Overview
Comment: | Added X509 authorityKeyIdentifier and OCSP URL parameters Fixed subjectKeyIdentifier Moved extension parameters to end of Tls_NewX509Obj |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | status_x509 |
Files: | files | file ages | folders |
SHA3-256: |
a7be3ce74dd2e4ccd6346ab726374739 |
User & Date: | bohagan on 2023-07-16 00:24:15 |
Other Links: | branch diff | manifest | tags |
Context
2023-07-16
| ||
03:33 | X509 status optimizations to reduce number of buffers and reordered parameters to match certificate order. check-in: 335b04b2fe user: bohagan tags: status_x509 | |
00:24 | Added X509 authorityKeyIdentifier and OCSP URL parameters Fixed subjectKeyIdentifier Moved extension parameters to end of Tls_NewX509Obj check-in: a7be3ce74d user: bohagan tags: status_x509 | |
2023-07-15
| ||
23:00 | Added unique ids and signature value to status check-in: 8e446cb0bb user: bohagan tags: status_x509 | |
Changes
Modified doc/tls.html
from [4994e38911]
to [a1837c5221].
︙ | ︙ | |||
286 287 288 289 290 291 292 293 | <dt><strong>subjectUniqueID</strong> <em>string</em></dt> <dd>The subject unique id.</dd> <dt><strong>num_extensions</strong> <em>n</em></dt> <dd>Number of certificate extensions.</dd> <dt><strong>extensions</strong> <em>list</em></dt> <dd>List of certificate extension names.</dd> <dt><strong>subjectKeyIdentifier</strong> <em>string</em></dt> | > > > > | > > > | 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 | <dt><strong>subjectUniqueID</strong> <em>string</em></dt> <dd>The subject unique id.</dd> <dt><strong>num_extensions</strong> <em>n</em></dt> <dd>Number of certificate extensions.</dd> <dt><strong>extensions</strong> <em>list</em></dt> <dd>List of certificate extension names.</dd> <dt><strong>authorityKeyIdentifier</strong> <em>string</em></dt> <dd>(AKI) Key identifier of the Issuing CA certificate that signed the SSL certificate. This value matches the SKI value of the Intermediate CA certificate.</dd> <dt><strong>subjectKeyIdentifier</strong> <em>string</em></dt> <dd>(SKI) Hash of the public key inside the certificate. Used to identify certificates that contain a particular public key.</dd> <dt><strong>subjectAltName</strong> <em>list</em></dt> <dd>List of all of the alternative domain names, sub domains, and IP addresses that are secured by the certificate.</dd> <dt><strong>ocsp</strong> <em>list</em></dt> <dd>List of all OCSP URLs.</dd> <dt><strong>certificate</strong> <em>cert</em></dt> <dd>The PEM encoded certificate.</dd> <dt><strong>signatureAlgorithm</strong> <em>algorithm</em></dt> <dd>Cipher algorithm used for certificate signature.</dd> <dt><strong>signatureValue</strong> <em>string</em></dt> |
︙ | ︙ |
Modified generic/tlsX509.c
from [ea7d376422]
to [6244907670].
