2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * @page page_print Hx509 printing functions
39 * See the library functions here: @ref hx509_print
42 struct hx509_validate_ctx_data {
44 hx509_vprint_func vprint_func;
49 unsigned int selfsigned:1;
51 unsigned int isproxy:1;
52 unsigned int haveSAN:1;
53 unsigned int haveIAN:1;
54 unsigned int haveSKI:1;
55 unsigned int haveAKI:1;
56 unsigned int haveCRLDP:1;
65 Time2string(const Time *T, char **str)
72 t = _hx509_Time2time_t(T);
77 strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
83 * Helper function to print on stdout for:
84 * - hx509_oid_print(),
85 * - hx509_bitstring_print(),
86 * - hx509_validate_ctx_set_print().
88 * @param ctx the context to the print function. If the ctx is NULL,
90 * @param fmt the printing format.
91 * @param va the argumet list.
93 * @ingroup hx509_print
97 hx509_print_stdout(void *ctx, const char *fmt, va_list va)
102 vfprintf(f, fmt, va);
106 print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
110 (*func)(ctx, fmt, va);
115 * Print a oid to a string.
117 * @param oid oid to print
118 * @param str allocated string, free with hx509_xfree().
120 * @return An hx509 error code, see hx509_get_error_string().
122 * @ingroup hx509_print
126 hx509_oid_sprint(const heim_oid *oid, char **str)
128 return der_print_heim_oid(oid, '.', str);
132 * Print a oid using a hx509_vprint_func function. To print to stdout
133 * use hx509_print_stdout().
135 * @param oid oid to print
136 * @param func hx509_vprint_func to print with.
137 * @param ctx context variable to hx509_vprint_func function.
139 * @ingroup hx509_print
143 hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
146 hx509_oid_sprint(oid, &str);
147 print_func(func, ctx, "%s", str);
152 * Print a bitstring using a hx509_vprint_func function. To print to
153 * stdout use hx509_print_stdout().
155 * @param b bit string to print.
156 * @param func hx509_vprint_func to print with.
157 * @param ctx context variable to hx509_vprint_func function.
159 * @ingroup hx509_print
163 hx509_bitstring_print(const heim_bit_string *b,
164 hx509_vprint_func func, void *ctx)
167 print_func(func, ctx, "\tlength: %d\n\t", b->length);
168 for (i = 0; i < (b->length + 7) / 8; i++)
169 print_func(func, ctx, "%02x%s%s",
170 ((unsigned char *)b->data)[i],
171 i < (b->length - 7) / 8
172 && (i == 0 || (i % 16) != 15) ? ":" : "",
173 i != 0 && (i % 16) == 15 ?
174 (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
178 * Print certificate usage for a certificate to a string.
180 * @param context A hx509 context.
181 * @param c a certificate print the keyusage for.
182 * @param s the return string with the keysage printed in to, free
183 * with hx509_xfree().
185 * @return An hx509 error code, see hx509_get_error_string().
187 * @ingroup hx509_print
191 hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
199 ret = _hx509_cert_get_keyusage(context, c, &ku);
202 unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
205 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
217 validate_vprint(void *c, const char *fmt, va_list va)
219 hx509_validate_ctx ctx = c;
220 if (ctx->vprint_func == NULL)
222 (ctx->vprint_func)(ctx->ctx, fmt, va);
226 validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
229 if ((ctx->flags & flags) == 0)
232 validate_vprint(ctx, fmt, va);
237 * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
240 enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
243 check_Null(hx509_validate_ctx ctx,
244 struct cert_status *status,
245 enum critical_flag cf, const Extension *e)
252 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
253 "\tCritical not set on SHOULD\n");
257 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
258 "\tCritical set on SHOULD NOT\n");
262 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
263 "\tCritical not set on MUST\n");
267 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
268 "\tCritical set on MUST NOT\n");
271 _hx509_abort("internal check_Null state error");
277 check_subjectKeyIdentifier(hx509_validate_ctx ctx,
278 struct cert_status *status,
279 enum critical_flag cf,
282 SubjectKeyIdentifier si;
287 check_Null(ctx, status, cf, e);
289 ret = decode_SubjectKeyIdentifier(e->extnValue.data,
293 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
294 "Decoding SubjectKeyIdentifier failed: %d", ret);
297 if (size != e->extnValue.length) {
298 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
299 "Decoding SKI ahve extra bits on the end");
303 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
304 "SKI is too short (0 bytes)");
306 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
311 hex_encode(si.data, si.length, &id);
313 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
314 "\tsubject key id: %s\n", id);
319 free_SubjectKeyIdentifier(&si);
325 check_authorityKeyIdentifier(hx509_validate_ctx ctx,
326 struct cert_status *status,
327 enum critical_flag cf,
330 AuthorityKeyIdentifier ai;
335 check_Null(ctx, status, cf, e);
337 ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
