2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * @page page_print Hx509 printing functions
40 * See the library functions here: @ref hx509_print
43 struct hx509_validate_ctx_data
{
45 hx509_vprint_func vprint_func
;
50 unsigned int selfsigned
:1;
52 unsigned int isproxy
:1;
53 unsigned int haveSAN
:1;
54 unsigned int haveIAN
:1;
55 unsigned int haveSKI
:1;
56 unsigned int haveAKI
:1;
57 unsigned int haveCRLDP
:1;
66 Time2string(const Time
*T
, char **str
)
73 t
= _hx509_Time2time_t(T
);
78 strftime(s
, 30, "%Y-%m-%d %H:%M:%S", tm
);
84 * Helper function to print on stdout for:
85 * - hx509_oid_print(),
86 * - hx509_bitstring_print(),
87 * - hx509_validate_ctx_set_print().
89 * @param ctx the context to the print function. If the ctx is NULL,
91 * @param fmt the printing format.
92 * @param va the argumet list.
94 * @ingroup hx509_print
98 hx509_print_stdout(void *ctx
, const char *fmt
, va_list va
)
103 vfprintf(f
, fmt
, va
);
107 print_func(hx509_vprint_func func
, void *ctx
, const char *fmt
, ...)
111 (*func
)(ctx
, fmt
, va
);
116 * Print a oid to a string.
118 * @param oid oid to print
119 * @param str allocated string, free with hx509_xfree().
121 * @return An hx509 error code, see hx509_get_error_string().
123 * @ingroup hx509_print
127 hx509_oid_sprint(const heim_oid
*oid
, char **str
)
129 return der_print_heim_oid(oid
, '.', str
);
133 * Print a oid using a hx509_vprint_func function. To print to stdout
134 * use hx509_print_stdout().
136 * @param oid oid to print
137 * @param func hx509_vprint_func to print with.
138 * @param ctx context variable to hx509_vprint_func function.
140 * @ingroup hx509_print
144 hx509_oid_print(const heim_oid
*oid
, hx509_vprint_func func
, void *ctx
)
147 hx509_oid_sprint(oid
, &str
);
148 print_func(func
, ctx
, "%s", str
);
153 * Print a bitstring using a hx509_vprint_func function. To print to
154 * stdout use hx509_print_stdout().
156 * @param b bit string to print.
157 * @param func hx509_vprint_func to print with.
158 * @param ctx context variable to hx509_vprint_func function.
160 * @ingroup hx509_print
164 hx509_bitstring_print(const heim_bit_string
*b
,
165 hx509_vprint_func func
, void *ctx
)
168 print_func(func
, ctx
, "\tlength: %d\n\t", b
->length
);
169 for (i
= 0; i
< (b
->length
+ 7) / 8; i
++)
170 print_func(func
, ctx
, "%02x%s%s",
171 ((unsigned char *)b
->data
)[i
],
172 i
< (b
->length
- 7) / 8
173 && (i
== 0 || (i
% 16) != 15) ? ":" : "",
174 i
!= 0 && (i
% 16) == 15 ?
175 (i
<= ((b
->length
+ 7) / 8 - 2) ? "\n\t" : "\n"):"");
179 * Print certificate usage for a certificate to a string.
181 * @param context A hx509 context.
182 * @param c a certificate print the keyusage for.
183 * @param s the return string with the keysage printed in to, free
184 * with hx509_xfree().
186 * @return An hx509 error code, see hx509_get_error_string().
188 * @ingroup hx509_print
192 hx509_cert_keyusage_print(hx509_context context
, hx509_cert c
, char **s
)
200 ret
= _hx509_cert_get_keyusage(context
, c
, &ku
);
203 unparse_flags(KeyUsage2int(ku
), asn1_KeyUsage_units(), buf
, sizeof(buf
));
206 hx509_set_error_string(context
, 0, ENOMEM
, "out of memory");
218 validate_vprint(void *c
, const char *fmt
, va_list va
)
220 hx509_validate_ctx ctx
= c
;
221 if (ctx
->vprint_func
== NULL
)
223 (ctx
->vprint_func
)(ctx
->ctx
, fmt
, va
);
227 validate_print(hx509_validate_ctx ctx
, int flags
, const char *fmt
, ...)
