/*
- * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "hx_locl.h"
/**
* Print a oid to a string.
- *
+ *
* @param oid oid to print
* @param str allocated string, free with hx509_xfree().
*
/**
* Print a oid using a hx509_vprint_func function. To print to stdout
* use hx509_print_stdout().
- *
+ *
* @param oid oid to print
* @param func hx509_vprint_func to print with.
* @param ctx context variable to hx509_vprint_func function.
/**
* Print a bitstring using a hx509_vprint_func function. To print to
* stdout use hx509_print_stdout().
- *
+ *
* @param b bit string to print.
* @param func hx509_vprint_func to print with.
* @param ctx context variable to hx509_vprint_func function.
print_func(func, ctx, "\tlength: %d\n\t", b->length);
for (i = 0; i < (b->length + 7) / 8; i++)
print_func(func, ctx, "%02x%s%s",
- ((unsigned char *)b->data)[i],
+ ((unsigned char *)b->data)[i],
i < (b->length - 7) / 8
&& (i == 0 || (i % 16) != 15) ? ":" : "",
i != 0 && (i % 16) == 15 ?
/**
* Print certificate usage for a certificate to a string.
- *
+ *
* @param context A hx509 context.
* @param c a certificate print the keyusage for.
* @param s the return string with the keysage printed in to, free
va_end(va);
}
-/*
+/*
* Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
* MUST NOT critical
*/
}
static int
-check_subjectKeyIdentifier(hx509_validate_ctx ctx,
+check_subjectKeyIdentifier(hx509_validate_ctx ctx,
struct cert_status *status,
enum critical_flag cf,
const Extension *e)
status->haveSKI = 1;
check_Null(ctx, status, cf, e);
- ret = decode_SubjectKeyIdentifier(e->extnValue.data,
+ ret = decode_SubjectKeyIdentifier(e->extnValue.data,
e->extnValue.length,
&si, &size);
if (ret) {
}
static int
-check_authorityKeyIdentifier(hx509_validate_ctx ctx,
+check_authorityKeyIdentifier(hx509_validate_ctx ctx,
struct cert_status *status,
enum critical_flag cf,
const Extension *e)
status->haveAKI = 1;
check_Null(ctx, status, cf, e);
- ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
+ ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
e->extnValue.length,
&ai, &size);
if (ret) {
}
static int
-check_extKeyUsage(hx509_validate_ctx ctx,
+check_extKeyUsage(hx509_validate_ctx ctx,
struct cert_status *status,
enum critical_flag cf,
const Extension *e)
check_Null(ctx, status, cf, e);
- ret = decode_ExtKeyUsage(e->extnValue.data,
+ ret = decode_ExtKeyUsage(e->extnValue.data,
e->extnValue.length,
&eku, &size);
if (ret) {
/* print kerberos principal, add code to quote / within components */
for (i = 0; i < kn.principalName.name_string.len; i++) {
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
kn.principalName.name_string.val[i]);
if (i + 1 < kn.principalName.name_string.len)
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
}
static int
-check_CRLDistributionPoints(hx509_validate_ctx ctx,
+check_CRLDistributionPoints(hx509_validate_ctx ctx,
struct cert_status *status,
enum critical_flag cf,
const Extension *e)
check_Null(ctx, status, cf, e);
- ret = decode_CRLDistributionPoints(e->extnValue.data,
+ ret = decode_CRLDistributionPoints(e->extnValue.data,
e->extnValue.length,
&dp, &size);
if (ret) {
DistributionPointName dpname;
heim_any *data = dp.val[i].distributionPoint;
int j;
-
+
ret = decode_DistributionPointName(data->data, data->length,
&dpname, NULL);
if (ret) {
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Failed to parse CRL Distribution Point Name: %d\n", ret);
continue;
}
&gn, &size);
if (ret) {
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
- "\tret = %d while decoding %s GeneralNames\n",
+ "\tret = %d while decoding %s GeneralNames\n",
ret, name);
return 1;
}
"%sAltName otherName ", name);
for (j = 0; j < sizeof(check_altname)/sizeof(check_altname[0]); j++) {
- if (der_heim_oid_cmp((*check_altname[j].oid)(),
+ if (der_heim_oid_cmp((*check_altname[j].oid)(),
&gn.val[i].u.otherName.type_id) != 0)
continue;
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
check_altname[j].name);
(*check_altname[j].func)(ctx, &gn.val[i].u.otherName.value);
break;
static int
-check_basicConstraints(hx509_validate_ctx ctx,
+check_basicConstraints(hx509_validate_ctx ctx,
struct cert_status *status,
- enum critical_flag cf,
+ enum critical_flag cf,
const Extension *e)
{
BasicConstraints b;
int ret;
check_Null(ctx, status, cf, e);
-
+
ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
&b, &size);
if (ret) {
}
static int
-check_proxyCertInfo(hx509_validate_ctx ctx,
+check_proxyCertInfo(hx509_validate_ctx ctx,
struct cert_status *status,
- enum critical_flag cf,
+ enum critical_flag cf,
const Extension *e)
{
check_Null(ctx, status, cf, e);
}
static int
