Commit e4205dc5 authored by Paul Bakker's avatar Paul Bakker
Browse files

Merged printing of X509 extensions

parents 4c412777 0db29b05
......@@ -110,24 +110,27 @@
/*
* X.509 extension types
*
* Comments refer to the status for using certificates. Status can be
* different for writing certificates or reading CRLs or CSRs.
*/
#define EXT_AUTHORITY_KEY_IDENTIFIER (1 << 0)
#define EXT_SUBJECT_KEY_IDENTIFIER (1 << 1)
#define EXT_KEY_USAGE (1 << 2)
#define EXT_KEY_USAGE (1 << 2) /* Parsed but not used */
#define EXT_CERTIFICATE_POLICIES (1 << 3)
#define EXT_POLICY_MAPPINGS (1 << 4)
#define EXT_SUBJECT_ALT_NAME (1 << 5)
#define EXT_SUBJECT_ALT_NAME (1 << 5) /* Supported (DNS) */
#define EXT_ISSUER_ALT_NAME (1 << 6)
#define EXT_SUBJECT_DIRECTORY_ATTRS (1 << 7)
#define EXT_BASIC_CONSTRAINTS (1 << 8)
#define EXT_BASIC_CONSTRAINTS (1 << 8) /* Supported */
#define EXT_NAME_CONSTRAINTS (1 << 9)
#define EXT_POLICY_CONSTRAINTS (1 << 10)
#define EXT_EXTENDED_KEY_USAGE (1 << 11)
#define EXT_EXTENDED_KEY_USAGE (1 << 11) /* Parsed but not used */
#define EXT_CRL_DISTRIBUTION_POINTS (1 << 12)
#define EXT_INIHIBIT_ANYPOLICY (1 << 13)
#define EXT_FRESHEST_CRL (1 << 14)
#define EXT_NS_CERT_TYPE (1 << 16)
#define EXT_NS_CERT_TYPE (1 << 16) /* Parsed (and then ?) */
/*
* Storage format identifiers
......
......@@ -72,18 +72,18 @@ typedef struct _x509_crt
x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
x509_buf v3_ext; /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */
x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
int ext_types; /**< Bit string containing detected and parsed extensions */
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
unsigned char key_usage; /**< Optional key usage extension value: See the values below */
unsigned char key_usage; /**< Optional key usage extension value: See the values in x509.h */
x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values below */
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
x509_buf sig_oid2; /**< Signature algorithm. Must match sig_oid1. */
x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */
......
......@@ -341,20 +341,15 @@ static int x509_get_subject_alt_name( unsigned char **p,
return( POLARSSL_ERR_X509_INVALID_EXTENSIONS +
POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
/* Skip everything but DNS name */
if( tag != ( ASN1_CONTEXT_SPECIFIC | 2 ) )
{
*p += tag_len;
continue;
}
buf = &(cur->buf);
buf->tag = tag;
buf->p = *p;
buf->len = tag_len;
*p += buf->len;
/* Allocate and assign next pointer */
if (*p < end)
if( cur->buf.p != NULL )
{
cur->next = (asn1_sequence *) polarssl_malloc(
sizeof( asn1_sequence ) );
......@@ -366,6 +361,12 @@ static int x509_get_subject_alt_name( unsigned char **p,
memset( cur->next, 0, sizeof( asn1_sequence ) );
cur = cur->next;
}
buf = &(cur->buf);
buf->tag = tag;
buf->p = *p;
buf->len = tag_len;
*p += buf->len;
}
/* Set final sequence entry's next pointer to NULL */
......@@ -1099,11 +1100,138 @@ static int compat_snprintf(char *str, size_t size, const char *format, ...)