230 if ((ctx
->flags
& flags
) == 0)
233 validate_vprint(ctx
, fmt
, va
);
238 * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
241 enum critical_flag
{ D_C
= 0, S_C
, S_N_C
, M_C
, M_N_C
};
244 check_Null(hx509_validate_ctx ctx
,
245 struct cert_status
*status
,
246 enum critical_flag cf
, const Extension
*e
)
253 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
254 "\tCritical not set on SHOULD\n");
258 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
259 "\tCritical set on SHOULD NOT\n");
263 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
264 "\tCritical not set on MUST\n");
268 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
269 "\tCritical set on MUST NOT\n");
272 _hx509_abort("internal check_Null state error");
278 check_subjectKeyIdentifier(hx509_validate_ctx ctx
,
279 struct cert_status
*status
,
280 enum critical_flag cf
,
283 SubjectKeyIdentifier si
;
288 check_Null(ctx
, status
, cf
, e
);
290 ret
= decode_SubjectKeyIdentifier(e
->extnValue
.data
,
294 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
295 "Decoding SubjectKeyIdentifier failed: %d", ret
);
298 if (size
!= e
->extnValue
.length
) {
299 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
300 "Decoding SKI ahve extra bits on the end");
304 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
305 "SKI is too short (0 bytes)");
307 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
312 hex_encode(si
.data
, si
.length
, &id
);
314 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
315 "\tsubject key id: %s\n", id
);
320 free_SubjectKeyIdentifier(&si
);
326 check_authorityKeyIdentifier(hx509_validate_ctx ctx
,
327 struct cert_status
*status
,
328 enum critical_flag cf
,
331 AuthorityKeyIdentifier ai
;
336 check_Null(ctx
, status
, cf
, e
);
338 ret
= decode_AuthorityKeyIdentifier(e
->extnValue
.data
,
342 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
343 "Decoding AuthorityKeyIdentifier failed: %d", ret
);
346 if (size
!= e
->extnValue
.length
) {
347 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
348 "Decoding SKI ahve extra bits on the end");
352 if (ai
.keyIdentifier
) {
354 hex_encode(ai
.keyIdentifier
->data
, ai
.keyIdentifier
->length
, &id
);
356 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
357 "\tauthority key id: %s\n", id
);
366 check_extKeyUsage(hx509_validate_ctx ctx
,
367 struct cert_status
*status
,
368 enum critical_flag cf
,
375 check_Null(ctx
, status
, cf
, e
);
377 ret
= decode_ExtKeyUsage(e
->extnValue
.data
,
381 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
382 "Decoding ExtKeyUsage failed: %d", ret
);
385 if (size
!= e
->extnValue
.length
) {
386 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
387 "Padding data in EKU");
388 free_ExtKeyUsage(&eku
);
392 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
393 "ExtKeyUsage length is 0");
397 for (i
= 0; i
< eku
.len
; i
++) {
399 ret
= der_print_heim_oid (&eku
.val
[i
], '.', &str
);
401 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
402 "\tEKU: failed to print oid %d", i
);
403 free_ExtKeyUsage(&eku
);
406 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
407 "\teku-%d: %s\n", i
, str
);;
411 free_ExtKeyUsage(&eku
);
417 check_pkinit_san(hx509_validate_ctx ctx
, heim_any
*a
)
419 KRB5PrincipalName kn
;
424 ret
= decode_KRB5PrincipalName(a
->data
, a
->length
, &kn
, &size
);
426 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
