36 #if defined(ENABLE_CRYPTO_OPENSSL)
46 #include <openssl/bn.h>
47 #include <openssl/err.h>
48 #include <openssl/x509v3.h>
/* Fragments of an OpenSSL certificate-verification callback. The listing
 * omits the lines in between, so only the visible statements are described. */
/* The SSL object is looked up in the store context's ex_data slot. */
59 ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
64 X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
/* A failed OpenSSL pre-verification enters this branch only when
 * verify_hash_no_ca is unset.
 * NOTE(review): with verify_hash_no_ca set, chain-validation failures skip
 * this branch, so peer authentication presumably rests on a fingerprint
 * check made elsewhere - confirm that check is mandatory in that mode. */
69 if (!preverify_ok && !
session->opt->verify_hash_no_ca)
/* Placeholder text for the log message; the condition that selects it is
 * not visible here. */
77 subject =
"(Failed to retrieve certificate subject)";
/* A CRL that could not be obtained is tested for separately from other
 * verification errors. */
81 if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
84 X509_STORE_CTX_get_error_depth(ctx),
85 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
93 X509_STORE_CTX_get_error_depth(ctx),
94 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
/* serial may be NULL; a fixed string is substituted so NULL is never
 * passed as a format argument. */
95 subject, serial ? serial :
"<not available>");
116 #ifdef ENABLE_X509ALTUSERNAME
/* Allow-list check: returns true only when fieldname resolves to the
 * subjectAltName or issuerAltName NID. An unrecognised name yields
 * NID_undef from OBJ_txt2nid, which matches neither and is rejected. */
118 x509_username_field_ext_supported(
const char *fieldname)
120 int nid = OBJ_txt2nid(fieldname);
121 return nid == NID_subject_alt_name || nid == NID_issuer_alt_name;
/* Reads a value out of the certificate extension named by fieldname.
 * out and size are presumably the destination buffer and its capacity;
 * the copy into out is not visible in this listing - confirm it is bounded
 * by size. */
126 extract_x509_extension(X509 *cert,
char *fieldname,
char *out,
int size)
/* Anything outside the supported extension list is refused with an error. */
131 if (!x509_username_field_ext_supported(fieldname))
134 "ERROR: --x509-username-field 'ext:%s' not supported", fieldname);
138 int nid = OBJ_txt2nid(fieldname);
/* X509_get_ext_d2i returns a decoded copy owned by this code (released by
 * GENERAL_NAMES_free below) or NULL when the extension is absent.
 * NOTE(review): the NULL check is not visible here - confirm. */
139 GENERAL_NAMES *extensions = X509_get_ext_d2i(cert, nid, NULL, NULL);
149 numalts = sk_GENERAL_NAME_num(extensions);
152 for (i = 0; i<numalts; i++)
155 const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i );
/* NOTE(review): d.ia5 is only valid for the IA5String-typed name kinds;
 * the test on name->type that should precede this read is not visible. */
/* ASN1_STRING_to_UTF8 allocates buf; a negative return means the
 * conversion failed. */
160 if (ASN1_STRING_to_UTF8((
unsigned char **)&buf, name->d.ia5) < 0)
/* A C-string length that differs from the ASN.1 length means the name
 * holds an embedded NUL (or bytes that changed size in conversion).
 * Using such a value as a C string would silently truncate the identity,
 * so the mismatch is detected here; the action taken is not visible. */
164 if (strlen(buf) != name->d.ia5->length)
179 __func__, name->type);
183 GENERAL_NAMES_free(extensions);
/* Fragments of a lookup of one named field inside an X509_NAME. */
207 X509_NAME_ENTRY *x509ne = NULL;
208 ASN1_STRING *asn1 = NULL;
209 unsigned char *buf = NULL;
/* no_name == 0: field_name may be a short/long name or a dotted OID.
