FreeRDP
Loading...
Searching...
No Matches
x509_utils.c
1
22#include <openssl/objects.h>
23#include <openssl/x509v3.h>
24#include <openssl/pem.h>
25#include <openssl/rsa.h>
26#include <openssl/err.h>
27
28#include <freerdp/config.h>
29
30#include <winpr/crt.h>
31#include <winpr/string.h>
32#include <winpr/assert.h>
33
34#include <freerdp/log.h>
35
36#include "x509_utils.h"
37
38#define TAG FREERDP_TAG("crypto")
39
40BYTE* x509_utils_get_hash(const X509* xcert, const char* hash, size_t* length)
41{
42 UINT32 fp_len = EVP_MAX_MD_SIZE;
43 BYTE* fp = nullptr;
44 const EVP_MD* md = EVP_get_digestbyname(hash);
45 if (!md)
46 {
47 WLog_ERR(TAG, "System does not support %s hash!", hash);
48 return nullptr;
49 }
50 if (!xcert || !length)
51 {
52 WLog_ERR(TAG, "Invalid arguments: xcert=%p, length=%p",
53 WINPR_CXX_COMPAT_CAST(const void*, xcert),
54 WINPR_CXX_COMPAT_CAST(const void*, length));
55 return nullptr;
56 }
57
58 fp = calloc(fp_len + 1, sizeof(BYTE));
59 if (!fp)
60 {
61 WLog_ERR(TAG, "could not allocate %" PRIu32 " bytes", fp_len);
62 return nullptr;
63 }
64
65 if (X509_digest(xcert, md, fp, &fp_len) != 1)
66 {
67 free(fp);
68 WLog_ERR(TAG, "certificate does not have a %s hash!", hash);
69 return nullptr;
70 }
71
72 *length = fp_len;
73 return fp;
74}
75
76static char* crypto_print_name(const X509_NAME* name)
77{
78 char* buffer = nullptr;
79 BIO* outBIO = BIO_new(BIO_s_mem());
80 if (!outBIO)
81 return nullptr;
82
83 if (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)
84 buffer = x509_utils_bio_read(outBIO, nullptr);
85
86 BIO_free_all(outBIO);
87 return buffer;
88}
89
90char* x509_utils_get_subject(const X509* xcert)
91{
92 char* subject = nullptr;
93 if (!xcert)
94 {
95 WLog_ERR(TAG, "Invalid certificate nullptr");
96 return nullptr;
97 }
98 subject = crypto_print_name(X509_get_subject_name(xcert));
99 if (!subject)
100 WLog_WARN(TAG, "certificate does not have a subject!");
101 return subject;
102}
103
104/* GENERAL_NAME type labels */
105
106static const char* general_name_type_labels[] = { "OTHERNAME", "EMAIL ", "DNS ",
107 "X400 ", "DIRNAME ", "EDIPARTY ",
108 "URI ", "IPADD ", "RID " };
109
110static const char* general_name_type_label(int general_name_type)
111{
112 if ((0 <= general_name_type) &&
113 ((size_t)general_name_type < ARRAYSIZE(general_name_type_labels)))
114 {
115 return general_name_type_labels[general_name_type];
116 }
117 else
118 {
119 static char buffer[80] = WINPR_C_ARRAY_INIT;
120 (void)snprintf(buffer, sizeof(buffer), "Unknown general name type (%d)", general_name_type);
121 return buffer;
122 }
123}
124
125/*
126
127map_subject_alt_name(x509, general_name_type, mapper, data)
128
129Call the function mapper with subjectAltNames found in the x509
130certificate and data. if generate_name_type is GEN_ALL, the the
131mapper is called for all the names, else it's called only for names
132of the given type.
133
134
135We implement two extractors:
136
137 - a string extractor that can be used to get the subjectAltNames of
138 the following types: GEN_URI, GEN_DNS, GEN_EMAIL
139
140 - a ASN1_OBJECT filter/extractor that can be used to get the
141 subjectAltNames of OTHERNAME type.
142
143 Note: usually, it's a string, but some type of otherNames can be
144 associated with different classes of objects. eg. a KPN may be a
145 sequence of realm and principal name, instead of a single string
146 object.
