123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867 |
- /*
- * Copyright(C) 2006 Cameron Rich
- *
- * This library is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation; either version 2.1 of the License, or
- * (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
- /**
- * @file asn1.c
- *
- * Some primitive asn methods for extraction rsa modulus information. It also
- * is used for retrieving information from X.509 certificates.
- */
-
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <time.h>
- #include "crypto.h"
-
- #define SIG_OID_PREFIX_SIZE 8
-
- #define SIG_TYPE_MD2 0x02
- #define SIG_TYPE_MD5 0x04
- #define SIG_TYPE_SHA1 0x05
-
- /* Must be an RSA algorithm with either SHA1 or MD5 for verifying to work */
- static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] =
- {
- 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01
- };
-
- /* CN, O, OU */
- static const uint8_t g_dn_types[] = { 3, 10, 11 };
-
- static int get_asn1_length(const uint8_t *buf, int *offset)
- {
- int len, i;
-
- if (!(buf[*offset] & 0x80)) /* short form */
- {
- len = buf[(*offset)++];
- }
- else /* long form */
- {
- int length_bytes = buf[(*offset)++]&0x7f;
- len = 0;
- for (i = 0; i < length_bytes; i++)
- {
- len <<= 8;
- len += buf[(*offset)++];
- }
- }
-
- return len;
- }
-
- /**
- * Skip the ASN1.1 object type and its length. Get ready to read the object's
- * data.
- */
- int asn1_next_obj(const uint8_t *buf, int *offset, int obj_type)
- {
- if (buf[*offset] != obj_type)
- return X509_NOT_OK;
- (*offset)++;
- return get_asn1_length(buf, offset);
- }
-
- /**
- * Skip over an ASN.1 object type completely. Get ready to read the next
- * object.
- */
- int asn1_skip_obj(const uint8_t *buf, int *offset, int obj_type)
- {
- int len;
-
- if (buf[*offset] != obj_type)
- return X509_NOT_OK;
- (*offset)++;
- len = get_asn1_length(buf, offset);
- *offset += len;
- return 0;
- }
-
- /**
- * Read an integer value for ASN.1 data
- * Note: This function allocates memory which must be freed by the user.
- */
- int asn1_get_int(const uint8_t *buf, int *offset, uint8_t **object)
- {
- int len;
-
- if ((len = asn1_next_obj(buf, offset, ASN1_INTEGER)) < 0)
- goto end_int_array;
-
- *object = (uint8_t *)malloc(len);
- memcpy(*object, &buf[*offset], len);
- *offset += len;
-
- end_int_array:
- return len;
- }
-
- #if 0
-
- /**
- * Get all the RSA private key specifics from an ASN.1 encoded file
- */
- int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx)
- {
- int offset = 7;
- uint8_t *modulus, *priv_exp, *pub_exp;
- int mod_len, priv_len, pub_len;
- #ifdef CONFIG_BIGINT_CRT
- uint8_t *p, *q, *dP, *dQ, *qInv;
- int p_len, q_len, dP_len, dQ_len, qInv_len;
- #endif
-
- /* not in der format */
- if (buf[0] != ASN1_SEQUENCE) /* basic sanity check */
- {
- #ifdef CONFIG_SSL_FULL_MODE
- printf("Error: This is not a valid ASN.1 file\n");
- #endif
- return X509_INVALID_PRIV_KEY;
- }
-
- /* initialise the RNG */
- RNG_initialize(buf, len);
-
- mod_len = asn1_get_int(buf, &offset, &modulus);
- pub_len = asn1_get_int(buf, &offset, &pub_exp);
- priv_len = asn1_get_int(buf, &offset, &priv_exp);
-
- if (mod_len <= 0 || pub_len <= 0 || priv_len <= 0)
- return X509_INVALID_PRIV_KEY;
-
- #ifdef CONFIG_BIGINT_CRT
- p_len = asn1_get_int(buf, &offset, &p);
- q_len = asn1_get_int(buf, &offset, &q);
- dP_len = asn1_get_int(buf, &offset, &dP);
- dQ_len = asn1_get_int(buf, &offset, &dQ);
- qInv_len = asn1_get_int(buf, &offset, &qInv);
-
- if (p_len <= 0 || q_len <= 0 || dP_len <= 0 || dQ_len <= 0 || qInv_len <= 0)
- return X509_INVALID_PRIV_KEY;
-
- RSA_priv_key_new(rsa_ctx,
- modulus, mod_len, pub_exp, pub_len, priv_exp, priv_len,
- p, p_len, q, p_len, dP, dP_len, dQ, dQ_len, qInv, qInv_len);
-
- free(p);
- free(q);
- free(dP);
- free(dQ);
- free(qInv);
- #else
- RSA_priv_key_new(rsa_ctx,
- modulus, mod_len, pub_exp, pub_len, priv_exp, priv_len);
- #endif
-
- free(modulus);
- free(priv_exp);
- free(pub_exp);
- return X509_OK;
- }
-
- /**
- * Get the time of a certificate. Ignore hours/minutes/seconds.
