Index: doc/tls.html
==================================================================
--- doc/tls.html
+++ doc/tls.html
@@ -288,15 +288,22 @@
num_extensions n
Number of certificate extensions.
extensions list
List of certificate extension names.
+ authorityKeyIdentifier string
+ (AKI) Key identifier of the Issuing CA certificate that signed
+ the SSL certificate. This value matches the SKI value of the
+ Intermediate CA certificate.
subjectKeyIdentifier string
- Hash of the public key inside the certificate.
+ (SKI) Hash of the public key inside the certificate. Used to
+ identify certificates that contain a particular public key.
subjectAltName list
List of all of the alternative domain names, sub domains,
and IP addresses that are secured by the certificate.
+ ocsp list
+ List of all OCSP URLs.
certificate cert
The PEM encoded certificate.
signatureAlgorithm algorithm
Index: generic/tlsX509.c
==================================================================
--- generic/tlsX509.c
+++ generic/tlsX509.c
@@ -113,11 +113,11 @@
char subject[BUFSIZ];
char issuer[BUFSIZ];
char serial[BUFSIZ];
char notBefore[BUFSIZ];
char notAfter[BUFSIZ];
- char publicKey[BUFSIZ];
+ char buffer[BUFSIZ];
char certStr[CERT_STR_SIZE], *certStr_p;
int certStr_len, toRead;
char sha1_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1];
unsigned char sha1_hash_binary[SHA_DIGEST_LENGTH];
char sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2 + 1];
@@ -217,13 +217,13 @@
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("extension_flags", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(xflags));
/* Public key - X509_get0_pubkey */
key = X509_get0_pubkey_bitstr(cert);
- len = String_to_Hex(key->data, key->length, publicKey, BUFSIZ);
+ len = String_to_Hex(key->data, key->length, buffer, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKey", -1));
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(publicKey, len));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
/* Check if cert was issued by CA cert issuer or self signed */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("self_signed", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(X509_check_issued(cert, cert) == X509_V_OK));
}
@@ -245,23 +245,10 @@
} else {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
}
}
- /* Alias */
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("alias", -1));
- len = 0;
- bstring = X509_alias_get0(cert, &len);
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(bstring, len));
-
- /* Subject Key Identifier is a hash of the encoded public key. Required for
- CA certs. CAs use SKI for Issuer Key Identifier (AKI) extension on issued certificates. */
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectKeyIdentifier", -1));
- len = 0;
- bstring = X509_keyid_get0(cert, &len);
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(bstring, len));
-
/* SHA1 Fingerprint of cert - DER representation */
X509_digest(cert, EVP_sha1(), sha1_hash_binary, &len);
len = String_to_Hex(sha1_hash_binary, len, sha1_hash_ascii, BUFSIZ);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("sha1_hash", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(sha1_hash_ascii, len));
@@ -334,10 +321,58 @@
sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1));
Tcl_ListObjAppendElement(interp, certPtr, namesPtr);
}
+ /* Certificate Alias */
+ len = 0;
+ bstring = X509_alias_get0(cert, &len);
+ len = String_to_Hex(bstring, len, buffer, BUFSIZ);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("alias", -1));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
+
+ /* Get Subject Key id, Authority Key id */
+ {
+ ASN1_OCTET_STRING *astring;
+ /* X509_keyid_get0 */
+ astring = X509_get0_subject_key_id(cert);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectKeyIdentifier", -1));
+ if (astring != NULL) {
+ len = String_to_Hex((char *)ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, BUFSIZ);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(buffer, len));
+ } else {
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
+ }
+
+ astring = X509_get0_authority_key_id(cert);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("authorityKeyIdentifier", -1));
+ if (astring != NULL) {
+ len = String_to_Hex((char *)ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, BUFSIZ);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(buffer, len));
+ } else {
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
+ }
+
+ /* const GENERAL_NAMES *X509_get0_authority_issuer(cert);
+ const ASN1_INTEGER *X509_get0_authority_serial(cert); */
+ }
+
+ /* Get OSCP URL */
+ {
+ STACK_OF(OPENSSL_STRING) *str_stack = X509_get1_ocsp(cert);
+ Tcl_Obj *urlsPtr = Tcl_NewListObj(0, NULL);
+
+ for (int i = 0; i < sk_OPENSSL_STRING_num(str_stack); i++) {
+ Tcl_ListObjAppendElement(interp, urlsPtr,
+ Tcl_NewStringObj(sk_OPENSSL_STRING_value(str_stack, i), -1));
+ }
+
+ X509_email_free(str_stack);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("ocsp", -1));
+ Tcl_ListObjAppendElement(interp, certPtr, urlsPtr);
+ }
+
/* Signature algorithm and value */
{
const X509_ALGOR *sig_alg;
const ASN1_BIT_STRING *sig;
int sig_nid;
@@ -349,14 +384,14 @@
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureAlgorithm", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(sig_nid),-1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureValue", -1));
if (sig_nid != NID_undef) {
- len = String_to_Hex(sig->data, sig->length, publicKey, BUFSIZ);
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(publicKey, len));
+ len = String_to_Hex(sig->data, sig->length, buffer, BUFSIZ);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len));
} else {
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1));
}
}
return certPtr;
}