147
148Not implemented yet: extractors for the types: GEN_X400, GEN_DIRNAME,
149GEN_EDIPARTY, GEN_RID, GEN_IPADD (the later can contain nul-bytes).
150
151
152mapper(name, data, index, count)
153
154The mapper is passed:
155 - the GENERAL_NAME selected,
156 - the data,
157 - the index of the general name in the subjectAltNames,
158 - the total number of names in the subjectAltNames.
159
160The last parameter let's the mapper allocate arrays to collect objects.
161Note: if names are filtered, not all the indices from 0 to count-1 are
162passed to mapper, only the indices selected.
163
164When the mapper returns 0, map_subject_alt_name stops the iteration immediately.
165
166*/
167
168#define GEN_ALL (-1)
169
170typedef int (*general_name_mapper_pr)(GENERAL_NAME* name, void* data, int index, int count);
171
172static void map_subject_alt_name(const X509* x509, int general_name_type,
173 general_name_mapper_pr mapper, void* data)
174{
175 int num = 0;
176 STACK_OF(GENERAL_NAME)* gens = nullptr;
177 gens = X509_get_ext_d2i(x509, NID_subject_alt_name, nullptr, nullptr);
178
179 if (!gens)
180 {
181 return;
182 }
183
184 num = sk_GENERAL_NAME_num(gens);
185
186 for (int i = 0; (i < num); i++)
187 {
188 GENERAL_NAME* name = sk_GENERAL_NAME_value(gens, i);
189
190 if (name)
191 {
192 if ((general_name_type == GEN_ALL) || (general_name_type == name->type))
193 {
194 if (!mapper(name, data, i, num))
195 {
196 break;
197 }
198 }
199 }
200 }
201
202 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
203}
204
205/*
206extract_string -- string extractor
207
208- the strings array is allocated lazily, when we first have to store a
209 string.
210
211- allocated contains the size of the strings array, or -1 if
212 allocation failed.
213
214- count contains the actual count of strings in the strings array.
215
216- maximum limits the number of strings we can store in the strings
217 array: beyond, the extractor returns 0 to short-cut the search.
218
219extract_string stores in the string list OPENSSL strings,
220that must be freed with OPENSSL_free.
221
222*/
223
224typedef struct string_list
225{
226 char** strings;
227 size_t allocated;
228 size_t count;
229 size_t maximum;
230} string_list;
231
232static void string_list_initialize(string_list* list)
233{
234 list->strings = nullptr;
235 list->allocated = 0;
236 list->count = 0;
237 list->maximum = INT_MAX;
238}
239
240static void string_list_allocate(string_list* list, size_t allocate_count)
241{
242 if (!list->strings && list->allocated == 0)
243 {
244 list->strings = (char**)calloc(allocate_count, sizeof(char*));
245 list->allocated = list->strings ? allocate_count : 0;
246 list->count = 0;
247 }
248}
249
250static void string_list_free(string_list* list)
251{
252 /* Note: we don't free the contents of the strings array: this */
253 /* is handled by the caller, either by returning this */
254 /* content, or freeing it itself. */
255 free((void*)list->strings);
256}
257
258static int extract_string(GENERAL_NAME* name, void* data, int index, int count)
259{
260 string_list* list = data;
261 unsigned char* cstring = nullptr;
262 ASN1_STRING* str = nullptr;
263
264 WINPR_UNUSED(index);
265
266 switch (name->type)
267 {
268 case GEN_URI:
269 str = name->d.uniformResourceIdentifier;
270 break;
271
272 case GEN_DNS:
273 str = name->d.dNSName;
274 break;
275
276 case GEN_EMAIL:
277 str = name->d.rfc822Name;
278 break;
279
280 default:
281 return 1;
282 }
283
284 if ((ASN1_STRING_to_UTF8(&cstring, str)) < 0)
285 {
286 WLog_ERR(TAG, "ASN1_STRING_to_UTF8() failed for %s: %s",
287 general_name_type_label(name->type), ERR_error_string(ERR_get_error(), nullptr));
288 return 1;
289 }
290
291 string_list_allocate(list, WINPR_ASSERTING_INT_CAST(WINPR_CIPHER_TYPE, count));
292
293 if (list->allocated <= 0)
294 {
295 OPENSSL_free(cstring);
296 return 0;
297 }
298
299 list->strings[list->count] = (char*)cstring;
300 list->count++;
301
302 if (list->count >= list->maximum)
303 {
304 return 0;
305 }
306
307 return 1;
308}
309
310/*
311extract_othername_object -- object extractor.