- */
- static int asn1_get_utc_time(const uint8_t *buf, int *offset, time_t *t)
- {
- int ret = X509_NOT_OK, len, t_offset;
- struct tm tm;
-
- if (buf[(*offset)++] != ASN1_UTC_TIME)
- goto end_utc_time;
- len = get_asn1_length(buf, offset);
- t_offset = *offset;
-
- memset(&tm, 0, sizeof(struct tm));
- tm.tm_year = (buf[t_offset] - '0')*10 + (buf[t_offset+1] - '0');
-
- if (tm.tm_year <= 50) /* 1951-2050 thing */
- {
- tm.tm_year += 100;
- }
-
- tm.tm_mon = (buf[t_offset+2] - '0')*10 + (buf[t_offset+3] - '0') - 1;
- tm.tm_mday = (buf[t_offset+4] - '0')*10 + (buf[t_offset+5] - '0');
- *t = mktime(&tm);
- *offset += len;
- ret = X509_OK;
-
- end_utc_time:
- return ret;
- }
-
- /**
- * Get the version type of a certificate (which we don't actually care about)
- */
- static int asn1_version(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
- {
- int ret = X509_NOT_OK;
-
- (*offset) += 2; /* get past explicit tag */
- if (asn1_skip_obj(cert, offset, ASN1_INTEGER))
- goto end_version;
-
- ret = X509_OK;
- end_version:
- return ret;
- }
-
- /**
- * Retrieve the notbefore and notafter certificate times.
- */
- static int asn1_validity(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
- {
- return (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
- asn1_get_utc_time(cert, offset, &x509_ctx->not_before) ||
- asn1_get_utc_time(cert, offset, &x509_ctx->not_after));
- }
-
- /**
- * Get the components of a distinguished name
- */
- static int asn1_get_oid_x520(const uint8_t *buf, int *offset)
- {
- int dn_type = 0;
- int len;
-
- if ((len = asn1_next_obj(buf, offset, ASN1_OID)) < 0)
- goto end_oid;
-
- /* expect a sequence of 2.5.4.[x] where x is a one of distinguished name
- components we are interested in. */
- if (len == 3 && buf[(*offset)++] == 0x55 && buf[(*offset)++] == 0x04)
- dn_type = buf[(*offset)++];
- else
- {
- *offset += len; /* skip over it */
- }
-
- end_oid:
- return dn_type;
- }
-
- /**
- * Obtain an ASN.1 printable string type.
- */
- static int asn1_get_printable_str(const uint8_t *buf, int *offset, char **str)
- {
- int len = X509_NOT_OK;
-
- /* some certs have this awful crud in them for some reason */
- if (buf[*offset] != ASN1_PRINTABLE_STR &&
- buf[*offset] != ASN1_TELETEX_STR && buf[*offset] != ASN1_IA5_STR)
- goto end_pnt_str;
-
- (*offset)++;
- len = get_asn1_length(buf, offset);
- *str = (char *)malloc(len+1); /* allow for null */
- memcpy(*str, &buf[*offset], len);
- (*str)[len] = 0; /* null terminate */
- *offset += len;
- end_pnt_str:
- return len;
- }
-
- /**
- * Get the subject name (or the issuer) of a certificate.
