/* * Copyright (C) 1997-2000 Sensus Consulting Ltd. * Matt Newman <matt@sensus.org> * Copyright (C) 2023 Brian O'Hagan */ #include <tcl.h> #include <stdio.h> #include <openssl/bio.h> #include <openssl/sha.h> #include <openssl/x509.h> #include <openssl/x509v3.h> #include <openssl/asn1.h> #include "tlsInt.h" /* * Ensure these are not macros - known to be defined on Win32 */ #ifdef min #undef min #endif #ifdef max #undef max #endif static int min(int a, int b) { return (a < b) ? a : b; } static int max(int a, int b) { return (a > b) ? a : b; } /* * Binary string to hex string */ int String_to_Hex(char* input, int len, char *output, int max) { int count = 0; for (int i = 0; i < len && count < max - 1; i++, count += 2) { sprintf(output + count, "%02X", input[i] & 0xff); } output[count] = 0; return count; } /* *------------------------------------------------------* * * Tls_NewX509Obj -- * * ------------------------------------------------* * Converts a X509 certificate into a Tcl_Obj * ------------------------------------------------* * * Side effects: * None * * Result: * A Tcl List Object representing the provided * X509 certificate. * *------------------------------------------------------* */ #define CERT_STR_SIZE 32768 Tcl_Obj* Tls_NewX509Obj(Tcl_Interp *interp, X509 *cert) { Tcl_Obj *certPtr = Tcl_NewListObj(0, NULL); BIO *bio; int mdnid, pknid, bits, num_of_exts, len; uint32_t xflags, usage; char subject[BUFSIZ]; char issuer[BUFSIZ]; char serial[BUFSIZ]; char notBefore[BUFSIZ]; char notAfter[BUFSIZ]; char buffer[BUFSIZ]; char certStr[CERT_STR_SIZE]; unsigned char md[EVP_MAX_MD_SIZE]; STACK_OF(GENERAL_NAME) *san; STACK_OF(DIST_POINT) *crl; STACK_OF(OPENSSL_STRING) *ocsp; certStr[0] = 0; subject[0] = 0; issuer[0] = 0; serial[0] = 0; notBefore[0] = 0; notAfter[0] = 0; if ((bio = BIO_new(BIO_s_mem())) != NULL) { int n; unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT; flags &= ~ASN1_STRFLGS_ESC_MSB; /* Get subject name */ if (X509_NAME_print_ex(bio, X509_get_subject_name(cert), 0, flags) > 0) { n = BIO_read(bio, subject, min(BIO_pending(bio), BUFSIZ - 1)); subject[max(n, 0)] = 0; (void)BIO_flush(bio); } /* Get issuer name */ if (X509_NAME_print_ex(bio, X509_get_issuer_name(cert), 0, flags) > 0) { n = BIO_read(bio, issuer, min(BIO_pending(bio), BUFSIZ - 1)); issuer[max(n, 0)] = 0; (void)BIO_flush(bio); } /* Get serial number */ if (i2a_ASN1_INTEGER(bio, X509_get0_serialNumber(cert)) > 0) { n = BIO_read(bio, serial, min(BIO_pending(bio), BUFSIZ - 1)); serial[max(n, 0)] = 0; (void)BIO_flush(bio); } /* Get certificate */ if (PEM_write_bio_X509(bio, cert)) { char *certStr_p = certStr; int certStr_len = 0; while (1) { int toRead = min(BIO_pending(bio), CERT_STR_SIZE - certStr_len - 1); toRead = min(toRead, BUFSIZ); if (toRead == 0) { break; } dprintf("Reading %i bytes from the certificate...", toRead); n = BIO_read(bio, certStr_p, toRead); if (n <= 0) { break; } certStr_len += n; certStr_p += n; } *certStr_p = '\0'; (void)BIO_flush(bio); } /* Get all cert info */ if (X509_print_ex(bio, cert, flags, 0)) { char all[65536]; n = BIO_read(bio, all, min(BIO_pending(bio), 65535)); all[max(n, 0)] = 0; (void)BIO_flush(bio); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("all", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(all, n)); } /* Get Validity - Not Before */ if (ASN1_TIME_print(bio, X509_get0_notBefore(cert))) { n = BIO_read(bio, notBefore, min(BIO_pending(bio), BUFSIZ - 1)); notBefore[max(n, 0)] = 0; (void)BIO_flush(bio); } /* Get Validity - Not After */ if (ASN1_TIME_print(bio, X509_get0_notAfter(cert))) { n = BIO_read(bio, notAfter, min(BIO_pending(bio), BUFSIZ - 1)); notAfter[max(n, 0)] = 0; (void)BIO_flush(bio); } BIO_free(bio); } /* The certificate data */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("certificate", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(certStr, -1)); /* Signature algorithm and value - RFC 5280 section 4.1.1.2 and 4.1.1.3 */ /* The signatureAlgorithm field contains the identifier for the cryptographic algorithm used by the CA to sign this certificate. The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate. */ { const X509_ALGOR *sig_alg; const ASN1_BIT_STRING *sig; int sig_nid; X509_get0_signature(&sig, &sig_alg, cert); /* sig_nid = X509_get_signature_nid(cert) */ sig_nid = OBJ_obj2nid(sig_alg->algorithm); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureAlgorithm", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(sig_nid),-1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureValue", -1)); if (sig_nid != NID_undef) { len = String_to_Hex(sig->data, sig->length, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } } /* Version of the encoded certificate - RFC 5280 section 4.1.2.1 */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("version", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewLongObj(X509_get_version(cert)+1)); /* Unique number assigned by CA to certificate - RFC 5280 section 4.1.2.2 */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("serialNumber", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(serial, -1)); /* Signature algorithm used by the CA to sign the certificate. Must match signatureAlgorithm. RFC 5280 section 4.1.2.3 */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signature", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(X509_get_signature_nid(cert)),-1)); /* The issuer identifies the entity that has signed and issued the certificate. RFC 5280 section 4.1.2.4 */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuer", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(issuer, -1)); /* Certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate. RFC 5280 section 4.1.2.5 */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("notBefore", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(notBefore, -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("notAfter", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(notAfter, -1)); /* The subject identifies the entity associated with the public key stored in the subject public key field. RFC 5280 section 4.1.2.6 */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subject", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(subject, -1)); /* SHA1 Fingerprint of cert - DER representation */ X509_digest(cert, EVP_sha1(), md, &len); len = String_to_Hex(md, len, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("sha1_hash", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); /* SHA256 Fingerprint of cert - DER representation */ X509_digest(cert, EVP_sha256(), md, &len); len = String_to_Hex(md, len, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("sha256_hash", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); /* Subject Public Key Info specifies the public key and identifies the algorithm with which the key is used. RFC 5280 section 4.1.2.7 */ if (X509_get_signature_info(cert, &mdnid, &pknid, &bits, &xflags) == 1) { ASN1_BIT_STRING *key; unsigned int n; Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signingDigest", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(mdnid),-1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKeyAlgorithm", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(pknid),-1)); /* Effective security bits */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("bits", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(bits)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("extension_flags", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(xflags)); key = X509_get0_pubkey_bitstr(cert); len = String_to_Hex(key->data, key->length, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKey", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); /* Check if cert was issued by CA cert issuer or self signed */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("self_signed", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(X509_check_issued(cert, cert) == X509_V_OK)); if (X509_digest(cert, EVP_get_digestbynid(mdnid), md, &n)) { len = String_to_Hex(md, (int)n, buffer, BUFSIZ); } else { len = 0; } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureHash", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); } /* Check if cert was issued by CA cert issuer or self signed */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("selfIssued", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(xflags & EXFLAG_SI)); /* Check if cert was issued by CA cert issuer or self signed */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("selfSigned", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(xflags & EXFLAG_SS)); /* Unique Ids - The unique identifiers are present in the certificate to handle the possibility of reuse of subject and/or issuer names over time. RFC 5280 section 4.1.2.8 */ { const ASN1_BIT_STRING *iuid, *suid; X509_get0_uids(cert, &iuid, &suid); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerUniqueId", -1)); if (iuid != NULL) { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char *)iuid->data, iuid->length)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectUniqueId", -1)); if (suid != NULL) { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char *)suid->data, suid->length)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } } /* X509 v3 Extensions - RFC 5280 section 4.1.2.9 */ num_of_exts = X509_get_ext_count(cert); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("num_extensions", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(num_of_exts)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("extensions", -1)); if (num_of_exts > 0) { Tcl_Obj *extsPtr = Tcl_NewListObj(0, NULL); const STACK_OF(X509_EXTENSION) *exts; exts = X509_get0_extensions(cert); for (int i=0; i < num_of_exts; i++) { X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i); ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex); unsigned nid2 = OBJ_obj2nid(obj); Tcl_ListObjAppendElement(interp, extsPtr, Tcl_NewStringObj(OBJ_nid2ln(nid2), -1)); } Tcl_ListObjAppendElement(interp, certPtr, extsPtr); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } /* Authority