341 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
342 "Decoding AuthorityKeyIdentifier failed: %d", ret);
345 if (size != e->extnValue.length) {
346 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
347 "Decoding SKI ahve extra bits on the end");
351 if (ai.keyIdentifier) {
353 hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
355 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
356 "\tauthority key id: %s\n", id);
365 check_extKeyUsage(hx509_validate_ctx ctx,
366 struct cert_status *status,
367 enum critical_flag cf,
374 check_Null(ctx, status, cf, e);
376 ret = decode_ExtKeyUsage(e->extnValue.data,
380 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
381 "Decoding ExtKeyUsage failed: %d", ret);
384 if (size != e->extnValue.length) {
385 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
386 "Padding data in EKU");
387 free_ExtKeyUsage(&eku);
391 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
392 "ExtKeyUsage length is 0");
396 for (i = 0; i < eku.len; i++) {
398 ret = der_print_heim_oid (&eku.val[i], '.', &str);
400 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
401 "\tEKU: failed to print oid %d", i);
402 free_ExtKeyUsage(&eku);
405 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
406 "\teku-%d: %s\n", i, str);;
410 free_ExtKeyUsage(&eku);
416 check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
418 KRB5PrincipalName kn;
423 ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
425 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
426 "Decoding kerberos name in SAN failed: %d", ret);
430 if (size != a->length) {
431 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
432 "Decoding kerberos name have extra bits on the end");
436 /* print kerberos principal, add code to quote / within components */
437 for (i = 0; i < kn.principalName.name_string.len; i++) {
438 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
439 kn.principalName.name_string.val[i]);
440 if (i + 1 < kn.principalName.name_string.len)
441 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
443 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
444 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
446 free_KRB5PrincipalName(&kn);
451 check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
457 ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
459 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
460 "Decoding JID in SAN failed: %d", ret);
464 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
465 free_PKIXXmppAddr(&jid);
471 check_altnull(hx509_validate_ctx ctx, heim_any *a)
477 check_CRLDistributionPoints(hx509_validate_ctx ctx,
478 struct cert_status *status,
479 enum critical_flag cf,
482 CRLDistributionPoints dp;
486 check_Null(ctx, status, cf, e);
488 ret = decode_CRLDistributionPoints(e->extnValue.data,
492 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
493 "Decoding CRL Distribution Points failed: %d\n", ret);
497 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
498 for (i = 0 ; i < dp.len; i++) {
499 if (dp.val[i].distributionPoint) {
500 DistributionPointName dpname;
501 heim_any *data = dp.val[i].distributionPoint;
504 ret = decode_DistributionPointName(data->data, data->length,
507 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
508 "Failed to parse CRL Distribution Point Name: %d\n", ret);
512 switch (dpname.element) {
513 case choice_DistributionPointName_fullName:
514 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
516 for (j = 0 ; j < dpname.u.fullName.len; j++) {
518 GeneralName *name = &dpname.u.fullName.val[j];
520 ret = hx509_general_name_unparse(name, &s);
521 if (ret == 0 && s != NULL) {
522 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
527 case choice_DistributionPointName_nameRelativeToCRLIssuer:
528 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
529 "Unknown nameRelativeToCRLIssuer");
532 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
533 "Unknown DistributionPointName");
536 free_DistributionPointName(&dpname);
539 free_CRLDistributionPoints(&dp);
541 status->haveCRLDP = 1;
550 int (*func)(hx509_validate_ctx, heim_any *);
551 } altname_types[] = {
552 { "pk-init", &asn1_oid_id_pkinit_san, check_pkinit_san },
553 { "jabber", &asn1_oid_id_pkix_on_xmppAddr, check_utf8_string_san },
554 { "dns-srv", &asn1_oid_id_pkix_on_dnsSRV, check_altnull },
555 { "card-id", &asn1_oid_id_uspkicommon_card_id, check_altnull },
556 { "Microsoft NT-PRINCIPAL-NAME", &asn1_oid_id_pkinit_ms_san, check_utf8_string_san }
560 check_altName(hx509_validate_ctx ctx,
561 struct cert_status *status,
563 enum critical_flag cf,
570 check_Null(ctx, status, cf, e);
572 if (e->extnValue.length == 0) {
573 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
574 "%sAltName empty, not allowed", name);
577 ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
580 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
581 "\tret = %d while decoding %s GeneralNames\n",
586 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
587 "%sAltName generalName empty, not allowed\n", name);
591 for (i = 0; i < gn.len; i++) {