- */
- static int asn1_name(const uint8_t *cert, int *offset, char *dn[])
- {
- int ret = X509_NOT_OK;
- int dn_type;
- char *tmp = NULL;
-
- if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0)
- goto end_name;
-
- while (asn1_next_obj(cert, offset, ASN1_SET) >= 0)
- {
- int i, found = 0;
-
- if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
- (dn_type = asn1_get_oid_x520(cert, offset)) < 0)
- goto end_name;
-
- if (asn1_get_printable_str(cert, offset, &tmp) < 0)
- {
- free(tmp);
- goto end_name;
- }
-
- /* find the distinguished named type */
- for (i = 0; i < X509_NUM_DN_TYPES; i++)
- {
- if (dn_type == g_dn_types[i])
- {
- if (dn[i] == NULL)
- {
- dn[i] = tmp;
- found = 1;
- break;
- }
- }
- }
-
- if (found == 0) /* not found so get rid of it */
- {
- free(tmp);
- }
- }
-
- ret = X509_OK;
- end_name:
- return ret;
- }
-
- /**
- * Read the modulus and public exponent of a certificate.
- */
- static int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
- {
- int ret = X509_NOT_OK, mod_len, pub_len;
- uint8_t *modulus, *pub_exp;
-
- if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
- asn1_skip_obj(cert, offset, ASN1_SEQUENCE) ||
- asn1_next_obj(cert, offset, ASN1_BIT_STRING) < 0)
- goto end_pub_key;
-
- (*offset)++;
-
- if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0)
- goto end_pub_key;
-
- mod_len = asn1_get_int(cert, offset, &modulus);
- pub_len = asn1_get_int(cert, offset, &pub_exp);
-
- RSA_pub_key_new(&x509_ctx->rsa_ctx, modulus, mod_len, pub_exp, pub_len);
-
- free(modulus);
- free(pub_exp);
- ret = X509_OK;
-
- end_pub_key:
- return ret;
- }
-
- #ifdef CONFIG_SSL_CERT_VERIFICATION
- /**
- * Read the signature of the certificate.
- */
- static int asn1_signature(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
- {
- int ret = X509_NOT_OK;
-
- if (cert[(*offset)++] != ASN1_BIT_STRING)
- goto end_sig;
-
- x509_ctx->sig_len = get_asn1_length(cert, offset);
- x509_ctx->signature = (uint8_t *)malloc(x509_ctx->sig_len);
- memcpy(x509_ctx->signature, &cert[*offset], x509_ctx->sig_len);
- *offset += x509_ctx->sig_len;
- ret = X509_OK;
-
- end_sig:
- return ret;
- }
-
- /*
- * Compare 2 distinguished name components for equality
- * @return 0 if a match
- */
- static int asn1_compare_dn_comp(const char *dn1, const char *dn2)
- {
- int ret = 1;
-
- if ((dn1 && dn2 == NULL) || (dn1 == NULL && dn2)) goto err_no_match;
-
- ret = (dn1 && dn2) ? strcmp(dn1, dn2) : 0;
-
- err_no_match:
- return ret;
- }
-
- /**
- * Clean up all of the CA certificates.
- */
- void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx)
- {
- int i = 0;
-
- while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
- {
- x509_free(ca_cert_ctx->cert[i]);
- ca_cert_ctx->cert[i++] = NULL;
- }
-
- free(ca_cert_ctx);
- }
-
- /*
- * Compare 2 distinguished names for equality
- * @return 0 if a match
- */
- static int asn1_compare_dn(char * const dn1[], char * const dn2[])
- {
- int i;
-
- for (i = 0; i < X509_NUM_DN_TYPES; i++)
- {
- if (asn1_compare_dn_comp(dn1[i], dn2[i]))
- {
- return 1;
- }
- }
-
- return 0; /* all good */
- }
-
- /**
- * Retrieve the signature from a certificate.
- */
- const uint8_t *x509_get_signature(const uint8_t *asn1_sig, int *len)
- {
- int offset = 0;
- const uint8_t *ptr = NULL;
-
- if (asn1_next_obj(asn1_sig, &offset, ASN1_SEQUENCE) < 0 ||
- asn1_skip_obj(asn1_sig, &offset, ASN1_SEQUENCE))
- goto end_get_sig;
-
- if (asn1_sig[offset++] != ASN1_OCTET_STRING)
- goto end_get_sig;
- *len = get_asn1_length(asn1_sig, &offset);
- ptr = &asn1_sig[offset]; /* all ok */
-
- end_get_sig:
- return ptr;
- }
-
- #endif
-
- /**
- * Read the signature type of the certificate. We only support RSA-MD5 and
- * RSA-SHA1 signature types.
