_obj2nid(sig_alg->algorithm);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureAlgorithm", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(sig_nid),-1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureValue", -1));
if (sig_nid != NID_undef) {
len = String_to_Hex(sig->data, sig->length, buffer, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
} else {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
}
}
/* Key usage extension defines the purpose (e.g., encipherment, signature, certificate
signing) of the key contained in the certificate. */
{
Tcl_Obj *purpPtr = Tcl_NewListObj(0, NULL);
for (int j = 0; j < X509_PURPOSE_get_count(); j++) {
X509_PURPOSE *ptmp = X509_PURPOSE_get0(j);
Tcl_Obj *tmpPtr = Tcl_NewListObj(0, NULL);
for (int i = 0; i < 2; i++) {
int idret = X509_check_purpose(cert, X509_PURPOSE_get_id(ptmp), i);
Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj(i ? "CA" : "nonCA", -1));
Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj(idret ? "Yes" : "No", -1));
}
Tcl_ListObjAppendElement(interp, purpPtr, Tcl_NewStringObj(X509_PURPOSE_get0_name(ptmp), -1));
Tcl_ListObjAppendElement(interp, purpPtr, tmpPtr);
}
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("certificatePurpose", -1));
Tcl_ListObjAppendElement(interp, certPtr, purpPtr);
}
/* Certificate Policies - indicates the issuing CA considers its issuerDomainPolicy
equivalent to the subject CA's subjectDomainPolicy. */
/* Subject Alternative Name (SAN) extension. Additional URLs, DNS name, or IP addresses
bound to certificate. */
san = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (san) {
Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);
for (int i=0; i < sk_GENERAL_NAME_num(san); i++) {
const GENERAL_NAME *name = sk_GENERAL_NAME_value(san, i);
size_t len2;
|
| ︙ | ︙ | |||
287 288 289 290 291 292 293 |
}
}
sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1));
Tcl_ListObjAppendElement(interp, certPtr, namesPtr);
}
| | < > | | < | < | | < > > | < < < < | < < | < < | < < < | < < | < | < < | | | < < < | < < < | | | | | | < | < < < | < < < | < < < < < < < < < < | | | < < > | > | | < | | | < < | > | | | 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 |
}
}
sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1));
Tcl_ListObjAppendElement(interp, certPtr, namesPtr);
}
/* Get the STACK of all crl distribution point entries for this certificate. */
/* CRL_DIST_POINTS is typedef on STACK_OF(DIST_POINT). */
crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
if (crl) {
Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);
for (int i=0; i < sk_GENERAL_NAME_num(crl); i++) {
const GENERAL_NAME *name = sk_GENERAL_NAME_value(crl, i);
size_t len2;
if (name) {
if (name->type == GEN_DNS) {
char *dns_name;
if ((len2 = ASN1_STRING_to_UTF8(&dns_name, name->d.dNSName)) > 0) {
Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(dns_name, (int)len2));
OPENSSL_free (dns_name);
}
} else if (name->type == GEN_IPADD) {
/* name->d.iPAddress */
}
}
}
sk_GENERAL_NAME_pop_free(crl, GENERAL_NAME_free);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("cRLDistributionPoints", -1));
Tcl_ListObjAppendElement(interp, certPtr, namesPtr);
}
/* Issuer Alternative Name */
/* Subject Directory Attributes */
/* Basic Constraints - identifies whether the subject of the certificate is a CA and
the maximum depth of valid certification paths that include this certificate. */
/* Get OSCP URL */
ocsp = X509_get1_ocsp(cert);
if (ocsp) {
Tcl_Obj *urlsPtr = Tcl_NewListObj(0, NULL);
for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) {
Tcl_ListObjAppendElement(interp, urlsPtr,
Tcl_NewStringObj(sk_OPENSSL_STRING_value(ocsp, i), -1));
}
X509_email_free(ocsp);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("ocsp", -1));
Tcl_ListObjAppendElement(interp, certPtr, urlsPtr);
}
return certPtr;
}
|