592 switch (gn.val[i].element) {
593 case choice_GeneralName_otherName: {
596 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
597 "%sAltName otherName ", name);
599 for (j = 0; j < sizeof(altname_types)/sizeof(altname_types[0]); j++) {
600 if (der_heim_oid_cmp(altname_types[j].oid,
601 &gn.val[i].u.otherName.type_id) != 0)
604 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
605 altname_types[j].name);
606 (*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);
609 if (j == sizeof(altname_types)/sizeof(altname_types[0])) {
610 hx509_oid_print(&gn.val[i].u.otherName.type_id,
611 validate_vprint, ctx);
612 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
614 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
619 ret = hx509_general_name_unparse(&gn.val[i], &s);
621 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
622 "ret = %d unparsing GeneralName\n", ret);
625 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
632 free_GeneralNames(&gn);
638 check_subjectAltName(hx509_validate_ctx ctx,
639 struct cert_status *status,
640 enum critical_flag cf,
644 return check_altName(ctx, status, "subject", cf, e);
648 check_issuerAltName(hx509_validate_ctx ctx,
649 struct cert_status *status,
650 enum critical_flag cf,
654 return check_altName(ctx, status, "issuer", cf, e);
659 check_basicConstraints(hx509_validate_ctx ctx,
660 struct cert_status *status,
661 enum critical_flag cf,
668 check_Null(ctx, status, cf, e);
670 ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
673 printf("\tret = %d while decoding BasicConstraints\n", ret);
676 if (size != e->extnValue.length)
677 printf("\tlength of der data isn't same as extension\n");
679 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
680 "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
681 if (b.pathLenConstraint)
682 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
683 "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
688 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
689 "Is a CA and not BasicConstraints CRITICAL\n");
693 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
694 "cA is FALSE, not allowed to be\n");
696 free_BasicConstraints(&b);
702 check_proxyCertInfo(hx509_validate_ctx ctx,
703 struct cert_status *status,
704 enum critical_flag cf,
707 check_Null(ctx, status, cf, e);
713 check_authorityInfoAccess(hx509_validate_ctx ctx,
714 struct cert_status *status,
715 enum critical_flag cf,
718 AuthorityInfoAccessSyntax aia;
722 check_Null(ctx, status, cf, e);
724 ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
728 printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
732 for (i = 0; i < aia.len; i++) {
734 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
736 hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
737 hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
738 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
739 "\n\tdirname: %s\n", str);
742 free_AuthorityInfoAccessSyntax(&aia);
754 int (*func)(hx509_validate_ctx ctx,
755 struct cert_status *status,
756 enum critical_flag cf,
758 enum critical_flag cf;
759 } check_extension[] = {
760 #define ext(name, checkname) #name, &asn1_oid_id_x509_ce_##name, check_##checkname
761 { ext(subjectDirectoryAttributes, Null), M_N_C },
762 { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
763 { ext(keyUsage, Null), S_C },
764 { ext(subjectAltName, subjectAltName), M_N_C },
765 { ext(issuerAltName, issuerAltName), S_N_C },
766 { ext(basicConstraints, basicConstraints), D_C },
767 { ext(cRLNumber, Null), M_N_C },
768 { ext(cRLReason, Null), M_N_C },
769 { ext(holdInstructionCode, Null), M_N_C },
770 { ext(invalidityDate, Null), M_N_C },
771 { ext(deltaCRLIndicator, Null), M_C },
772 { ext(issuingDistributionPoint, Null), M_C },
773 { ext(certificateIssuer, Null), M_C },
774 { ext(nameConstraints, Null), M_C },
775 { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
776 { ext(certificatePolicies, Null) },
777 { ext(policyMappings, Null), M_N_C },
778 { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
779 { ext(policyConstraints, Null), D_C },
780 { ext(extKeyUsage, extKeyUsage), D_C },
781 { ext(freshestCRL, Null), M_N_C },
782 { ext(inhibitAnyPolicy, Null), M_C },
784 #define ext(name, checkname) #name, &asn1_oid_id_pkix_pe_##name, check_##checkname
785 { ext(proxyCertInfo, proxyCertInfo), M_C },
786 { ext(authorityInfoAccess, authorityInfoAccess), M_C },
788 { "US Fed PKI - PIV Interim", &asn1_oid_id_uspkicommon_piv_interim,
790 { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
796 * Allocate a hx509 validation/printing context.
798 * @param context A hx509 context.
799 * @param ctx a new allocated hx509 validation context, free with
800 * hx509_validate_ctx_free().
802 * @return An hx509 error code, see hx509_get_error_string().
804 * @ingroup hx509_print
808 hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
810 *ctx = malloc(sizeof(**ctx));
813 memset(*ctx, 0, sizeof(**ctx));
818 * Set the printing functions for the validation context.
820 * @param ctx a hx509 valication context.
