FreeRDP
Loading...
Searching...
No Matches
x509_utils.c
1
22#include <openssl/objects.h>
23#include <openssl/x509v3.h>
24#include <openssl/pem.h>
25#include <openssl/rsa.h>
26#include <openssl/err.h>
27
28#include <freerdp/config.h>
29
30#include <winpr/crt.h>
31#include <winpr/string.h>
32#include <winpr/assert.h>
33
34#include <freerdp/log.h>
35
36#include "x509_utils.h"
37
38#define TAG FREERDP_TAG("crypto")
39
40BYTE* x509_utils_get_hash(const X509* xcert, const char* hash, size_t* length)
41{
42 UINT32 fp_len = EVP_MAX_MD_SIZE;
43 BYTE* fp = NULL;
44 const EVP_MD* md = EVP_get_digestbyname(hash);
45 if (!md)
46 {
47 WLog_ERR(TAG, "System does not support %s hash!", hash);
48 return NULL;
49 }
50 if (!xcert || !length)
51 {
52 WLog_ERR(TAG, "Invalid arguments: xcert=%p, length=%p", xcert, length);
53 return NULL;
54 }
55
56 fp = calloc(fp_len + 1, sizeof(BYTE));
57 if (!fp)
58 {
59 WLog_ERR(TAG, "could not allocate %" PRIuz " bytes", fp_len);
60 return NULL;
61 }
62
63 if (X509_digest(xcert, md, fp, &fp_len) != 1)
64 {
65 free(fp);
66 WLog_ERR(TAG, "certificate does not have a %s hash!", hash);
67 return NULL;
68 }
69
70 *length = fp_len;
71 return fp;
72}
73
74static char* crypto_print_name(const X509_NAME* name)
75{
76 char* buffer = NULL;
77 BIO* outBIO = BIO_new(BIO_s_mem());
78
79 if (X509_NAME_print_ex(outBIO, name, 0, XN_FLAG_ONELINE) > 0)
80 {
81 UINT64 size = BIO_number_written(outBIO);
82 if (size > INT_MAX)
83 goto fail;
84 buffer = calloc(1, (size_t)size + 1);
85
86 if (!buffer)
87 goto fail;
88
89 ERR_clear_error();
90 const int rc = BIO_read(outBIO, buffer, (int)size);
91 if (rc <= 0)
92 {
93 free(buffer);
94 buffer = NULL;
95 goto fail;
96 }
97 }
98
99fail:
100 BIO_free_all(outBIO);
101 return buffer;
102}
103
104char* x509_utils_get_subject(const X509* xcert)
105{
106 char* subject = NULL;
107 if (!xcert)
108 {
109 WLog_ERR(TAG, "Invalid certificate %p", xcert);
110 return NULL;
111 }
112 subject = crypto_print_name(X509_get_subject_name(xcert));
113 if (!subject)
114 WLog_WARN(TAG, "certificate does not have a subject!");
115 return subject;
116}
117
118/* GENERAL_NAME type labels */
119
120static const char* general_name_type_labels[] = { "OTHERNAME", "EMAIL ", "DNS ",
121 "X400 ", "DIRNAME ", "EDIPARTY ",
122 "URI ", "IPADD ", "RID " };
123
124static const char* general_name_type_label(int general_name_type)
125{
126 if ((0 <= general_name_type) &&
127 ((size_t)general_name_type < ARRAYSIZE(general_name_type_labels)))
128 {
129 return general_name_type_labels[general_name_type];
130 }
131 else
132 {
133 static char buffer[80] = { 0 };
134 (void)snprintf(buffer, sizeof(buffer), "Unknown general name type (%d)", general_name_type);
135 return buffer;
136 }
137}
138
139/*
140
141map_subject_alt_name(x509, general_name_type, mapper, data)
142
143Call the function mapper with subjectAltNames found in the x509
144certificate and data. if generate_name_type is GEN_ALL, the the
145mapper is called for all the names, else it's called only for names
146of the given type.
147
148
149We implement two extractors:
150
151 - a string extractor that can be used to get the subjectAltNames of
152 the following types: GEN_URI, GEN_DNS, GEN_EMAIL
153
154 - a ASN1_OBJECT filter/extractor that can be used to get the
155 subjectAltNames of OTHERNAME type.
156
157 Note: usually, it's a string, but some type of otherNames can be
158 associated with different classes of objects. eg. a KPN may be a
159 sequence of realm and principal name, instead of a single string
160 object.