︙ | ︙ | |||
111 112 113 114 115 116 117 | int n; unsigned long flags; char subject[BUFSIZ]; char issuer[BUFSIZ]; char serial[BUFSIZ]; char notBefore[BUFSIZ]; char notAfter[BUFSIZ]; | | | 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 | int n; unsigned long flags; char subject[BUFSIZ]; char issuer[BUFSIZ]; char serial[BUFSIZ]; char notBefore[BUFSIZ]; char notAfter[BUFSIZ]; char buffer[BUFSIZ]; char certStr[CERT_STR_SIZE], *certStr_p; int certStr_len, toRead; char sha1_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1]; unsigned char sha1_hash_binary[SHA_DIGEST_LENGTH]; char sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2 + 1]; unsigned char sha256_hash_binary[SHA256_DIGEST_LENGTH]; int nid, pknid, bits, num_of_exts, len; |
︙ | ︙ | |||
215 216 217 218 219 220 221 | Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("bits", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(bits)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("extension_flags", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(xflags)); /* Public key - X509_get0_pubkey */ key = X509_get0_pubkey_bitstr(cert); | | | | 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 | Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("bits", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(bits)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("extension_flags", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewIntObj(xflags)); /* Public key - X509_get0_pubkey */ key = X509_get0_pubkey_bitstr(cert); len = String_to_Hex(key->data, key->length, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("publicKey", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); /* Check if cert was issued by CA cert issuer or self signed */ Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("self_signed", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewBooleanObj(X509_check_issued(cert, cert) == X509_V_OK)); } /* Unique Ids */ |
︙ | ︙ | |||
243 244 245 246 247 248 249 | if (suid != NULL) { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char *)suid->data, suid->length)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } } | < < < < < < < < < < < < < | 243 244 245 246 247 248 249 250 251 252 253 254 255 256 | if (suid != NULL) { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj((char *)suid->data, suid->length)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } } /* SHA1 Fingerprint of cert - DER representation */ X509_digest(cert, EVP_sha1(), sha1_hash_binary, &len); len = String_to_Hex(sha1_hash_binary, len, sha1_hash_ascii, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("sha1_hash", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(sha1_hash_ascii, len)); /* SHA256 Fingerprint of cert - DER representation */ |
︙ | ︙ | |||
332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 | } } sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1)); Tcl_ListObjAppendElement(interp, certPtr, namesPtr); } /* Signature algorithm and value */ { const X509_ALGOR *sig_alg; const ASN1_BIT_STRING *sig; int sig_nid; X509_get0_signature(&sig, &sig_alg, cert); /* sig_nid = X509_get_signature_nid(cert) */ sig_nid = OBJ_obj2nid(sig_alg->algorithm); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureAlgorithm", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(sig_nid),-1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureValue", -1)); if (sig_nid != NID_undef) { | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | | | 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 | } } sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectAltName", -1)); Tcl_ListObjAppendElement(interp, certPtr, namesPtr); } /* Certificate Alias */ len = 0; bstring = X509_alias_get0(cert, &len); len = String_to_Hex(bstring, len, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("alias", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); /* Get Subject Key id, Authority Key id */ { ASN1_OCTET_STRING *astring; /* X509_keyid_get0 */ astring = X509_get0_subject_key_id(cert); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("subjectKeyIdentifier", -1)); if (astring != NULL) { len = String_to_Hex((char *)ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(buffer, len)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } astring = X509_get0_authority_key_id(cert); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("authorityKeyIdentifier", -1)); if (astring != NULL) { len = String_to_Hex((char *)ASN1_STRING_get0_data(astring), ASN1_STRING_length(astring), buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewByteArrayObj(buffer, len)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } /* const GENERAL_NAMES *X509_get0_authority_issuer(cert); const ASN1_INTEGER *X509_get0_authority_serial(cert); */ } /* Get OSCP URL */ { STACK_OF(OPENSSL_STRING) *str_stack = X509_get1_ocsp(cert); Tcl_Obj *urlsPtr = Tcl_NewListObj(0, NULL); for (int i = 0; i < sk_OPENSSL_STRING_num(str_stack); i++) { Tcl_ListObjAppendElement(interp, urlsPtr, Tcl_NewStringObj(sk_OPENSSL_STRING_value(str_stack, i), -1)); } X509_email_free(str_stack); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("ocsp", -1)); Tcl_ListObjAppendElement(interp, certPtr, urlsPtr); } /* Signature algorithm and value */ { const X509_ALGOR *sig_alg; const ASN1_BIT_STRING *sig; int sig_nid; X509_get0_signature(&sig, &sig_alg, cert); /* sig_nid = X509_get_signature_nid(cert) */ sig_nid = OBJ_obj2nid(sig_alg->algorithm); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureAlgorithm", -1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(OBJ_nid2ln(sig_nid),-1)); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("signatureValue", -1)); if (sig_nid != NID_undef) { len = String_to_Hex(sig->data, sig->length, buffer, BUFSIZ); Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj(buffer, len)); } else { Tcl_ListObjAppendElement(interp, certPtr, Tcl_NewStringObj("", -1)); } } return certPtr; } |