- */
- static int asn1_signature_type(const uint8_t *cert,
- int *offset, X509_CTX *x509_ctx)
- {
- int ret = X509_NOT_OK, len;
-
- if (cert[(*offset)++] != ASN1_OID)
- goto end_check_sig;
-
- len = get_asn1_length(cert, offset);
-
- if (memcmp(sig_oid_prefix, &cert[*offset], SIG_OID_PREFIX_SIZE))
- goto end_check_sig; /* unrecognised cert type */
-
- x509_ctx->sig_type = cert[*offset + SIG_OID_PREFIX_SIZE];
-
- *offset += len;
- if (asn1_skip_obj(cert, offset, ASN1_NULL))
- goto end_check_sig;
- ret = X509_OK;
-
- end_check_sig:
- return ret;
- }
-
- /**
- * Construct a new x509 object.
- * @return 0 if ok. < 0 if there was a problem.
- */
- int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
- {
- int begin_tbs, end_tbs;
- int ret = X509_NOT_OK, offset = 0, cert_size = 0;
- X509_CTX *x509_ctx;
- BI_CTX *bi_ctx;
-
- *ctx = (X509_CTX *)calloc(1, sizeof(X509_CTX));
- x509_ctx = *ctx;
-
- /* get the certificate size */
- asn1_skip_obj(cert, &cert_size, ASN1_SEQUENCE);
-
- if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0)
- goto end_cert;
-
- begin_tbs = offset; /* start of the tbs */
- end_tbs = begin_tbs; /* work out the end of the tbs */
- asn1_skip_obj(cert, &end_tbs, ASN1_SEQUENCE);
-
- if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0)
- goto end_cert;
-
- if (cert[offset] == ASN1_EXPLICIT_TAG) /* optional version */
- {
- if (asn1_version(cert, &offset, x509_ctx))
- goto end_cert;
- }
-
- if (asn1_skip_obj(cert, &offset, ASN1_INTEGER) || /* serial number */
- asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0)
- goto end_cert;
-
- /* make sure the signature is ok */
- if (asn1_signature_type(cert, &offset, x509_ctx))
- {
- ret = X509_VFY_ERROR_UNSUPPORTED_DIGEST;
- goto end_cert;
- }
-
- if (asn1_name(cert, &offset, x509_ctx->ca_cert_dn) ||
- asn1_validity(cert, &offset, x509_ctx) ||
- asn1_name(cert, &offset, x509_ctx->cert_dn) ||
- asn1_public_key(cert, &offset, x509_ctx))
- goto end_cert;
-
- bi_ctx = x509_ctx->rsa_ctx->bi_ctx;
-
- #ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
- /* use the appropriate signature algorithm (either SHA1 or MD5) */
- if (x509_ctx->sig_type == SIG_TYPE_MD5)
- {
- MD5_CTX md5_ctx;
- uint8_t md5_dgst[MD5_SIZE];
- MD5Init(&md5_ctx);
- MD5Update(&md5_ctx, &cert[begin_tbs], end_tbs-begin_tbs);
- MD5Final(&md5_ctx, md5_dgst);
- x509_ctx->digest = bi_import(bi_ctx, md5_dgst, MD5_SIZE);
- }
- else if (x509_ctx->sig_type == SIG_TYPE_SHA1)
- {
- SHA1_CTX sha_ctx;
- uint8_t sha_dgst[SHA1_SIZE];
- SHA1Init(&sha_ctx);
- SHA1Update(&sha_ctx, &cert[begin_tbs], end_tbs-begin_tbs);
- SHA1Final(&sha_ctx, sha_dgst);
- x509_ctx->digest = bi_import(bi_ctx, sha_dgst, SHA1_SIZE);
- }
-
- offset = end_tbs; /* skip the v3 data */
- if (asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) ||
- asn1_signature(cert, &offset, x509_ctx))
- goto end_cert;
- #endif
-
- if (len)
- {
- *len = cert_size;
- }
-
- ret = X509_OK;
- end_cert:
-
- #ifdef CONFIG_SSL_FULL_MODE
- if (ret)
- {
- printf("Error: Invalid X509 ASN.1 file\n");
- }
- #endif
-
- return ret;
- }
-
- /**
- * Free an X.509 object's resources.