312
313- the objects array is allocated lazily, when we first have to store a
314 string.
315
316- allocated contains the size of the objects array, or -1 if
317 allocation failed.
318
319- count contains the actual count of objects in the objects array.
320
321- maximum limits the number of objects we can store in the objects
322 array: beyond, the extractor returns 0 to short-cut the search.
323
324extract_othername_objects stores in the objects array ASN1_TYPE *
325pointers directly obtained from the GENERAL_NAME.
326*/
327
328typedef struct object_list
329{
330 ASN1_OBJECT* type_id;
331 char** strings;
332 size_t allocated;
333 size_t count;
334 size_t maximum;
335} object_list;
336
337static void object_list_initialize(object_list* list)
338{
339 list->type_id = nullptr;
340 list->strings = nullptr;
341 list->allocated = 0;
342 list->count = 0;
343 list->maximum = INT_MAX;
344}
345
346static void object_list_allocate(object_list* list, size_t allocate_count)
347{
348 if (!list->strings && (list->allocated == 0) && (allocate_count > 0))
349 {
350 list->strings = (char**)calloc(allocate_count, sizeof(list->strings[0]));
351 list->allocated = list->strings ? allocate_count : 0;
352 list->count = 0;
353 }
354}
355
356static char* object_string(ASN1_TYPE* object)
357{
358 char* result = nullptr;
359 unsigned char* utf8String = nullptr;
360
361 /* TODO: check that object.type is a string type. */
362 const int length = ASN1_STRING_to_UTF8(&utf8String, object->value.asn1_string);
363
364 if (length < 0)
365 {
366 return nullptr;
367 }
368
369 result = strndup((char*)utf8String, WINPR_ASSERTING_INT_CAST(size_t, length));
370 OPENSSL_free(utf8String);
371 return result;
372}
373
374static void object_list_free(object_list* list)
375{
376 WINPR_ASSERT(list);
377 free((void*)list->strings);
378}
379
380static int extract_othername_object_as_string(GENERAL_NAME* name, void* data, int index, int count)
381{
382 object_list* list = data;
383 WINPR_UNUSED(index);
384
385 if (count < 0)
386 return -1;
387
388 if (name->type != GEN_OTHERNAME)
389 {
390 return 1;
391 }
392
393 if (0 != OBJ_cmp(name->d.otherName->type_id, list->type_id))
394 {
395 return 1;
396 }
397
398 object_list_allocate(list, WINPR_ASSERTING_INT_CAST(size_t, count));
399
400 if (list->allocated <= 0)
401 {
402 return 0;
403 }
404
405 list->strings[list->count] = object_string(name->d.otherName->value);
406
407 if (list->strings[list->count])
408 {
409 list->count++;
410 }
411
412 if (list->count >= list->maximum)
413 {
414 return 0;
415 }
416
417 return 1;
418}
419
420char* x509_utils_get_email(const X509* x509)
421{
422 char* result = nullptr;
423 string_list list;
424 string_list_initialize(&list);
425 list.maximum = 1;
426 map_subject_alt_name(x509, GEN_EMAIL, extract_string, &list);
427
428 if (list.count == 0)
429 {
430 string_list_free(&list);
431 return nullptr;
432 }
433
434 result = _strdup(list.strings[0]);
435 OPENSSL_free(list.strings[0]);
436 string_list_free(&list);
437 return result;
438}
439
440char* x509_utils_get_upn(const X509* x509)
441{
442 char* result = nullptr;
443 object_list list = WINPR_C_ARRAY_INIT;
444 object_list_initialize(&list);
445 list.type_id = OBJ_nid2obj(NID_ms_upn);
446 list.maximum = 1;
447 map_subject_alt_name(x509, GEN_OTHERNAME, extract_othername_object_as_string, &list);
