search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / lib / hx509 / print.c
blob0699df85e079e3d8654b4ae17beb43b1a72569a7
1 /*
2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35 __RCSID("$Heimdal: print.c 22420 2008-01-13 09:42:35Z lha $"
36 "$NetBSD$");
37
38 /**
39 * @page page_print Hx509 printing functions
40 *
41 * See the library functions here: @ref hx509_print
42 */
43
44 struct hx509_validate_ctx_data {
45 int flags;
46 hx509_vprint_func vprint_func;
47 void *ctx;
48 };
49
50 struct cert_status {
51 unsigned int selfsigned:1;
52 unsigned int isca:1;
53 unsigned int isproxy:1;
54 unsigned int haveSAN:1;
55 unsigned int haveIAN:1;
56 unsigned int haveSKI:1;
57 unsigned int haveAKI:1;
58 unsigned int haveCRLDP:1;
59 };
60
61
62 /*
63 *
64 */
65
66 static int
67 Time2string(const Time *T, char **str)
68 {
69 time_t t;
70 char *s;
71 struct tm *tm;
72
73 *str = NULL;
74 t = _hx509_Time2time_t(T);
75 tm = gmtime (&t);
76 s = malloc(30);
77 if (s == NULL)
78 return ENOMEM;
79 strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
80 *str = s;
81 return 0;
82 }
83
84 /**
85 * Helper function to print on stdout for:
86 * - hx509_oid_print(),
87 * - hx509_bitstring_print(),
88 * - hx509_validate_ctx_set_print().
89 *
90 * @param ctx the context to the print function. If the ctx is NULL,
91 * stdout is used.
92 * @param fmt the printing format.
93 * @param va the argumet list.
94 *
95 * @ingroup hx509_print
96 */
97
98 void
99 hx509_print_stdout(void *ctx, const char *fmt, va_list va)
100 {
101 FILE *f = ctx;
102 if (f == NULL)
103 f = stdout;
104 vfprintf(f, fmt, va);
105 }
106
107 static void
108 print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
109 {
110 va_list va;
111 va_start(va, fmt);
112 (*func)(ctx, fmt, va);
113 va_end(va);
114 }
115
116 /**
117 * Print a oid to a string.
118 *
119 * @param oid oid to print
120 * @param str allocated string, free with hx509_xfree().
121 *
122 * @return An hx509 error code, see hx509_get_error_string().
123 *
124 * @ingroup hx509_print
125 */
126
127 int
128 hx509_oid_sprint(const heim_oid *oid, char **str)
129 {
130 return der_print_heim_oid(oid, '.', str);
131 }
132
133 /**
134 * Print a oid using a hx509_vprint_func function. To print to stdout
135 * use hx509_print_stdout().
136 *
137 * @param oid oid to print
138 * @param func hx509_vprint_func to print with.
139 * @param ctx context variable to hx509_vprint_func function.
140 *
141 * @ingroup hx509_print
142 */
143
144 void
145 hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
146 {
147 char *str;
148 hx509_oid_sprint(oid, &str);
149 print_func(func, ctx, "%s", str);
150 free(str);
151 }
152
153 /**
154 * Print a bitstring using a hx509_vprint_func function. To print to
155 * stdout use hx509_print_stdout().
156 *
157 * @param b bit string to print.
158 * @param func hx509_vprint_func to print with.
159 * @param ctx context variable to hx509_vprint_func function.
160 *
161 * @ingroup hx509_print
162 */
163
164 void
165 hx509_bitstring_print(const heim_bit_string *b,
166 hx509_vprint_func func, void *ctx)
167 {
168 int i;
169 print_func(func, ctx, "\tlength: %d\n\t", b->length);
170 for (i = 0; i < (b->length + 7) / 8; i++)
171 print_func(func, ctx, "%02x%s%s",
172 ((unsigned char *)b->data)[i],
173 i < (b->length - 7) / 8
174 && (i == 0 || (i % 16) != 15) ? ":" : "",
175 i != 0 && (i % 16) == 15 ?
176 (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
177 }
178
179 /**
180 * Print certificate usage for a certificate to a string.
181 *
182 * @param context A hx509 context.
183 * @param c a certificate print the keyusage for.
184 * @param s the return string with the keysage printed in to, free
185 * with hx509_xfree().