427 "Decoding kerberos name in SAN failed: %d", ret
);
431 if (size
!= a
->length
) {
432 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
433 "Decoding kerberos name have extra bits on the end");
437 /* print kerberos principal, add code to quote / within components */
438 for (i
= 0; i
< kn
.principalName
.name_string
.len
; i
++) {
439 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s",
440 kn
.principalName
.name_string
.val
[i
]);
441 if (i
+ 1 < kn
.principalName
.name_string
.len
)
442 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "/");
444 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "@");
445 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s", kn
.realm
);
447 free_KRB5PrincipalName(&kn
);
452 check_utf8_string_san(hx509_validate_ctx ctx
, heim_any
*a
)
458 ret
= decode_PKIXXmppAddr(a
->data
, a
->length
, &jid
, &size
);
460 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
461 "Decoding JID in SAN failed: %d", ret
);
465 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s", jid
);
466 free_PKIXXmppAddr(&jid
);
472 check_altnull(hx509_validate_ctx ctx
, heim_any
*a
)
478 check_CRLDistributionPoints(hx509_validate_ctx ctx
,
479 struct cert_status
*status
,
480 enum critical_flag cf
,
483 CRLDistributionPoints dp
;
487 check_Null(ctx
, status
, cf
, e
);
489 ret
= decode_CRLDistributionPoints(e
->extnValue
.data
,
493 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
494 "Decoding CRL Distribution Points failed: %d\n", ret
);
498 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "CRL Distribution Points:\n");
499 for (i
= 0 ; i
< dp
.len
; i
++) {
500 if (dp
.val
[i
].distributionPoint
) {
501 DistributionPointName dpname
;
502 heim_any
*data
= dp
.val
[i
].distributionPoint
;
505 ret
= decode_DistributionPointName(data
->data
, data
->length
,
508 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
509 "Failed to parse CRL Distribution Point Name: %d\n", ret
);
513 switch (dpname
.element
) {
514 case choice_DistributionPointName_fullName
:
515 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "Fullname:\n");
517 for (j
= 0 ; j
< dpname
.u
.fullName
.len
; j
++) {
519 GeneralName
*name
= &dpname
.u
.fullName
.val
[j
];
521 ret
= hx509_general_name_unparse(name
, &s
);
522 if (ret
== 0 && s
!= NULL
) {
523 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, " %s\n", s
);
528 case choice_DistributionPointName_nameRelativeToCRLIssuer
:
529 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
530 "Unknown nameRelativeToCRLIssuer");
533 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
534 "Unknown DistributionPointName");
537 free_DistributionPointName(&dpname
);
540 free_CRLDistributionPoints(&dp
);
542 status
->haveCRLDP
= 1;
550 const heim_oid
*(*oid
)(void);
551 int (*func
)(hx509_validate_ctx
, heim_any
*);
552 } check_altname
[] = {
553 { "pk-init", oid_id_pkinit_san
, check_pkinit_san
},
554 { "jabber", oid_id_pkix_on_xmppAddr
, check_utf8_string_san
},
555 { "dns-srv", oid_id_pkix_on_dnsSRV
, check_altnull
},
556 { "card-id", oid_id_uspkicommon_card_id
, check_altnull
},
557 { "Microsoft NT-PRINCIPAL-NAME", oid_id_pkinit_ms_san
, check_utf8_string_san
}
561 check_altName(hx509_validate_ctx ctx
,
562 struct cert_status
*status
,
564 enum critical_flag cf
,
571 check_Null(ctx
, status
, cf
, e
);
573 if (e
->extnValue
.length
== 0) {
574 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
