2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 RCSID("$Id: print.c 22538 2008-01-27 13:05:47Z lha $");
38 * @page page_print Hx509 printing functions
40 * See the library functions here: @ref hx509_print
43 struct hx509_validate_ctx_data {
45 hx509_vprint_func vprint_func;
50 unsigned int selfsigned:1;
52 unsigned int isproxy:1;
53 unsigned int haveSAN:1;
54 unsigned int haveIAN:1;
55 unsigned int haveSKI:1;
56 unsigned int haveAKI:1;
57 unsigned int haveCRLDP:1;
66 Time2string(const Time *T, char **str)
73 t = _hx509_Time2time_t(T);
78 strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
84 * Helper function to print on stdout for:
85 * - hx509_oid_print(),
86 * - hx509_bitstring_print(),
87 * - hx509_validate_ctx_set_print().
89 * @param ctx the context to the print function. If the ctx is NULL,
91 * @param fmt the printing format.
92 * @param va the argumet list.
94 * @ingroup hx509_print
98 hx509_print_stdout(void *ctx, const char *fmt, va_list va)
103 vfprintf(f, fmt, va);
107 print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
111 (*func)(ctx, fmt, va);
116 * Print a oid to a string.
118 * @param oid oid to print
119 * @param str allocated string, free with hx509_xfree().
121 * @return An hx509 error code, see hx509_get_error_string().
123 * @ingroup hx509_print
127 hx509_oid_sprint(const heim_oid *oid, char **str)
129 return der_print_heim_oid(oid, '.', str);
133 * Print a oid using a hx509_vprint_func function. To print to stdout
134 * use hx509_print_stdout().
136 * @param oid oid to print
137 * @param func hx509_vprint_func to print with.
138 * @param ctx context variable to hx509_vprint_func function.
140 * @ingroup hx509_print
144 hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
147 hx509_oid_sprint(oid, &str);
148 print_func(func, ctx, "%s", str);
153 * Print a bitstring using a hx509_vprint_func function. To print to
154 * stdout use hx509_print_stdout().
156 * @param b bit string to print.
157 * @param func hx509_vprint_func to print with.
158 * @param ctx context variable to hx509_vprint_func function.
160 * @ingroup hx509_print
164 hx509_bitstring_print(const heim_bit_string *b,
165 hx509_vprint_func func, void *ctx)
168 print_func(func, ctx, "\tlength: %d\n\t", b->length);
169 for (i = 0; i < (b->length + 7) / 8; i++)
170 print_func(func, ctx, "%02x%s%s",
171 ((unsigned char *)b->data)[i],
172 i < (b->length - 7) / 8
173 && (i == 0 || (i % 16) != 15) ? ":" : "",
174 i != 0 && (i % 16) == 15 ?
175 (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
179 * Print certificate usage for a certificate to a string.
181 * @param context A hx509 context.
182 * @param c a certificate print the keyusage for.
183 * @param s the return string with the keysage printed in to, free
184 * with hx509_xfree().
186 * @return An hx509 error code, see hx509_get_error_string().
188 * @ingroup hx509_print
192 hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
200 ret = _hx509_cert_get_keyusage(context, c, &ku);
203 unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
206 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
218 validate_vprint(void *c, const char *fmt, va_list va)
220 hx509_validate_ctx ctx = c;
221 if (ctx->vprint_func == NULL)
223 (ctx->vprint_func)(ctx->ctx, fmt, va);
227 validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
230 if ((ctx->flags & flags) == 0)
233 validate_vprint(ctx, fmt, va);
238 * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
241 enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
244 check_Null(hx509_validate_ctx ctx,
245 struct cert_status *status,
246 enum critical_flag cf, const Extension *e)
253 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
254 "\tCritical not set on SHOULD\n");
258 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
259 "\tCritical set on SHOULD NOT\n");
263 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
264 "\tCritical not set on MUST\n");
268 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
269 "\tCritical set on MUST NOT\n");
272 _hx509_abort("internal check_Null state error");
278 check_subjectKeyIdentifier(hx509_validate_ctx ctx,
279 struct cert_status *status,
280 enum critical_flag cf,
283 SubjectKeyIdentifier si;
288 check_Null(ctx, status, cf, e);
290 ret = decode_SubjectKeyIdentifier(e->extnValue.data,
294 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
295 "Decoding SubjectKeyIdentifier failed: %d", ret);
298 if (size != e->extnValue.length) {
299 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
300 "Decoding SKI ahve extra bits on the end");
304 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
305 "SKI is too short (0 bytes)");
307 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
312 hex_encode(si.data, si.length, &id);
314 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
315 "\tsubject key id: %s\n", id);
320 free_SubjectKeyIdentifier(&si);
326 check_authorityKeyIdentifier(hx509_validate_ctx ctx,
327 struct cert_status *status,
328 enum critical_flag cf,
331 AuthorityKeyIdentifier ai;
336 check_Null(ctx, status, cf, e);