448
449 if (list.count == 0)
450 {
451 object_list_free(&list);
452 return nullptr;
453 }
454
455 result = list.strings[0];
456 object_list_free(&list);
457 return result;
458}
459
460char* x509_utils_get_date(const X509* x509, BOOL startDate)
461{
462 WINPR_ASSERT(x509);
463
464 const ASN1_TIME* date = startDate ? X509_get0_notBefore(x509) : X509_get0_notAfter(x509);
465 if (!date)
466 return nullptr;
467
468 BIO* bmem = BIO_new(BIO_s_mem());
469 if (!bmem)
470 return nullptr;
471
472 char* str = nullptr;
473 if (ASN1_TIME_print(bmem, date))
474 {
475 BUF_MEM* bptr = nullptr;
476
477 BIO_get_mem_ptr(bmem, &bptr);
478 str = strndup(bptr->data, bptr->length);
479 }
480 else
481 { // Log error
482 }
483 BIO_free_all(bmem);
484 return str;
485}
486
487void x509_utils_dns_names_free(size_t count, size_t* lengths, char** dns_names)
488{
489 free(lengths);
490
491 if (dns_names)
492 {
493 for (size_t i = 0; i < count; i++)
494 {
495 if (dns_names[i])
496 {
497 OPENSSL_free(dns_names[i]);
498 }
499 }
500
501 free((void*)dns_names);
502 }
503}
504
505char** x509_utils_get_dns_names(const X509* xcert, size_t* count, size_t** lengths)
506{
507 char** result = nullptr;
508 string_list list = WINPR_C_ARRAY_INIT;
509 string_list_initialize(&list);
510 map_subject_alt_name(xcert, GEN_DNS, extract_string, &list);
511 (*count) = list.count;
512
513 if (list.count <= 0)
514 {
515 string_list_free(&list);
516 return nullptr;
517 }
518
519 /* lengths are not useful, since we converted the
520 strings to utf-8, there cannot be nul-bytes in them. */
521 result = (char**)calloc(list.count, sizeof(*result));
522 (*lengths) = calloc(list.count, sizeof(**lengths));
523
524 if (!result || !(*lengths))
525 {
526 string_list_free(&list);
527 free((void*)result);
528 free(*lengths);
529 (*lengths) = nullptr;
530 (*count) = 0;
531 return nullptr;
532 }
533
534 for (size_t i = 0; i < list.count; i++)
535 {
536 result[i] = list.strings[i];
537 (*lengths)[i] = strlen(result[i]);
538 }
539
540 string_list_free(&list);
541 return result;
542}
543
544char* x509_utils_get_issuer(const X509* xcert)
545{
546 char* issuer = nullptr;
547 if (!xcert)
548 {
549 WLog_ERR(TAG, "Invalid certificate nullptr");
550 return nullptr;
551 }
552 issuer = crypto_print_name(X509_get_issuer_name(xcert));
553 if (!issuer)
554 WLog_WARN(TAG, "certificate does not have an issuer!");
555 return issuer;
556}
557
558static int asn1_object_cmp(const ASN1_OBJECT* const* a, const ASN1_OBJECT* const* b)
559{
560 if (!a || !b)
561 return (a == b) ? 0 : (a ? 1 : -1);
562
563 if (!*a || !*b)
564 return (*a == *b) ? 0 : (*a ? 1 : -1);
565
566 return OBJ_cmp(*a, *b);
567}
568
569BOOL x509_utils_check_eku(const X509* xcert, int nid)
570{
571 BOOL ret = FALSE;
572 STACK_OF(ASN1_OBJECT)* oid_stack = nullptr;
573 ASN1_OBJECT* oid = nullptr;
574
575 if (!xcert)
576 return FALSE;
577
578 oid = OBJ_nid2obj(nid);
579 if (!oid)
580 return FALSE;
581
582 oid_stack = X509_get_ext_d2i(xcert, NID_ext_key_usage, nullptr, nullptr);
583 if (!oid_stack)
584 return FALSE;
585
586 sk_ASN1_OBJECT_set_cmp_func(oid_stack, asn1_object_cmp);
587 if (sk_ASN1_OBJECT_find(oid_stack, oid) >= 0)
588 ret = TRUE;
589
590 sk_ASN1_OBJECT_pop_free(oid_stack, ASN1_OBJECT_free);
591 return ret;
592}
593