-check_authorityInfoAccess(hx509_validate_ctx ctx,
+check_authorityInfoAccess(hx509_validate_ctx ctx,
struct cert_status *status,
- enum critical_flag cf,
+ enum critical_flag cf,
const Extension *e)
{
AuthorityInfoAccessSyntax aia;
check_Null(ctx, status, cf, e);
- ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
+ ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
e->extnValue.length,
&aia, &size);
if (ret) {
struct {
const char *name;
const heim_oid *(*oid)(void);
- int (*func)(hx509_validate_ctx ctx,
+ int (*func)(hx509_validate_ctx ctx,
struct cert_status *status,
- enum critical_flag cf,
+ enum critical_flag cf,
const Extension *);
enum critical_flag cf;
} check_extension[] = {
-#define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname
+#define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname
{ ext(subjectDirectoryAttributes, Null), M_N_C },
{ ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
{ ext(keyUsage, Null), S_C },
{ ext(freshestCRL, Null), M_N_C },
{ ext(inhibitAnyPolicy, Null), M_C },
#undef ext
-#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname
+#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname
{ ext(proxyCertInfo, proxyCertInfo), M_C },
{ ext(authorityInfoAccess, authorityInfoAccess), M_C },
#undef ext
- { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim,
+ { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim,
check_Null, D_C },
- { "Netscape cert comment", oid_id_netscape_cert_comment,
+ { "Netscape cert comment", oid_id_netscape_cert_comment,
check_Null, D_C },
{ NULL }
};
/**
* Allocate a hx509 validation/printing context.
- *
+ *
* @param context A hx509 context.
* @param ctx a new allocated hx509 validation context, free with
* hx509_validate_ctx_free().
/**
* Set the printing functions for the validation context.
- *
+ *
* @param ctx a hx509 valication context.
* @param func the printing function to usea.
* @param c the context variable to the printing function.
*/
void
-hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
+hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
hx509_vprint_func func,
void *c)
{
/**
* Add flags to control the behaivor of the hx509_validate_cert()
* function.
- *
+ *
* @param ctx A hx509 validation context.
* @param flags flags to add to the validation context.
*
/**
* Free an hx509 validate context.
- *
+ *
* @param ctx the hx509 validate context to free.
*
* @ingroup hx509_print
/**
* Validate/Print the status of the certificate.
- *
+ *
* @param context A hx509 context.
* @param ctx A hx509 validation context.
* @param cert the cerificate to validate/print.
if (_hx509_cert_get_version(c) != 3)
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
"Not version 3 certificate\n");
-
+
if ((t->version == NULL || *t->version < 2) && t->extensions)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Not version 3 certificate with extensions\n");
if (t->extensions->val[i].critical)
validate_print(ctx, flags, "and is CRITICAL ");
if (ctx->flags & flags)
- hx509_oid_print(&t->extensions->val[i].extnID,
+ hx509_oid_print(&t->extensions->val[i].extnID,
validate_vprint, ctx);
validate_print(ctx, flags, " is\n");
continue;
if (status.isca) {
if (!status.haveSKI)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"CA certificate have no SubjectKeyIdentifier\n");
} else {
if (!status.haveAKI)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Is not CA and doesn't have "
"AuthorityKeyIdentifier\n");
}
-
+
if (!status.haveSKI)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Doesn't have SubjectKeyIdentifier\n");
if (status.isproxy && status.isca)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Proxy and CA at the same time!\n");
if (status.isproxy) {
if (status.haveSAN)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Proxy and have SAN\n");
if (status.haveIAN)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Proxy and have IAN\n");
}
if (hx509_name_is_null_p(subject) && !status.haveSAN)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"NULL subject DN and doesn't have a SAN\n");
if (!status.selfsigned && !status.haveCRLDP)
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Not a CA nor PROXY and doesn't have"
"CRL Dist Point\n");
&c->tbsCertificate._save,
&c->signatureValue);
if (ret == 0)
- validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+ validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
"Self-signed certificate was self-signed\n");
else
- validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
+ validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Self-signed certificate NOT really self-signed!\n");
}