575 "%sAltName empty, not allowed", name
);
578 ret
= decode_GeneralNames(e
->extnValue
.data
, e
->extnValue
.length
,
581 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
582 "\tret = %d while decoding %s GeneralNames\n",
587 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
588 "%sAltName generalName empty, not allowed\n", name
);
592 for (i
= 0; i
< gn
.len
; i
++) {
593 switch (gn
.val
[i
].element
) {
594 case choice_GeneralName_otherName
: {
597 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
598 "%sAltName otherName ", name
);
600 for (j
= 0; j
< sizeof(check_altname
)/sizeof(check_altname
[0]); j
++) {
601 if (der_heim_oid_cmp((*check_altname
[j
].oid
)(),
602 &gn
.val
[i
].u
.otherName
.type_id
) != 0)
605 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s: ",
606 check_altname
[j
].name
);
607 (*check_altname
[j
].func
)(ctx
, &gn
.val
[i
].u
.otherName
.value
);
610 if (j
== sizeof(check_altname
)/sizeof(check_altname
[0])) {
611 hx509_oid_print(&gn
.val
[i
].u
.otherName
.type_id
,
612 validate_vprint
, ctx
);
613 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, " unknown");
615 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "\n");
620 ret
= hx509_general_name_unparse(&gn
.val
[i
], &s
);
622 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
623 "ret = %d unparsing GeneralName\n", ret
);
626 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "%s\n", s
);
633 free_GeneralNames(&gn
);
639 check_subjectAltName(hx509_validate_ctx ctx
,
640 struct cert_status
*status
,
641 enum critical_flag cf
,
645 return check_altName(ctx
, status
, "subject", cf
, e
);
649 check_issuerAltName(hx509_validate_ctx ctx
,
650 struct cert_status
*status
,
651 enum critical_flag cf
,
655 return check_altName(ctx
, status
, "issuer", cf
, e
);
660 check_basicConstraints(hx509_validate_ctx ctx
,
661 struct cert_status
*status
,
662 enum critical_flag cf
,
669 check_Null(ctx
, status
, cf
, e
);
671 ret
= decode_BasicConstraints(e
->extnValue
.data
, e
->extnValue
.length
,
674 printf("\tret = %d while decoding BasicConstraints\n", ret
);
677 if (size
!= e
->extnValue
.length
)
678 printf("\tlength of der data isn't same as extension\n");
680 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
681 "\tis %sa CA\n", b
.cA
&& *b
.cA
? "" : "NOT ");
682 if (b
.pathLenConstraint
)
683 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
684 "\tpathLenConstraint: %d\n", *b
.pathLenConstraint
);
689 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
690 "Is a CA and not BasicConstraints CRITICAL\n");
694 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
695 "cA is FALSE, not allowed to be\n");
697 free_BasicConstraints(&b
);
703 check_proxyCertInfo(hx509_validate_ctx ctx
,
704 struct cert_status
*status
,
705 enum critical_flag cf
,
708 check_Null(ctx
, status
, cf
, e
);
714 check_authorityInfoAccess(hx509_validate_ctx ctx
,
715 struct cert_status
*status
,
716 enum critical_flag cf
,
719 AuthorityInfoAccessSyntax aia
;
723 check_Null(ctx
, status
, cf
, e
);
725 ret
= decode_AuthorityInfoAccessSyntax(e
->extnValue
.data
,
729 printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret
);
733 for (i
= 0; i
< aia
.len
; i
++) {
735 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
737 hx509_oid_print(&aia
.val
[i
].accessMethod
, validate_vprint
, ctx
);
738 hx509_general_name_unparse(&aia
.val
[i
].accessLocation
