kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5043 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 441efad4d7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '441efad4d7'
${ noResults }
boringssl/crypto/x509/t_x509.c

548 lines
17 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <ctype.h>

  58. #include <openssl/asn1.h>

  59. #include <openssl/bio.h>

  60. #include <openssl/digest.h>

  61. #include <openssl/err.h>

  62. #include <openssl/evp.h>

  63. #include <openssl/mem.h>

  64. #include <openssl/obj.h>

  65. #include <openssl/x509.h>

  66. #include <openssl/x509v3.h>

  67. 

  68. #include "internal.h"

  69. 

  70. 

  71. #ifndef OPENSSL_NO_FP_API

  72. int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,

  73.                      unsigned long cflag)

  74. {

  75.     BIO *b;

  76.     int ret;

  77. 

  78.     if ((b = BIO_new(BIO_s_file())) == NULL) {

  79.         OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);

  80.         return (0);

  81.     }

  82.     BIO_set_fp(b, fp, BIO_NOCLOSE);

  83.     ret = X509_print_ex(b, x, nmflag, cflag);

  84.     BIO_free(b);

  85.     return (ret);

  86. }

  87. 

  88. int X509_print_fp(FILE *fp, X509 *x)

  89. {

  90.     return X509_print_ex_fp(fp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);

  91. }

  92. #endif

  93. 

  94. int X509_print(BIO *bp, X509 *x)

  95. {

  96.     return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);

  97. }

  98. 

  99. int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,

  100.                   unsigned long cflag)

  101. {

  102.     long l;

  103.     int ret = 0, i;

  104.     char *m = NULL, mlch = ' ';

  105.     int nmindent = 0;

  106.     X509_CINF *ci;

  107.     ASN1_INTEGER *bs;

  108.     EVP_PKEY *pkey = NULL;

  109.     const char *neg;

  110. 

  111.     if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {

  112.         mlch = '\n';

  113.         nmindent = 12;

  114.     }

  115. 

  116.     if (nmflags == X509_FLAG_COMPAT)

  117.         nmindent = 16;

  118. 

  119.     ci = x->cert_info;

  120.     if (!(cflag & X509_FLAG_NO_HEADER)) {

  121.         if (BIO_write(bp, "Certificate:\n", 13) <= 0)

  122.             goto err;

  123.         if (BIO_write(bp, "    Data:\n", 10) <= 0)

  124.             goto err;

  125.     }

  126.     if (!(cflag & X509_FLAG_NO_VERSION)) {

  127.         l = X509_get_version(x);

  128.         if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n", "", l + 1, l) <= 0)

  129.             goto err;

  130.     }

  131.     if (!(cflag & X509_FLAG_NO_SERIAL)) {

  132. 

  133.         if (BIO_write(bp, "        Serial Number:", 22) <= 0)

  134.             goto err;

  135. 

  136.         bs = X509_get_serialNumber(x);

  137.         if (bs->length < (int)sizeof(long)

  138.             || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) {

  139.             l = ASN1_INTEGER_get(bs);

  140.             if (bs->type == V_ASN1_NEG_INTEGER) {

  141.                 l = -l;

  142.                 neg = "-";

  143.             } else

  144.                 neg = "";

  145.             if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", neg, l, neg, l) <= 0)

  146.                 goto err;

  147.         } else {

  148.             neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";

  149.             if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0)

  150.                 goto err;

  151. 

  152.             for (i = 0; i < bs->length; i++) {

  153.                 if (BIO_printf(bp, "%02x%c", bs->data[i],

  154.                                ((i + 1 == bs->length) ? '\n' : ':')) <= 0)

  155.                     goto err;

  156.             }

  157.         }

  158. 

  159.     }

  160. 

  161.     if (!(cflag & X509_FLAG_NO_SIGNAME)) {

  162.         if (X509_signature_print(bp, ci->signature, NULL) <= 0)

  163.             goto err;

  164.     }

  165. 

  166.     if (!(cflag & X509_FLAG_NO_ISSUER)) {

  167.         if (BIO_printf(bp, "        Issuer:%c", mlch) <= 0)

  168.             goto err;

  169.         if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags)

  170.             < 0)

  171.             goto err;

  172.         if (BIO_write(bp, "\n", 1) <= 0)

  173.             goto err;

  174.     }

  175.     if (!(cflag & X509_FLAG_NO_VALIDITY)) {

  176.         if (BIO_write(bp, "        Validity\n", 17) <= 0)

  177.             goto err;

  178.         if (BIO_write(bp, "            Not Before: ", 24) <= 0)

  179.             goto err;

  180.         if (!ASN1_TIME_print(bp, X509_get_notBefore(x)))

  181.             goto err;

  182.         if (BIO_write(bp, "\n            Not After : ", 25) <= 0)

  183.             goto err;