186 *
187 * @return An hx509 error code, see hx509_get_error_string().
188 *
189 * @ingroup hx509_print
190 */
191
192 int
193 hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
194 {
195 KeyUsage ku;
196 char buf[256];
197 int ret;
198
199 *s = NULL;
200
201 ret = _hx509_cert_get_keyusage(context, c, &ku);
202 if (ret)
203 return ret;
204 unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
205 *s = strdup(buf);
206 if (*s == NULL) {
207 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
208 return ENOMEM;
209 }
210
211 return 0;
212 }
213
214 /*
215 *
216 */
217
218 static void
219 validate_vprint(void *c, const char *fmt, va_list va)
220 {
221 hx509_validate_ctx ctx = c;
222 if (ctx->vprint_func == NULL)
223 return;
224 (ctx->vprint_func)(ctx->ctx, fmt, va);
225 }
226
227 static void
228 validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
229 {
230 va_list va;
231 if ((ctx->flags & flags) == 0)
232 return;
233 va_start(va, fmt);
234 validate_vprint(ctx, fmt, va);
235 va_end(va);
236 }
237
238 /*
239 * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
240 * MUST NOT critical
241 */
242 enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
243
244 static int
245 check_Null(hx509_validate_ctx ctx,
246 struct cert_status *status,
247 enum critical_flag cf, const Extension *e)
248 {
249 switch(cf) {
250 case D_C:
251 break;
252 case S_C:
253 if (!e->critical)
254 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
255 "\tCritical not set on SHOULD\n");
256 break;
257 case S_N_C:
258 if (e->critical)
259 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
260 "\tCritical set on SHOULD NOT\n");
261 break;
262 case M_C:
263 if (!e->critical)
264 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
265 "\tCritical not set on MUST\n");
266 break;
267 case M_N_C:
268 if (e->critical)
269 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
270 "\tCritical set on MUST NOT\n");
271 break;
272 default:
273 _hx509_abort("internal check_Null state error");
274 }
275 return 0;
276 }
277
278 static int
279 check_subjectKeyIdentifier(hx509_validate_ctx ctx,
280 struct cert_status *status,
281 enum critical_flag cf,
282 const Extension *e)
283 {
284 SubjectKeyIdentifier si;
285 size_t size;
286 int ret;
287
288 status->haveSKI = 1;
289 check_Null(ctx, status, cf, e);
290
291 ret = decode_SubjectKeyIdentifier(e->extnValue.data,
292 e->extnValue.length,
293 &si, &size);
294 if (ret) {
295 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
296 "Decoding SubjectKeyIdentifier failed: %d", ret);
297 return 1;
298 }
299 if (size != e->extnValue.length) {
300 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
301 "Decoding SKI ahve extra bits on the end");
302 return 1;
303 }
304 if (si.length == 0)
305 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
306 "SKI is too short (0 bytes)");
307 if (si.length > 20)
308 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
309 "SKI is too long");
310
311 {
312 char *id;
313 hex_encode(si.data, si.length, &id);
314 if (id) {
315 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
316 "\tsubject key id: %s\n", id);
317 free(id);
318 }
319 }
320
321 free_SubjectKeyIdentifier(&si);
322
323 return 0;
324 }
325
326 static int
327 check_authorityKeyIdentifier(hx509_validate_ctx ctx,
328 struct cert_status *status,
329 enum critical_flag cf,
330 const Extension *e)
331 {
332 AuthorityKeyIdentifier ai;
333 size_t size;
334 int ret;
335
336 status->haveAKI = 1;
337 check_Null(ctx, status, cf, e);
338
339 status->haveSKI = 1;
340 check_Null(ctx, status, cf, e);
341
342 ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
343 e->extnValue.length,
344 &ai, &size);
345 if (ret) {
346 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
347 "Decoding AuthorityKeyIdentifier failed: %d", ret);
348 return 1;
349 }
350 if (size != e->extnValue.length) {
351 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
352 "Decoding SKI ahve extra bits on the end");
353 return 1;
354 }
355
356 if (ai.keyIdentifier) {
357 char *id;
358 hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
359 if (id) {
360 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
361 "\tauthority key id: %s\n", id);