- */
- void x509_free(X509_CTX *x509_ctx)
- {
- X509_CTX *next;
- int i;
-
- if (x509_ctx == NULL) /* if already null, then don't bother */
- return;
-
- for (i = 0; i < X509_NUM_DN_TYPES; i++)
- {
- free(x509_ctx->ca_cert_dn[i]);
- free(x509_ctx->cert_dn[i]);
- }
-
- free(x509_ctx->signature);
-
- #ifdef CONFIG_SSL_CERT_VERIFICATION
- if (x509_ctx->digest)
- {
- bi_free(x509_ctx->rsa_ctx->bi_ctx, x509_ctx->digest);
- }
- #endif
-
- RSA_free(x509_ctx->rsa_ctx);
-
- next = x509_ctx->next;
- free(x509_ctx);
- x509_free(next); /* clear the chain */
- }
-
- #ifdef CONFIG_SSL_CERT_VERIFICATION
- /**
- * Do some basic checks on the certificate chain.
- *
- * Certificate verification consists of a number of checks:
- * - A root certificate exists in the certificate store.
- * - The date of the certificate is after the start date.
- * - The date of the certificate is before the finish date.
- * - The certificate chain is valid.
- * - That the certificate(s) are not self-signed.
- * - The signature of the certificate is valid.
- */
- int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
- {
- int ret = X509_OK, i = 0;
- bigint *cert_sig;
- X509_CTX *next_cert = NULL;
- BI_CTX *ctx;
- bigint *mod, *expn;
- struct timeval tv;
- int match_ca_cert = 0;
-
- if (cert == NULL || ca_cert_ctx == NULL)
- {
- ret = X509_VFY_ERROR_NO_TRUSTED_CERT;
- goto end_verify;
- }
-
- /* last cert in the chain - look for a trusted cert */
- if (cert->next == NULL)
- {
- while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
- {
- if (asn1_compare_dn(cert->ca_cert_dn,
- ca_cert_ctx->cert[i]->cert_dn) == 0)
- {
- match_ca_cert = 1;
- break;
- }
-
- i++;
- }
-
- if (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
- {
- next_cert = ca_cert_ctx->cert[i];
- }
- else /* trusted cert not found */
- {
- ret = X509_VFY_ERROR_NO_TRUSTED_CERT;
- goto end_verify;
- }
- }
- else
- {
- next_cert = cert->next;
- }
-
- gettimeofday(&tv, NULL);
-
- /* check the not before date */
- if (tv.tv_sec < cert->not_before)
- {
- ret = X509_VFY_ERROR_NOT_YET_VALID;
- goto end_verify;
- }
-
- /* check the not after date */
- if (tv.tv_sec > cert->not_after)
- {
- ret = X509_VFY_ERROR_EXPIRED;
- goto end_verify;
- }
-
- /* check the chain integrity */
- if (asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn))
- {
- ret = X509_VFY_ERROR_INVALID_CHAIN;
- goto end_verify;
- }
-
- /* check for self-signing */
- if (!match_ca_cert && asn1_compare_dn(cert->ca_cert_dn, cert->cert_dn) == 0)
- {
- ret = X509_VFY_ERROR_SELF_SIGNED;
- goto end_verify;
- }
-
- /* check the signature */
- ctx = cert->rsa_ctx->bi_ctx;
- mod = next_cert->rsa_ctx->m;
- expn = next_cert->rsa_ctx->e;
- cert_sig = RSA_sign_verify(ctx, cert->signature, cert->sig_len,
- bi_clone(ctx, mod), bi_clone(ctx, expn));
-
- if (cert_sig)
- {
- ret = cert->digest ? /* check the signature */
- bi_compare(cert_sig, cert->digest) :
- X509_VFY_ERROR_UNSUPPORTED_DIGEST;
- bi_free(ctx, cert_sig);
-
- if (ret)
- goto end_verify;
- }
- else
- {
- ret = X509_VFY_ERROR_BAD_SIGNATURE;
- goto end_verify;
- }
-
- /* go down the certificate chain using recursion. */
- if (ret == 0 && cert->next)
- {
- ret = x509_verify(ca_cert_ctx, next_cert);
- }
-
- end_verify:
- return ret;
- }
- #endif
-
- #if defined (CONFIG_SSL_FULL_MODE)
- /**
- * Used for diagnostics.