, &str
);
739 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
740 "\n\tdirname: %s\n", str
);
743 free_AuthorityInfoAccessSyntax(&aia
);
754 const heim_oid
*(*oid
)(void);
755 int (*func
)(hx509_validate_ctx ctx
,
756 struct cert_status
*status
,
757 enum critical_flag cf
,
759 enum critical_flag cf
;
760 } check_extension
[] = {
761 #define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname
762 { ext(subjectDirectoryAttributes
, Null
), M_N_C
},
763 { ext(subjectKeyIdentifier
, subjectKeyIdentifier
), M_N_C
},
764 { ext(keyUsage
, Null
), S_C
},
765 { ext(subjectAltName
, subjectAltName
), M_N_C
},
766 { ext(issuerAltName
, issuerAltName
), S_N_C
},
767 { ext(basicConstraints
, basicConstraints
), D_C
},
768 { ext(cRLNumber
, Null
), M_N_C
},
769 { ext(cRLReason
, Null
), M_N_C
},
770 { ext(holdInstructionCode
, Null
), M_N_C
},
771 { ext(invalidityDate
, Null
), M_N_C
},
772 { ext(deltaCRLIndicator
, Null
), M_C
},
773 { ext(issuingDistributionPoint
, Null
), M_C
},
774 { ext(certificateIssuer
, Null
), M_C
},
775 { ext(nameConstraints
, Null
), M_C
},
776 { ext(cRLDistributionPoints
, CRLDistributionPoints
), S_N_C
},
777 { ext(certificatePolicies
, Null
) },
778 { ext(policyMappings
, Null
), M_N_C
},
779 { ext(authorityKeyIdentifier
, authorityKeyIdentifier
), M_N_C
},
780 { ext(policyConstraints
, Null
), D_C
},
781 { ext(extKeyUsage
, extKeyUsage
), D_C
},
782 { ext(freshestCRL
, Null
), M_N_C
},
783 { ext(inhibitAnyPolicy
, Null
), M_C
},
785 #define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname
786 { ext(proxyCertInfo
, proxyCertInfo
), M_C
},
787 { ext(authorityInfoAccess
, authorityInfoAccess
), M_C
},
789 { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim
,
791 { "Netscape cert comment", oid_id_netscape_cert_comment
,
797 * Allocate a hx509 validation/printing context.
799 * @param context A hx509 context.
800 * @param ctx a new allocated hx509 validation context, free with
801 * hx509_validate_ctx_free().
803 * @return An hx509 error code, see hx509_get_error_string().
805 * @ingroup hx509_print
809 hx509_validate_ctx_init(hx509_context context
, hx509_validate_ctx
*ctx
)
811 *ctx
= malloc(sizeof(**ctx
));
814 memset(*ctx
, 0, sizeof(**ctx
));
819 * Set the printing functions for the validation context.
821 * @param ctx a hx509 valication context.
822 * @param func the printing function to usea.
823 * @param c the context variable to the printing function.
825 * @return An hx509 error code, see hx509_get_error_string().
827 * @ingroup hx509_print
831 hx509_validate_ctx_set_print(hx509_validate_ctx ctx
,
832 hx509_vprint_func func
,
835 ctx
->vprint_func
= func
;
840 * Add flags to control the behaivor of the hx509_validate_cert()
843 * @param ctx A hx509 validation context.
844 * @param flags flags to add to the validation context.
846 * @return An hx509 error code, see hx509_get_error_string().
848 * @ingroup hx509_print
852 hx509_validate_ctx_add_flags(hx509_validate_ctx ctx
, int flags
)
858 * Free an hx509 validate context.
860 * @param ctx the hx509 validate context to free.
862 * @ingroup hx509_print
866 hx509_validate_ctx_free(hx509_validate_ctx ctx
)
872 * Validate/Print the status of the certificate.
874 * @param context A hx509 context.
875 * @param ctx A hx509 validation context.
876 * @param cert the cerificate to validate/print.
878 * @return An hx509 error code, see hx509_get_error_string().