 * The returned object is allocated and is released by ASN1_OBJECT_free
 * below. */
210 ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);
212 if (field_name_obj == NULL)
/* The search resumes after lastpos; presumably this sits in a loop that
 * walks every matching entry - the loop itself is not visible. */
223 tmp = X509_NAME_get_index_by_OBJ(x509, field_name_obj, lastpos);
226 ASN1_OBJECT_free(field_name_obj);
234 x509ne = X509_NAME_get_entry(x509, lastpos);
240 asn1 = X509_NAME_ENTRY_get_data(x509ne);
/* On success buf is allocated by OpenSSL and must be released with
 * OPENSSL_free; the release is not visible in this listing. */
245 if (ASN1_STRING_to_UTF8(&buf, asn1) < 0)
/* Tail of a signature and fragments of its body: the username source is
 * chosen from x509_username_field in three ways visible below. */
261 char *x509_username_field, X509 *peer_cert)
263 #ifdef ENABLE_X509ALTUSERNAME
/* 1. An "ext:" prefix selects a certificate extension; the text after the
 *    four-character prefix is handed on as the extension name. */
264 if (strncmp(
"ext:", x509_username_field, 4) == 0)
266 if (!extract_x509_extension(peer_cert, x509_username_field+4, common_name, cn_len))
/* 2. The serialNumber long name selects the certificate serial. */
271 else if (strcmp(LN_serialNumber, x509_username_field) == 0)
273 ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
/* Requires room for "0x", the serial text and the terminating NUL, so the
 * snprintf below cannot truncate the identity it writes. */
278 if (!serial || cn_len <= strlen(serial)+2)
283 snprintf(common_name, cn_len,
"0x%s", serial);
/* 3. Otherwise a generic field lookup fills common_name (callee not
 *    visible on this line). */
289 x509_username_field, common_name, cn_len))
/* Fragments that render the certificate serial number as text. */
300 ASN1_INTEGER *asn1_i;
302 char *openssl_serial, *serial;
304 asn1_i = X509_get_serialNumber(cert);
/* Both calls allocate and can return NULL.
 * NOTE(review): no NULL test and no BN_free is visible in this listing -
 * confirm against the full function. */
305 bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
306 openssl_serial = BN_bn2dec(bignum);
/* The OpenSSL-allocated string is released here; presumably it was copied
 * into serial first. */
311 OPENSSL_free(openssl_serial);
/* Start of a separate fragment that also reads the serial number. */
319 const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
/* Writes the certificate to filename in PEM form. "w" truncates an
 * existing file.
 * NOTE(review): the NULL test on out and the matching BIO_free are not
 * visible here; where filename comes from is not shown either - confirm it
 * is not peer-influenced. */
327 BIO *out = BIO_new_file(filename,
"w");
/* PEM_write_bio_X509 returns 0 on failure. */
333 if (!PEM_write_bio_X509(out, cert))
/* Certificate fingerprints: a SHA-1 digest, then a SHA-256 digest, each
 * written into the data area of a buffer named hash.
 * NOTE(review): X509_digest's return value is discarded on both visible
 * calls; on failure the buffer contents are not a valid digest. Where the
 * result pins a peer, the failure should be treated as "no match". */
350 const EVP_MD *sha1 = EVP_sha1();
/* The call re-invokes EVP_sha1() instead of using the local above. */
352 X509_digest(cert, EVP_sha1(),
BPTR(&
hash), NULL);
360 const EVP_MD *sha256 = EVP_sha256();
362 X509_digest(cert, EVP_sha256(),
BPTR(&
hash), NULL);
/* Builds a printable one-line subject string by way of a memory BIO. */
370 BIO *subject_bio = NULL;
371 BUF_MEM *subject_mem;
372 char *subject = NULL;
374 subject_bio = BIO_new(BIO_s_mem());
375 if (subject_bio == NULL)
/* ASN1_STRFLGS_ESC_CTRL escapes control characters, so certificate-supplied
 * text cannot inject line breaks into whatever logs or parses the result;
 * ASN1_STRFLGS_UTF8_CONVERT normalises the string types to UTF-8. */
380 X509_NAME_print_ex(subject_bio, X509_get_subject_name(cert),
381 0, XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN
382 |ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_ESC_CTRL);
/* An empty BIO means nothing was printed. */
384 if (BIO_eof(subject_bio))
