FreeRDP
Loading...
Searching...
No Matches
x509_utils.c
1
22#include <openssl/objects.h>
23#include <openssl/x509v3.h>
24#include <openssl/pem.h>
25#include <openssl/rsa.h>
26#include <openssl/err.h>
27
28#include <freerdp/config.h>
29
30#include <winpr/crt.h>
31#include <winpr/string.h>
32#include <winpr/assert.h>
33
34#include <freerdp/log.h>
35
36#include "x509_utils.h"
37
38#define TAG FREERDP_TAG("crypto")
39
40BYTE* x509_utils_get_hash(const X509* xcert, const char* hash, size_t* length)
41{
42 UINT32 fp_len = EVP_MAX_MD_SIZE;
43 BYTE* fp = NULL;
44 const EVP_MD* md = EVP_get_digestbyname(hash);
45 if (!md)
46 {
47 WLog_ERR(TAG, "System does not support %s hash!", hash);
48 return NULL;
49 }
50 if (!xcert || !length)
51 {
52 WLog_ERR(TAG, "Invalid arguments: xcert=%p, length=%p",
53 WINPR_CXX_COMPAT_CAST(const void*, xcert),
54 WINPR_CXX_COMPAT_CAST(const void*, length));
55 return NULL;
56 }
57
58 fp = calloc(fp_len + 1, sizeof(BYTE));
59 if (!fp)
60 {
61 WLog_ERR(TAG, "could not allocate %" PRIu32 " bytes", fp_len);
62 return NULL;
63 }
64
65 if (X509_digest(xcert, md, fp, &fp_len) != 1)
66 {
67 free(fp);
68 WLog_ERR(TAG, "certificate does not have a %s hash!", hash);
69 return NULL;
70 }
71
72 *length = fp_len;
73 return fp;
74}
75
76static char* crypto_print_name(const X509_NAME* name)
77{
78 char* buffer = NULL;
79 BIO* outBIO = BIO_new(BIO_s_mem());
80
81 if (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)
82 {
83 UINT64 size = BIO_number_written(outBIO);
84 if (size > INT_MAX)
85 goto fail;
86 buffer = calloc(1, (size_t)size + 1);
87
88 if (!buffer)
89 goto fail;
90
91 ERR_clear_error();
92 const int rc = BIO_read(outBIO, buffer, (int)size);
93 if (rc <= 0)
94 {
95 free(buffer);
96 buffer = NULL;
97 goto fail;
98 }
99 }
100
101fail:
102 BIO_free_all(outBIO);
103 return buffer;
104}
105
106char* x509_utils_get_subject(const X509* xcert)
107{
108 char* subject = NULL;
109 if (!xcert)
110 {
111 WLog_ERR(TAG, "Invalid certificate NULL");
112 return NULL;
113 }
114 subject = crypto_print_name(X509_get_subject_name(xcert));
115 if (!subject)
116 WLog_WARN(TAG, "certificate does not have a subject!");
117 return subject;
118}
119
120/* GENERAL_NAME type labels */
121
122static const char* general_name_type_labels[] = { "OTHERNAME", "EMAIL ", "DNS ",
123 "X400 ", "DIRNAME ", "EDIPARTY ",
124 "URI ", "IPADD ", "RID " };
125
126static const char* general_name_type_label(int general_name_type)
127{
128 if ((0 <= general_name_type) &&
129 ((size_t)general_name_type < ARRAYSIZE(general_name_type_labels)))
130 {
131 return general_name_type_labels[general_name_type];
132 }
133 else
134 {
135 static char buffer[80] = { 0 };
136 (void)snprintf(buffer, sizeof(buffer), "Unknown general name type (%d)", general_name_type);
137 return buffer;
138 }
139}
140
141/*
142
143map_subject_alt_name(x509, general_name_type, mapper, data)
144
145Call the function mapper with subjectAltNames found in the x509
146certificate and data. if generate_name_type is GEN_ALL, the the
147mapper is called for all the names, else it's called only for names
148of the given type.