362 free(id);
363 }
364 }
365
366 return 0;
367 }
368
369
370 static int
371 check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
372 {
373 KRB5PrincipalName kn;
374 unsigned i;
375 size_t size;
376 int ret;
377
378 ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
379 if (ret) {
380 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
381 "Decoding kerberos name in SAN failed: %d", ret);
382 return 1;
383 }
384
385 if (size != a->length) {
386 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
387 "Decoding kerberos name have extra bits on the end");
388 return 1;
389 }
390
391 /* print kerberos principal, add code to quote / within components */
392 for (i = 0; i < kn.principalName.name_string.len; i++) {
393 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
394 kn.principalName.name_string.val[i]);
395 if (i + 1 < kn.principalName.name_string.len)
396 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
397 }
398 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
399 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
400
401 free_KRB5PrincipalName(&kn);
402 return 0;
403 }
404
405 static int
406 check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
407 {
408 PKIXXmppAddr jid;
409 size_t size;
410 int ret;
411
412 ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
413 if (ret) {
414 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
415 "Decoding JID in SAN failed: %d", ret);
416 return 1;
417 }
418
419 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
420 free_PKIXXmppAddr(&jid);
421
422 return 0;
423 }
424
425 static int
426 check_altnull(hx509_validate_ctx ctx, heim_any *a)
427 {
428 return 0;
429 }
430
431 static int
432 check_CRLDistributionPoints(hx509_validate_ctx ctx,
433 struct cert_status *status,
434 enum critical_flag cf,
435 const Extension *e)
436 {
437 CRLDistributionPoints dp;
438 size_t size;
439 int ret, i;
440
441 check_Null(ctx, status, cf, e);
442
443 ret = decode_CRLDistributionPoints(e->extnValue.data,
444 e->extnValue.length,
445 &dp, &size);
446 if (ret) {
447 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
448 "Decoding CRL Distribution Points failed: %d\n", ret);
449 return 1;
450 }
451
452 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
453 for (i = 0 ; i < dp.len; i++) {
454 if (dp.val[i].distributionPoint) {
455 DistributionPointName dpname;
456 heim_any *data = dp.val[i].distributionPoint;
457 int j;
458
459 ret = decode_DistributionPointName(data->data, data->length,
460 &dpname, NULL);
461 if (ret) {
462 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
463 "Failed to parse CRL Distribution Point Name: %d\n", ret);
464 continue;
465 }
466
467 switch (dpname.element) {
468 case choice_DistributionPointName_fullName:
469 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
470
471 for (j = 0 ; j < dpname.u.fullName.len; j++) {
472 char *s;
473 GeneralName *name = &dpname.u.fullName.val[j];
474
475 ret = hx509_general_name_unparse(name, &s);
476 if (ret == 0 && s != NULL) {
477 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
478 free(s);
479 }
480 }
481 break;
482 case choice_DistributionPointName_nameRelativeToCRLIssuer:
483 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
484 "Unknown nameRelativeToCRLIssuer");
485 break;
486 default:
487 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
488 "Unknown DistributionPointName");
489 break;
490 }
491 free_DistributionPointName(&dpname);
492 }
493 }
494 free_CRLDistributionPoints(&dp);
495
496 status->haveCRLDP = 1;
497
498 return 0;
499 }
500
501
502 struct {
503 const char *name;
504 const heim_oid *(*oid)(void);
505 int (*func)(hx509_validate_ctx, heim_any *);
506 } check_altname[] = {
507 { "pk-init", oid_id_pkinit_san, check_pkinit_san },
508 { "jabber", oid_id_pkix_on_xmppAddr, check_utf8_string_san },
509 { "dns-srv", oid_id_pkix_on_dnsSRV, check_altnull },
510 { "card-id", oid_id_uspkicommon_card_id, check_altnull },
511 { "Microsoft NT-PRINCIPAL-NAME", oid_id_pkinit_ms_san, check_utf8_string_san }
512 };
513
514 static int
515 check_altName(hx509_validate_ctx ctx,
516 struct cert_status *status,
517 const char *name,
518 enum critical_flag cf,
519 const Extension *e)
520 {