338 ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
342 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
343 "Decoding AuthorityKeyIdentifier failed: %d", ret);
346 if (size != e->extnValue.length) {
347 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
348 "Decoding SKI ahve extra bits on the end");
352 if (ai.keyIdentifier) {
354 hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
356 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
357 "\tauthority key id: %s\n", id);
366 check_extKeyUsage(hx509_validate_ctx ctx,
367 struct cert_status *status,
368 enum critical_flag cf,
375 check_Null(ctx, status, cf, e);
377 ret = decode_ExtKeyUsage(e->extnValue.data,
381 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
382 "Decoding ExtKeyUsage failed: %d", ret);
385 if (size != e->extnValue.length) {
386 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
387 "Padding data in EKU");
388 free_ExtKeyUsage(&eku);
392 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
393 "ExtKeyUsage length is 0");
397 for (i = 0; i < eku.len; i++) {
399 ret = der_print_heim_oid (&eku.val[i], '.', &str);
401 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
402 "\tEKU: failed to print oid %d", i);
403 free_ExtKeyUsage(&eku);
406 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
407 "\teku-%d: %s\n", i, str);;
411 free_ExtKeyUsage(&eku);
417 check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
419 KRB5PrincipalName kn;
424 ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
426 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
427 "Decoding kerberos name in SAN failed: %d", ret);
431 if (size != a->length) {
432 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
433 "Decoding kerberos name have extra bits on the end");
437 /* print kerberos principal, add code to quote / within components */
438 for (i = 0; i < kn.principalName.name_string.len; i++) {
439 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
440 kn.principalName.name_string.val[i]);
441 if (i + 1 < kn.principalName.name_string.len)
442 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
444 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
445 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
447 free_KRB5PrincipalName(&kn);
452 check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
458 ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
460 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
461 "Decoding JID in SAN failed: %d", ret);
465 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
466 free_PKIXXmppAddr(&jid);
472 check_altnull(hx509_validate_ctx ctx, heim_any *a)
478 check_CRLDistributionPoints(hx509_validate_ctx ctx,
479 struct cert_status *status,
480 enum critical_flag cf,
483 CRLDistributionPoints dp;
487 check_Null(ctx, status, cf, e);
489 ret = decode_CRLDistributionPoints(e->extnValue.data,
493 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
494 "Decoding CRL Distribution Points failed: %d\n", ret);
498 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
499 for (i = 0 ; i < dp.len; i++) {
500 if (dp.val[i].distributionPoint) {
501 DistributionPointName dpname;
502 heim_any *data = dp.val[i].distributionPoint;
505 ret = decode_DistributionPointName(data->data, data->length,
508 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
509 "Failed to parse CRL Distribution Point Name: %d\n", ret);
513 switch (dpname.element) {
514 case choice_DistributionPointName_fullName:
515 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
517 for (j = 0 ; j < dpname.u.fullName.len; j++) {
519 GeneralName *name = &dpname.u.fullName.val[j];
521 ret = hx509_general_name_unparse(name, &s);
522 if (ret == 0 && s != NULL) {
523 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
528 case choice_DistributionPointName_nameRelativeToCRLIssuer:
529 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
530 "Unknown nameRelativeToCRLIssuer");
533 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
534 "Unknown DistributionPointName");
537 free_DistributionPointName(&dpname);
540 free_CRLDistributionPoints(&dp);
542 status->haveCRLDP = 1;
550 const heim_oid *(*oid)(void);
551 int (*func)(hx509_validate_ctx, heim_any *);
552 } check_altname[] = {
553 { "pk-init", oid_id_pkinit_san, check_pkinit_san },
554 { "jabber", oid_id_pkix_on_xmppAddr, check_utf8_string_san },
555 { "dns-srv", oid_id_pkix_on_dnsSRV, check_altnull },
556 { "card-id", oid_id_uspkicommon_card_id, check_altnull },
557 { "Microsoft NT-PRINCIPAL-NAME", oid_id_pkinit_ms_san, check_utf8_string_san }
561 check_altName(hx509_validate_ctx ctx,
562 struct cert_status *status,
564 enum critical_flag cf,
571 check_Null(ctx, status, cf, e);
573 if (e->extnValue.length == 0) {
574 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
575 "%sAltName empty, not allowed", name);
578 ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
581 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
582 "\tret = %d while decoding %s GeneralNames\n",
587 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
588 "%sAltName generalName empty, not allowed\n", name);