Key Identifier (AKI) of a certificate should be the Subject Key Identifier (SKI) of its signer (the CA). RFC 5280 section 4.2.1.1 */ { ASN1_OCTET_STRING *astring = X509_get0_authority_key_id(cert); if (astring != NULL) { len = String_to_Hex((char *)ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, BUFSIZ); } else { len = 0; } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("authorityKeyIdentifier", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); } /* Subject Key Identifier (SKI) provides a means of identifying certificates that contain a particular public key. RFC 5280 section 4.2.1.2 */ { ASN1_OCTET_STRING *astring = X509_get0_subject_key_id(cert); if (astring != NULL) { len = String_to_Hex((char *)ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, BUFSIZ); } else { len = 0; } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectKeyIdentifier", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); } /* Key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. RFC 5280 section 4.2.1.3 */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("keyUsage", -1)); usage = X509_get_key_usage(cert); if ((xflags & EXFLAG_KUSAGE) || usage < 0xffff) { Tcl_Obj *tmpPtr = Tcl_NewListObj(0, NULL); if (usage & KU_DIGITAL_SIGNATURE) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Digital Signature", -1)); } if (usage & KU_NON_REPUDIATION) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Non-Repudiation", -1)); } if (usage & KU_KEY_ENCIPHERMENT) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Key Encipherment", -1)); } if (usage & KU_DATA_ENCIPHERMENT) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Data Encipherment", -1)); } if (usage & KU_KEY_AGREEMENT) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Key Agreement", -1)); } if (usage & KU_KEY_CERT_SIGN) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Certificate Signing", -1)); } if (usage & KU_CRL_SIGN) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("CRL Signing", -1)); } if (usage & KU_ENCIPHER_ONLY) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Encipher Only", -1)); } if (usage & KU_DECIPHER_ONLY) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Decipher Only", -1)); } Tcl_ListObjAppendElement(interp, certPtr, tmpPtr); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } /* Purpose */ { char *purpose = NULL; Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("purpose", -1)); if (X509_check_purpose(cert, X509_PURPOSE_SSL_CLIENT, 0) > 0) { purpose = "SSL Client"; } else if (X509_check_purpose(cert, X509_PURPOSE_SSL_SERVER, 0) > 0) { purpose = "SSL Server"; } else if (X509_check_purpose(cert, X509_PURPOSE_NS_SSL_SERVER, 0) > 0) { purpose = "MSS SSL Server"; } else if (X509_check_purpose(cert, X509_PURPOSE_SMIME_SIGN, 0) > 0) { purpose = "SMIME Signing"; } else if (X509_check_purpose(cert, X509_PURPOSE_SMIME_ENCRYPT, 0) > 0) { purpose = "SMIME Encryption"; } else if (X509_check_purpose(cert, X509_PURPOSE_CRL_SIGN, 0) > 0) { purpose = "CRL Signing"; } else if (X509_check_purpose(cert, X509_PURPOSE_ANY, 0) > 0) { purpose = "Any"; } else if (X509_check_purpose(cert, X509_PURPOSE_OCSP_HELPER, 0) > 0) { purpose = "OCSP Helper"; } else if (X509_check_purpose(cert, X509_PURPOSE_TIMESTAMP_SIGN, 0) > 0) { purpose = "Timestamp Signing"; } else { purpose = ""; } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(purpose, -1)); } { Tcl_Obj *purpPtr = Tcl_NewListObj(0, NULL); for (int j = 0; j < X509_PURPOSE_get_count(); j++) { X509_PURPOSE *ptmp = X509_PURPOSE_get0(j); Tcl_Obj *tmpPtr = Tcl_NewListObj(0, NULL); for (int i = 0; i < 2; i++) { int idret = X509_check_purpose(cert, X509_PURPOSE_get_id(ptmp), i); Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj(i ? "CA" : "nonCA", -1)); Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj(idret == 1 ? "Yes" : "No", -1)); } Tcl_ListObjAppendElement(interp, purpPtr, Tcl_NewStringObj(X509_PURPOSE_get0_name(ptmp), -1)); Tcl_ListObjAppendElement(interp, purpPtr, tmpPtr); } Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("certificatePurpose", -1)); Tcl_ListObjAppendElement(interp, certPtr, purpPtr); } /* Certificate Policies - indicates the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. RFC 5280 section 4.2.1.4 */ if (xflags & EXFLAG_INVALID_POLICY) { /* Reject cert */ } /* Policy Mappings - RFC 5280 section 4.2.1.5 */ /* Subject Alternative Name (SAN) contains additional URLs, DNS name, or IP addresses bound to certificate. RFC 5280 section 4.2.1.6 */ san = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (san) { Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL); bio = BIO_new(BIO_s_mem()); for (int i=0; i < sk_GENERAL_NAME_num(san); i++) { const GENERAL_NAME *name = sk_GENERAL_NAME_value(san, i); if (name && bio) { if (GENERAL_NAME_print(bio, name)) { int n = BIO_read(bio, buffer, min(BIO_pending(bio), BUFSIZ)); buffer[max(n, 0)] = 0; (void)BIO_flush(bio); Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(buffer, n)); } } } BIO_free(bio); sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1)); Tcl_ListObjAppendElement(interp, certPtr, namesPtr); } /* Issuer