p += (unsigned int) ret; \
}
static int x509_info_subject_alt_name( char **buf, size_t *size,
const x509_sequence *subject_alt_name )
{
size_t i;
size_t n = *size;
char *p = *buf;
const x509_sequence *cur = subject_alt_name;
const char *sep = "";
size_t sep_len = 0;
while( cur != NULL )
{
if( cur->buf.len + sep_len >= n )
{
*p = '\0';
return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL );
}
n -= cur->buf.len + sep_len;
for( i = 0; i < sep_len; i++ )
*p++ = sep[i];
for( i = 0; i < cur->buf.len; i++ )
*p++ = cur->buf.p[i];
sep = ", ";
sep_len = 2;
cur = cur->next;
}
*p = '\0';
*size = n;
*buf = p;
return( 0 );
}
#define PRINT_ITEM(i) \
{ \
ret = snprintf( p, n, "%s" i, sep ); \
SAFE_SNPRINTF(); \
sep = ", "; \
}
#define CERT_TYPE(type,name) \
if( ns_cert_type & type ) \
PRINT_ITEM( name );
static int x509_info_cert_type( char **buf, size_t *size,
unsigned char ns_cert_type )
{
int ret;
size_t n = *size;
char *p = *buf;
const char *sep = "";
CERT_TYPE( NS_CERT_TYPE_SSL_CLIENT, "SSL Client" );
CERT_TYPE( NS_CERT_TYPE_SSL_SERVER, "SSL Server" );
CERT_TYPE( NS_CERT_TYPE_EMAIL, "Email" );
CERT_TYPE( NS_CERT_TYPE_OBJECT_SIGNING, "Object Signing" );
CERT_TYPE( NS_CERT_TYPE_RESERVED, "Reserved" );
CERT_TYPE( NS_CERT_TYPE_SSL_CA, "SSL CA" );
CERT_TYPE( NS_CERT_TYPE_EMAIL_CA, "Email CA" );
CERT_TYPE( NS_CERT_TYPE_OBJECT_SIGNING_CA, "Object Signing CA" );
*size = n;
*buf = p;
return( 0 );
}
#define KEY_USAGE(code,name) \
if( key_usage & code ) \
PRINT_ITEM( name );
static int x509_info_key_usage( char **buf, size_t *size,
unsigned char key_usage )
{
int ret;
size_t n = *size;
char *p = *buf;
const char *sep = "";
KEY_USAGE( KU_DIGITAL_SIGNATURE, "Digital Signature" );
KEY_USAGE( KU_NON_REPUDIATION, "Non Repudiation" );
KEY_USAGE( KU_KEY_ENCIPHERMENT, "Key Encipherment" );
KEY_USAGE( KU_DATA_ENCIPHERMENT, "Data Encipherment" );
KEY_USAGE( KU_KEY_AGREEMENT, "Key Agreement" );
KEY_USAGE( KU_KEY_CERT_SIGN, "Key Cert Sign" );
KEY_USAGE( KU_CRL_SIGN, "CRL Sign" );
*size = n;
*buf = p;
return( 0 );
}
static int x509_info_ext_key_usage( char **buf, size_t *size,
const x509_sequence *extended_key_usage )
{
int ret;
const char *desc;
size_t n = *size;
char *p = *buf;
const x509_sequence *cur = extended_key_usage;
const char *sep = "";
while( cur != NULL )
{
if( oid_get_extended_key_usage( &cur->buf, &desc ) != 0 )
desc = "???";
ret = snprintf( p, n, "%s%s", sep, desc );
SAFE_SNPRINTF();
sep = ", ";
cur = cur->next;
}
*size = n;
*buf = p;
return( 0 );
}
/*
* Return an informational string about the certificate.
*/
#define BEFORE_COLON 14
#define BC "14"
#define BEFORE_COLON 18
#define BC "18"
int x509_crt_info( char *buf, size_t size, const char *prefix,
const x509_crt *crt )
{
......@@ -1116,41 +1244,41 @@ int x509_crt_info( char *buf, size_t size, const char *prefix,
p = buf;
n = size;
ret = snprintf( p, n, "%scert. version : %d\n",
ret = snprintf( p, n, "%scert. version : %d\n",
prefix, crt->version );
SAFE_SNPRINTF();
ret = snprintf( p, n, "%sserial number : ",
ret = snprintf( p, n, "%sserial number : ",
prefix );
SAFE_SNPRINTF();
ret = x509_serial_gets( p, n, &crt->serial);
SAFE_SNPRINTF();
ret = snprintf( p, n, "\n%sissuer name : ", prefix );
ret = snprintf( p, n, "\n%sissuer name : ", prefix );
SAFE_SNPRINTF();
ret = x509_dn_gets( p, n, &crt->issuer );
SAFE_SNPRINTF();
ret = snprintf( p, n, "\n%ssubject name : ", prefix );
ret = snprintf( p, n, "\n%ssubject name : ", prefix );
SAFE_SNPRINTF();
ret = x509_dn_gets( p, n, &crt->subject );
SAFE_SNPRINTF();
ret = snprintf( p, n, "\n%sissued on : " \
ret = snprintf( p, n, "\n%sissued on : " \