389 BIO_get_mem_ptr(subject_bio, &subject_mem);
/* BIO memory is not NUL-terminated: allocate length + 1, copy exactly
 * length bytes and terminate explicitly. */
391 subject =
gc_malloc(subject_mem->length + 1,
false,
gc);
393 memcpy(subject, subject_mem->data, subject_mem->length);
394 subject[subject_mem->length] =
'\0';
/* Releases the BIO; subject was copied into gc-allocated memory above. */
397 BIO_free(subject_bio);
/* An attribute name that did not resolve to a known NID is reported at
 * the caller-chosen message level; how xt->nid was set is not visible. */
435 if (xt->
nid != NID_undef)
442 msg(msglevel,
"x509_track: no such attribute '%s'",
name);
/* Builds the environment-variable name "X509_<depth>_<name>". */
451 size_t name_expand_size;
/* 64 bytes of slack cover the fixed "X509_" and "_" text, the decimal
 * depth and the terminating NUL. */
455 name_expand_size = 64 + strlen(
name);
/* NOTE(review): the check of malloc's result and the matching free are
 * not visible in this listing - confirm. */
456 name_expand = (
char *) malloc(name_expand_size);
458 snprintf(name_expand, name_expand_size,
"X509_%d_%s", depth,
name);
/* Fragments that export selected ("tracked") certificate attributes. */
467 X509_NAME *x509_name = X509_get_subject_name(x509);
/* Written to the memory BIO further down to terminate its contents. */
468 const char nullc =
'\0';
/* NID_sha1 is tested on its own before the subject lookup - presumably it
 * stands for the certificate fingerprint rather than a name field. */
482 if (xt->
nid == NID_sha1)
/* First try the attribute as a subject-name entry; -1 starts the search
 * at the beginning. The "not found" test is not visible here. */
499 int i = X509_NAME_get_index_by_NID(x509_name, xt->
nid, -1);
502 X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i);
505 ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);
506 unsigned char *buf = NULL;
/* buf is OpenSSL-allocated on success; its release is not visible. */
507 if (ASN1_STRING_to_UTF8(&buf, val) >= 0)
/* Then try the same NID as an X.509v3 extension. */
516 i = X509_get_ext_by_NID(x509, xt->
nid, -1);
519 X509_EXTENSION *ext = X509_get_ext(x509, i);
/* NOTE(review): the NULL test on bio and its BIO_free are not visible. */
522 BIO *bio = BIO_new(BIO_s_mem());
525 if (X509V3_EXT_print(bio, ext, 0, 0))
/* Append a NUL so the pointer from BIO_get_mem_data is usable as a C
 * string; the printed extension text is otherwise unterminated. */
527 if (BIO_write(bio, &nullc, 1) == 1)
530 BIO_get_mem_data(bio, &str);
/* Walks every entry of the peer certificate's subject name and derives an
 * "X509_<depth>_<short name>" variable name for each one. */
559 X509_NAME_ENTRY *ent;
561 unsigned char *buf = NULL;
563 size_t name_expand_size;
564 X509_NAME *x509 = X509_get_subject_name(peer_cert);
566 n = X509_NAME_entry_count(x509);
567 for (i = 0; i < n; ++i)
569 ent = X509_NAME_get_entry(x509, i);
574 fn = X509_NAME_ENTRY_get_object(ent);
579 val = X509_NAME_ENTRY_get_data(ent);
/* Entries whose object has no registered NID are tested for here;
 * presumably they are skipped (the branch body is not visible). */
584 fn_nid = OBJ_obj2nid(fn);
585 if (fn_nid == NID_undef)
/* OBJ_nid2sn returns a pointer to a static short name; it is not freed. */
589 objbuf = OBJ_nid2sn(fn_nid);
/* buf is OpenSSL-allocated on success; the value is certificate-supplied,
 * so consumers of the exported variable must treat it as untrusted text. */
594 if (ASN1_STRING_to_UTF8(&buf, val) < 0)
/* Same sizing rule as the format needs: short name plus 64 bytes for the
 * fixed text, the decimal depth and the NUL.
 * NOTE(review): the malloc result check is not visible - confirm. */
598 name_expand_size = 64 + strlen(objbuf);
599 name_expand = (
char *) malloc(name_expand_size);
/* The call continues on a line this listing does not show. */
601 snprintf(name_expand, name_expand_size,
"X509_%d_%s", cert_depth,
/* Certificate-type check, client variant then server variant. Each starts
 * with X509_check_purpose (ca argument 0, i.e. an end-entity check); the
 * rest of the ternary is on lines not shown. */
624 result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ?
