Check-in [35be4894ce]
Overview
Comment:Added Issuer Alt Name to X509 status, refactored get SAN and CRL
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | status_x509
Files: files | file ages | folders
SHA3-256: 35be4894cebc716f8e853196d0d0025de50da8732bcd71d7fb9c41fb8e96e63a
User & Date: bohagan on 2023-08-07 03:27:12
Other Links: branch diff | manifest | tags
Context
2023-08-10
03:16
Reordered get parameters in Tls_NewX509Obj to follow RFC 5280 section order. Added get self issued, Key usage, Extended Key usage, and purpose values. Added more comments, optimized code, etc. check-in: 10bcd4c88f user: bohagan tags: status_x509
2023-08-07
03:27
Added Issuer Alt Name to X509 status, refactored get SAN and CRL check-in: 35be4894ce user: bohagan tags: status_x509
2023-08-02
01:17
Added Certificate Revocation List (CRL) to X509 status. Moved get X509 extension items to end of function. check-in: f22fb82c96 user: bohagan tags: status_x509
Changes

Modified generic/tlsIO.c from [ede520a139] to [55240df165].

142
143
144
145
146
147
148
149

150
151
152
153
154
155
156
142
143
144
145
146
147
148

149
150
151
152
153
154
155
156







-
+







	    dprintf("Asked to wait for a TLS handshake that has already failed.  Returning soft error");
	    *errorCodePtr = ECONNRESET;
	}
	return(-1);
    }

    for (;;) {
	/* Not initialized yet! */
	/* Not initialized yet! Also calls SSL_do_handshake. */
	if (statePtr->flags & TLS_TCL_SERVER) {
	    dprintf("Calling SSL_accept()");
	    err = SSL_accept(statePtr->ssl);

	} else {
	    dprintf("Calling SSL_connect()");
	    err = SSL_connect(statePtr->ssl);

Modified generic/tlsX509.c from [6962c4384a] to [581b34e1fe].

361
362
363
364
365
366
367

368
369

370
371
372
373

374
375
376
377
378
379
380
381





























382
383
384

385
386

387
388
389
390
391
392
393
394
395
396
397
398



399
400
401
402
403
404








405

406

407
408







409
410
411
412
413


414
415
416
417
418
419
420
421
422
423
424
425
361
362
363
364
365
366
367
368
369

370
371

372

373








374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407

408
409
410
411
412
413
414
415
416
417



418
419
420
421





422
423
424
425
426
427
428
429

430
431
432


433
434
435
436
437
438
439
440
441
442


443
444
445
446
447


448
449
450
451
452
453
454







+

-
+

-

-
+
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+



+

-
+









-
-
-
+
+
+

-
-
-
-
-
+
+
+
+
+
+
+
+
-
+

+
-
-
+
+
+
+
+
+
+



-
-
+
+



-
-







	equivalent to the subject CA's subjectDomainPolicy. */

    /* Subject Alternative Name (SAN) extension. Additional URLs, DNS name, or IP addresses
	bound to certificate. */
    san = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
    if (san) {
	Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);
	bio = BIO_new(BIO_s_mem());

	for (int i=0; i < sk_GENERAL_NAME_num(san); i++)         {
	for (int i=0; i < sk_GENERAL_NAME_num(san); i++) {
	    const GENERAL_NAME *name = sk_GENERAL_NAME_value(san, i);
	    size_t len2;

	    if (name) {
	    if (name && bio) {
		if (name->type == GEN_DNS) {
		    char *dns_name;
		    if ((len2 = ASN1_STRING_to_UTF8(&dns_name, name->d.dNSName)) > 0) {
			Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(dns_name, (int)len2));
			OPENSSL_free (dns_name);
		    }
		} else if (name->type == GEN_IPADD) {
		    /* name->d.iPAddress */
		if (GENERAL_NAME_print(bio, name)) {
		    int n = BIO_read(bio, buffer, min(BIO_pending(bio), BUFSIZ));
		    buffer[max(n, 0)] = 0;
		    (void)BIO_flush(bio);
		    Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(buffer, n));
		}
	    }
	}
	BIO_free(bio);
	sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
	Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1));
	Tcl_ListObjAppendElement(interp, certPtr, namesPtr);
    }

    /* Issuer Alternative Name */
    san = X509_get_ext_d2i(cert, NID_issuer_alt_name, NULL, NULL);
    if (san) {
	Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);
	bio = BIO_new(BIO_s_mem());

	for (int i=0; i < sk_GENERAL_NAME_num(san); i++) {
	    const GENERAL_NAME *name = sk_GENERAL_NAME_value(san, i);

	    if (name && bio) {
		if (GENERAL_NAME_print(bio, name)) {
		    int n = BIO_read(bio, buffer, min(BIO_pending(bio), BUFSIZ));
		    buffer[max(n, 0)] = 0;
		    (void)BIO_flush(bio);
		    Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(buffer, n));
		}
	    }
	}
	BIO_free(bio);
	sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
	Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1));
	Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerAltName", -1));
	Tcl_ListObjAppendElement(interp, certPtr, namesPtr);
    }

    /* Get the STACK of all crl distribution point entries for this certificate. */
    /* CRL_DIST_POINTS is typedef on STACK_OF(DIST_POINT). */
    crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
    if (crl) {
	Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);

	for (int i=0; i < sk_GENERAL_NAME_num(crl); i++)         {
	    const GENERAL_NAME *name = sk_GENERAL_NAME_value(crl, i);
	    size_t len2;
	for (int i=0; i < sk_DIST_POINT_num(crl); i++) {
	    DIST_POINT *dp = sk_DIST_POINT_value(crl, i);
	    DIST_POINT_NAME *distpoint = dp->distpoint;

	    if (name) {
		if (name->type == GEN_DNS) {
		    char *dns_name;
		    if ((len2 = ASN1_STRING_to_UTF8(&dns_name, name->d.dNSName)) > 0) {
			Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(dns_name, (int)len2));
	    if (distpoint->type == 0) {
		/* fullname GENERALIZEDNAME */
		for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
		    GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
		    int type;
		    ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type);
		    if (type == GEN_URI) {
			Tcl_ListObjAppendElement(interp, namesPtr,
			OPENSSL_free (dns_name);
			    Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)));
		    }
		}
		} else if (name->type == GEN_IPADD) {
		    /* name->d.iPAddress */
	    } else if (distpoint->type == 1) {
		/* relativename X509NAME */
		STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename;
		for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) {
		    X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j);
		    ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
		    Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d)));
		}
	    }
	}
	sk_GENERAL_NAME_pop_free(crl, GENERAL_NAME_free);
	Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("cRLDistributionPoints", -1));
	CRL_DIST_POINTS_free(crl);
	Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("crlDistributionPoints", -1));
	Tcl_ListObjAppendElement(interp, certPtr, namesPtr);
    }


    /* Issuer Alternative Name */
    /* Subject Directory Attributes */

    /* Basic Constraints - identifies whether the subject of the certificate is a CA and
	the maximum depth of valid certification paths that include this certificate. */

    /* Get OSCP URL */
    ocsp = X509_get1_ocsp(cert);