149
150
151We implement two extractors:
152
153 - a string extractor that can be used to get the subjectAltNames of
154 the following types: GEN_URI, GEN_DNS, GEN_EMAIL
155
156 - a ASN1_OBJECT filter/extractor that can be used to get the
157 subjectAltNames of OTHERNAME type.
158
159 Note: usually, it's a string, but some type of otherNames can be
160 associated with different classes of objects. eg. a KPN may be a
161 sequence of realm and principal name, instead of a single string
162 object.
163
164Not implemented yet: extractors for the types: GEN_X400, GEN_DIRNAME,
165GEN_EDIPARTY, GEN_RID, GEN_IPADD (the later can contain nul-bytes).
166
167
168mapper(name, data, index, count)
169
170The mapper is passed:
171 - the GENERAL_NAME selected,
172 - the data,
173 - the index of the general name in the subjectAltNames,
174 - the total number of names in the subjectAltNames.
175
176The last parameter let's the mapper allocate arrays to collect objects.
177Note: if names are filtered, not all the indices from 0 to count-1 are
178passed to mapper, only the indices selected.
179
180When the mapper returns 0, map_subject_alt_name stops the iteration immediately.
181
182*/
183
184#define GEN_ALL (-1)
185
186typedef int (*general_name_mapper_pr)(GENERAL_NAME* name, void* data, int index, int count);
187
188static void map_subject_alt_name(const X509* x509, int general_name_type,
189 general_name_mapper_pr mapper, void* data)
190{
191 int num = 0;
192 STACK_OF(GENERAL_NAME)* gens = NULL;
193 gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
194
195 if (!gens)
196 {
197 return;
198 }
199
200 num = sk_GENERAL_NAME_num(gens);
201
202 for (int i = 0; (i < num); i++)
203 {
204 GENERAL_NAME* name = sk_GENERAL_NAME_value(gens, i);
205
206 if (name)
207 {
208 if ((general_name_type == GEN_ALL) || (general_name_type == name->type))
209 {
210 if (!mapper(name, data, i, num))
211 {
212 break;
213 }
214 }
215 }
216 }
217
218 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
219}
220
221/*
222extract_string -- string extractor
223
224- the strings array is allocated lazily, when we first have to store a
225 string.
226
227- allocated contains the size of the strings array, or -1 if
228 allocation failed.
229
230- count contains the actual count of strings in the strings array.
231
232- maximum limits the number of strings we can store in the strings
233 array: beyond, the extractor returns 0 to short-cut the search.
234
235extract_string stores in the string list OPENSSL strings,
236that must be freed with OPENSSL_free.
237
238*/
239
240typedef struct string_list
241{
242 char** strings;
243 size_t allocated;
244 size_t count;
245 size_t maximum;
246} string_list;
247
248static void string_list_initialize(string_list* list)
249{
250 list->strings = 0;
251 list->allocated = 0;
252 list->count = 0;
253 list->maximum = INT_MAX;
254}
255
256static void string_list_allocate(string_list* list, size_t allocate_count)
257{
258 if (!list->strings && list->allocated == 0)
259 {
260 list->strings = (char**)calloc(allocate_count, sizeof(char*));
261 list->allocated = list->strings ? allocate_count : 0;
262 list->count = 0;
263 }
264}
265
266static void string_list_free(string_list* list)
267{
268 /* Note: we don't free the contents of the strings array: this */
269 /* is handled by the caller, either by returning this */
270 /* content, or freeing it itself. */
271 free((void*)list->strings);
272}
273
274static int extract_string(GENERAL_NAME* name, void* data, int index, int count)
275{
276 string_list* list = data;
277 unsigned char* cstring = 0;
278 ASN1_STRING* str = NULL;
279
280 WINPR_UNUSED(index);
281
282 switch (name->type)
283 {
284 case GEN_URI:
285 str = name->d.uniformResourceIdentifier;
286 break;
287
288 case GEN_DNS:
289 str = name->d.dNSName;
290 break;
291
292 case GEN_EMAIL:
293 str = name->d.rfc822Name;
294 break;
295
296 default:
297 return 1;
298 }
299
300 if ((ASN1_STRING_to_UTF8(&cstring, str)) < 0)
301 {
302 WLog_ERR(TAG, "ASN1_STRING_to_UTF8() failed for %s: %s",
303 general_name_type_label(name->type), ERR_error_string(ERR_get_error(), NULL));
304 return 1;
305 }
306
307 string_list_allocate(list, WINPR_ASSERTING_INT_CAST(WINPR_CIPHER_TYPE, count));
308
309 if (list->allocated <= 0)
310 {
311 OPENSSL_free(cstring);
312 return 0;
313 }
314
315 list->strings[list->count] = (char*)cstring;
316 list->count++;
317
318 if (list->count >= list->maximum)
319 {
320 return 0;
321 }
322
323 return 1;
324}
325
326/*
327extract_othername_object -- object extractor.