521 GeneralNames gn;
522 size_t size;
523 int ret, i;
524
525 check_Null(ctx, status, cf, e);
526
527 if (e->extnValue.length == 0) {
528 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
529 "%sAltName empty, not allowed", name);
530 return 1;
531 }
532 ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
533 &gn, &size);
534 if (ret) {
535 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
536 "\tret = %d while decoding %s GeneralNames\n",
537 ret, name);
538 return 1;
539 }
540 if (gn.len == 0) {
541 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
542 "%sAltName generalName empty, not allowed\n", name);
543 return 1;
544 }
545
546 for (i = 0; i < gn.len; i++) {
547 switch (gn.val[i].element) {
548 case choice_GeneralName_otherName: {
549 unsigned j;
550
551 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
552 "%sAltName otherName ", name);
553
554 for (j = 0; j < sizeof(check_altname)/sizeof(check_altname[0]); j++) {
555 if (der_heim_oid_cmp((*check_altname[j].oid)(),
556 &gn.val[i].u.otherName.type_id) != 0)
557 continue;
558
559 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
560 check_altname[j].name);
561 (*check_altname[j].func)(ctx, &gn.val[i].u.otherName.value);
562 break;
563 }
564 if (j == sizeof(check_altname)/sizeof(check_altname[0])) {
565 hx509_oid_print(&gn.val[i].u.otherName.type_id,
566 validate_vprint, ctx);
567 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
568 }
569 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
570 break;
571 }
572 default: {
573 char *s;
574 ret = hx509_general_name_unparse(&gn.val[i], &s);
575 if (ret) {
576 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
577 "ret = %d unparsing GeneralName\n", ret);
578 return 1;
579 }
580 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
581 free(s);
582 break;
583 }
584 }
585 }
586
587 free_GeneralNames(&gn);
588
589 return 0;
590 }
591
592 static int
593 check_subjectAltName(hx509_validate_ctx ctx,
594 struct cert_status *status,
595 enum critical_flag cf,
596 const Extension *e)
597 {
598 status->haveSAN = 1;
599 return check_altName(ctx, status, "subject", cf, e);
600 }
601
602 static int
603 check_issuerAltName(hx509_validate_ctx ctx,
604 struct cert_status *status,
605 enum critical_flag cf,
606 const Extension *e)
607 {
608 status->haveIAN = 1;
609 return check_altName(ctx, status, "issuer", cf, e);
610 }
611
612
613 static int
614 check_basicConstraints(hx509_validate_ctx ctx,
615 struct cert_status *status,
616 enum critical_flag cf,
617 const Extension *e)
618 {
619 BasicConstraints b;
620 size_t size;
621 int ret;
622
623 check_Null(ctx, status, cf, e);
624
625 ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
626 &b, &size);
627 if (ret) {
628 printf("\tret = %d while decoding BasicConstraints\n", ret);
629 return 0;
630 }
631 if (size != e->extnValue.length)
632 printf("\tlength of der data isn't same as extension\n");
633
634 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
635 "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
636 if (b.pathLenConstraint)
637 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
638 "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
639
640 if (b.cA) {
641 if (*b.cA) {
642 if (!e->critical)
643 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
644 "Is a CA and not BasicConstraints CRITICAL\n");
645 status->isca = 1;
646 }
647 else
648 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
649 "cA is FALSE, not allowed to be\n");
650 }
651 free_BasicConstraints(&b);
652
653 return 0;
654 }
655
656 static int
657 check_proxyCertInfo(hx509_validate_ctx ctx,
658 struct cert_status *status,
659 enum critical_flag cf,
660 const Extension *e)
661 {
662 check_Null(ctx, status, cf, e);
663 status->isproxy = 1;
664 return 0;
665 }
666
667 static int
668 check_authorityInfoAccess(hx509_validate_ctx ctx,
669 struct cert_status *status,
670 enum critical_flag cf,
671 const Extension *e)
672 {
673 AuthorityInfoAccessSyntax aia;
674 size_t size;
675 int ret, i;
676
677 check_Null(ctx, status, cf, e);
678
679 ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
680 e->extnValue.length,
681 &aia, &size);
682 if (ret) {