161
162Not implemented yet: extractors for the types: GEN_X400, GEN_DIRNAME,
163GEN_EDIPARTY, GEN_RID, GEN_IPADD (the later can contain nul-bytes).
164
165
166mapper(name, data, index, count)
167
168The mapper is passed:
169 - the GENERAL_NAME selected,
170 - the data,
171 - the index of the general name in the subjectAltNames,
172 - the total number of names in the subjectAltNames.
173
174The last parameter let's the mapper allocate arrays to collect objects.
175Note: if names are filtered, not all the indices from 0 to count-1 are
176passed to mapper, only the indices selected.
177
178When the mapper returns 0, map_subject_alt_name stops the iteration immediately.
179
180*/
181
182#define GEN_ALL (-1)
183
184typedef int (*general_name_mapper_pr)(GENERAL_NAME* name, void* data, int index, int count);
185
186static void map_subject_alt_name(const X509* x509, int general_name_type,
187 general_name_mapper_pr mapper, void* data)
188{
189 int num = 0;
190 STACK_OF(GENERAL_NAME)* gens = NULL;
191 gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
192
193 if (!gens)
194 {
195 return;
196 }
197
198 num = sk_GENERAL_NAME_num(gens);
199
200 for (int i = 0; (i < num); i++)
201 {
202 GENERAL_NAME* name = sk_GENERAL_NAME_value(gens, i);
203
204 if (name)
205 {
206 if ((general_name_type == GEN_ALL) || (general_name_type == name->type))
207 {
208 if (!mapper(name, data, i, num))
209 {
210 break;
211 }
212 }
213 }
214 }
215
216 sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
217}
218
219/*
220extract_string -- string extractor
221
222- the strings array is allocated lazily, when we first have to store a
223 string.
224
225- allocated contains the size of the strings array, or -1 if
226 allocation failed.
227
228- count contains the actual count of strings in the strings array.
229
230- maximum limits the number of strings we can store in the strings
231 array: beyond, the extractor returns 0 to short-cut the search.
232
233extract_string stores in the string list OPENSSL strings,
234that must be freed with OPENSSL_free.
235
236*/
237
238typedef struct string_list
239{
240 char** strings;
241 size_t allocated;
242 size_t count;
243 size_t maximum;
244} string_list;
245
246static void string_list_initialize(string_list* list)
247{
248 list->strings = 0;
249 list->allocated = 0;
250 list->count = 0;
251 list->maximum = INT_MAX;
252}
253
254static void string_list_allocate(string_list* list, size_t allocate_count)
255{
256 if (!list->strings && list->allocated == 0)
257 {
258 list->strings = (char**)calloc(allocate_count, sizeof(char*));
259 list->allocated = list->strings ? allocate_count : 0;
260 list->count = 0;
261 }
262}
263
264static void string_list_free(string_list* list)
265{
266 /* Note: we don't free the contents of the strings array: this */
267 /* is handled by the caller, either by returning this */
268 /* content, or freeing it itself. */
269 free((void*)list->strings);
270}
271
272static int extract_string(GENERAL_NAME* name, void* data, int index, int count)
273{
274 string_list* list = data;
275 unsigned char* cstring = 0;
276 ASN1_STRING* str = NULL;
277
278 WINPR_UNUSED(index);
279
280 switch (name->type)
281 {
282 case GEN_URI:
283 str = name->d.uniformResourceIdentifier;
284 break;
285
286 case GEN_DNS:
287 str = name->d.dNSName;
288 break;
289
290 case GEN_EMAIL:
291 str = name->d.rfc822Name;
292 break;
293
294 default:
295 return 1;
296 }
297
298 if ((ASN1_STRING_to_UTF8(&cstring, str)) < 0)
299 {
300 WLog_ERR(TAG, "ASN1_STRING_to_UTF8() failed for %s: %s",
301 general_name_type_label(name->type), ERR_error_string(ERR_get_error(), NULL));
302 return 1;
303 }
304
305 string_list_allocate(list, WINPR_ASSERTING_INT_CAST(WINPR_CIPHER_TYPE, count));
306
307 if (list->allocated <= 0)
308 {
309 OPENSSL_free(cstring);
310 return 0;
311 }
312
313 list->strings[list->count] = (char*)cstring;
314 list->count++;
315
316 if (list->count >= list->maximum)
317 {
318 return 0;
319 }
320
321 return 1;
322}
323
324/*
325extract_othername_object -- object extractor.