328
329- the objects array is allocated lazily, when we first have to store a
330 string.
331
332- allocated contains the size of the objects array, or -1 if
333 allocation failed.
334
335- count contains the actual count of objects in the objects array.
336
337- maximum limits the number of objects we can store in the objects
338 array: beyond, the extractor returns 0 to short-cut the search.
339
340extract_othername_objects stores in the objects array ASN1_TYPE *
341pointers directly obtained from the GENERAL_NAME.
342*/
343
344typedef struct object_list
345{
346 ASN1_OBJECT* type_id;
347 char** strings;
348 size_t allocated;
349 size_t count;
350 size_t maximum;
351} object_list;
352
353static void object_list_initialize(object_list* list)
354{
355 list->type_id = 0;
356 list->strings = 0;
357 list->allocated = 0;
358 list->count = 0;
359 list->maximum = INT_MAX;
360}
361
362static void object_list_allocate(object_list* list, size_t allocate_count)
363{
364 if (!list->strings && (list->allocated == 0) && (allocate_count > 0))
365 {
366 list->strings = (char**)calloc(allocate_count, sizeof(list->strings[0]));
367 list->allocated = list->strings ? allocate_count : 0;
368 list->count = 0;
369 }
370}
371
372static char* object_string(ASN1_TYPE* object)
373{
374 char* result = NULL;
375 unsigned char* utf8String = NULL;
376
377 /* TODO: check that object.type is a string type. */
378 const int length = ASN1_STRING_to_UTF8(&utf8String, object->value.asn1_string);
379
380 if (length < 0)
381 {
382 return 0;
383 }
384
385 result = strndup((char*)utf8String, WINPR_ASSERTING_INT_CAST(size_t, length));
386 OPENSSL_free(utf8String);
387 return result;
388}
389
390static void object_list_free(object_list* list)
391{
392 WINPR_ASSERT(list);
393 free((void*)list->strings);
394}
395
396static int extract_othername_object_as_string(GENERAL_NAME* name, void* data, int index, int count)
397{
398 object_list* list = data;
399 WINPR_UNUSED(index);
400
401 if (count < 0)
402 return -1;
403
404 if (name->type != GEN_OTHERNAME)
405 {
406 return 1;
407 }
408
409 if (0 != OBJ_cmp(name->d.otherName->type_id, list->type_id))
410 {
411 return 1;
412 }
413
414 object_list_allocate(list, WINPR_ASSERTING_INT_CAST(size_t, count));
415
416 if (list->allocated <= 0)
417 {
418 return 0;
419 }
420
421 list->strings[list->count] = object_string(name->d.otherName->value);
422
423 if (list->strings[list->count])
424 {
425 list->count++;
426 }
427
428 if (list->count >= list->maximum)
429 {
430 return 0;
431 }
432
433 return 1;
434}
435
436char* x509_utils_get_email(const X509* x509)
437{
438 char* result = 0;
439 string_list list;
440 string_list_initialize(&list);
441 list.maximum = 1;
442 map_subject_alt_name(x509, GEN_EMAIL, extract_string, &list);
443
444 if (list.count == 0)
445 {
446 string_list_free(&list);
447 return 0;
448 }
449
450 result = _strdup(list.strings[0]);
451 OPENSSL_free(list.strings[0]);
452 string_list_free(&list);