- */
- void x509_print(CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
- {
- if (cert == NULL)
- return;
-
- printf("---------------- CERT DEBUG ----------------\n");
- printf("* CA Cert Distinguished Name\n");
- if (cert->ca_cert_dn[X509_COMMON_NAME])
- {
- printf("Common Name (CN):\t%s\n", cert->ca_cert_dn[X509_COMMON_NAME]);
- }
-
- if (cert->ca_cert_dn[X509_ORGANIZATION])
- {
- printf("Organization (O):\t%s\n", cert->ca_cert_dn[X509_ORGANIZATION]);
- }
-
- if (cert->ca_cert_dn[X509_ORGANIZATIONAL_TYPE])
- {
- printf("Organizational Unit (OU): %s\n",
- cert->ca_cert_dn[X509_ORGANIZATIONAL_TYPE]);
- }
-
- printf("* Cert Distinguished Name\n");
- if (cert->cert_dn[X509_COMMON_NAME])
- {
- printf("Common Name (CN):\t%s\n", cert->cert_dn[X509_COMMON_NAME]);
- }
-
- if (cert->cert_dn[X509_ORGANIZATION])
- {
- printf("Organization (O):\t%s\n", cert->cert_dn[X509_ORGANIZATION]);
- }
-
- if (cert->cert_dn[X509_ORGANIZATIONAL_TYPE])
- {
- printf("Organizational Unit (OU): %s\n",
- cert->cert_dn[X509_ORGANIZATIONAL_TYPE]);
- }
-
- printf("Not Before:\t\t%s", ctime(&cert->not_before));
- printf("Not After:\t\t%s", ctime(&cert->not_after));
- printf("RSA bitsize:\t\t%d\n", cert->rsa_ctx->num_octets*8);
- printf("Sig Type:\t\t");
- switch (cert->sig_type)
- {
- case SIG_TYPE_MD5:
- printf("MD5\n");
- break;
- case SIG_TYPE_SHA1:
- printf("SHA1\n");
- break;
- case SIG_TYPE_MD2:
- printf("MD2\n");
- break;
- default:
- printf("Unrecognized: %d\n", cert->sig_type);
- break;
- }
-
- printf("Verify:\t\t\t");
-
- if (ca_cert_ctx)
- {
- x509_display_error(x509_verify(ca_cert_ctx, cert));
- }
-
- printf("\n");
- #if 0
- print_blob("Signature", cert->signature, cert->sig_len);
- bi_print("Modulus", cert->rsa_ctx->m);
- bi_print("Pub Exp", cert->rsa_ctx->e);
- #endif
-
- if (ca_cert_ctx)
- {
- x509_print(ca_cert_ctx, cert->next);
- }
- }
-
- void x509_display_error(int error)
- {
- switch (error)
- {
- case X509_NOT_OK:
- printf("X509 not ok");
- break;
-
- case X509_VFY_ERROR_NO_TRUSTED_CERT:
- printf("No trusted cert is available");
- break;
-
- case X509_VFY_ERROR_BAD_SIGNATURE:
- printf("Bad signature");
- break;
-
- case X509_VFY_ERROR_NOT_YET_VALID:
- printf("Cert is not yet valid");
- break;
-
- case X509_VFY_ERROR_EXPIRED:
- printf("Cert has expired");
- break;
-
- case X509_VFY_ERROR_SELF_SIGNED:
- printf("Cert is self-signed");
- break;
-
- case X509_VFY_ERROR_INVALID_CHAIN:
- printf("Chain is invalid (check order of certs)");
- break;
-
- case X509_VFY_ERROR_UNSUPPORTED_DIGEST:
- printf("Unsupported digest");
- break;
-
- case X509_INVALID_PRIV_KEY:
- printf("Invalid private key");
- break;
- }
- }
- #endif /* CONFIG_SSL_FULL_MODE */
-
- #endif
|