  184.         if (!ASN1_TIME_print(bp, X509_get_notAfter(x)))

  185.             goto err;

  186.         if (BIO_write(bp, "\n", 1) <= 0)

  187.             goto err;

  188.     }

  189.     if (!(cflag & X509_FLAG_NO_SUBJECT)) {

  190.         if (BIO_printf(bp, "        Subject:%c", mlch) <= 0)

  191.             goto err;

  192.         if (X509_NAME_print_ex

  193.             (bp, X509_get_subject_name(x), nmindent, nmflags) < 0)

  194.             goto err;

  195.         if (BIO_write(bp, "\n", 1) <= 0)

  196.             goto err;

  197.     }

  198.     if (!(cflag & X509_FLAG_NO_PUBKEY)) {

  199.         if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)

  200.             goto err;

  201.         if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)

  202.             goto err;

  203.         if (i2a_ASN1_OBJECT(bp, ci->key->algor->algorithm) <= 0)

  204.             goto err;

  205.         if (BIO_puts(bp, "\n") <= 0)

  206.             goto err;

  207. 

  208.         pkey = X509_get_pubkey(x);

  209.         if (pkey == NULL) {

  210.             BIO_printf(bp, "%12sUnable to load Public Key\n", "");

  211.             ERR_print_errors(bp);

  212.         } else {

  213.             EVP_PKEY_print_public(bp, pkey, 16, NULL);

  214.             EVP_PKEY_free(pkey);

  215.         }

  216.     }

  217. 

  218.     if (!(cflag & X509_FLAG_NO_IDS)) {

  219.         if (ci->issuerUID) {

  220.             if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0)

  221.                 goto err;

  222.             if (!X509_signature_dump(bp, ci->issuerUID, 12))

  223.                 goto err;

  224.         }

  225.         if (ci->subjectUID) {

  226.             if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0)

  227.                 goto err;

  228.             if (!X509_signature_dump(bp, ci->subjectUID, 12))

  229.                 goto err;

  230.         }

  231.     }

  232. 

  233.     if (!(cflag & X509_FLAG_NO_EXTENSIONS))

  234.         X509V3_extensions_print(bp, "X509v3 extensions",

  235.                                 ci->extensions, cflag, 8);

  236. 

  237.     if (!(cflag & X509_FLAG_NO_SIGDUMP)) {

  238.         if (X509_signature_print(bp, x->sig_alg, x->signature) <= 0)

  239.             goto err;

  240.     }

  241.     if (!(cflag & X509_FLAG_NO_AUX)) {

  242.         if (!X509_CERT_AUX_print(bp, x->aux, 0))

  243.             goto err;

  244.     }

  245.     ret = 1;

  246.  err:

  247.     if (m != NULL)

  248.         OPENSSL_free(m);

  249.     return (ret);

  250. }

  251. 

  252. int X509_ocspid_print(BIO *bp, X509 *x)

  253. {

  254.     unsigned char *der = NULL;

  255.     unsigned char *dertmp;

  256.     int derlen;

  257.     int i;

  258.     unsigned char SHA1md[SHA_DIGEST_LENGTH];

  259. 

  260.     /*

  261.      * display the hash of the subject as it would appear in OCSP requests

  262.      */

  263.     if (BIO_printf(bp, "        Subject OCSP hash: ") <= 0)

  264.         goto err;

  265.     derlen = i2d_X509_NAME(x->cert_info->subject, NULL);

  266.     if ((der = dertmp = (unsigned char *)OPENSSL_malloc(derlen)) == NULL)

  267.         goto err;

  268.     i2d_X509_NAME(x->cert_info->subject, &dertmp);

  269. 

  270.     if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL))

  271.         goto err;

  272.     for (i = 0; i < SHA_DIGEST_LENGTH; i++) {

  273.         if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)

  274.             goto err;

  275.     }

  276.     OPENSSL_free(der);

  277.     der = NULL;

  278. 

  279.     /*

  280.      * display the hash of the public key as it would appear in OCSP requests

  281.      */

  282.     if (BIO_printf(bp, "\n        Public key OCSP hash: ") <= 0)

  283.         goto err;

  284. 

  285.     if (!EVP_Digest(x->cert_info->key->public_key->data,

  286.                     x->cert_info->key->public_key->length,

  287.                     SHA1md, NULL, EVP_sha1(), NULL))

  288.         goto err;

  289.     for (i = 0; i < SHA_DIGEST_LENGTH; i++) {

  290.         if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)

  291.             goto err;

  292.     }

  293.     BIO_printf(bp, "\n");

  294. 

  295.     return (1);

  296.  err:

  297.     if (der != NULL)

  298.         OPENSSL_free(der);

  299.     return (0);

  300. }

  301. 