/* Second test: the legacy Netscape certificate-type extension. The
 * length > 0 test guards the data[0] read. Presumably this runs only when
 * the purpose check failed - the enclosing condition is not visible. */
635 ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
636 result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ?
SUCCESS :
FAILURE;
/* The warning text says this check may fail in the future. */
639 msg(
M_WARN,
"X509: Certificate is a client certificate yet it's purpose "
640 "cannot be verified (check may fail in the future)");
/* ns came from X509_get_ext_d2i and is owned here. */
642 ASN1_BIT_STRING_free(ns);
/* Server variant: identical structure with the server purpose and bit. */
652 result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ?
663 ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
664 result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ?
SUCCESS :
FAILURE;
667 msg(
M_WARN,
"X509: Certificate is a server certificate yet it's purpose "
668 "cannot be verified (check may fail in the future)");
670 ASN1_BIT_STRING_free(ns);
/* Key-usage check: the certificate's keyUsage bits are gathered into nku
 * and compared with a caller-supplied list of acceptable masks. */
/* ku is a decoded copy owned by this code, or NULL when the extension is
 * absent; the NULL handling is not visible in this listing. */
682 ASN1_BIT_STRING *ku = X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL);
/* Release on an early path whose condition is not shown. */
693 ASN1_BIT_STRING_free(ku);
/* Only the first eight bit positions are read here; how each set bit is
 * placed into nku is on lines not shown. */
698 for (
size_t i = 0; i < 8; i++)
700 if (ASN1_BIT_STRING_get_bit(ku, i))
/* Special case for an empty low byte; the adjustment is not visible. */
709 if ((nku & 0xff) == 0)
/* An entry matches only when every bit it names is set in nku; a zero
 * entry never matches, and the scan stops at the first match. */
716 for (
size_t i = 0; fFound !=
SUCCESS && i < expected_len; i++)
718 if (expected_ku[i] != 0 && (nku & expected_ku[i]) == expected_ku[i])
727 "ERROR: Certificate has key usage %04x, expected one of:", nku);
/* The error listing treats a zero entry as the end of the expected list. */
728 for (
size_t i = 0; i < expected_len && expected_ku[i]; i++)
/* Release on the normal path. */
734 ASN1_BIT_STRING_free(ku);
/* Extended-key-usage check: searches the certificate's EKU list for
 * expected_oid. */
742 EXTENDED_KEY_USAGE *eku = NULL;
/* No EKU extension at all is reported at handshake-debug level; the
 * result returned in that case is not visible - it should be a failure
 * when an EKU was required. */
745 if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i(x509, NID_ext_key_usage,
746 NULL, NULL)) == NULL)
748 msg(
D_HANDSHAKE,
"Certificate does not have extended key usage extension");
/* Scan stops as soon as a match is recorded in fFound. */
755 for (i = 0;
SUCCESS != fFound && i < sk_ASN1_OBJECT_num(eku); i++)
757 ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(eku, i);
/* First comparison: no_name == 0 renders the registered name when one
 * exists. Output is bounded by sizeof(szOid); -1 signals failure. */
760 if (
SUCCESS != fFound && OBJ_obj2txt(szOid,
sizeof(szOid), oid, 0) != -1)
763 szOid, expected_oid);
/* Exact, case-sensitive match only. */
764 if (!strcmp(expected_oid, szOid))
/* Second comparison: no_name == 1 forces the dotted-decimal form, so
 * expected_oid may be given either as a name or as a numeric OID. */
769 if (
SUCCESS != fFound && OBJ_obj2txt(szOid,
sizeof(szOid), oid, 1) != -1)
772 szOid, expected_oid);
773 if (!strcmp(expected_oid, szOid))
/* Frees the decoded list and every ASN1_OBJECT in it. */
783 sk_ASN1_OBJECT_pop_free(eku, ASN1_OBJECT_free);
/* Scans the SSL context's certificate store for objects of type CRL.
 * Presumably the result tells the caller whether any CRL was loaded; the
 * return statements are not visible in this listing. */
797 X509_STORE *store = SSL_CTX_get_cert_store(opt->
ssl_ctx.
ctx);
/* "get0" accessor: the stack belongs to the store and must not be freed. */
803 STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
804 for (
int i = 0; i < sk_X509_OBJECT_num(objs); i++)
806 X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
808 if (X509_OBJECT_get_type(obj) == X509_LU_CRL)