453 return result;
454}
455
456char* x509_utils_get_upn(const X509* x509)
457{
458 char* result = 0;
459 object_list list = { 0 };
460 object_list_initialize(&list);
461 list.type_id = OBJ_nid2obj(NID_ms_upn);
462 list.maximum = 1;
463 map_subject_alt_name(x509, GEN_OTHERNAME, extract_othername_object_as_string, &list);
464
465 if (list.count == 0)
466 {
467 object_list_free(&list);
468 return 0;
469 }
470
471 result = list.strings[0];
472 object_list_free(&list);
473 return result;
474}
475
476char* x509_utils_get_date(const X509* x509, BOOL startDate)
477{
478 WINPR_ASSERT(x509);
479
480 const ASN1_TIME* date = startDate ? X509_get0_notBefore(x509) : X509_get0_notAfter(x509);
481 if (!date)
482 return NULL;
483
484 BIO* bmem = BIO_new(BIO_s_mem());
485 if (!bmem)
486 return NULL;
487
488 char* str = NULL;
489 if (ASN1_TIME_print(bmem, date))
490 {
491 BUF_MEM* bptr = NULL;
492
493 BIO_get_mem_ptr(bmem, &bptr);
494 str = strndup(bptr->data, bptr->length);
495 }
496 else
497 { // Log error
498 }
499 BIO_free_all(bmem);
500 return str;
501}
502
503void x509_utils_dns_names_free(size_t count, size_t* lengths, char** dns_names)
504{
505 free(lengths);
506
507 if (dns_names)
508 {
509 for (size_t i = 0; i < count; i++)
510 {
511 if (dns_names[i])
512 {
513 OPENSSL_free(dns_names[i]);
514 }
515 }
516
517 free((void*)dns_names);
518 }
519}
520
521char** x509_utils_get_dns_names(const X509* x509, size_t* count, size_t** lengths)
522{
523 char** result = 0;
524 string_list list = { 0 };
525 string_list_initialize(&list);
526 map_subject_alt_name(x509, GEN_DNS, extract_string, &list);
527 (*count) = list.count;
528
529 if (list.count <= 0)
530 {
531 string_list_free(&list);
532 return NULL;
533 }
534
535 /* lengths are not useful, since we converted the
536 strings to utf-8, there cannot be nul-bytes in them. */
537 result = (char**)calloc(list.count, sizeof(*result));
538 (*lengths) = calloc(list.count, sizeof(**lengths));
539
540 if (!result || !(*lengths))
541 {
542 string_list_free(&list);
543 free((void*)result);
544 free(*lengths);
545 (*lengths) = 0;
546 (*count) = 0;
547 return NULL;
548 }
549
550 for (size_t i = 0; i < list.count; i++)
551 {
552 result[i] = list.strings[i];
553 (*lengths)[i] = strlen(result[i]);
554 }
555
556 string_list_free(&list);
557 return result;
558}
559
560char* x509_utils_get_issuer(const X509* xcert)
561{
562 char* issuer = NULL;
563 if (!xcert)
564 {
565 WLog_ERR(TAG, "Invalid certificate NULL");
566 return NULL;
567 }
568 issuer = crypto_print_name(X509_get_issuer_name(xcert));
569 if (!issuer)
570 WLog_WARN(TAG, "certificate does not have an issuer!");
571 return issuer;
572}
573
574static int asn1_object_cmp(const ASN1_OBJECT* const* a, const ASN1_OBJECT* const* b)
575{
576 if (!a || !b)
577 return (a == b) ? 0 : (a ? 1 : -1);
578
579 if (!*a || !*b)
580 return (*a == *b) ? 0 : (*a ? 1 : -1);
581
582 return OBJ_cmp(*a, *b);
583}
584
