2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * @page page_print Hx509 printing functions
40 * See the library functions here: @ref hx509_print
43 struct hx509_validate_ctx_data
{
45 hx509_vprint_func vprint_func
;
50 unsigned int selfsigned
:1;
52 unsigned int isproxy
:1;
53 unsigned int haveSAN
:1;
54 unsigned int haveIAN
:1;
55 unsigned int haveSKI
:1;
56 unsigned int haveAKI
:1;
57 unsigned int haveCRLDP
:1;
66 Time2string(const Time
*T
, char **str
)
73 t
= _hx509_Time2time_t(T
);
78 strftime(s
, 30, "%Y-%m-%d %H:%M:%S", tm
);
84 * Helper function to print on stdout for:
85 * - hx509_oid_print(),
86 * - hx509_bitstring_print(),
87 * - hx509_validate_ctx_set_print().
89 * @param ctx the context to the print function. If the ctx is NULL,
91 * @param fmt the printing format.
92 * @param va the argumet list.
94 * @ingroup hx509_print
98 hx509_print_stdout(void *ctx
, const char *fmt
, va_list va
)
103 vfprintf(f
, fmt
, va
);
107 print_func(hx509_vprint_func func
, void *ctx
, const char *fmt
, ...)
111 (*func
)(ctx
, fmt
, va
);
116 * Print a oid to a string.
118 * @param oid oid to print
119 * @param str allocated string, free with hx509_xfree().
121 * @return An hx509 error code, see hx509_get_error_string().
123 * @ingroup hx509_print
127 hx509_oid_sprint(const heim_oid
*oid
, char **str
)
129 return der_print_heim_oid(oid
, '.', str
);
133 * Print a oid using a hx509_vprint_func function. To print to stdout
134 * use hx509_print_stdout().
136 * @param oid oid to print
137 * @param func hx509_vprint_func to print with.
138 * @param ctx context variable to hx509_vprint_func function.
140 * @ingroup hx509_print
144 hx509_oid_print(const heim_oid
*oid
, hx509_vprint_func func
, void *ctx
)
147 hx509_oid_sprint(oid
, &str
);
148 print_func(func
, ctx
, "%s", str
);
153 * Print a bitstring using a hx509_vprint_func function. To print to
154 * stdout use hx509_print_stdout().
156 * @param b bit string to print.
157 * @param func hx509_vprint_func to print with.
158 * @param ctx context variable to hx509_vprint_func function.
160 * @ingroup hx509_print
164 hx509_bitstring_print(const heim_bit_string
*b
,
165 hx509_vprint_func func
, void *ctx
)
168 print_func(func
, ctx
, "\tlength: %d\n\t", b
->length
);
169 for (i
= 0; i
< (b
->length
+ 7) / 8; i
++)
170 print_func(func
, ctx
, "%02x%s%s",
171 ((unsigned char *)b
->data
)[i
],
172 i
< (b
->length
- 7) / 8
173 && (i
== 0 || (i
% 16) != 15) ? ":" : "",
174 i
!= 0 && (i
% 16) == 15 ?
175 (i
<= ((b
->length
+ 7) / 8 - 2) ? "\n\t" : "\n"):"");
179 * Print certificate usage for a certificate to a string.
181 * @param context A hx509 context.
182 * @param c a certificate print the keyusage for.
183 * @param s the return string with the keysage printed in to, free
184 * with hx509_xfree().
186 * @return An hx509 error code, see hx509_get_error_string().
188 * @ingroup hx509_print
192 hx509_cert_keyusage_print(hx509_context context
, hx509_cert c
, char **s
)
200 ret
= _hx509_cert_get_keyusage(context
, c
, &ku
);
203 unparse_flags(KeyUsage2int(ku
), asn1_KeyUsage_units(), buf
, sizeof(buf
));
206 hx509_set_error_string(context
, 0, ENOMEM
, "out of memory");
218 validate_vprint(void *c
, const char *fmt
, va_list va
)
220 hx509_validate_ctx ctx
= c
;
221 if (ctx
->vprint_func
== NULL
)
223 (ctx
->vprint_func
)(ctx
->ctx
, fmt
, va
);
227 validate_print(hx509_validate_ctx ctx
, int flags
, const char *fmt
, ...)