326
327- the objects array is allocated lazily, when we first have to store a
328 string.
329
330- allocated contains the size of the objects array, or -1 if
331 allocation failed.
332
333- count contains the actual count of objects in the objects array.
334
335- maximum limits the number of objects we can store in the objects
336 array: beyond, the extractor returns 0 to short-cut the search.
337
338extract_othername_objects stores in the objects array ASN1_TYPE *
339pointers directly obtained from the GENERAL_NAME.
340*/
341
342typedef struct object_list
343{
344 ASN1_OBJECT* type_id;
345 char** strings;
346 size_t allocated;
347 size_t count;
348 size_t maximum;
349} object_list;
350
351static void object_list_initialize(object_list* list)
352{
353 list->type_id = 0;
354 list->strings = 0;
355 list->allocated = 0;
356 list->count = 0;
357 list->maximum = INT_MAX;
358}
359
360static void object_list_allocate(object_list* list, size_t allocate_count)
361{
362 if (!list->strings && (list->allocated == 0) && (allocate_count > 0))
363 {
364 list->strings = (char**)calloc(allocate_count, sizeof(list->strings[0]));
365 list->allocated = list->strings ? allocate_count : 0;
366 list->count = 0;
367 }
368}
369
370static char* object_string(ASN1_TYPE* object)
371{
372 char* result = NULL;
373 unsigned char* utf8String = NULL;
374
375 /* TODO: check that object.type is a string type. */
376 const int length = ASN1_STRING_to_UTF8(&utf8String, object->value.asn1_string);
377
378 if (length < 0)
379 {
380 return 0;
381 }
382
383 result = strndup((char*)utf8String, WINPR_ASSERTING_INT_CAST(size_t, length));
384 OPENSSL_free(utf8String);
385 return result;
386}
387
388static void object_list_free(object_list* list)
389{
390 WINPR_ASSERT(list);
391 free((void*)list->strings);
392}
393
394static int extract_othername_object_as_string(GENERAL_NAME* name, void* data, int index, int count)
395{
396 object_list* list = data;
397 WINPR_UNUSED(index);
398
399 if (count < 0)
400 return -1;
401
402 if (name->type != GEN_OTHERNAME)
403 {
404 return 1;
405 }
406
407 if (0 != OBJ_cmp(name->d.otherName->type_id, list->type_id))
408 {
409 return 1;
410 }
411
412 object_list_allocate(list, WINPR_ASSERTING_INT_CAST(size_t, count));
413
414 if (list->allocated <= 0)
415 {
416 return 0;
417 }
418
419 list->strings[list->count] = object_string(name->d.otherName->value);
420
421 if (list->strings[list->count])
422 {
423 list->count++;
424 }
425
426 if (list->count >= list->maximum)
427 {
428 return 0;
429 }
430
431 return 1;
432}
433
434char* x509_utils_get_email(const X509* x509)
435{
436 char* result = 0;
437 string_list list;
438 string_list_initialize(&list);
439 list.maximum = 1;
440 map_subject_alt_name(x509, GEN_EMAIL, extract_string, &list);
441
442 if (list.count == 0)
443 {
444 string_list_free(&list);
445 return 0;
446 }
447
448 result = _strdup(list.strings[0]);
449 OPENSSL_free(list.strings[0]);
450 string_list_free(&list);
451 return result;
452}
453
454char* x509_utils_get_upn(const X509* x509)
455{
456 char* result = 0;
457 object_list list = { 0 };
458 object_list_initialize(&list);
459 list.type_id = OBJ_nid2obj(NID_ms_upn);
460 list.maximum = 1;
461 map_subject_alt_name(x509, GEN_OTHERNAME, extract_othername_object_as_string, &list);
462
463 if (list.count == 0)
464 {
465 object_list_free(&list);
466 return 0;
467 }
468
469 result = list.strings[0];
470 object_list_free(&list);
471 return result;
