Check-in [3b068ff2f6]
Overview
Comment:Added CA Issuers URL to X509 status
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | status_x509
Files: files | file ages | folders
SHA3-256: 3b068ff2f6d394ebdbe628ad01d545b0cce1b43f36540c7c38860ad93062e6fb
User & Date: bohagan on 2023-08-19 22:14:31
Other Links: branch diff | manifest | tags
Context
2023-08-20
19:45
Moved X509 functions to separate procedures. check-in: 2186b86385 user: bohagan tags: status_x509
2023-08-19
22:14
Added CA Issuers URL to X509 status check-in: 3b068ff2f6 user: bohagan tags: status_x509
20:30
Updated ConnectionInfoObjCmd to localize variables check-in: 070af72ccb user: bohagan tags: status_x509
Changes
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
91
92
93
94
95
96
97

98
99
100
101
102
103
104







-







    Tcl_Obj *certPtr = Tcl_NewListObj(0, NULL), *listPtr;
    BIO *bio = BIO_new(BIO_s_mem());
    int mdnid, pknid, bits, len;
    uint32_t xflags, usage;
    char buffer[BUFSIZ];
    unsigned char md[EVP_MAX_MD_SIZE];
    STACK_OF(GENERAL_NAME) *names;
    STACK_OF(DIST_POINT) *crl;
    STACK_OF(OPENSSL_STRING) *ocsp;
    unsigned long flags = XN_FLAG_RFC2253 | ASN1_STRFLGS_UTF8_CONVERT;
    flags &= ~ASN1_STRFLGS_ESC_MSB;

    if (bio == NULL || certPtr == NULL) {
	return NULL;
    }
425
426
427
428
429
430
431


432
433
434




435
436
437
438



439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464


























465
466
467
468
469
470
471
472


473
474
475
476
477
478
479
480
481
482
483





































484
485
486
487
488
489
490
424
425
426
427
428
429
430
431
432



433
434
435
436
437



438
439
440
441

























442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477











478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521







+
+
-
-
-
+
+
+
+

-
-
-
+
+
+

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+








+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+







	    Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj("Any Extended Key Usage", -1));
	}
    }
    LAPPEND_LIST(interp, certPtr, "extendedKeyUsage", listPtr);

    /* CRL Distribution Points identifies where CRL information can be obtained.
	RFC 5280 section 4.2.1.13*/
    {
	STACK_OF(DIST_POINT) *crl;
    listPtr = Tcl_NewListObj(0, NULL);
    if (crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL)) {
	Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);
	listPtr = Tcl_NewListObj(0, NULL);

	if (crl = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL)) {
	    Tcl_Obj *namesPtr = Tcl_NewListObj(0, NULL);

	for (int i=0; i < sk_DIST_POINT_num(crl); i++) {
	    DIST_POINT *dp = sk_DIST_POINT_value(crl, i);
	    DIST_POINT_NAME *distpoint = dp->distpoint;
	    for (int i=0; i < sk_DIST_POINT_num(crl); i++) {
		DIST_POINT *dp = sk_DIST_POINT_value(crl, i);
		DIST_POINT_NAME *distpoint = dp->distpoint;