230 if ((ctx
->flags
& flags
) == 0)
233 validate_vprint(ctx
, fmt
, va
);
238 * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
241 enum critical_flag
{ D_C
= 0, S_C
, S_N_C
, M_C
, M_N_C
};
244 check_Null(hx509_validate_ctx ctx
,
245 struct cert_status
*status
,
246 enum critical_flag cf
, const Extension
*e
)
253 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
254 "\tCritical not set on SHOULD\n");
258 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
259 "\tCritical set on SHOULD NOT\n");
263 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
264 "\tCritical not set on MUST\n");
268 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
269 "\tCritical set on MUST NOT\n");
272 _hx509_abort("internal check_Null state error");
278 check_subjectKeyIdentifier(hx509_validate_ctx ctx
,
279 struct cert_status
*status
,
280 enum critical_flag cf
,
283 SubjectKeyIdentifier si
;
288 check_Null(ctx
, status
, cf
, e
);
290 ret
= decode_SubjectKeyIdentifier(e
->extnValue
.data
,
294 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
295 "Decoding SubjectKeyIdentifier failed: %d", ret
);
298 if (size
!= e
->extnValue
.length
) {
299 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
300 "Decoding SKI ahve extra bits on the end");
304 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
305 "SKI is too short (0 bytes)");
307 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
312 hex_encode(si
.data
, si
.length
, &id
);
314 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
315 "\tsubject key id: %s\n", id
);
320 free_SubjectKeyIdentifier(&si
);
326 check_authorityKeyIdentifier(hx509_validate_ctx ctx
,
327 struct cert_status
*status
,
328 enum critical_flag cf
,
331 AuthorityKeyIdentifier ai
;
336 check_Null(ctx
, status
, cf
, e
);
339 check_Null(ctx
, status
, cf
, e
);
341 ret
= decode_AuthorityKeyIdentifier(e
->extnValue
.data
,
345 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
346 "Decoding AuthorityKeyIdentifier failed: %d", ret
);
349 if (size
!= e
->extnValue
.length
) {
350 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
351 "Decoding SKI ahve extra bits on the end");
355 if (ai
.keyIdentifier
) {
357 hex_encode(ai
.keyIdentifier
->data
, ai
.keyIdentifier
->length
, &id
);
359 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
360 "\tauthority key id: %s\n", id
);
370 check_pkinit_san(hx509_validate_ctx ctx
, heim_any
*a
)
372 KRB5PrincipalName kn
;
377 ret
= decode_KRB5PrincipalName(a
->data
, a
->length
, &kn
, &size
);
379 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
380 "Decoding kerberos name in SAN failed: %d", ret
);
384 if (size
!= a
->length
) {
385 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
386 "Decoding kerberos name have extra bits on the end");
390 /* print kerberos principal, add code to quote / within components */
391 for (i
= 0; i
< kn
.principalName
.name_string
.len
; i
++) {
392 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s",
393 kn
.principalName
.name_string
.val
[i
]);
394 if (i
+ 1 < kn
.principalName
.name_string
.len
)
395 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "/");
397 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "@");
398 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s", kn
.realm
);
400 free_KRB5PrincipalName(&kn
);
405 check_utf8_string_san(hx509_validate_ctx ctx
, heim_any
*a
)
411 ret
= decode_PKIXXmppAddr(a
->data
, a
->length
, &jid
, &size
);
413 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
414 "Decoding JID in SAN failed: %d", ret
);
418 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s", jid
);
419 free_PKIXXmppAddr(&jid
);
425 check_altnull(hx509_validate_ctx ctx
, heim_any
*a
)
431 check_CRLDistributionPoints(hx509_validate_ctx ctx
,
432 struct cert_status
*status
,
433 enum critical_flag cf
,
436 CRLDistributionPoints dp
;
440 check_Null(ctx
, status
, cf
, e
);
442 ret
= decode_CRLDistributionPoints(e
->extnValue
.data
,
446 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
447 "Decoding CRL Distribution Points failed: %d\n", ret
);
451 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "CRL Distribution Points:\n");
452 for (i
= 0 ; i
< dp
.len
; i
++) {
453 if (dp
.val
[i
].distributionPoint