472}
473
474char* x509_utils_get_date(const X509* x509, BOOL startDate)
475{
476 WINPR_ASSERT(x509);
477
478 const ASN1_TIME* date = startDate ? X509_get0_notBefore(x509) : X509_get0_notAfter(x509);
479 if (!date)
480 return NULL;
481
482 BIO* bmem = BIO_new(BIO_s_mem());
483 if (!bmem)
484 return NULL;
485
486 char* str = NULL;
487 if (ASN1_TIME_print(bmem, date))
488 {
489 BUF_MEM* bptr = NULL;
490
491 BIO_get_mem_ptr(bmem, &bptr);
492 str = strndup(bptr->data, bptr->length);
493 }
494 else
495 { // Log error
496 }
497 BIO_free_all(bmem);
498 return str;
499}
500
501void x509_utils_dns_names_free(size_t count, size_t* lengths, char** dns_names)
502{
503 free(lengths);
504
505 if (dns_names)
506 {
507 for (size_t i = 0; i < count; i++)
508 {
509 if (dns_names[i])
510 {
511 OPENSSL_free(dns_names[i]);
512 }
513 }
514
515 free((void*)dns_names);
516 }
517}
518
519char** x509_utils_get_dns_names(const X509* x509, size_t* count, size_t** lengths)
520{
521 char** result = 0;
522 string_list list = { 0 };
523 string_list_initialize(&list);
524 map_subject_alt_name(x509, GEN_DNS, extract_string, &list);
525 (*count) = list.count;
526
527 if (list.count <= 0)
528 {
529 string_list_free(&list);
530 return NULL;
531 }
532
533 /* lengths are not useful, since we converted the
534 strings to utf-8, there cannot be nul-bytes in them. */
535 result = (char**)calloc(list.count, sizeof(*result));
536 (*lengths) = calloc(list.count, sizeof(**lengths));
537
538 if (!result || !(*lengths))
539 {
540 string_list_free(&list);
541 free((void*)result);
542 free(*lengths);
543 (*lengths) = 0;
544 (*count) = 0;
545 return NULL;
546 }
547
548 for (size_t i = 0; i < list.count; i++)
549 {
550 result[i] = list.strings[i];
551 (*lengths)[i] = strlen(result[i]);
552 }
553
554 string_list_free(&list);
555 return result;
556}
557
558char* x509_utils_get_issuer(const X509* xcert)
559{
560 char* issuer = NULL;
561 if (!xcert)
562 {
563 WLog_ERR(TAG, "Invalid certificate %p", xcert);
564 return NULL;
565 }
566 issuer = crypto_print_name(X509_get_issuer_name(xcert));
567 if (!issuer)
568 WLog_WARN(TAG, "certificate does not have an issuer!");
569 return issuer;
570}
571
572static int asn1_object_cmp(const ASN1_OBJECT* const* a, const ASN1_OBJECT* const* b)
573{
574 if (!a || !b)
575 return (a == b) ? 0 : (a ? 1 : -1);
576
577 if (!*a || !*b)
578 return (*a == *b) ? 0 : (*a ? 1 : -1);
579
580 return OBJ_cmp(*a, *b);
581}
582
583BOOL x509_utils_check_eku(const X509* xcert, int nid)
584{
585 BOOL ret = FALSE;
586 STACK_OF(ASN1_OBJECT)* oid_stack = NULL;
587 ASN1_OBJECT* oid = NULL;
588
589 if (!xcert)
590 return FALSE;
591
592 oid = OBJ_nid2obj(nid);
593 if (!oid)
594 return FALSE;
595
596 oid_stack = X509_get_ext_d2i(xcert, NID_ext_key_usage, NULL, NULL);
597 if (!oid_stack)
598 return FALSE;
599
600 sk_ASN1_OBJECT_set_cmp_func(oid_stack, asn1_object_cmp);
601 if (sk_ASN1_OBJECT_find(oid_stack, oid) >= 0)
602 ret = TRUE;
603
604 sk_ASN1_OBJECT_pop_free(oid_stack, ASN1_OBJECT_free);
605 return ret;
606}
607
608void x509_utils_print_info(const X509* xcert)
609{
610 char* fp = NULL;
611 char* issuer = NULL;
612 char* subject = NULL;
613 subject = x509_utils_get_subject(xcert);
614 issuer = x509_utils_get_issuer(xcert);
615 fp = (char*)x509_utils_get_hash(xcert, "sha256", NULL);
616
617 if (!fp)
618 {
619 WLog_ERR(TAG, "error computing fingerprint");
620 goto out_free_issuer;
621 }
622
623 WLog_INFO(TAG, "Certificate details:");
