Start printing extensions in x509_crt_info()

b28487db · Manuel Pégourié-Gonnard · 887aa5b3 · b28487db · b28487db · b28487db
Commit b28487db authored Apr 01, 2014 by Manuel Pégourié-Gonnard
4 changed files
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -110,24 +110,27 @@

 /*
 * X.509 extension types
+ *
+ * Comments refer to the status for using certificates. Status can be
+ * different for writing certificates or reading CRLs or CSRs.
 */
 #define EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
 #define EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
-#define EXT_KEY_USAGE                   (1 << 2)
+#define EXT_KEY_USAGE                   (1 << 2)    /* Parsed but not used */
 #define EXT_CERTIFICATE_POLICIES        (1 << 3)
 #define EXT_POLICY_MAPPINGS             (1 << 4)
-#define EXT_SUBJECT_ALT_NAME            (1 << 5)
+#define EXT_SUBJECT_ALT_NAME            (1 << 5)    /* Supported (DNS) */
 #define EXT_ISSUER_ALT_NAME             (1 << 6)
 #define EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
-#define EXT_BASIC_CONSTRAINTS           (1 << 8)
+#define EXT_BASIC_CONSTRAINTS           (1 << 8)    /* Supported */
 #define EXT_NAME_CONSTRAINTS            (1 << 9)
 #define EXT_POLICY_CONSTRAINTS          (1 << 10)
-#define EXT_EXTENDED_KEY_USAGE          (1 << 11)
+#define EXT_EXTENDED_KEY_USAGE          (1 << 11)   /* Parsed but not used */
 #define EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
 #define EXT_INIHIBIT_ANYPOLICY          (1 << 13)
 #define EXT_FRESHEST_CRL                (1 << 14)

-#define EXT_NS_CERT_TYPE                (1 << 16)
+#define EXT_NS_CERT_TYPE                (1 << 16)   /* Parsed (and then ?) */

 /*
 * Storage format identifiers

--- a/include/polarssl/x509_crt.h
+++ b/include/polarssl/x509_crt.h
@@ -72,18 +72,18 @@ typedef struct _x509_crt

    x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
    x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
-    x509_buf v3_ext;            /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */
+    x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
    x509_sequence subject_alt_names;    /**< Optional list of Subject Alternative Names (Only dNSName supported). */

    int ext_types;              /**< Bit string containing detected and parsed extensions */
    int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
    int max_pathlen;            /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */

-    unsigned char key_usage;    /**< Optional key usage extension value: See the values below */
+    unsigned char key_usage;    /**< Optional key usage extension value: See the values in x509.h */

    x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */

-    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values below */
+    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */

    x509_buf sig_oid2;          /**< Signature algorithm. Must match sig_oid1. */
    x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */

--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1102,8 +1102,8 @@ static int compat_snprintf(char *str, size_t size, const char *format, ...)
 /*
 * Return an informational string about the certificate.
 */
-#define BEFORE_COLON    14
-#define BC              "14"
+#define BEFORE_COLON    18
+#define BC              "18"
 int x509_crt_info( char *buf, size_t size, const char *prefix,
                   const x509_crt *crt )
 {
@@ -1116,41 +1116,41 @@ int x509_crt_info( char *buf, size_t size, const char *prefix,
    p = buf;
    n = size;

-    ret = snprintf( p, n, "%scert. version : %d\n",
+    ret = snprintf( p, n, "%scert. version     : %d\n",
                               prefix, crt->version );
    SAFE_SNPRINTF();
-    ret = snprintf( p, n, "%sserial number : ",
+    ret = snprintf( p, n, "%sserial number     : ",
                               prefix );
    SAFE_SNPRINTF();

    ret = x509_serial_gets( p, n, &crt->serial);
    SAFE_SNPRINTF();

-    ret = snprintf( p, n, "\n%sissuer name   : ", prefix );
+    ret = snprintf( p, n, "\n%sissuer name       : ", prefix );
    SAFE_SNPRINTF();
    ret = x509_dn_gets( p, n, &crt->issuer  );
    SAFE_SNPRINTF();

-    ret = snprintf( p, n, "\n%ssubject name  : ", prefix );
+    ret = snprintf( p, n, "\n%ssubject name      : ", prefix );
    SAFE_SNPRINTF();
    ret = x509_dn_gets( p, n, &crt->subject );
    SAFE_SNPRINTF();

-    ret = snprintf( p, n, "\n%sissued  on    : " \
+    ret = snprintf( p, n, "\n%sissued  on        : " \
                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
                   crt->valid_from.year, crt->valid_from.mon,
                   crt->valid_from.day,  crt->valid_from.hour,
                   crt->valid_from.min,  crt->valid_from.sec );
    SAFE_SNPRINTF();

-    ret = snprintf( p, n, "\n%sexpires on    : " \
+    ret = snprintf( p, n, "\n%sexpires on        : " \
                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
                   crt->valid_to.year, crt->valid_to.mon,
                   crt->valid_to.day,  crt->valid_to.hour,
                   crt->valid_to.min,  crt->valid_to.sec );
    SAFE_SNPRINTF();

-    ret = snprintf( p, n, "\n%ssigned using  : ", prefix );
+    ret = snprintf( p, n, "\n%ssigned using      : ", prefix );
    SAFE_SNPRINTF();

    ret = oid_get_sig_alg_desc( &crt->sig_oid1, &desc );
@@ -1160,16 +1160,65 @@ int x509_crt_info( char *buf, size_t size, const char *prefix,
        ret = snprintf( p, n, "%s", desc );
    SAFE_SNPRINTF();

+    /* Key size */
    if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON,
                                      pk_get_name( &crt->pk ) ) ) != 0 )
    {
        return( ret );
    }

-    ret = snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
+    ret = snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
                          (int) pk_get_size( &crt->pk ) );
    SAFE_SNPRINTF();

+    /*
+     * Optional extensions
+     */
+
+    if( crt->ext_types & EXT_BASIC_CONSTRAINTS )
+    {
+        ret = snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
+                        crt->ca_istrue ? "true" : "false" );
+        SAFE_SNPRINTF();
+
+        if( crt->max_pathlen > 0 )
+        {
+            ret = snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
+            SAFE_SNPRINTF();
+        }
+    }
+
+    if( crt->ext_types & EXT_SUBJECT_ALT_NAME )
+    {
+        ret = snprintf( p, n, "\n%ssubject alt name  : ", prefix );
+        SAFE_SNPRINTF();
+        /* TODO */
+    }
+
+    if( crt->ext_types & EXT_NS_CERT_TYPE )
+    {
+        ret = snprintf( p, n, "\n%scert. type        : ", prefix );
+        SAFE_SNPRINTF();
+        /* TODO */
+    }
+
+    if( crt->ext_types & EXT_KEY_USAGE )
+    {
+        ret = snprintf( p, n, "\n%skey usage         : ", prefix );
+        SAFE_SNPRINTF();
+        /* TODO */
+    }
+
+    if( crt->ext_types & EXT_EXTENDED_KEY_USAGE )
+    {
+        ret = snprintf( p, n, "\n%sext key usage     : ", prefix );
+        SAFE_SNPRINTF();
+        /* TODO */
+    }
+
+    ret = snprintf( p, n, "\n" );
+    SAFE_SNPRINTF();
+
    return( (int) ( size - n ) );
 }


--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data