  302. int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,

  303.                          const ASN1_STRING *sig)

  304. {

  305.     if (BIO_puts(bp, "    Signature Algorithm: ") <= 0)

  306.         return 0;

  307.     if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0)

  308.         return 0;

  309. 

  310.     /* RSA-PSS signatures have parameters to print. */

  311.     int sig_nid = OBJ_obj2nid(sigalg->algorithm);

  312.     if (sig_nid == NID_rsassaPss &&

  313.         !x509_print_rsa_pss_params(bp, sigalg, 9, 0)) {

  314.         return 0;

  315.     }

  316. 

  317.     if (sig)

  318.         return X509_signature_dump(bp, sig, 9);

  319.     else if (BIO_puts(bp, "\n") <= 0)

  320.         return 0;

  321.     return 1;

  322. }

  323. 

  324. int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v)

  325. {

  326.     int i, n;

  327.     char buf[80];

  328.     const char *p;

  329. 

  330.     if (v == NULL)

  331.         return (0);

  332.     n = 0;

  333.     p = (const char *)v->data;

  334.     for (i = 0; i < v->length; i++) {

  335.         if ((p[i] > '~') || ((p[i] < ' ') &&

  336.                              (p[i] != '\n') && (p[i] != '\r')))

  337.             buf[n] = '.';

  338.         else

  339.             buf[n] = p[i];

  340.         n++;

  341.         if (n >= 80) {

  342.             if (BIO_write(bp, buf, n) <= 0)

  343.                 return (0);

  344.             n = 0;

  345.         }

  346.     }

  347.     if (n > 0)

  348.         if (BIO_write(bp, buf, n) <= 0)

  349.             return (0);

  350.     return (1);

  351. }

  352. 

  353. int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)

  354. {

  355.     if (tm->type == V_ASN1_UTCTIME)

  356.         return ASN1_UTCTIME_print(bp, tm);

  357.     if (tm->type == V_ASN1_GENERALIZEDTIME)

  358.         return ASN1_GENERALIZEDTIME_print(bp, tm);

  359.     BIO_write(bp, "Bad time value", 14);

  360.     return (0);

  361. }

  362. 

  363. static const char *const mon[12] = {

  364.     "Jan", "Feb", "Mar", "Apr", "May", "Jun",

  365.     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"

  366. };

  367. 

  368. int ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)

  369. {

  370.     char *v;

  371.     int gmt = 0;

  372.     int i;

  373.     int y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;

  374.     char *f = NULL;

  375.     int f_len = 0;

  376. 

  377.     i = tm->length;

  378.     v = (char *)tm->data;

  379. 

  380.     if (i < 12)

  381.         goto err;

  382.     if (v[i - 1] == 'Z')

  383.         gmt = 1;

  384.     for (i = 0; i < 12; i++)

  385.         if ((v[i] > '9') || (v[i] < '0'))

  386.             goto err;

  387.     y = (v[0] - '0') * 1000 + (v[1] - '0') * 100 + (v[2] - '0') * 10 + (v[3] -

  388.                                                                         '0');

  389.     M = (v[4] - '0') * 10 + (v[5] - '0');

  390.     if ((M > 12) || (M < 1))

  391.         goto err;

  392.     d = (v[6] - '0') * 10 + (v[7] - '0');

  393.     h = (v[8] - '0') * 10 + (v[9] - '0');

  394.     m = (v[10] - '0') * 10 + (v[11] - '0');

  395.     if (tm->length >= 14 &&

  396.         (v[12] >= '0') && (v[12] <= '9') &&

  397.         (v[13] >= '0') && (v[13] <= '9')) {

  398.         s = (v[12] - '0') * 10 + (v[13] - '0');

  399.         /* Check for fractions of seconds. */

  400.         if (tm->length >= 15 && v[14] == '.') {

  401.             int l = tm->length;

  402.             f = &v[14];         /* The decimal point. */

  403.             f_len = 1;

  404.             while (14 + f_len < l && f[f_len] >= '0' && f[f_len] <= '9')

  405.                 ++f_len;

  406.         }

  407.     }

  408. 

  409.     if (BIO_printf(bp, "%s %2d %02d:%02d:%02d%.*s %d%s",

  410.                    mon[M - 1], d, h, m, s, f_len, f, y,

  411.                    (gmt) ? " GMT" : "") <= 0)

  412.         return (0);

  413.     else

  414.         return (1);

  415.  err:

  416.     BIO_write(bp, "Bad time value", 14);

  417.     return (0);

  418. }

  419. 

  420. // consume_two_digits is a helper function for ASN1_UTCTIME_print. If |*v|,

  421. // assumed to be |*len| bytes long, has two leading digits, updates |*out| with

  422. // their value, updates |v| and |len|, and returns one. Otherwise, returns

  423. // zero.