624 WLog_INFO(TAG, "\tSubject: %s", subject);
625 WLog_INFO(TAG, "\tIssuer: %s", issuer);
626 WLog_INFO(TAG, "\tThumbprint: %s", fp);
627 WLog_INFO(TAG,
628 "The above X.509 certificate could not be verified, possibly because you do not have "
629 "the CA certificate in your certificate store, or the certificate has expired. "
630 "Please look at the OpenSSL documentation on how to add a private CA to the store.");
631 free(fp);
632out_free_issuer:
633 free(issuer);
634 free(subject);
635}
636
637X509* x509_utils_from_pem(const char* data, size_t len, BOOL fromFile)
638{
639 X509* x509 = NULL;
640 BIO* bio = NULL;
641 if (fromFile)
642 bio = BIO_new_file(data, "rb");
643 else
644 {
645 if (len > INT_MAX)
646 return NULL;
647
648 bio = BIO_new_mem_buf(data, (int)len);
649 }
650
651 if (!bio)
652 {
653 WLog_ERR(TAG, "BIO_new failed for certificate");
654 return NULL;
655 }
656
657 x509 = PEM_read_bio_X509(bio, NULL, NULL, 0);
658 BIO_free_all(bio);
659 if (!x509)
660 WLog_ERR(TAG, "PEM_read_bio_X509 returned NULL [input length %" PRIuz "]", len);
661
662 return x509;
663}
664
665static WINPR_MD_TYPE hash_nid_to_winpr(int hash_nid)
666{
667 switch (hash_nid)
668 {
669 case NID_md2:
670 return WINPR_MD_MD2;
671 case NID_md4:
672 return WINPR_MD_MD4;
673 case NID_md5:
674 return WINPR_MD_MD5;
675 case NID_sha1:
676 return WINPR_MD_SHA1;
677 case NID_sha224:
678 return WINPR_MD_SHA224;
679 case NID_sha256:
680 return WINPR_MD_SHA256;
681 case NID_sha384:
682 return WINPR_MD_SHA384;
683 case NID_sha512:
684 return WINPR_MD_SHA512;
685 case NID_ripemd160:
686 return WINPR_MD_RIPEMD160;
687#if (OPENSSL_VERSION_NUMBER >= 0x1010101fL) && !defined(LIBRESSL_VERSION_NUMBER)
688 case NID_sha3_224:
689 return WINPR_MD_SHA3_224;
690 case NID_sha3_256:
691 return WINPR_MD_SHA3_256;
692 case NID_sha3_384:
693 return WINPR_MD_SHA3_384;
694 case NID_sha3_512:
695 return WINPR_MD_SHA3_512;
696 case NID_shake128:
697 return WINPR_MD_SHAKE128;
698 case NID_shake256:
699 return WINPR_MD_SHAKE256;
700#endif
701 case NID_undef:
702 default:
703 return WINPR_MD_NONE;
704 }
705}
706
707static WINPR_MD_TYPE get_rsa_pss_digest(const X509_ALGOR* alg)
708{
709 WINPR_MD_TYPE ret = WINPR_MD_NONE;
710 WINPR_MD_TYPE message_digest = WINPR_MD_NONE;
711 WINPR_MD_TYPE mgf1_digest = WINPR_MD_NONE;
712 int param_type = 0;
713 const void* param_value = NULL;
714 const ASN1_STRING* sequence = NULL;
715 const unsigned char* inp = NULL;
716 RSA_PSS_PARAMS* params = NULL;
717 X509_ALGOR* mgf1_digest_alg = NULL;
718
719 /* The RSA-PSS digest is encoded in a complex structure, defined in
720 https://www.rfc-editor.org/rfc/rfc4055.html. */
721 X509_ALGOR_get0(NULL, &param_type, &param_value, alg);
722
723 /* param_type and param_value the parameter in ASN1_TYPE form, but split into two parameters. A
724 SEQUENCE is has type V_ASN1_SEQUENCE, and the value is an ASN1_STRING with the encoded
725 structure. */
726 if (param_type != V_ASN1_SEQUENCE)
727 goto end;
728 sequence = param_value;
729
730 /* Decode the structure. */
731 inp = ASN1_STRING_get0_data(sequence);
732 params = d2i_RSA_PSS_PARAMS(NULL, &inp, ASN1_STRING_length(sequence));
733 if (params == NULL)
734 goto end;
735
736 /* RSA-PSS uses two hash algorithms, a message digest and also an MGF function which is, itself,
737 parameterized by a hash function. Both fields default to SHA-1, so we must also check for the
738 value being NULL. */