594void x509_utils_print_info(const X509* xcert)
595{
596 char* fp = nullptr;
597 char* issuer = nullptr;
598 char* subject = nullptr;
599 subject = x509_utils_get_subject(xcert);
600 issuer = x509_utils_get_issuer(xcert);
601 fp = (char*)x509_utils_get_hash(xcert, "sha256", nullptr);
602
603 if (!fp)
604 {
605 WLog_ERR(TAG, "error computing fingerprint");
606 goto out_free_issuer;
607 }
608
609 WLog_INFO(TAG, "Certificate details:");
610 WLog_INFO(TAG, "\tSubject: %s", subject);
611 WLog_INFO(TAG, "\tIssuer: %s", issuer);
612 WLog_INFO(TAG, "\tThumbprint: %s", fp);
613 WLog_INFO(TAG,
614 "The above X.509 certificate could not be verified, possibly because you do not have "
615 "the CA certificate in your certificate store, or the certificate has expired. "
616 "Please look at the OpenSSL documentation on how to add a private CA to the store.");
617 free(fp);
618out_free_issuer:
619 free(issuer);
620 free(subject);
621}
622
623X509* x509_utils_from_pem(const char* data, size_t len, BOOL fromFile)
624{
625 X509* x509 = nullptr;
626 BIO* bio = nullptr;
627 if (fromFile)
628 bio = BIO_new_file(data, "rb");
629 else
630 {
631 if (len > INT_MAX)
632 return nullptr;
633
634 bio = BIO_new_mem_buf(data, (int)len);
635 }
636
637 if (!bio)
638 {
639 WLog_ERR(TAG, "BIO_new failed for certificate");
640 return nullptr;
641 }
642
643 x509 = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
644 BIO_free_all(bio);
645 if (!x509)
646 WLog_ERR(TAG, "PEM_read_bio_X509 returned nullptr [input length %" PRIuz "]", len);
647
648 return x509;
649}
650
651static WINPR_MD_TYPE hash_nid_to_winpr(int hash_nid)
652{
653 switch (hash_nid)
654 {
655 case NID_md2:
656 return WINPR_MD_MD2;
657 case NID_md4:
658 return WINPR_MD_MD4;
659 case NID_md5:
660 return WINPR_MD_MD5;
661 case NID_sha1:
662 return WINPR_MD_SHA1;
663 case NID_sha224:
664 return WINPR_MD_SHA224;
665 case NID_sha256:
666 return WINPR_MD_SHA256;
667 case NID_sha384:
668 return WINPR_MD_SHA384;
669 case NID_sha512:
670 return WINPR_MD_SHA512;
671 case NID_ripemd160:
672 return WINPR_MD_RIPEMD160;
673#if (OPENSSL_VERSION_NUMBER >= 0x1010101fL) && !defined(LIBRESSL_VERSION_NUMBER)
674 case NID_sha3_224:
675 return WINPR_MD_SHA3_224;
676 case NID_sha3_256:
677 return WINPR_MD_SHA3_256;
678 case NID_sha3_384:
679 return WINPR_MD_SHA3_384;
680 case NID_sha3_512:
681 return WINPR_MD_SHA3_512;
682 case NID_shake128:
683 return WINPR_MD_SHAKE128;
684 case NID_shake256:
685 return WINPR_MD_SHAKE256;
686#endif
687 case NID_undef:
688 default:
689 return WINPR_MD_NONE;
690 }
691}
692
693static WINPR_MD_TYPE get_rsa_pss_digest(const X509_ALGOR* alg)
694{
695 WINPR_MD_TYPE ret = WINPR_MD_NONE;
696 WINPR_MD_TYPE message_digest = WINPR_MD_NONE;
697 WINPR_MD_TYPE mgf1_digest = WINPR_MD_NONE;
698 int param_type = 0;
699 const void* param_value = nullptr;
700 const ASN1_STRING* sequence = nullptr;
701 const unsigned char* inp = nullptr;
702 RSA_PSS_PARAMS* params = nullptr;
703 X509_ALGOR* mgf1_digest_alg = nullptr;
704
705 /* The RSA-PSS digest is encoded in a complex structure, defined in
706 https://www.rfc-editor.org/rfc/rfc4055.html. */
707 X509_ALGOR_get0(nullptr, &param_type, &param_value, alg);
708
709 /* param_type and param_value the parameter in ASN1_TYPE form, but split into two parameters. A
710 SEQUENCE is has type V_ASN1_SEQUENCE, and the value is an ASN1_STRING with the encoded
711 structure. */
712 if (param_type != V_ASN1_SEQUENCE)
713 goto end;
714 sequence = param_value;
715
716 /* Decode the structure. */
717 inp = ASN1_STRING_get0_data(sequence);
718 params = d2i_RSA_PSS_PARAMS(nullptr, &inp, ASN1_STRING_length(sequence));
719 if (params == nullptr)
720 goto end;
721
722 /* RSA-PSS uses two hash algorithms, a message digest and also an MGF function which is, itself,
723 parameterized by a hash function. Both fields default to SHA-1, so we must also check for the
724 value being nullptr. */
725 message_digest = WINPR_MD_SHA1;
726 if (params->hashAlgorithm != nullptr)
727 {
728 const ASN1_OBJECT* obj = nullptr;
729 X509_ALGOR_get0(&obj, nullptr, nullptr, params->hashAlgorithm);
730 message_digest = hash_nid_to_winpr(OBJ_obj2nid(obj));
731 if (message_digest == WINPR_MD_NONE)
732 goto end;
733 }
734
735 mgf1_digest = WINPR_MD_SHA1;
736 if (params->maskGenAlgorithm != nullptr)
737 {
738 const ASN1_OBJECT* obj = nullptr;
739 int mgf_param_type = 0;
740 const void* mgf_param_value = nullptr;
741 const ASN1_STRING* mgf_param_sequence = nullptr;
742 /* First, check this is MGF-1, the only one ever defined. */
743 X509_ALGOR_get0(&obj, &mgf_param_type, &mgf_param_value, params->maskGenAlgorithm);
744 if (OBJ_obj2nid(obj) != NID_mgf1)
745 goto end;
746
747 /* MGF-1 is, itself, parameterized by a hash function, encoded as an AlgorithmIdentifier. */
748 if (mgf_param_type != V_ASN1_SEQUENCE)
749 goto end;
750 mgf_param_sequence = mgf_param_value;
751 inp = ASN1_STRING_get0_data(mgf_param_sequence);
752 mgf1_digest_alg = d2i_X509_ALGOR(nullptr, &inp, ASN1_STRING_length(mgf_param_sequence));
753 if (mgf1_digest_alg == nullptr)
754 goto end;
755
756 /* Finally, extract the digest. */
757 X509_ALGOR_get0(&obj, nullptr, nullptr, mgf1_digest_alg);
758 mgf1_digest = hash_nid_to_winpr(OBJ_obj2nid(obj));
759 if (mgf1_digest == WINPR_MD_NONE)
760 goto end;
761 }
762
763 /* If the two digests do not match, it is ambiguous which to return. tls-server-end-point leaves
764 it undefined, so return none.
765 https://www.rfc-editor.org/rfc/rfc5929.html#section-4.1 */
766 if (message_digest != mgf1_digest)
767 goto end;
768 ret = message_digest;
769
770end:
771 RSA_PSS_PARAMS_free(params);
772 X509_ALGOR_free(mgf1_digest_alg);
773 return ret;
774}
775
776WINPR_MD_TYPE x509_utils_get_signature_alg(const X509* xcert)
777{
778 WINPR_ASSERT(xcert);
779
780 const int nid = X509_get_signature_nid(xcert);
781
782 if (nid == NID_rsassaPss)
783 {
784 const X509_ALGOR* alg = nullptr;
785 X509_get0_signature(nullptr, &alg, xcert);
786 return get_rsa_pss_digest(alg);
787 }
788
789 int hash_nid = 0;
790 if (OBJ_find_sigid_algs(nid, &hash_nid, nullptr) != 1)
791 return WINPR_MD_NONE;
792
793 return hash_nid_to_winpr(hash_nid);
794}
795
796char* x509_utils_get_common_name(const X509* xcert, size_t* plength)
797{
798 X509_NAME* subject_name = X509_get_subject_name(xcert);
799 if (subject_name == nullptr)
800 return nullptr;
801
802 const int index = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1);
803 if (index < 0)
804 return nullptr;
805
806 const X509_NAME_ENTRY* entry = X509_NAME_get_entry(subject_name, index);
807 if (entry == nullptr)
808 return nullptr;
809
810 const ASN1_STRING* entry_data = X509_NAME_ENTRY_get_data(entry);
811 if (entry_data == nullptr)
812 return nullptr;
813
814 BYTE* common_name_raw = nullptr;
815 const int length = ASN1_STRING_to_UTF8(&common_name_raw, entry_data);
816 if (length < 0)
817 return nullptr;
818
819 if (plength)
820 *plength = (size_t)length;
821
822 char* common_name = _strdup((char*)common_name_raw);
823 OPENSSL_free(common_name_raw);
824 return common_name;
825}
826
827static int verify_cb(int ok, X509_STORE_CTX* csc)
828{
829 if (ok != 1)
830 {
831 WINPR_ASSERT(csc);
832 int err = X509_STORE_CTX_get_error(csc);
833 int derr = X509_STORE_CTX_get_error_depth(csc);
834 X509* where = X509_STORE_CTX_get_current_cert(csc);
835 const char* what = X509_verify_cert_error_string(err);
836 char* name = x509_utils_get_subject(where);
837
838 WLog_WARN(TAG, "Certificate verification failure '%s (%d)' at stack position %d", what, err,
839 derr);
840 WLog_WARN(TAG, "%s", name);
841
842 free(name);
843 }
844 return ok;
845}
846
847BOOL x509_utils_verify(X509* xcert, STACK_OF(X509) * chain, const char* certificate_store_path)
848{
849 const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
850 X509_STORE_CTX* csc = nullptr;
851 BOOL status = FALSE;
852 X509_LOOKUP* lookup = nullptr;
853
854 if (!xcert)
855 return FALSE;
856
857 X509_STORE* cert_ctx = X509_STORE_new();
858
859 if (cert_ctx == nullptr)
860 goto end;
861
862#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
863 OpenSSL_add_all_algorithms();
864#else
865 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS |
866 OPENSSL_INIT_LOAD_CONFIG,
867 nullptr);
868#endif
869
870 if (X509_STORE_set_default_paths(cert_ctx) != 1)
871 goto end;
872
873 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
874
875 if (lookup == nullptr)
876 goto end;
877
878 X509_LOOKUP_add_dir(lookup, nullptr, X509_FILETYPE_DEFAULT);
879
880 if (certificate_store_path != nullptr)
881 {
882 X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
883 }
884
885 X509_STORE_set_flags(cert_ctx, 0);
886
887 for (size_t i = 0; i < ARRAYSIZE(purposes); i++)
888 {
889 int err = -1;
890 int rc = -1;
891 int purpose = purposes[i];
892 csc = X509_STORE_CTX_new();
893
894 if (csc == nullptr)
895 goto skip;
896 if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, chain))
897 goto skip;
898
899 X509_STORE_CTX_set_purpose(csc, purpose);
900 X509_STORE_CTX_set_verify_cb(csc, verify_cb);
901
902 rc = X509_verify_cert(csc);
903 err = X509_STORE_CTX_get_error(csc);
904 skip:
905 X509_STORE_CTX_free(csc);
906 if (rc == 1)
907 {
908 status = TRUE;
909 break;
910 }
911 else if (err != X509_V_ERR_INVALID_PURPOSE)
912 break;
913 }
914
915 X509_STORE_free(cert_ctx);
916end:
917 return status;
918}
919
920char* x509_utils_bio_read(BIO* bio, size_t* plen)
921{
922 char* buffer = nullptr;
923 WINPR_ASSERT(bio);
924
925 if (plen)
926 *plen = 0;
927
928 BIO_flush(bio);
929
930 const UINT64 size = BIO_number_written(bio);
931 if (size > INT_MAX)
932 return nullptr;
933
934 buffer = calloc(1, (size_t)size + 1ull);
935
936 if (!buffer)
937 return nullptr;
938
939 ERR_clear_error();
940 const int rc = BIO_read(bio, buffer, (int)size);
941 if (rc <= 0)
942 goto fail;
943
944 if (plen)
945 *plen = size;
946 return buffer;
947
948fail:
949 free(buffer);
950 return nullptr;
951}