Index: doc/tls.html
==================================================================
--- doc/tls.html
+++ doc/tls.html
@@ -234,18 +234,22 @@
If -local is given, then the certificate information
is the one used locally.
+ - all string
+ - Dump of all certificate data.
- version value
- The certification version
- - signature_algorithm algorithm
+ - signatureAlgorithm algorithm
- Cipher algorithm used for certificate signature.
- digest version
- Certificate signature digest.
- - public_key_algorithm algorithm
+ - publicKeyAlgorithm algorithm
- Certificate signature public key algorithm.
+ - publicKey string
+ - Certificate signature public key.
- bits n
- Number of bits used for certificate signature key
- self_signed boolean
- Is certificate signature self signed.
- sha1_hash hash
@@ -258,11 +262,11 @@
- The distinguished name (DN) of the certificate issuer.
- notBefore date
- The begin date for the validity of the certificate.
- notAfter date
- The expiry date for the certificate.
- - serial n
+ - serialNumber n
- The serial number of the certificate.
- certificate cert
- The PEM encoded certificate.
- num_extensions n
- Number of certificate extensions.
@@ -281,14 +285,17 @@
- The protocol selected after Application-Layer Protocol
Negotiation (ALPN).
- protocol value
- The protocol version used for the connection:
SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, or unknown
- - signature_hash string
- - The signature hash value.
+ - signatureHashAlgorithm string
+ - The signature hash algorithm.
- signature_type type
- The signature type value.
+ - subjectAltName list
+ - List of all of the alternative domain names, sub domains,
+ and IP addresses that are secured by the certificate.
- ca_names list
- List of the Certificate Authorities used to create the certificate.
@@ -306,11 +313,11 @@
The name of the connected to server.
protocol version
The protocol version used for the connection:
SSL2, SSL3, TLS1, TLS1.1, TLS1.2, TLS1.3, or unknown.
renegotiation state
- Whether protocol renegotiation is allowed or disallowed.
+ Whether protocol renegotiation is supported or not.
securitylevel level
The security level used for selection of ciphers, key size, etc.
session_reused boolean
Whether the session has been reused or not.
is_server boolean
@@ -510,12 +517,11 @@
current validity of the certificate.
A value of 0
means the certificate is deemed invalid.
A value of 1
means the certificate is deemed valid.
The error argument supplies the message, if any, generated
- by
- X509_STORE_CTX_get_error()
.
+ by X509_STORE_CTX_get_error()
.
The callback may override normal validation processing by explicitly
returning one of the above status values.
Index: generic/tlsX509.c
==================================================================
--- generic/tlsX509.c
+++ generic/tlsX509.c
@@ -136,11 +136,11 @@
n = BIO_read(bio, issuer, min(BIO_pending(bio), BUFSIZ - 1));
n = max(n, 0);
issuer[n] = 0;
(void)BIO_flush(bio);
- i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));
+ i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert));
n = BIO_read(bio, serial, min(BIO_pending(bio), BUFSIZ - 1));
n = max(n, 0);
serial[n] = 0;
(void)BIO_flush(bio);
@@ -163,30 +163,43 @@
certStr_p += n;
}
*certStr_p = '\0';
(void)BIO_flush(bio);
}
+
+ /* All */
+ if (X509_print_ex(bio, cert, flags, 0)) {
+ char all[65536];
+ n = BIO_read(bio, all, min(BIO_pending(bio), 65535));
+ n = max(n, 0);
+ all[n] = 0;
+ (void)BIO_flush(bio);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("all", -1));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(all, n));
+ }
BIO_free(bio);
}
- strcpy(notBefore, ASN1_UTCTIME_tostr(X509_getm_notBefore(cert)));
- strcpy(notAfter, ASN1_UTCTIME_tostr(X509_getm_notAfter(cert)));
+ strcpy(notBefore, ASN1_UTCTIME_tostr(X509_get0_notBefore(cert)));
+ strcpy(notAfter, ASN1_UTCTIME_tostr(X509_get0_notAfter(cert)));
/* Version */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("version", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewLongObj(X509_get_version(cert)+1));
/* Signature algorithm */
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signature_algorithm", -1));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureAlgorithm", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(X509_get_signature_nid(cert)),-1));
/* Information about the signature of certificate cert */
if (X509_get_signature_info(cert, &nid, &pknid, &bits, &xflags) == 1) {
+ ASN1_BIT_STRING *key;
+
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("digest", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(nid),-1));
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("public_key_algorithm", -1));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKeyAlgorithm", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(pknid),-1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("bits", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(bits));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("extension_flags", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(xflags));
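Review bot: The new "All" block places `char all[65536]` on the stack and silently cuts the `X509_print_ex` dump at 65535 bytes, so a large certificate (the peer's, where this is called on one) yields a truncated `all` value with no indication to the script. Sizing a heap buffer from `BIO_pending(bio)` removes both the 64 KiB frame and the truncation, as sketched below. The enclosing function and the declaration of `flags` are outside the hunk, so confirm which print flags are actually passed. Separately, the two `strcpy` lines now hand the `const` result of `X509_get0_notBefore`/`X509_get0_notAfter` to `ASN1_UTCTIME_tostr`. If that helper takes a non-const pointer this discards the qualifier, and the copy is still unbounded against destination sizes that are not visible here.

```c
    /* All */
    if (X509_print_ex(bio, cert, flags, 0)) {
	int pending = BIO_pending(bio);
	char *all;

	if (pending < 0) {
	    pending = 0;
	}
	all = ckalloc((unsigned) pending + 1);
	n = BIO_read(bio, all, pending);
	n = max(n, 0);
	/* … unchanged: BIO_flush and the "all" key append … */
	Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(all, n));
	ckfree(all);
    }
```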
@@ -193,31 +206,44 @@
if (pknid == NID_rsaEncryption || pknid == NID_dsa) {
EVP_PKEY *pkey = X509_get_pubkey(cert);
}
+ /* X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public key. */
+ key = X509_get0_pubkey_bitstr(cert);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKey", -1));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char *)key->data, key->length);
+
/* Check if cert was issued by CA cert issuer or self signed */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("self_signed", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(X509_check_issued(cert, cert) == X509_V_OK));
}
-
- /* Subject Key Identifier */
+
+ /* Alias */
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("alias", -1));
+ len = 0;
+ bstring = X509_alias_get0(cert, &len);
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(bstring, len));
+
+ /* Subject Key Identifier is a hash of the encoded public key. Required for
+ CA certs. CAs use SKI for Issuer Key Identifier (AKI) extension on issued certificates. */
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectKeyIdentifier", -1));
+ len = 0;
bstring = X509_keyid_get0(cert, &len);
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(bstring, len));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(bstring, len));
- /* SHA1 - DER representation*/
- X509_digest(cert, EVP_sha1(), sha1_hash_binary, NULL);
+ /* SHA1 Fingerprint of cert - DER representation */
+ X509_digest(cert, EVP_sha1(), sha1_hash_binary, &len);
for (int n = 0; n < SHA_DIGEST_LENGTH; n++) {
sha1_hash_ascii[n*2] = shachars[(sha1_hash_binary[n] & 0xF0) >> 4];
sha1_hash_ascii[n*2+1] = shachars[(sha1_hash_binary[n] & 0x0F)];
}
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("sha1_hash", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(sha1_hash_ascii, SHA_DIGEST_LENGTH * 2));
- /* SHA256 - DER representation */
- X509_digest(cert, EVP_sha256(), sha256_hash_binary, NULL);
+ /* SHA256 Fingerprint of cert - DER representation */
+ X509_digest(cert, EVP_sha256(), sha256_hash_binary, &len);
for (int n = 0; n < SHA256_DIGEST_LENGTH; n++) {
sha256_hash_ascii[n*2] = shachars[(sha256_hash_binary[n] & 0xF0) >> 4];
sha256_hash_ascii[n*2+1] = shachars[(sha256_hash_binary[n] & 0x0F)];
}
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("sha256_hash", -1));
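Review bot: The added `publicKey` append is missing a closing parenthesis and will not compile, and its `(char *)` cast does not match `Tcl_NewByteArrayObj`, which takes `const unsigned char *`. I would write `Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(key->data, key->length));` and wrap it in `if (key != NULL)` in case `X509_get0_pubkey_bitstr` can return NULL for this certificate. The same `len` is now passed to `X509_alias_get0` (which takes `int *`) and to `X509_digest` (which takes `unsigned int *`); its declaration is outside the hunk, so one of those calls probably needs its own variable. The `X509_digest` return value is still ignored, so on failure the hex loops would format whatever is in the hash buffers. A check such as `if (X509_digest(cert, EVP_sha1(), sha1_hash_binary, &len) == 1)` around each fingerprint would avoid reporting a bogus hash.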
@@ -233,11 +259,11 @@
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj( notBefore, -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("notAfter", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj( notAfter, -1));
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("serial", -1));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("serialNumber", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj( serial, -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("certificate", -1));
Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj( certStr, -1));
@@ -281,11 +307,11 @@
/* name->d.iPAddress */
}
}
}
sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
- Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subject_alt_names", -1));
+ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1));
Tcl_ListObjAppendElement(interp, certPtr, namesPtr);
}
return certPtr;
}