) {
454 DistributionPointName dpname
;
455 heim_any
*data
= dp
.val
[i
].distributionPoint
;
458 ret
= decode_DistributionPointName(data
->data
, data
->length
,
461 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
462 "Failed to parse CRL Distribution Point Name: %d\n", ret
);
466 switch (dpname
.element
) {
467 case choice_DistributionPointName_fullName
:
468 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "Fullname:\n");
470 for (j
= 0 ; j
< dpname
.u
.fullName
.len
; j
++) {
472 GeneralName
*name
= &dpname
.u
.fullName
.val
[j
];
474 ret
= hx509_general_name_unparse(name
, &s
);
475 if (ret
== 0 && s
!= NULL
) {
476 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, " %s\n", s
);
481 case choice_DistributionPointName_nameRelativeToCRLIssuer
:
482 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
483 "Unknown nameRelativeToCRLIssuer");
486 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
487 "Unknown DistributionPointName");
490 free_DistributionPointName(&dpname
);
493 free_CRLDistributionPoints(&dp
);
495 status
->haveCRLDP
= 1;
503 const heim_oid
*(*oid
)(void);
504 int (*func
)(hx509_validate_ctx
, heim_any
*);
505 } check_altname
[] = {
506 { "pk-init", oid_id_pkinit_san
, check_pkinit_san
},
507 { "jabber", oid_id_pkix_on_xmppAddr
, check_utf8_string_san
},
508 { "dns-srv", oid_id_pkix_on_dnsSRV
, check_altnull
},
509 { "card-id", oid_id_uspkicommon_card_id
, check_altnull
},
510 { "Microsoft NT-PRINCIPAL-NAME", oid_id_pkinit_ms_san
, check_utf8_string_san
}
514 check_altName(hx509_validate_ctx ctx
,
515 struct cert_status
*status
,
517 enum critical_flag cf
,
524 check_Null(ctx
, status
, cf
, e
);
526 if (e
->extnValue
.length
== 0) {
527 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
528 "%sAltName empty, not allowed", name
);
531 ret
= decode_GeneralNames(e
->extnValue
.data
, e
->extnValue
.length
,
534 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
535 "\tret = %d while decoding %s GeneralNames\n",
540 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
541 "%sAltName generalName empty, not allowed\n", name
);
545 for (i
= 0; i
< gn
.len
; i
++) {
546 switch (gn
.val
[i
].element
) {
547 case choice_GeneralName_otherName
: {
550 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
551 "%sAltName otherName ", name
);
553 for (j
= 0; j
< sizeof(check_altname
)/sizeof(check_altname
[0]); j
++) {
554 if (der_heim_oid_cmp((*check_altname
[j
].oid
)(),
555 &gn
.val
[i
].u
.otherName
.type_id
) != 0)
558 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s: ",
559 check_altname
[j
].name
);
560 (*check_altname
[j
].func
)(ctx
, &gn
.val
[i
].u
.otherName
.value
);
563 if (j
== sizeof(check_altname
)/sizeof(check_altname
[0])) {
564 hx509_oid_print(&gn
.val
[i
].u
.otherName
.type_id
,
565 validate_vprint
, ctx
);
566 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, " unknown");
568 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "\n");
573 ret
= hx509_general_name_unparse(&gn
.val
[i
], &s
);
575 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
576 "ret = %d unparsing GeneralName\n", ret
);
579 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s\n", s
);
586 free_GeneralNames(&gn
);
592 check_subjectAltName(hx509_validate_ctx ctx
,
593 struct cert_status
*status
,
594 enum critical_flag cf
,
598 return check_altName(ctx
, status
, "subject", cf
, e
);
602 check_issuerAltName(hx509_validate_ctx ctx
,
603 struct cert_status
*status
,
604 enum critical_flag cf
,
608 return check_altName(ctx
, status
, "issuer", cf
, e
);
613 check_basicConstraints(hx509_validate_ctx ctx
,
614 struct cert_status
*status
,
615 enum critical_flag cf
,
622 check_Null(ctx
, status
, cf
, e
);
624 ret
= decode_BasicConstraints(e
->extnValue
.data
, e
->extnValue
.length
,
627 printf("\tret = %d while decoding BasicConstraints\n", ret
);
630 if (size
!= e
->extnValue
.length
)
631 printf("\tlength of der data isn't same as extension\n");
633 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
634 "\tis %sa CA\n", b
.cA
&& *b
.cA
? "" : "NOT ");
635 if (b
.pathLenConstraint
)
636 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
637 "\tpathLenConstraint: %d\n", *b
.pathLenConstraint
);