592 for (i = 0; i < gn.len; i++) {
593 switch (gn.val[i].element) {
594 case choice_GeneralName_otherName: {
597 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
598 "%sAltName otherName ", name);
600 for (j = 0; j < sizeof(check_altname)/sizeof(check_altname[0]); j++) {
601 if (der_heim_oid_cmp((*check_altname[j].oid)(),
602 &gn.val[i].u.otherName.type_id) != 0)
605 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
606 check_altname[j].name);
607 (*check_altname[j].func)(ctx, &gn.val[i].u.otherName.value);
610 if (j == sizeof(check_altname)/sizeof(check_altname[0])) {
611 hx509_oid_print(&gn.val[i].u.otherName.type_id,
612 validate_vprint, ctx);
613 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
615 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
620 ret = hx509_general_name_unparse(&gn.val[i], &s);
622 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
623 "ret = %d unparsing GeneralName\n", ret);
626 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
633 free_GeneralNames(&gn);
639 check_subjectAltName(hx509_validate_ctx ctx,
640 struct cert_status *status,
641 enum critical_flag cf,
645 return check_altName(ctx, status, "subject", cf, e);
649 check_issuerAltName(hx509_validate_ctx ctx,
650 struct cert_status *status,
651 enum critical_flag cf,
655 return check_altName(ctx, status, "issuer", cf, e);
660 check_basicConstraints(hx509_validate_ctx ctx,
661 struct cert_status *status,
662 enum critical_flag cf,
669 check_Null(ctx, status, cf, e);
671 ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
674 printf("\tret = %d while decoding BasicConstraints\n", ret);
677 if (size != e->extnValue.length)
678 printf("\tlength of der data isn't same as extension\n");
680 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
681 "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
682 if (b.pathLenConstraint)
683 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
684 "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
689 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
690 "Is a CA and not BasicConstraints CRITICAL\n");
694 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
695 "cA is FALSE, not allowed to be\n");
697 free_BasicConstraints(&b);
703 check_proxyCertInfo(hx509_validate_ctx ctx,
704 struct cert_status *status,
705 enum critical_flag cf,
708 check_Null(ctx, status, cf, e);
714 check_authorityInfoAccess(hx509_validate_ctx ctx,
715 struct cert_status *status,
716 enum critical_flag cf,
719 AuthorityInfoAccessSyntax aia;
723 check_Null(ctx, status, cf, e);
725 ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
729 printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
733 for (i = 0; i < aia.len; i++) {
735 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
737 hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
738 hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
739 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
740 "\n\tdirname: %s\n", str);
743 free_AuthorityInfoAccessSyntax(&aia);
754 const heim_oid *(*oid)(void);
755 int (*func)(hx509_validate_ctx ctx,
756 struct cert_status *status,
757 enum critical_flag cf,
759 enum critical_flag cf;
760 } check_extension[] = {
761 #define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname
762 { ext(subjectDirectoryAttributes, Null), M_N_C },
763 { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
764 { ext(keyUsage, Null), S_C },
765 { ext(subjectAltName, subjectAltName), M_N_C },
766 { ext(issuerAltName, issuerAltName), S_N_C },
767 { ext(basicConstraints, basicConstraints), D_C },
768 { ext(cRLNumber, Null), M_N_C },
769 { ext(cRLReason, Null), M_N_C },
770 { ext(holdInstructionCode, Null), M_N_C },
771 { ext(invalidityDate, Null), M_N_C },
772 { ext(deltaCRLIndicator, Null), M_C },
773 { ext(issuingDistributionPoint, Null), M_C },
774 { ext(certificateIssuer, Null), M_C },
775 { ext(nameConstraints, Null), M_C },
776 { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
777 { ext(certificatePolicies, Null) },
778 { ext(policyMappings, Null), M_N_C },
779 { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
780 { ext(policyConstraints, Null), D_C },
781 { ext(extKeyUsage, extKeyUsage), D_C },
782 { ext(freshestCRL, Null), M_N_C },
783 { ext(inhibitAnyPolicy, Null), M_C },
785 #define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname
786 { ext(proxyCertInfo, proxyCertInfo), M_C },
787 { ext(authorityInfoAccess, authorityInfoAccess), M_C },
789 { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim,
791 { "Netscape cert comment", oid_id_netscape_cert_comment,
797 * Allocate a hx509 validation/printing context.
799 * @param context A hx509 context.
800 * @param ctx a new allocated hx509 validation context, free with
801 * hx509_validate_ctx_free().
803 * @return An hx509 error code, see hx509_get_error_string().
805 * @ingroup hx509_print
809 hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
811 *ctx = malloc(sizeof(**ctx));
814 memset(*ctx, 0, sizeof(**ctx));
819 * Set the printing functions for the validation context.
821 * @param ctx a hx509 valication context.