821 * @param func the printing function to usea.
822 * @param c the context variable to the printing function.
824 * @return An hx509 error code, see hx509_get_error_string().
826 * @ingroup hx509_print
830 hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
831 hx509_vprint_func func,
834 ctx->vprint_func = func;
839 * Add flags to control the behaivor of the hx509_validate_cert()
842 * @param ctx A hx509 validation context.
843 * @param flags flags to add to the validation context.
845 * @return An hx509 error code, see hx509_get_error_string().
847 * @ingroup hx509_print
851 hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
857 * Free an hx509 validate context.
859 * @param ctx the hx509 validate context to free.
861 * @ingroup hx509_print
865 hx509_validate_ctx_free(hx509_validate_ctx ctx)
871 * Validate/Print the status of the certificate.
873 * @param context A hx509 context.
874 * @param ctx A hx509 validation context.
875 * @param cert the cerificate to validate/print.
877 * @return An hx509 error code, see hx509_get_error_string().
879 * @ingroup hx509_print
883 hx509_validate_cert(hx509_context context,
884 hx509_validate_ctx ctx,
887 Certificate *c = _hx509_get_cert(cert);
888 TBSCertificate *t = &c->tbsCertificate;
889 hx509_name issuer, subject;
891 struct cert_status status;
894 memset(&status, 0, sizeof(status));
896 if (_hx509_cert_get_version(c) != 3)
897 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
898 "Not version 3 certificate\n");
900 if ((t->version == NULL || *t->version < 2) && t->extensions)
901 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
902 "Not version 3 certificate with extensions\n");
904 if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
905 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
906 "Version 3 certificate without extensions\n");
908 ret = hx509_cert_get_subject(cert, &subject);
910 hx509_name_to_string(subject, &str);
911 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
912 "subject name: %s\n", str);
915 ret = hx509_cert_get_issuer(cert, &issuer);
917 hx509_name_to_string(issuer, &str);
918 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
919 "issuer name: %s\n", str);
922 if (hx509_name_cmp(subject, issuer) == 0) {
923 status.selfsigned = 1;
924 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
925 "\tis a self-signed certificate\n");
928 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
931 Time2string(&t->validity.notBefore, &str);
932 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
934 Time2string(&t->validity.notAfter, &str);
935 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str);
941 if (t->extensions->len == 0) {
943 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
944 "The empty extensions list is not "
945 "allowed by PKIX\n");
948 for (i = 0; i < t->extensions->len; i++) {
950 for (j = 0; check_extension[j].name; j++)
951 if (der_heim_oid_cmp(check_extension[j].oid,
952 &t->extensions->val[i].extnID) == 0)
954 if (check_extension[j].name == NULL) {
955 int flags = HX509_VALIDATE_F_VERBOSE;
956 if (t->extensions->val[i].critical)
957 flags |= HX509_VALIDATE_F_VALIDATE;
958 validate_print(ctx, flags, "don't know what ");
959 if (t->extensions->val[i].critical)
960 validate_print(ctx, flags, "and is CRITICAL ");
961 if (ctx->flags & flags)
962 hx509_oid_print(&t->extensions->val[i].extnID,
963 validate_vprint, ctx);
964 validate_print(ctx, flags, " is\n");
968 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
969 "checking extention: %s\n",
970 check_extension[j].name);
971 (*check_extension[j].func)(ctx,
973 check_extension[j].cf,
974 &t->extensions->val[i]);
977 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
981 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
982 "CA certificate have no SubjectKeyIdentifier\n");
986 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
987 "Is not CA and doesn't have "
988 "AuthorityKeyIdentifier\n");
993 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
994 "Doesn't have SubjectKeyIdentifier\n");
996 if (status.isproxy && status.isca)
997 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
998 "Proxy and CA at the same time!\n");
1000 if (status.isproxy) {
1002 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1003 "Proxy and have SAN\n");
1005 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1006 "Proxy and have IAN\n");
1009 if (hx509_name_is_null_p(subject) && !status.haveSAN)
1010 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1011 "NULL subject DN and doesn't have a SAN\n");
1013 if (!status.selfsigned && !status.haveCRLDP)
1014 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1015 "Not a CA nor PROXY and doesn't have"
1016 "CRL Dist Point\n");
1018 if (status.selfsigned) {
1019 ret = _hx509_verify_signature_bitstring(context,
1021 &c->signatureAlgorithm,
1022 &c->tbsCertificate._save,
1023 &c->signatureValue);
1025 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1026 "Self-signed certificate was self-signed\n");
1028 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1029 "Self-signed certificate NOT really self-signed!\n");
1032 hx509_name_free(&subject);
1033 hx509_name_free(&issuer);
git.samba.org / amitay / samba.git / blob