880 * @ingroup hx509_print
884 hx509_validate_cert(hx509_context context
,
885 hx509_validate_ctx ctx
,
888 Certificate
*c
= _hx509_get_cert(cert
);
889 TBSCertificate
*t
= &c
->tbsCertificate
;
890 hx509_name issuer
, subject
;
892 struct cert_status status
;
895 memset(&status
, 0, sizeof(status
));
897 if (_hx509_cert_get_version(c
) != 3)
898 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
899 "Not version 3 certificate\n");
901 if ((t
->version
== NULL
|| *t
->version
< 2) && t
->extensions
)
902 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
903 "Not version 3 certificate with extensions\n");
905 if (_hx509_cert_get_version(c
) >= 3 && t
->extensions
== NULL
)
906 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
907 "Version 3 certificate without extensions\n");
909 ret
= hx509_cert_get_subject(cert
, &subject
);
911 hx509_name_to_string(subject
, &str
);
912 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
913 "subject name: %s\n", str
);
916 ret
= hx509_cert_get_issuer(cert
, &issuer
);
918 hx509_name_to_string(issuer
, &str
);
919 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
920 "issuer name: %s\n", str
);
923 if (hx509_name_cmp(subject
, issuer
) == 0) {
924 status
.selfsigned
= 1;
925 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
926 "\tis a self-signed certificate\n");
929 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
932 Time2string(&t
->validity
.notBefore
, &str
);
933 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "\tnotBefore %s\n", str
);
935 Time2string(&t
->validity
.notAfter
, &str
);
936 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "\tnotAfter %s\n", str
);
942 if (t
->extensions
->len
== 0) {
944 HX509_VALIDATE_F_VALIDATE
|HX509_VALIDATE_F_VERBOSE
,
945 "The empty extensions list is not "
946 "allowed by PKIX\n");
949 for (i
= 0; i
< t
->extensions
->len
; i
++) {
951 for (j
= 0; check_extension
[j
].name
; j
++)
952 if (der_heim_oid_cmp((*check_extension
[j
].oid
)(),
953 &t
->extensions
->val
[i
].extnID
) == 0)
955 if (check_extension
[j
].name
== NULL
) {
956 int flags
= HX509_VALIDATE_F_VERBOSE
;
957 if (t
->extensions
->val
[i
].critical
)
958 flags
|= HX509_VALIDATE_F_VALIDATE
;
959 validate_print(ctx
, flags
, "don't know what ");
960 if (t
->extensions
->val
[i
].critical
)
961 validate_print(ctx
, flags
, "and is CRITICAL ");
962 if (ctx
->flags
& flags
)
963 hx509_oid_print(&t
->extensions
->val
[i
].extnID
,
964 validate_vprint
, ctx
);
965 validate_print(ctx
, flags
, " is\n");
969 HX509_VALIDATE_F_VALIDATE
|HX509_VALIDATE_F_VERBOSE
,
970 "checking extention: %s\n",
971 check_extension
[j
].name
);
972 (*check_extension
[j
].func
)(ctx
,
974 check_extension
[j
].cf
,
975 &t
->extensions
->val
[i
]);
978 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
, "no extentions\n");
982 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
983 "CA certificate have no SubjectKeyIdentifier\n");
987 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
988 "Is not CA and doesn't have "
989 "AuthorityKeyIdentifier\n");
994 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
995 "Doesn't have SubjectKeyIdentifier\n");
997 if (status
.isproxy
&& status
.isca
)
998 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
999 "Proxy and CA at the same time!\n");
1001 if (status
.isproxy
) {
1003 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
1004 "Proxy and have SAN\n");
1006 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
1007 "Proxy and have IAN\n");
1010 if (hx509_name_is_null_p(subject
) && !status
.haveSAN
)
1011 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
1012 "NULL subject DN and doesn't have a SAN\n");
1014 if (!status
.selfsigned
&& !status
.haveCRLDP
)
1015 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
1016 "Not a CA nor PROXY and doesn't have"
1017 "CRL Dist Point\n");
1019 if (status
.selfsigned
) {
1020 ret
= _hx509_verify_signature_bitstring(context
,
1022 &c
->signatureAlgorithm
,
1023 &c
->tbsCertificate
._save
,
1024 &c
->signatureValue
);
1026 validate_print(ctx
, HX509_VALIDATE_F_VERBOSE
,
1027 "Self-signed certificate was self-signed\n");
1029 validate_print(ctx
, HX509_VALIDATE_F_VALIDATE
,
1030 "Self-signed certificate NOT really self-signed!\n");
1033 hx509_name_free(&subject
);
1034 hx509_name_free(&issuer
);