822 * @param func the printing function to usea.
823 * @param c the context variable to the printing function.
825 * @return An hx509 error code, see hx509_get_error_string().
827 * @ingroup hx509_print
831 hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
832 hx509_vprint_func func,
835 ctx->vprint_func = func;
840 * Add flags to control the behaivor of the hx509_validate_cert()
843 * @param ctx A hx509 validation context.
844 * @param flags flags to add to the validation context.
846 * @return An hx509 error code, see hx509_get_error_string().
848 * @ingroup hx509_print
852 hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
858 * Free an hx509 validate context.
860 * @param ctx the hx509 validate context to free.
862 * @ingroup hx509_print
866 hx509_validate_ctx_free(hx509_validate_ctx ctx)
872 * Validate/Print the status of the certificate.
874 * @param context A hx509 context.
875 * @param ctx A hx509 validation context.
876 * @param cert the cerificate to validate/print.
878 * @return An hx509 error code, see hx509_get_error_string().
880 * @ingroup hx509_print
884 hx509_validate_cert(hx509_context context,
885 hx509_validate_ctx ctx,
888 Certificate *c = _hx509_get_cert(cert);
889 TBSCertificate *t = &c->tbsCertificate;
890 hx509_name issuer, subject;
892 struct cert_status status;
895 memset(&status, 0, sizeof(status));
897 if (_hx509_cert_get_version(c) != 3)
898 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
899 "Not version 3 certificate\n");
901 if ((t->version == NULL || *t->version < 2) && t->extensions)
902 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
903 "Not version 3 certificate with extensions\n");
905 if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
906 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
907 "Version 3 certificate without extensions\n");
909 ret = hx509_cert_get_subject(cert, &subject);
911 hx509_name_to_string(subject, &str);
912 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
913 "subject name: %s\n", str);
916 ret = hx509_cert_get_issuer(cert, &issuer);
918 hx509_name_to_string(issuer, &str);
919 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
920 "issuer name: %s\n", str);
923 if (hx509_name_cmp(subject, issuer) == 0) {
924 status.selfsigned = 1;
925 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
926 "\tis a self-signed certificate\n");
929 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
932 Time2string(&t->validity.notBefore, &str);
933 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
935 Time2string(&t->validity.notAfter, &str);
936 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str);
942 if (t->extensions->len == 0) {
944 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
945 "The empty extensions list is not "
946 "allowed by PKIX\n");
949 for (i = 0; i < t->extensions->len; i++) {
951 for (j = 0; check_extension[j].name; j++)
952 if (der_heim_oid_cmp((*check_extension[j].oid)(),
953 &t->extensions->val[i].extnID) == 0)
955 if (check_extension[j].name == NULL) {
956 int flags = HX509_VALIDATE_F_VERBOSE;
957 if (t->extensions->val[i].critical)
958 flags |= HX509_VALIDATE_F_VALIDATE;
959 validate_print(ctx, flags, "don't know what ");
960 if (t->extensions->val[i].critical)
961 validate_print(ctx, flags, "and is CRITICAL ");
962 if (ctx->flags & flags)
963 hx509_oid_print(&t->extensions->val[i].extnID,
964 validate_vprint, ctx);
965 validate_print(ctx, flags, " is\n");
969 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
970 "checking extention: %s\n",
971 check_extension[j].name);
972 (*check_extension[j].func)(ctx,
974 check_extension[j].cf,
975 &t->extensions->val[i]);
978 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
982 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
983 "CA certificate have no SubjectKeyIdentifier\n");
987 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
988 "Is not CA and doesn't have "
989 "AuthorityKeyIdentifier\n");
994 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
995 "Doesn't have SubjectKeyIdentifier\n");
997 if (status.isproxy && status.isca)
998 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
999 "Proxy and CA at the same time!\n");
1001 if (status.isproxy) {
1003 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1004 "Proxy and have SAN\n");
1006 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1007 "Proxy and have IAN\n");
1010 if (hx509_name_is_null_p(subject) && !status.haveSAN)
1011 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1012 "NULL subject DN and doesn't have a SAN\n");
1014 if (!status.selfsigned && !status.haveCRLDP)
1015 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1016 "Not a CA nor PROXY and doesn't have"
1017 "CRL Dist Point\n");
1019 if (status.selfsigned) {
1020 ret = _hx509_verify_signature_bitstring(context,
1022 &c->signatureAlgorithm,
1023 &c->tbsCertificate._save,
1024 &c->signatureValue);
1026 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
1027 "Self-signed certificate was self-signed\n");
1029 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
1030 "Self-signed certificate NOT really self-signed!\n");
1033 hx509_name_free(&subject);
1034 hx509_name_free(&issuer);
git.samba.org / tprouty / samba.git / blob