642 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
643 "Is a CA and not BasicConstraints CRITICAL\n");
647 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
648 "cA is FALSE, not allowed to be\n");
650 free_BasicConstraints(&b
);
656 check_proxyCertInfo(hx509_validate_ctx ctx
,
657 struct cert_status
*status
,
658 enum critical_flag cf
,
661 check_Null(ctx
, status
, cf
, e
);
667 check_authorityInfoAccess(hx509_validate_ctx ctx
,
668 struct cert_status
*status
,
669 enum critical_flag cf
,
672 AuthorityInfoAccessSyntax aia
;
676 check_Null(ctx
, status
, cf
, e
);
678 ret
= decode_AuthorityInfoAccessSyntax(e
->extnValue
.data
,
682 printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret
);
686 for (i
= 0; i
< aia
.len
; i
++) {
688 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
690 hx509_oid_print(&aia
.val
[i
].accessMethod
, validate_vprint
, ctx
);
691 hx509_general_name_unparse(&aia
.val
[i
].accessLocation
, &str
);
692 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
693 "\n\tdirname: %s\n", str
);
696 free_AuthorityInfoAccessSyntax(&aia
);
707 const heim_oid
*(*oid
)(void);
708 int (*func
)(hx509_validate_ctx ctx
,
709 struct cert_status
*status
,
710 enum critical_flag cf
,
712 enum critical_flag cf
;
713 } check_extension
[] = {
714 #define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname
715 { ext(subjectDirectoryAttributes
, Null
), M_N_C
},
716 { ext(subjectKeyIdentifier
, subjectKeyIdentifier
), M_N_C
},
717 { ext(keyUsage
, Null
), S_C
},
718 { ext(subjectAltName
, subjectAltName
), M_N_C
},
719 { ext(issuerAltName
, issuerAltName
), S_N_C
},
720 { ext(basicConstraints
, basicConstraints
), D_C
},
721 { ext(cRLNumber
, Null
), M_N_C
},
722 { ext(cRLReason
, Null
), M_N_C
},
723 { ext(holdInstructionCode
, Null
), M_N_C
},
724 { ext(invalidityDate
, Null
), M_N_C
},
725 { ext(deltaCRLIndicator
, Null
), M_C
},
726 { ext(issuingDistributionPoint
, Null
), M_C
},
727 { ext(certificateIssuer
, Null
), M_C
},
728 { ext(nameConstraints
, Null
), M_C
},
729 { ext(cRLDistributionPoints
, CRLDistributionPoints
), S_N_C
},
730 { ext(certificatePolicies
, Null
) },
731 { ext(policyMappings
, Null
), M_N_C
},
732 { ext(authorityKeyIdentifier
, authorityKeyIdentifier
), M_N_C
},
733 { ext(policyConstraints
, Null
), D_C
},
734 { ext(extKeyUsage
, Null
), D_C
},
735 { ext(freshestCRL
, Null
), M_N_C
},
736 { ext(inhibitAnyPolicy
, Null
), M_C
},
738 #define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname
739 { ext(proxyCertInfo
, proxyCertInfo
), M_C
},
740 { ext(authorityInfoAccess
, authorityInfoAccess
), M_C
},
742 { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim
,
744 { "Netscape cert comment", oid_id_netscape_cert_comment
,
750 * Allocate a hx509 validation/printing context.
752 * @param context A hx509 context.
753 * @param ctx a new allocated hx509 validation context, free with
754 * hx509_validate_ctx_free().
756 * @return An hx509 error code, see hx509_get_error_string().
758 * @ingroup hx509_print
762 hx509_validate_ctx_init(hx509_context context
, hx509_validate_ctx
*ctx
)
764 *ctx
= malloc(sizeof(**ctx
));
767 memset(*ctx
, 0, sizeof(**ctx
));
772 * Set the printing functions for the validation context.
774 * @param ctx a hx509 valication context.
775 * @param func the printing function to usea.
776 * @param c the context variable to the printing function.
778 * @return An hx509 error code, see hx509_get_error_string().
780 * @ingroup hx509_print
784 hx509_validate_ctx_set_print(hx509_validate_ctx ctx
,
785 hx509_vprint_func func
,
788 ctx
->vprint_func
= func
;
793 * Add flags to control the behaivor of the hx509_validate_cert()
796 * @param ctx A hx509 validation context.
797 * @param flags flags to add to the validation context.
799 * @return An hx509 error code, see hx509_get_error_string().
801 * @ingroup hx509_print
805 hx509_validate_ctx_add_flags(hx509_validate_ctx ctx
, int flags
)
811 * Free an hx509 validate context.
813 * @param ctx the hx509 validate context to free.
815 * @ingroup hx509_print
819 hx509_validate_ctx_free(hx509_validate_ctx ctx
)
825 * Validate/Print the status of the certificate.
827 * @param context A hx509 context.
828 * @param ctx A hx509 validation context.