585BOOL x509_utils_check_eku(const X509* xcert, int nid)
586{
587 BOOL ret = FALSE;
588 STACK_OF(ASN1_OBJECT)* oid_stack = NULL;
589 ASN1_OBJECT* oid = NULL;
590
591 if (!xcert)
592 return FALSE;
593
594 oid = OBJ_nid2obj(nid);
595 if (!oid)
596 return FALSE;
597
598 oid_stack = X509_get_ext_d2i(xcert, NID_ext_key_usage, NULL, NULL);
599 if (!oid_stack)
600 return FALSE;
601
602 sk_ASN1_OBJECT_set_cmp_func(oid_stack, asn1_object_cmp);
603 if (sk_ASN1_OBJECT_find(oid_stack, oid) >= 0)
604 ret = TRUE;
605
606 sk_ASN1_OBJECT_pop_free(oid_stack, ASN1_OBJECT_free);
607 return ret;
608}
609
610void x509_utils_print_info(const X509* xcert)
611{
612 char* fp = NULL;
613 char* issuer = NULL;
614 char* subject = NULL;
615 subject = x509_utils_get_subject(xcert);
616 issuer = x509_utils_get_issuer(xcert);
617 fp = (char*)x509_utils_get_hash(xcert, "sha256", NULL);
618
619 if (!fp)
620 {
621 WLog_ERR(TAG, "error computing fingerprint");
622 goto out_free_issuer;
623 }
624
625 WLog_INFO(TAG, "Certificate details:");
626 WLog_INFO(TAG, "\tSubject: %s", subject);
627 WLog_INFO(TAG, "\tIssuer: %s", issuer);
628 WLog_INFO(TAG, "\tThumbprint: %s", fp);
629 WLog_INFO(TAG,
630 "The above X.509 certificate could not be verified, possibly because you do not have "
631 "the CA certificate in your certificate store, or the certificate has expired. "
632 "Please look at the OpenSSL documentation on how to add a private CA to the store.");
633 free(fp);
634out_free_issuer:
635 free(issuer);
636 free(subject);
637}
638
639X509* x509_utils_from_pem(const char* data, size_t len, BOOL fromFile)
640{
641 X509* x509 = NULL;
642 BIO* bio = NULL;
643 if (fromFile)
644 bio = BIO_new_file(data, "rb");
645 else
646 {
647 if (len > INT_MAX)
648 return NULL;
649
650 bio = BIO_new_mem_buf(data, (int)len);
651 }
652
653 if (!bio)
654 {
655 WLog_ERR(TAG, "BIO_new failed for certificate");
656 return NULL;
657 }
658
659 x509 = PEM_read_bio_X509(bio, NULL, NULL, 0);
660 BIO_free_all(bio);
661 if (!x509)
662 WLog_ERR(TAG, "PEM_read_bio_X509 returned NULL [input length %" PRIuz "]", len);
663
664 return x509;
665}
666
667static WINPR_MD_TYPE hash_nid_to_winpr(int hash_nid)
668{
669 switch (hash_nid)
670 {
671 case NID_md2:
672 return WINPR_MD_MD2;
673 case NID_md4:
674 return WINPR_MD_MD4;
675 case NID_md5:
676 return WINPR_MD_MD5;
677 case NID_sha1:
678 return WINPR_MD_SHA1;
679 case NID_sha224:
680 return WINPR_MD_SHA224;
681 case NID_sha256:
682 return WINPR_MD_SHA256;
683 case NID_sha384:
684 return WINPR_MD_SHA384;
685 case NID_sha512:
686 return WINPR_MD_SHA512;
687 case NID_ripemd160:
688 return WINPR_MD_RIPEMD160;
689#if (OPENSSL_VERSION_NUMBER >= 0x1010101fL) && !defined(LIBRESSL_VERSION_NUMBER)
690 case NID_sha3_224:
691 return WINPR_MD_SHA3_224;
692 case NID_sha3_256:
693 return WINPR_MD_SHA3_256;
694 case NID_sha3_384:
695 return WINPR_MD_SHA3_384;
696 case NID_sha3_512:
697 return WINPR_MD_SHA3_512;
698 case NID_shake128:
699 return WINPR_MD_SHAKE128;