	    if (distpoint->type == 0) {
		/* fullname GENERALIZEDNAME */
		for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
		    GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
		    int type;
		    ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type);
		    if (type == GEN_URI) {
			Tcl_ListObjAppendElement(interp, listPtr,
			    Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)));
		    }
		}
	    } else if (distpoint->type == 1) {
		/* relativename X509NAME */
		STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename;
		for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) {
		    X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j);
		    ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
		    Tcl_ListObjAppendElement(interp, listPtr,
			Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d)));
		}
	    }
	}
	CRL_DIST_POINTS_free(crl);
    }
    LAPPEND_LIST(interp, certPtr, "crlDistributionPoints", listPtr);
		if (distpoint->type == 0) {
		    /* fullname GENERALIZEDNAME */
		    for (int j = 0; j < sk_GENERAL_NAME_num(distpoint->name.fullname); j++) {
			GENERAL_NAME *gen = sk_GENERAL_NAME_value(distpoint->name.fullname, j);
			int type;
			ASN1_STRING *uri = GENERAL_NAME_get0_value(gen, &type);
			if (type == GEN_URI) {
			    Tcl_ListObjAppendElement(interp, listPtr,
				Tcl_NewStringObj((char*)ASN1_STRING_get0_data(uri), ASN1_STRING_length(uri)));
			}
		    }
		} else if (distpoint->type == 1) {
		    /* relativename X509NAME */
		    STACK_OF(X509_NAME_ENTRY) *sk_relname = distpoint->name.relativename;
		    for (int j = 0; j < sk_X509_NAME_ENTRY_num(sk_relname); j++) {
			X509_NAME_ENTRY *e = sk_X509_NAME_ENTRY_value(sk_relname, j);
			ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
			Tcl_ListObjAppendElement(interp, listPtr,
			    Tcl_NewStringObj((char*)ASN1_STRING_data(d), ASN1_STRING_length(d)));
		    }
		}
	    }
	    CRL_DIST_POINTS_free(crl);
	}
	LAPPEND_LIST(interp, certPtr, "crlDistributionPoints", listPtr);
    }

    /* Freshest CRL extension */
    if (xflags & EXFLAG_FRESHEST) {
    }

    /* Authority Information Access indicates how to access info and services
	for the certificate issuer. RFC 5280 section 4.2.2.1, NID_info_access */
    /* Get On-line Certificate Status Protocol (OSCP) URL */
    {
	STACK_OF(OPENSSL_STRING) *ocsp;
    listPtr = Tcl_NewListObj(0, NULL);
    if (ocsp = X509_get1_ocsp(cert)) {
	for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) {
	    Tcl_ListObjAppendElement(interp, listPtr,
		Tcl_NewStringObj(sk_OPENSSL_STRING_value(ocsp, i), -1));
	}
	X509_email_free(ocsp);
    }
    LAPPEND_LIST(interp, certPtr, "ocsp", listPtr);

    /* CA Issuers URL caIssuers */
	listPtr = Tcl_NewListObj(0, NULL);

	if (ocsp = X509_get1_ocsp(cert)) {
	    for (int i = 0; i < sk_OPENSSL_STRING_num(ocsp); i++) {
		Tcl_ListObjAppendElement(interp, listPtr,
		    Tcl_NewStringObj(sk_OPENSSL_STRING_value(ocsp, i), -1));
	    }
	    X509_email_free(ocsp);
	    /* sk_OPENSSL_STRING_free(ocsp); */
	}
	LAPPEND_LIST(interp, certPtr, "ocsp", listPtr);
    }

    /* CA Issuers URL, caIssuers */
    {
	STACK_OF(ACCESS_DESCRIPTION) *ads;
	listPtr = Tcl_NewListObj(0, NULL);

	if (ads = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL)) {
	    for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(ads); i++) {
		ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(ads, i);
		if (OBJ_obj2nid(ad->method) == NID_ad_ca_issuers && ad->location) {
		    if (ad->location->type == GEN_URI) {
			unsigned char *buf;

			len = ASN1_STRING_to_UTF8(&buf, ad->location->d.uniformResourceIdentifier);
			Tcl_ListObjAppendElement(interp, listPtr, Tcl_NewStringObj(buf, len));
			OPENSSL_free(buf);
			break;
		    }
		}
	    }
	    /* sk_ACCESS_DESCRIPTION_pop_free(ads, ACCESS_DESCRIPTION_free); */
	    AUTHORITY_INFO_ACCESS_free(ads);
	}
	LAPPEND_LIST(interp, certPtr, "caIssuers", listPtr);
    }

    /* Subject Information Access - RFC 5280 section 4.2.2.2, NID_sinfo_access */

    /* Certificate Alias. If uses a PKCS#12 structure, alias will reflect the
	friendlyName attribute (RFC 2985). */
    len = 0;
    LAPPEND_STR(interp, certPtr, "alias", X509_alias_get0(cert, &len), len);