Alternative Name (issuerAltName) is used to associate Internet style identities with the certificate issuer. RFC 5280 section 4.2.1.7 */ san = X509_get_ext_d2i(cert, NID_issuer_alt_name, NULL, NULL); if (san) { Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL); bio = BIO_new(BIO_s_mem()); for (int i=0; i < sk_GENERAL_NAME_num(san); i++) { const GENERAL_NAME *name = sk_GENERAL_NAME_value(san, i); if (name && bio) { if (GENERAL_NAME_print(bio, name)) { int n = BIO_read(bio, buffer, min(BIO_pending(bio), BUFSIZ)); buffer[max(n, 0)] = 0; (void)BIO_flush(bio); Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj(buffer, n)); } } } BIO_free(bio); sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("issuerAltName", -1)); Tcl_ListObjAppendElement(interp, certPtr, namesPtr); } /* Subject Directory Attributes provides identification attributes (e.g., nationality) of the subject. RFC 5280 section 4.2.1.8 (subjectDirectoryAttributes) */ /* Basic Constraints identifies whether the subject of the cert is a CA and the max depth of valid cert paths that include this cert. RFC 5280 section 4.2.1.9 (basicConstraints, NID_basic_constraints) */ if (xflags & EXFLAG_BCONS || xflags & EXFLAG_CA) { } /* Name Constraints is only used in CA certs to indicate a name space within which all subject names in subsequent certificates in a certification path MUST be located. RFC 5280 section 4.2.1.10 */ /* Policy Constraints is only used in CA certs to limit the length of a cert chain that may be issued from that CA. RFC 5280 section 4.2.1.11 */ /* Extended Key Usage indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes. RFC 5280 section 4.2.1.12 */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("extendedKeyUsage", -1)); usage = X509_get_extended_key_usage(cert); if ((xflags & EXFLAG_XKUSAGE) || usage < 0xffff) { Tcl_Obj *tmpPtr = Tcl_NewListObj(0, NULL); if (usage & XKU_SSL_SERVER) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("TLS Web Server Authentication", -1)); } if (usage & XKU_SSL_CLIENT) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("TLS Web Client Authentication", -1)); } if (usage & XKU_SMIME) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("E-mail Protection", -1)); } if (usage & XKU_CODE_SIGN) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Code Signing", -1)); } if (usage & XKU_SGC) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("SGC", -1)); } if (usage & XKU_OCSP_SIGN) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("OCSP Signing", -1)); } if (usage & XKU_TIMESTAMP) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Time Stamping", -1)); } if (usage & XKU_DVCS ) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("DVCS", -1)); } if (usage & XKU_ANYEKU) { Tcl_ListObjAppendElement(interp, tmpPtr, Tcl_NewStringObj("Any Extended Key Usage", -1)); } Tcl_ListObjAppendElement(interp, certPtr, tmpPtr); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj((int)X509_get_extended_key_usage(cert))); } /* CRL Distribution Points extension identifies how CRL information is obtained. RFC 5280 section 4.2.1.13*/ crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL); if (crl) { Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL); for (int i=0; i < sk_DIST_POINT_num(crl); i++) { DIST_POINT *dp = sk_DIST_POINT_value(crl, i); DIST_POINT_NAME *distpoint = dp->distpoint; if (distpoint->type == 0) { /* fullname GENERALIZEDNAME */ for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j); int type; ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type); if (type == GEN_URI) { Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri))); } } } else if (distpoint->type == 1) { /* relativename X509NAME */ STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename; for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) { X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j); ASN1_STRING *d = X509_NAME_ENTRY_get_data(e); Tcl_ListObjAppendElement(interp, namesPtr, Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d))); } } } CRL_DIST_POINTS_free(crl); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("crlDistributionPoints", -1)); Tcl_ListObjAppendElement(interp, certPtr, namesPtr); } /* Freshest CRL extension */ if (xflags & EXFLAG_FRESHEST) { } /* Get OSCP URL */ ocsp = X509_get1_ocsp(cert); if (ocsp) { Tcl_Obj *urlsPtr = Tcl_NewListObj(0, NULL); for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) { Tcl_ListObjAppendElement(interp, urlsPtr, Tcl_NewStringObj(sk_OPENSSL_STRING_value(ocsp, i), -1)); } X509_email_free(ocsp); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("ocsp", -1)); Tcl_ListObjAppendElement(interp, certPtr, urlsPtr); } /* Certificate Alias as UTF-8 string */ { unsigned char *bstring; len = 0; bstring = X509_alias_get0(cert, &len); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("alias", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj((char *)bstring, len)); } return certPtr; }