829 * @param cert the cerificate to validate/print.
831 * @return An hx509 error code, see hx509_get_error_string().
833 * @ingroup hx509_print
837 hx509_validate_cert(hx509_context context
,
838 hx509_validate_ctx ctx
,
841 Certificate
*c
= _hx509_get_cert(cert
);
842 TBSCertificate
*t
= &c
->tbsCertificate
;
843 hx509_name issuer
, subject
;
845 struct cert_status status
;
848 memset(&status
, 0, sizeof(status
));
850 if (_hx509_cert_get_version(c
) != 3)
851 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
852 "Not version 3 certificate\n");
854 if ((t
->version
== NULL
|| *t
->version
< 2) && t
->extensions
)
855 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
856 "Not version 3 certificate with extensions\n");
858 if (_hx509_cert_get_version(c
) >= 3 && t
->extensions
== NULL
)
859 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
860 "Version 3 certificate without extensions\n");
862 ret
= hx509_cert_get_subject(cert
, &subject
);
864 hx509_name_to_string(subject
, &str
);
865 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
866 "subject name: %s\n", str
);
869 ret
= hx509_cert_get_issuer(cert
, &issuer
);
871 hx509_name_to_string(issuer
, &str
);
872 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
873 "issuer name: %s\n", str
);
876 if (hx509_name_cmp(subject
, issuer
) == 0) {
877 status
.selfsigned
= 1;
878 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
879 "\tis a self-signed certificate\n");
882 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
885 Time2string(&t
->validity
.notBefore
, &str
);
886 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "\tnotBefore %s\n", str
);
888 Time2string(&t
->validity
.notAfter
, &str
);
889 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "\tnotAfter %s\n", str
);
895 if (t
->extensions
->len
== 0) {
897 HX509_VALIDATE_F_VALIDATE
|HX509_VALIDATE_F_VERBOSE
,
898 "The empty extensions list is not "
899 "allowed by PKIX\n");
902 for (i
= 0; i
< t
->extensions
->len
; i
++) {
904 for (j
= 0; check_extension
[j
].name
; j
++)
905 if (der_heim_oid_cmp((*check_extension
[j
].oid
)(),
906 &t
->extensions
->val
[i
].extnID
) == 0)
908 if (check_extension
[j
].name
== NULL
) {
909 int flags
= HX509_VALIDATE_F_VERBOSE
;
910 if (t
->extensions
->val
[i
].critical
)
911 flags
|= HX509_VALIDATE_F_VALIDATE
;
912 validate_print(ctx
, flags
, "don't know what ");
913 if (t
->extensions
->val
[i
].critical
)
914 validate_print(ctx
, flags
, "and is CRITICAL ");
915 if (ctx
->flags
& flags
)
916 hx509_oid_print(&t
->extensions
->val
[i
].extnID
,
917 validate_vprint
, ctx
);
918 validate_print(ctx
, flags
, " is\n");
922 HX509_VALIDATE_F_VALIDATE
|HX509_VALIDATE_F_VERBOSE
,
923 "checking extention: %s\n",
924 check_extension
[j
].name
);
925 (*check_extension
[j
].func
)(ctx
,
927 check_extension
[j
].cf
,
928 &t
->extensions
->val
[i
]);
931 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "no extentions\n");
935 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
936 "CA certificate have no SubjectKeyIdentifier\n");
940 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
941 "Is not CA and doesn't have "
942 "AuthorityKeyIdentifier\n");
947 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
948 "Doesn't have SubjectKeyIdentifier\n");
950 if (status
.isproxy
&& status
.isca
)
951 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
952 "Proxy and CA at the same time!\n");
954 if (status
.isproxy
) {
956 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
957 "Proxy and have SAN\n");
959 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
960 "Proxy and have IAN\n");
963 if (hx509_name_is_null_p(subject
) && !status
.haveSAN
)
964 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
965 "NULL subject DN and doesn't have a SAN\n");
967 if (!status
.selfsigned
&& !status
.haveCRLDP
)
968 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
969 "Not a CA nor PROXY and doesn't have"
972 if (status
.selfsigned
) {
973 ret
= _hx509_verify_signature_bitstring(context
,
975 &c
->signatureAlgorithm
,
976 &c
->tbsCertificate
._save
,
979 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
980 "Self-signed certificate was self-signed\n");
982 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
983 "Self-signed certificate NOT really self-signed!\n");
986 hx509_name_free(&subject
);
987 hx509_name_free(&issuer
);