700 case NID_shake256:
701 return WINPR_MD_SHAKE256;
702#endif
703 case NID_undef:
704 default:
705 return WINPR_MD_NONE;
706 }
707}
708
709static WINPR_MD_TYPE get_rsa_pss_digest(const X509_ALGOR* alg)
710{
711 WINPR_MD_TYPE ret = WINPR_MD_NONE;
712 WINPR_MD_TYPE message_digest = WINPR_MD_NONE;
713 WINPR_MD_TYPE mgf1_digest = WINPR_MD_NONE;
714 int param_type = 0;
715 const void* param_value = NULL;
716 const ASN1_STRING* sequence = NULL;
717 const unsigned char* inp = NULL;
718 RSA_PSS_PARAMS* params = NULL;
719 X509_ALGOR* mgf1_digest_alg = NULL;
720
721 /* The RSA-PSS digest is encoded in a complex structure, defined in
722 https://www.rfc-editor.org/rfc/rfc4055.html. */
723 X509_ALGOR_get0(NULL, &param_type, &param_value, alg);
724
725 /* param_type and param_value the parameter in ASN1_TYPE form, but split into two parameters. A
726 SEQUENCE is has type V_ASN1_SEQUENCE, and the value is an ASN1_STRING with the encoded
727 structure. */
728 if (param_type != V_ASN1_SEQUENCE)
729 goto end;
730 sequence = param_value;
731
732 /* Decode the structure. */
733 inp = ASN1_STRING_get0_data(sequence);
734 params = d2i_RSA_PSS_PARAMS(NULL, &inp, ASN1_STRING_length(sequence));
735 if (params == NULL)
736 goto end;
737
738 /* RSA-PSS uses two hash algorithms, a message digest and also an MGF function which is, itself,
739 parameterized by a hash function. Both fields default to SHA-1, so we must also check for the
740 value being NULL. */
741 message_digest = WINPR_MD_SHA1;
742 if (params->hashAlgorithm != NULL)
743 {
744 const ASN1_OBJECT* obj = NULL;
745 X509_ALGOR_get0(&obj, NULL, NULL, params->hashAlgorithm);
746 message_digest = hash_nid_to_winpr(OBJ_obj2nid(obj));
747 if (message_digest == WINPR_MD_NONE)
748 goto end;
749 }
750
751 mgf1_digest = WINPR_MD_SHA1;
752 if (params->maskGenAlgorithm != NULL)
753 {
754 const ASN1_OBJECT* obj = NULL;
755 int mgf_param_type = 0;
756 const void* mgf_param_value = NULL;
757 const ASN1_STRING* mgf_param_sequence = NULL;
758 /* First, check this is MGF-1, the only one ever defined. */
759 X509_ALGOR_get0(&obj, &mgf_param_type, &mgf_param_value, params->maskGenAlgorithm);
760 if (OBJ_obj2nid(obj) != NID_mgf1)
761 goto end;
762
763 /* MGF-1 is, itself, parameterized by a hash function, encoded as an AlgorithmIdentifier. */
764 if (mgf_param_type != V_ASN1_SEQUENCE)
765 goto end;
766 mgf_param_sequence = mgf_param_value;
767 inp = ASN1_STRING_get0_data(mgf_param_sequence);
768 mgf1_digest_alg = d2i_X509_ALGOR(NULL, &inp, ASN1_STRING_length(mgf_param_sequence));
769 if (mgf1_digest_alg == NULL)
770 goto end;
771
772 /* Finally, extract the digest. */
773 X509_ALGOR_get0(&obj, NULL, NULL, mgf1_digest_alg);
774 mgf1_digest = hash_nid_to_winpr(OBJ_obj2nid(obj));
775 if (mgf1_digest == WINPR_MD_NONE)
776 goto end;
777 }
778
779 /* If the two digests do not match, it is ambiguous which to return. tls-server-end-point leaves
780 it undefined, so return none.