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
crt->valid_from.year, crt->valid_from.mon,
crt->valid_from.day, crt->valid_from.hour,
crt->valid_from.min, crt->valid_from.sec );
SAFE_SNPRINTF();
ret = snprintf( p, n, "\n%sexpires on : " \
ret = snprintf( p, n, "\n%sexpires on : " \
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
crt->valid_to.year, crt->valid_to.mon,
crt->valid_to.day, crt->valid_to.hour,
crt->valid_to.min, crt->valid_to.sec );
SAFE_SNPRINTF();
ret = snprintf( p, n, "\n%ssigned using : ", prefix );
ret = snprintf( p, n, "\n%ssigned using : ", prefix );
SAFE_SNPRINTF();
ret = oid_get_sig_alg_desc( &crt->sig_oid1, &desc );
......@@ -1160,16 +1288,75 @@ int x509_crt_info( char *buf, size_t size, const char *prefix,
ret = snprintf( p, n, "%s", desc );
SAFE_SNPRINTF();
/* Key size */
if( ( ret = x509_key_size_helper( key_size_str, BEFORE_COLON,
pk_get_name( &crt->pk ) ) ) != 0 )
{
return( ret );
}
ret = snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
ret = snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
(int) pk_get_size( &crt->pk ) );
SAFE_SNPRINTF();
/*
* Optional extensions
*/
if( crt->ext_types & EXT_BASIC_CONSTRAINTS )
{
ret = snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
crt->ca_istrue ? "true" : "false" );
SAFE_SNPRINTF();
if( crt->max_pathlen > 0 )
{
ret = snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
SAFE_SNPRINTF();
}
}
if( crt->ext_types & EXT_SUBJECT_ALT_NAME )
{
ret = snprintf( p, n, "\n%ssubject alt name : ", prefix );
SAFE_SNPRINTF();
if( ( ret = x509_info_subject_alt_name( &p, &n,
&crt->subject_alt_names ) ) != 0 )
return( ret );
}
if( crt->ext_types & EXT_NS_CERT_TYPE )
{
ret = snprintf( p, n, "\n%scert. type : ", prefix );
SAFE_SNPRINTF();
if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 )
return( ret );
}
if( crt->ext_types & EXT_KEY_USAGE )
{
ret = snprintf( p, n, "\n%skey usage : ", prefix );
SAFE_SNPRINTF();
if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 )
return( ret );
}
if( crt->ext_types & EXT_EXTENDED_KEY_USAGE )
{
ret = snprintf( p, n, "\n%sext key usage : ", prefix );
SAFE_SNPRINTF();
if( ( ret = x509_info_ext_key_usage( &p, &n,
&crt->ext_key_usage ) ) != 0 )
return( ret );
}
ret = snprintf( p, n, "\n" );
SAFE_SNPRINTF();
return( (int) ( size - n ) );
}
......
-----BEGIN CERTIFICATE-----
MIIDpzCCAo+gAwIBAgIBITANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER
MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN
MTQwNDAxMTQ0NDQzWhcNMjQwMzI5MTQ0NDQzWjA8MQswCQYDVQQGEwJOTDERMA8G
A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/
uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD
d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf
CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr
lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w
bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB
o4G0MIGxMAkGA1UdEwQCMAAwHQYDVR0OBBYEFB901j8pwXR0RTsFEiw9qL1DWQKm
MGMGA1UdIwRcMFqAFLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQG
EwJOTDERMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3Qg
Q0GCAQAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3
DQEBCwUAA4IBAQANtiYR2P6+a7rEtJARIgpurw1URYejATbbp3ZhaHBW603Wyb2+
KJtm1KPCzoju/qTRt65YYkt+tu1wTzamyrkPxt8bBKmxiWnu5j1HLxdjOz8VW9lf
vTb5egR4dU9eNXni/5QkzrdkMO+ob4puDXY7ytPuGX6YfNVhCkrhBlYDJNE57CkK
vpCNj3+Te8PEkWPAEaUhqCnQk6qvPvpBfc/hqgwzlRMt3u5NkiVOuH72dtr4fOI1
nlAU8D2wuvDVr3X5281ONNEtHU6rXe98vlUzS9QV9lBDdsO9nRYJzv2Nb1cjRIM5
JZl0ILLR2tc6E/W5YXalNp37jfrFii1U9WrJ
-----END CERTIFICATE-----
This diff is collapsed.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment