22#include <openssl/objects.h>
23#include <openssl/x509v3.h>
24#include <openssl/pem.h>
25#include <openssl/rsa.h>
26#include <openssl/err.h>
28#include <freerdp/config.h>
31#include <winpr/string.h>
32#include <winpr/assert.h>
34#include <freerdp/log.h>
36#include "x509_utils.h"
38#define TAG FREERDP_TAG("crypto")
40BYTE* x509_utils_get_hash(
const X509* xcert,
const char* hash,
size_t* length)
42 UINT32 fp_len = EVP_MAX_MD_SIZE;
44 const EVP_MD* md = EVP_get_digestbyname(hash);
47 WLog_ERR(TAG,
"System does not support %s hash!", hash);
50 if (!xcert || !length)
52 WLog_ERR(TAG,
"Invalid arguments: xcert=%p, length=%p",
53 WINPR_CXX_COMPAT_CAST(
const void*, xcert),
54 WINPR_CXX_COMPAT_CAST(
const void*, length));
58 fp = calloc(fp_len + 1,
sizeof(BYTE));
61 WLog_ERR(TAG,
"could not allocate %" PRIu32
" bytes", fp_len);
65 if (X509_digest(xcert, md, fp, &fp_len) != 1)
68 WLog_ERR(TAG,
"certificate does not have a %s hash!", hash);
76static char* crypto_print_name(
const X509_NAME* name)
78 char* buffer =
nullptr;
79 BIO* outBIO = BIO_new(BIO_s_mem());
83 if (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)
84 buffer = x509_utils_bio_read(outBIO,
nullptr);
90char* x509_utils_get_subject(
const X509* xcert)
92 char* subject =
nullptr;
95 WLog_ERR(TAG,
"Invalid certificate nullptr");
98 subject = crypto_print_name(X509_get_subject_name(xcert));
100 WLog_WARN(TAG,
"certificate does not have a subject!");
106static const char* general_name_type_labels[] = {
"OTHERNAME",
"EMAIL ",
"DNS ",
107 "X400 ",
"DIRNAME ",
"EDIPARTY ",
108 "URI ",
"IPADD ",
"RID " };
110static const char* general_name_type_label(
int general_name_type)
112 if ((0 <= general_name_type) &&
113 ((
size_t)general_name_type < ARRAYSIZE(general_name_type_labels)))
115 return general_name_type_labels[general_name_type];
119 static char buffer[80] = WINPR_C_ARRAY_INIT;
120 (void)snprintf(buffer,
sizeof(buffer),
"Unknown general name type (%d)", general_name_type);
170typedef int (*general_name_mapper_pr)(
const X509* x509, GENERAL_NAME* name,
void* data,
int index,
173static void map_subject_alt_name(
const X509* x509,
int general_name_type,
174 general_name_mapper_pr mapper,
void* data)
176 STACK_OF(GENERAL_NAME)* gens = X509_get_ext_d2i(x509, NID_subject_alt_name,
nullptr,
nullptr);
181 const int num = sk_GENERAL_NAME_num(gens);
183 for (
int i = 0; (i < num); i++)
185 GENERAL_NAME* name = sk_GENERAL_NAME_value(gens, i);
189 if ((general_name_type == GEN_ALL) || (general_name_type == name->type))
191 if (!mapper(x509, name, data, i, num))
199 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
221typedef struct string_list
230static string_list string_list_initialize(
void)
232 const string_list empty = {
233 .strings =
nullptr, .lengths =
nullptr, .allocated = 0, .count = 0, .maximum = INT_MAX
238static BOOL string_list_allocate(string_list* list,
size_t allocate_count)
241 if (!list->strings && (list->allocated == 0) && (allocate_count > 0))
243 list->strings = (
char**)calloc(allocate_count,
sizeof(
char*));
244 list->lengths = calloc(allocate_count,
sizeof(
size_t));
246 if (!list->strings || !list->lengths)
248 free((
void*)list->strings);
250 list->strings =
nullptr;
251 list->lengths =
nullptr;
254 list->allocated = allocate_count;
259static void string_list_free(string_list* list)
264 free((
void*)list->strings);
268static BOOL check_string_is_host_or_ip(WINPR_ATTR_UNUSED
const X509* x509,
269 const unsigned char* ustr,
size_t length)
271 const char* str = (
const char*)ustr;
272 if (strnlen(str, length) != length)
274 return winpr_str_is_valid_urlN(str, length);
278extract_string_generic(
const X509* x509, GENERAL_NAME* name,
void* data,
int index,
int count,
279 BOOL (*fkt)(
const X509* x509,
const unsigned char* str,
size_t length))
281 string_list* list = data;
288 const ASN1_STRING* str =
nullptr;
292 str = name->d.uniformResourceIdentifier;
296 str = name->d.dNSName;
300 str = name->d.rfc822Name;
307 unsigned char* cstring =
nullptr;
308 const int rc = ASN1_STRING_to_UTF8(&cstring, str);
311 WLog_ERR(TAG,
"ASN1_STRING_to_UTF8() failed for %s: %s",
312 general_name_type_label(name->type), ERR_error_string(ERR_get_error(),
nullptr));
316 if (!fkt(x509, cstring, WINPR_ASSERTING_INT_CAST(
size_t, rc)))
318 OPENSSL_free(cstring);
322 if (!string_list_allocate(list, WINPR_ASSERTING_INT_CAST(WINPR_CIPHER_TYPE, count)) ||
323 (list->allocated <= 0))
325 OPENSSL_free(cstring);
329 list->strings[list->count] = (
char*)cstring;
330 list->lengths[list->count] = WINPR_ASSERTING_INT_CAST(
size_t, rc);
333 if (list->count >= list->maximum)
341static int extract_string(
const X509* x509, GENERAL_NAME* name,
void* data,
int index,
int count)
343 return extract_string_generic(x509, name, data, index, count, check_string_is_host_or_ip);
346static BOOL check_string_is_email(WINPR_ATTR_UNUSED
const X509* x509,
const unsigned char* ustr,
349 const char* str = (
const char*)ustr;
350 return (strnlen(str, length) == length);
353static int extract_email(
const X509* x509, GENERAL_NAME* name,
void* data,
int index,
int count)
355 return extract_string_generic(x509, name, data, index, count, check_string_is_email);
376typedef struct object_list
378 ASN1_OBJECT* type_id;
387static object_list object_list_initialize(
void)
389 const object_list empty = { .type_id =
nullptr,
394 .maximum = INT_MAX };
398static BOOL object_list_allocate(object_list* list,
size_t allocate_count)
400 if (!list->strings && (list->allocated == 0) && (allocate_count > 0))
402 list->strings = (
char**)calloc(allocate_count,
sizeof(list->strings[0]));
403 list->lengths = calloc(allocate_count,
sizeof(
size_t));
405 if (!list->strings || !list->lengths)
407 free((
void*)list->strings);
409 list->strings =
nullptr;
410 list->lengths =
nullptr;
413 list->allocated = allocate_count;
418static char* object_string(
const X509* x509, ASN1_TYPE*
object,
size_t* pLength)
420 unsigned char* utf8String =
nullptr;
422 WINPR_ASSERT(
object);
423 WINPR_ASSERT(pLength);
428 const int length = ASN1_STRING_to_UTF8(&utf8String, object->value.asn1_string);
433 char* result =
nullptr;
434 if (check_string_is_host_or_ip(x509, utf8String, WINPR_ASSERTING_INT_CAST(
size_t, length)))
436 result = strndup((
char*)utf8String, WINPR_ASSERTING_INT_CAST(
size_t, length));
438 *pLength = WINPR_ASSERTING_INT_CAST(
size_t, length);
440 OPENSSL_free(utf8String);
444static void object_list_free(object_list* list)
447 free((
void*)list->strings);
451static int extract_othername_object_as_string(
const X509* x509, GENERAL_NAME* name,
void* data,
452 int index,
int count)
454 object_list* list = data;
461 if (name->type != GEN_OTHERNAME)
466 if (0 != OBJ_cmp(name->d.otherName->type_id, list->type_id))
471 if (!object_list_allocate(list, WINPR_ASSERTING_INT_CAST(
size_t, count)) ||
472 (list->allocated <= 0))
477 list->strings[list->count] =
478 object_string(x509, name->d.otherName->value, &list->lengths[list->count]);
479 if (list->strings[list->count])
484 if (list->count >= list->maximum)
492char* x509_utils_get_email(
const X509* x509)
494 string_list list = string_list_initialize();
496 map_subject_alt_name(x509, GEN_EMAIL, extract_email, &list);
500 string_list_free(&list);
504 char* result = strndup(list.strings[0], list.lengths[0]);
505 OPENSSL_free(list.strings[0]);
506 string_list_free(&list);
510char* x509_utils_get_upn(
const X509* x509)
512 object_list list = object_list_initialize();
514 list.type_id = OBJ_nid2obj(NID_ms_upn);
516 map_subject_alt_name(x509, GEN_OTHERNAME, extract_othername_object_as_string, &list);
520 object_list_free(&list);
524 char* result = list.strings[0];
525 object_list_free(&list);
529char* x509_utils_get_date(
const X509* x509, BOOL startDate)
533 const ASN1_TIME* date = startDate ? X509_get0_notBefore(x509) : X509_get0_notAfter(x509);
537 BIO* bmem = BIO_new(BIO_s_mem());
542 if (ASN1_TIME_print(bmem, date))
544 BUF_MEM* bptr =
nullptr;
546 BIO_get_mem_ptr(bmem, &bptr);
547 str = strndup(bptr->data, bptr->length);
556void x509_utils_dns_names_free(
size_t count,
size_t* lengths,
char** dns_names)
562 for (
size_t i = 0; i < count; i++)
566 OPENSSL_free(dns_names[i]);
570 free((
void*)dns_names);
574char** x509_utils_get_dns_names(
const X509* xcert,
size_t* count,
size_t** lengths)
576 string_list list = string_list_initialize();
577 map_subject_alt_name(xcert, GEN_DNS, extract_string, &list);
578 (*count) = list.count;
582 string_list_free(&list);
588 char** result = (
char**)calloc(list.count,
sizeof(*result));
589 (*lengths) = calloc(list.count,
sizeof(**lengths));
591 if (!result || !(*lengths))
593 string_list_free(&list);
596 (*lengths) =
nullptr;
601 for (
size_t i = 0; i < list.count; i++)
603 result[i] = list.strings[i];
604 (*lengths)[i] = list.lengths[i];
607 string_list_free(&list);
611char* x509_utils_get_issuer(
const X509* xcert)
613 char* issuer =
nullptr;
616 WLog_ERR(TAG,
"Invalid certificate nullptr");
619 issuer = crypto_print_name(X509_get_issuer_name(xcert));
621 WLog_WARN(TAG,
"certificate does not have an issuer!");
625static int asn1_object_cmp(
const ASN1_OBJECT*
const* a,
const ASN1_OBJECT*
const* b)
628 return (a == b) ? 0 : (a ? 1 : -1);
631 return (*a == *b) ? 0 : (*a ? 1 : -1);
633 return OBJ_cmp(*a, *b);
636BOOL x509_utils_check_eku(
const X509* xcert,
int nid)
639 STACK_OF(ASN1_OBJECT)* oid_stack =
nullptr;
640 ASN1_OBJECT* oid =
nullptr;
645 oid = OBJ_nid2obj(nid);
649 oid_stack = X509_get_ext_d2i(xcert, NID_ext_key_usage,
nullptr,
nullptr);
653 sk_ASN1_OBJECT_set_cmp_func(oid_stack, asn1_object_cmp);
654 if (sk_ASN1_OBJECT_find(oid_stack, oid) >= 0)
657 sk_ASN1_OBJECT_pop_free(oid_stack, ASN1_OBJECT_free);
661void x509_utils_print_info(
const X509* xcert)
663 char* subject = x509_utils_get_subject(xcert);
664 char* issuer = x509_utils_get_issuer(xcert);
665 char* fp = (
char*)x509_utils_get_hash(xcert,
"sha256",
nullptr);
669 WLog_ERR(TAG,
"error computing fingerprint");
670 goto out_free_issuer;
673 WLog_INFO(TAG,
"Certificate details:");
674 WLog_INFO(TAG,
"\tSubject: %s", subject);
675 WLog_INFO(TAG,
"\tIssuer: %s", issuer);
676 WLog_INFO(TAG,
"\tThumbprint: %s", fp);
678 "The above X.509 certificate could not be verified, possibly because you do not have "
679 "the CA certificate in your certificate store, or the certificate has expired. "
680 "Please look at the OpenSSL documentation on how to add a private CA to the store.");
687X509* x509_utils_from_pem(
const char* data,
size_t len, BOOL fromFile)
691 bio = BIO_new_file(data,
"rb");
697 bio = BIO_new_mem_buf(data, (
int)len);
702 WLog_ERR(TAG,
"BIO_new failed for certificate");
706 X509* x509 = PEM_read_bio_X509(bio,
nullptr,
nullptr,
nullptr);
709 WLog_ERR(TAG,
"PEM_read_bio_X509 returned nullptr [input length %" PRIuz
"]", len);
714static WINPR_MD_TYPE hash_nid_to_winpr(
int hash_nid)
725 return WINPR_MD_SHA1;
727 return WINPR_MD_SHA224;
729 return WINPR_MD_SHA256;
731 return WINPR_MD_SHA384;
733 return WINPR_MD_SHA512;
735 return WINPR_MD_RIPEMD160;
736#if (OPENSSL_VERSION_NUMBER >= 0x1010101fL) && !defined(LIBRESSL_VERSION_NUMBER)
738 return WINPR_MD_SHA3_224;
740 return WINPR_MD_SHA3_256;
742 return WINPR_MD_SHA3_384;
744 return WINPR_MD_SHA3_512;
746 return WINPR_MD_SHAKE128;
748 return WINPR_MD_SHAKE256;
752 return WINPR_MD_NONE;
756static WINPR_MD_TYPE get_rsa_pss_digest(
const X509_ALGOR* alg)
758 WINPR_MD_TYPE ret = WINPR_MD_NONE;
759 WINPR_MD_TYPE message_digest = WINPR_MD_NONE;
760 WINPR_MD_TYPE mgf1_digest = WINPR_MD_NONE;
762 const void* param_value =
nullptr;
763 const ASN1_STRING* sequence =
nullptr;
764 const unsigned char* inp =
nullptr;
765 RSA_PSS_PARAMS* params =
nullptr;
766 X509_ALGOR* mgf1_digest_alg =
nullptr;
770 X509_ALGOR_get0(
nullptr, ¶m_type, ¶m_value, alg);
775 if (param_type != V_ASN1_SEQUENCE)
777 sequence = param_value;
780 inp = ASN1_STRING_get0_data(sequence);
781 params = d2i_RSA_PSS_PARAMS(
nullptr, &inp, ASN1_STRING_length(sequence));
782 if (params ==
nullptr)
788 message_digest = WINPR_MD_SHA1;
789 if (params->hashAlgorithm !=
nullptr)
791 const ASN1_OBJECT* obj =
nullptr;
792 X509_ALGOR_get0(&obj,
nullptr,
nullptr, params->hashAlgorithm);
793 message_digest = hash_nid_to_winpr(OBJ_obj2nid(obj));
794 if (message_digest == WINPR_MD_NONE)
798 mgf1_digest = WINPR_MD_SHA1;
799 if (params->maskGenAlgorithm !=
nullptr)
801 const ASN1_OBJECT* obj =
nullptr;
802 int mgf_param_type = 0;
803 const void* mgf_param_value =
nullptr;
804 const ASN1_STRING* mgf_param_sequence =
nullptr;
806 X509_ALGOR_get0(&obj, &mgf_param_type, &mgf_param_value, params->maskGenAlgorithm);
807 if (OBJ_obj2nid(obj) != NID_mgf1)
811 if (mgf_param_type != V_ASN1_SEQUENCE)
813 mgf_param_sequence = mgf_param_value;
814 inp = ASN1_STRING_get0_data(mgf_param_sequence);
815 mgf1_digest_alg = d2i_X509_ALGOR(
nullptr, &inp, ASN1_STRING_length(mgf_param_sequence));
816 if (mgf1_digest_alg ==
nullptr)
820 X509_ALGOR_get0(&obj,
nullptr,
nullptr, mgf1_digest_alg);
821 mgf1_digest = hash_nid_to_winpr(OBJ_obj2nid(obj));
822 if (mgf1_digest == WINPR_MD_NONE)
829 if (message_digest != mgf1_digest)
831 ret = message_digest;
834 RSA_PSS_PARAMS_free(params);
835 X509_ALGOR_free(mgf1_digest_alg);
839WINPR_MD_TYPE x509_utils_get_signature_alg(
const X509* xcert)
843 const int nid = X509_get_signature_nid(xcert);
845 if (nid == NID_rsassaPss)
847 const X509_ALGOR* alg =
nullptr;
848 X509_get0_signature(
nullptr, &alg, xcert);
849 return get_rsa_pss_digest(alg);
853 if (OBJ_find_sigid_algs(nid, &hash_nid,
nullptr) != 1)
854 return WINPR_MD_NONE;
856 return hash_nid_to_winpr(hash_nid);
859char* x509_utils_get_common_name(
const X509* xcert,
size_t* plength)
861 X509_NAME* subject_name = X509_get_subject_name(xcert);
862 if (subject_name ==
nullptr)
865 const int index = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1);
869 const X509_NAME_ENTRY* entry = X509_NAME_get_entry(subject_name, index);
870 if (entry ==
nullptr)
873 const ASN1_STRING* entry_data = X509_NAME_ENTRY_get_data(entry);
874 if (entry_data ==
nullptr)
877 BYTE* common_name_raw =
nullptr;
878 const int length = ASN1_STRING_to_UTF8(&common_name_raw, entry_data);
882 char* common_name =
nullptr;
883 if (check_string_is_host_or_ip(xcert, common_name_raw,
884 WINPR_ASSERTING_INT_CAST(
size_t, length)))
887 *plength = (size_t)length;
889 common_name = strndup((
char*)common_name_raw, (
size_t)length);
891 OPENSSL_free(common_name_raw);
895static int verify_cb(
int ok, X509_STORE_CTX* csc)
900 int err = X509_STORE_CTX_get_error(csc);
901 int derr = X509_STORE_CTX_get_error_depth(csc);
902 X509* where = X509_STORE_CTX_get_current_cert(csc);
903 const char* what = X509_verify_cert_error_string(err);
904 char* name = x509_utils_get_subject(where);
906 WLog_WARN(TAG,
"Certificate verification failure '%s (%d)' at stack position %d", what, err,
908 WLog_WARN(TAG,
"%s", name);
915BOOL x509_utils_verify(X509* xcert, STACK_OF(X509) * chain,
const char* certificate_store_path)
917 const int purposes[] = { X509_PURPOSE_SSL_SERVER };
923 X509_STORE* cert_ctx = X509_STORE_new();
925 if (cert_ctx ==
nullptr)
928#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
929 OpenSSL_add_all_algorithms();
931 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS |
932 OPENSSL_INIT_LOAD_CONFIG,
936 if (X509_STORE_set_default_paths(cert_ctx) != 1)
939 X509_LOOKUP* lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
941 if (lookup ==
nullptr)
944 X509_LOOKUP_add_dir(lookup,
nullptr, X509_FILETYPE_DEFAULT);
946 if (certificate_store_path !=
nullptr)
948 X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
951 X509_STORE_set_flags(cert_ctx, 0);
953 for (
size_t i = 0; i < ARRAYSIZE(purposes); i++)
957 int purpose = purposes[i];
958 X509_STORE_CTX* csc = X509_STORE_CTX_new();
962 if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, chain))
965 X509_STORE_CTX_set_purpose(csc, purpose);
966 X509_STORE_CTX_set_verify_cb(csc, verify_cb);
968 rc = X509_verify_cert(csc);
969 err = X509_STORE_CTX_get_error(csc);
971 X509_STORE_CTX_free(csc);
977 else if (err != X509_V_ERR_INVALID_PURPOSE)
981 X509_STORE_free(cert_ctx);
986char* x509_utils_bio_read(BIO* bio,
size_t* plen)
988 char* buffer =
nullptr;
996 const UINT64 size = BIO_number_written(bio);
1000 buffer = calloc(1, (
size_t)size + 1ull);
1006 const int rc = BIO_read(bio, buffer, (
int)size);