781 https://www.rfc-editor.org/rfc/rfc5929.html#section-4.1 */
782 if (message_digest != mgf1_digest)
783 goto end;
784 ret = message_digest;
785
786end:
787 RSA_PSS_PARAMS_free(params);
788 X509_ALGOR_free(mgf1_digest_alg);
789 return ret;
790}
791
792WINPR_MD_TYPE x509_utils_get_signature_alg(const X509* xcert)
793{
794 WINPR_ASSERT(xcert);
795
796 const int nid = X509_get_signature_nid(xcert);
797
798 if (nid == NID_rsassaPss)
799 {
800 const X509_ALGOR* alg = NULL;
801 X509_get0_signature(NULL, &alg, xcert);
802 return get_rsa_pss_digest(alg);
803 }
804
805 int hash_nid = 0;
806 if (OBJ_find_sigid_algs(nid, &hash_nid, NULL) != 1)
807 return WINPR_MD_NONE;
808
809 return hash_nid_to_winpr(hash_nid);
810}
811
812char* x509_utils_get_common_name(const X509* xcert, size_t* plength)
813{
814 X509_NAME* subject_name = X509_get_subject_name(xcert);
815 if (subject_name == NULL)
816 return NULL;
817
818 const int index = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1);
819 if (index < 0)
820 return NULL;
821
822 const X509_NAME_ENTRY* entry = X509_NAME_get_entry(subject_name, index);
823 if (entry == NULL)
824 return NULL;
825
826 const ASN1_STRING* entry_data = X509_NAME_ENTRY_get_data(entry);
827 if (entry_data == NULL)
828 return NULL;
829
830 BYTE* common_name_raw = NULL;
831 const int length = ASN1_STRING_to_UTF8(&common_name_raw, entry_data);
832 if (length < 0)
833 return NULL;
834
835 if (plength)
836 *plength = (size_t)length;
837
838 char* common_name = _strdup((char*)common_name_raw);
839 OPENSSL_free(common_name_raw);
840 return common_name;
841}
842
843static int verify_cb(int ok, X509_STORE_CTX* csc)
844{
845 if (ok != 1)
846 {
847 WINPR_ASSERT(csc);
848 int err = X509_STORE_CTX_get_error(csc);
849 int derr = X509_STORE_CTX_get_error_depth(csc);
850 X509* where = X509_STORE_CTX_get_current_cert(csc);
851 const char* what = X509_verify_cert_error_string(err);
852 char* name = x509_utils_get_subject(where);
853
854 WLog_WARN(TAG, "Certificate verification failure '%s (%d)' at stack position %d", what, err,
855 derr);
856 WLog_WARN(TAG, "%s", name);
857
858 free(name);
859 }
860 return ok;
861}
862
863BOOL x509_utils_verify(X509* xcert, STACK_OF(X509) * chain, const char* certificate_store_path)
864{
865 const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
866 X509_STORE_CTX* csc = NULL;
867 BOOL status = FALSE;
868 X509_LOOKUP* lookup = NULL;
869
870 if (!xcert)
871 return FALSE;
872
873 X509_STORE* cert_ctx = X509_STORE_new();
874
875 if (cert_ctx == NULL)
876 goto end;
877
878#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
879 OpenSSL_add_all_algorithms();
880#else
881 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS |
882 OPENSSL_INIT_LOAD_CONFIG,
883 NULL);
884#endif
885
886 if (X509_STORE_set_default_paths(cert_ctx) != 1)
887 goto end;
888
889 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
890
891 if (lookup == NULL)
892 goto end;
893
894 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
895
896 if (certificate_store_path != NULL)
897 {
898 X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
899 }
900
901 X509_STORE_set_flags(cert_ctx, 0);
902
903 for (size_t i = 0; i < ARRAYSIZE(purposes); i++)
904 {
905 int err = -1;
906 int rc = -1;
907 int purpose = purposes[i];
908 csc = X509_STORE_CTX_new();
909
910 if (csc == NULL)
911 goto skip;
912 if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, chain))
913 goto skip;
914
915 X509_STORE_CTX_set_purpose(csc, purpose);
916 X509_STORE_CTX_set_verify_cb(csc, verify_cb);
917
918 rc = X509_verify_cert(csc);
919 err = X509_STORE_CTX_get_error(csc);
920 skip:
921 X509_STORE_CTX_free(csc);
922 if (rc == 1)
923 {
924 status = TRUE;
925 break;
926 }
927 else if (err != X509_V_ERR_INVALID_PURPOSE)
928 break;
929 }
930
931 X509_STORE_free(cert_ctx);
932end:
933 return status;
934}