  424. static int consume_two_digits(int* out, const char **v, int *len) {

  425.   if (*len < 2|| !isdigit((*v)[0]) || !isdigit((*v)[1])) {

  426.     return 0;

  427.   }

  428.   *out = ((*v)[0] - '0') * 10 + ((*v)[1] - '0');

  429.   *len -= 2;

  430.   *v += 2;

  431.   return 1;

  432. }

  433. 

  434. // consume_zulu_timezone is a helper function for ASN1_UTCTIME_print. If |*v|,

  435. // assumed to be |*len| bytes long, starts with "Z" then it updates |*v| and

  436. // |*len| and returns one. Otherwise returns zero.

  437. static int consume_zulu_timezone(const char **v, int *len) {

  438.   if (*len == 0 || (*v)[0] != 'Z') {

  439.     return 0;

  440.   }

  441. 

  442.   *len -= 1;

  443.   *v += 1;

  444.   return 1;

  445. }

  446. 

  447. int ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm) {

  448.   const char *v = (const char *)tm->data;

  449.   int len = tm->length;

  450.   int Y = 0, M = 0, D = 0, h = 0, m = 0, s = 0;

  451. 

  452.   // YYMMDDhhmm are required to be present.

  453.   if (!consume_two_digits(&Y, &v, &len) ||

  454.       !consume_two_digits(&M, &v, &len) ||

  455.       !consume_two_digits(&D, &v, &len) ||

  456.       !consume_two_digits(&h, &v, &len) ||

  457.       !consume_two_digits(&m, &v, &len)) {

  458.     goto err;

  459.   }

  460.   // https://tools.ietf.org/html/rfc5280, section 4.1.2.5.1, requires seconds

  461.   // to be present, but historically this code has forgiven its absence.

  462.   consume_two_digits(&s, &v, &len);

  463. 

  464.   // https://tools.ietf.org/html/rfc5280, section 4.1.2.5.1, specifies this

  465.   // interpretation of the year.

  466.   if (Y < 50) {

  467.     Y += 2000;

  468.   } else {

  469.     Y += 1900;

  470.   }

  471.   if (M > 12 || M == 0) {

  472.     goto err;

  473.   }

  474.   if (D > 31 || D == 0) {

  475.     goto err;

  476.   }

  477.   if (h > 23 || m > 59 || s > 60) {

  478.     goto err;

  479.   }

  480. 

  481.   // https://tools.ietf.org/html/rfc5280, section 4.1.2.5.1, requires the "Z"

  482.   // to be present, but historically this code has forgiven its absence.

  483.   const int is_gmt = consume_zulu_timezone(&v, &len);

  484. 

  485.   // https://tools.ietf.org/html/rfc5280, section 4.1.2.5.1, does not permit

  486.   // the specification of timezones using the +hhmm / -hhmm syntax, which is

  487.   // the only other thing that might legitimately be found at the end.

  488.   if (len) {

  489.     goto err;

  490.   }

  491. 

  492.   return BIO_printf(bp, "%s %2d %02d:%02d:%02d %d%s", mon[M - 1], D, h, m, s, Y,

  493.                     is_gmt ? " GMT" : "") > 0;

  494. 

  495. err:

  496.   BIO_write(bp, "Bad time value", 14);

  497.   return 0;

  498. }

  499. 

  500. int X509_NAME_print(BIO *bp, X509_NAME *name, int obase)

  501. {

  502.     char *s, *c, *b;

  503.     int ret = 0, l, i;

  504. 

  505.     l = 80 - 2 - obase;

  506. 

  507.     b = X509_NAME_oneline(name, NULL, 0);

  508.     if (!b)

  509.         return 0;

  510.     if (!*b) {

  511.         OPENSSL_free(b);

  512.         return 1;

  513.     }

  514.     s = b + 1;                  /* skip the first slash */

  515. 

  516.     c = s;

  517.     for (;;) {

  518.         if (((*s == '/') &&

  519.              ((s[1] >= 'A') && (s[1] <= 'Z') && ((s[2] == '=') ||

  520.                                                  ((s[2] >= 'A')

  521.                                                   && (s[2] <= 'Z')

  522.                                                   && (s[3] == '='))

  523.               ))) || (*s == '\0')) {

  524.             i = s - c;

  525.             if (BIO_write(bp, c, i) != i)

  526.                 goto err;

  527.             c = s + 1;          /* skip following slash */

  528.             if (*s != '\0') {

  529.                 if (BIO_write(bp, ", ", 2) != 2)

  530.                     goto err;

  531.             }

  532.             l--;

  533.         }

  534.         if (*s == '\0')

  535.             break;

  536.         s++;

  537.         l--;

  538.     }

  539. 

  540.     ret = 1;

  541.     if (0) {

  542.  err:

  543.         OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);

  544.     }

  545.     OPENSSL_free(b);

  546.     return (ret);

  547. }