683 printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
684 return 0;
685 }
686
687 for (i = 0; i < aia.len; i++) {
688 char *str;
689 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
690 "\ttype: ");
691 hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
692 hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
693 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
694 "\n\tdirname: %s\n", str);
695 free(str);
696 }
697 free_AuthorityInfoAccessSyntax(&aia);
698
699 return 0;
700 }
701
702 /*
703 *
704 */
705
706 struct {
707 const char *name;
708 const heim_oid *(*oid)(void);
709 int (*func)(hx509_validate_ctx ctx,
710 struct cert_status *status,
711 enum critical_flag cf,
712 const Extension *);
713 enum critical_flag cf;
714 } check_extension[] = {
715 #define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname
716 { ext(subjectDirectoryAttributes, Null), M_N_C },
717 { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
718 { ext(keyUsage, Null), S_C },
719 { ext(subjectAltName, subjectAltName), M_N_C },
720 { ext(issuerAltName, issuerAltName), S_N_C },
721 { ext(basicConstraints, basicConstraints), D_C },
722 { ext(cRLNumber, Null), M_N_C },
723 { ext(cRLReason, Null), M_N_C },
724 { ext(holdInstructionCode, Null), M_N_C },
725 { ext(invalidityDate, Null), M_N_C },
726 { ext(deltaCRLIndicator, Null), M_C },
727 { ext(issuingDistributionPoint, Null), M_C },
728 { ext(certificateIssuer, Null), M_C },
729 { ext(nameConstraints, Null), M_C },
730 { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
731 { ext(certificatePolicies, Null) },
732 { ext(policyMappings, Null), M_N_C },
733 { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
734 { ext(policyConstraints, Null), D_C },
735 { ext(extKeyUsage, Null), D_C },
736 { ext(freshestCRL, Null), M_N_C },
737 { ext(inhibitAnyPolicy, Null), M_C },
738 #undef ext
739 #define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname
740 { ext(proxyCertInfo, proxyCertInfo), M_C },
741 { ext(authorityInfoAccess, authorityInfoAccess), M_C },
742 #undef ext
743 { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim,
744 check_Null, D_C },
745 { "Netscape cert comment", oid_id_netscape_cert_comment,
746 check_Null, D_C },
747 { NULL }
748 };
749
750 /**
751 * Allocate a hx509 validation/printing context.
752 *
753 * @param context A hx509 context.
754 * @param ctx a new allocated hx509 validation context, free with
755 * hx509_validate_ctx_free().
756
757 * @return An hx509 error code, see hx509_get_error_string().
758 *
759 * @ingroup hx509_print
760 */
761
762 int
763 hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
764 {
765 *ctx = malloc(sizeof(**ctx));
766 if (*ctx == NULL)
767 return ENOMEM;
768 memset(*ctx, 0, sizeof(**ctx));
769 return 0;
770 }
771
772 /**
773 * Set the printing functions for the validation context.
774 *
775 * @param ctx a hx509 valication context.
776 * @param func the printing function to usea.
777 * @param c the context variable to the printing function.
778 *
779 * @return An hx509 error code, see hx509_get_error_string().
780 *
781 * @ingroup hx509_print
782 */
783
784 void
785 hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
786 hx509_vprint_func func,
787 void *c)
788 {
789 ctx->vprint_func = func;
790 ctx->ctx = c;
791 }
792
793 /**
794 * Add flags to control the behaivor of the hx509_validate_cert()
795 * function.
796 *
797 * @param ctx A hx509 validation context.
798 * @param flags flags to add to the validation context.
799 *
800 * @return An hx509 error code, see hx509_get_error_string().
801 *
802 * @ingroup hx509_print
803 */
804
805 void
806 hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
807 {
808 ctx->flags |= flags;
809 }
810
811 /**
812 * Free an hx509 validate context.
813 *
814 * @param ctx the hx509 validate context to free.
815 *
816 * @ingroup hx509_print
817 */
818
819 void
820 hx509_validate_ctx_free(hx509_validate_ctx ctx)
821 {
822 free(ctx);
823 }
824
825 /**
826 * Validate/Print the status of the certificate.
827 *
828 * @param context A hx509 context.
829 * @param ctx A hx509 validation context.
830 * @param cert the cerificate to validate/print.
831
832 * @return An hx509 error code, see hx509_get_error_string().
833 *
834 * @ingroup hx509_print
835 */
836
837 int
838 hx509_validate_cert(hx509_context context,
839 hx509_validate_ctx ctx,
840 hx509_cert cert)
841 {
842 Certificate *c = _hx509_get_cert(cert);
843 TBSCertificate *t = &c->tbsCertificate;
844 hx509_name issuer, subject;
845 char *str;
846 struct cert_status status;
847 int ret;
848
849 memset(&status, 0, sizeof(status));
850
851 if (_hx509_cert_get_version(c) != 3)
852 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
853 "Not version 3 certificate\n");
854
855 if ((t->version == NULL || *t->version < 2) && t->extensions)
856 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
857 "Not version 3 certificate with extensions\n");
858
859 if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
860 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
861 "Version 3 certificate without extensions\n");
862
863 ret = hx509_cert_get_subject(cert, &subject);
864 if (ret) abort();
865 hx509_name_to_string(subject, &str);
866 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
867 "subject name: %s\n", str);
868 free(str);
869
870 ret = hx509_cert_get_issuer(cert, &issuer);
871 if (ret) abort();
872 hx509_name_to_string(issuer, &str);
873 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
874 "issuer name: %s\n", str);
875 free(str);
876
877 if (hx509_name_cmp(subject, issuer) == 0) {
878 status.selfsigned = 1;
879 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
880 "\tis a self-signed certificate\n");
881 }
882
883 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
884 "Validity:\n");
885
886 Time2string(&t->validity.notBefore, &str);
887 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
888 free(str);
889 Time2string(&t->validity.notAfter, &str);
890 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str);
891 free(str);
892
893 if (t->extensions) {
894 int i, j;
895
896 if (t->extensions->len == 0) {
897 validate_print(ctx,
898 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
899 "The empty extensions list is not "
900 "allowed by PKIX\n");
901 }
902
903 for (i = 0; i < t->extensions->len; i++) {
904
905 for (j = 0; check_extension[j].name; j++)
906 if (der_heim_oid_cmp((*check_extension[j].oid)(),
907 &t->extensions->val[i].extnID) == 0)
908 break;
909 if (check_extension[j].name == NULL) {
910 int flags = HX509_VALIDATE_F_VERBOSE;
911 if (t->extensions->val[i].critical)
912 flags |= HX509_VALIDATE_F_VALIDATE;
913 validate_print(ctx, flags, "don't know what ");
914 if (t->extensions->val[i].critical)
915 validate_print(ctx, flags, "and is CRITICAL ");
916 if (ctx->flags & flags)
917 hx509_oid_print(&t->extensions->val[i].extnID,
918 validate_vprint, ctx);
919 validate_print(ctx, flags, " is\n");
920 continue;
921 }
922 validate_print(ctx,
923 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
924 "checking extention: %s\n",
925 check_extension[j].name);
926 (*check_extension[j].func)(ctx,
927 &status,
928 check_extension[j].cf,
929 &t->extensions->val[i]);
930 }
931 } else
932 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
933
934 if (status.isca) {
935 if (!status.haveSKI)
936 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
937 "CA certificate have no SubjectKeyIdentifier\n");
938
939 } else {
940 if (!status.haveAKI)
941 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
942 "Is not CA and doesn't have "
943 "AuthorityKeyIdentifier\n");
944 }
945
946
947 if (!status.haveSKI)
948 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
949 "Doesn't have SubjectKeyIdentifier\n");
950
951 if (status.isproxy && status.isca)
952 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
953 "Proxy and CA at the same time!\n");
954
955 if (status.isproxy) {
956 if (status.haveSAN)
957 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
958 "Proxy and have SAN\n");
959 if (status.haveIAN)
960 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
961 "Proxy and have IAN\n");
962 }
963
964 if (hx509_name_is_null_p(subject) && !status.haveSAN)
965 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
966 "NULL subject DN and doesn't have a SAN\n");
967
968 if (!status.selfsigned && !status.haveCRLDP)
969 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
970 "Not a CA nor PROXY and doesn't have"
971 "CRL Dist Point\n");
972
973 if (status.selfsigned) {
974 ret = _hx509_verify_signature_bitstring(context,
975 c,
976 &c->signatureAlgorithm,
977 &c->tbsCertificate._save,
978 &c->signatureValue);
979 if (ret == 0)
980 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
981 "Self-signed certificate was self-signed\n");
982 else
983 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
984 "Self-signed certificate NOT really self-signed!\n");
985 }
986
987 hx509_name_free(&subject);
988 hx509_name_free(&issuer);
989
990 return 0;
991 }
NetBSD on the FriendlyARM MINI2440