739 message_digest = WINPR_MD_SHA1;
740 if (params->hashAlgorithm != NULL)
741 {
742 const ASN1_OBJECT* obj = NULL;
743 X509_ALGOR_get0(&obj, NULL, NULL, params->hashAlgorithm);
744 message_digest = hash_nid_to_winpr(OBJ_obj2nid(obj));
745 if (message_digest == WINPR_MD_NONE)
746 goto end;
747 }
748
749 mgf1_digest = WINPR_MD_SHA1;
750 if (params->maskGenAlgorithm != NULL)
751 {
752 const ASN1_OBJECT* obj = NULL;
753 int mgf_param_type = 0;
754 const void* mgf_param_value = NULL;
755 const ASN1_STRING* mgf_param_sequence = NULL;
756 /* First, check this is MGF-1, the only one ever defined. */
757 X509_ALGOR_get0(&obj, &mgf_param_type, &mgf_param_value, params->maskGenAlgorithm);
758 if (OBJ_obj2nid(obj) != NID_mgf1)
759 goto end;
760
761 /* MGF-1 is, itself, parameterized by a hash function, encoded as an AlgorithmIdentifier. */
762 if (mgf_param_type != V_ASN1_SEQUENCE)
763 goto end;
764 mgf_param_sequence = mgf_param_value;
765 inp = ASN1_STRING_get0_data(mgf_param_sequence);
766 mgf1_digest_alg = d2i_X509_ALGOR(NULL, &inp, ASN1_STRING_length(mgf_param_sequence));
767 if (mgf1_digest_alg == NULL)
768 goto end;
769
770 /* Finally, extract the digest. */
771 X509_ALGOR_get0(&obj, NULL, NULL, mgf1_digest_alg);
772 mgf1_digest = hash_nid_to_winpr(OBJ_obj2nid(obj));
773 if (mgf1_digest == WINPR_MD_NONE)
774 goto end;
775 }
776
777 /* If the two digests do not match, it is ambiguous which to return. tls-server-end-point leaves
778 it undefined, so return none.
779 https://www.rfc-editor.org/rfc/rfc5929.html#section-4.1 */
780 if (message_digest != mgf1_digest)
781 goto end;
782 ret = message_digest;
783
784end:
785 RSA_PSS_PARAMS_free(params);
786 X509_ALGOR_free(mgf1_digest_alg);
787 return ret;
788}
789
790WINPR_MD_TYPE x509_utils_get_signature_alg(const X509* xcert)
791{
792 WINPR_ASSERT(xcert);
793
794 const int nid = X509_get_signature_nid(xcert);
795
796 if (nid == NID_rsassaPss)
797 {
798 const X509_ALGOR* alg = NULL;
799 X509_get0_signature(NULL, &alg, xcert);
800 return get_rsa_pss_digest(alg);
801 }
802
803 int hash_nid = 0;
804 if (OBJ_find_sigid_algs(nid, &hash_nid, NULL) != 1)
805 return WINPR_MD_NONE;
806
807 return hash_nid_to_winpr(hash_nid);
808}
809
810char* x509_utils_get_common_name(const X509* xcert, size_t* plength)
811{
812 X509_NAME* subject_name = X509_get_subject_name(xcert);
813 if (subject_name == NULL)
814 return NULL;
815
816 const int index = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1);
817 if (index < 0)
818 return NULL;
819
820 const X509_NAME_ENTRY* entry = X509_NAME_get_entry(subject_name, index);
821 if (entry == NULL)
822 return NULL;
823
824 const ASN1_STRING* entry_data = X509_NAME_ENTRY_get_data(entry);
825 if (entry_data == NULL)
826 return NULL;
827
828 BYTE* common_name_raw = NULL;
829 const int length = ASN1_STRING_to_UTF8(&common_name_raw, entry_data);
830 if (length < 0)
831 return NULL;
832
833 if (plength)
834 *plength = (size_t)length;
835
836 char* common_name = _strdup((char*)common_name_raw);
837 OPENSSL_free(common_name_raw);
838 return common_name;
839}
840
841static int verify_cb(int ok, X509_STORE_CTX* csc)
842{
843 if (ok != 1)
844 {
845 WINPR_ASSERT(csc);
846 int err = X509_STORE_CTX_get_error(csc);
847 int derr = X509_STORE_CTX_get_error_depth(csc);
848 X509* where = X509_STORE_CTX_get_current_cert(csc);
849 const char* what = X509_verify_cert_error_string(err);
850 char* name = x509_utils_get_subject(where);
851
852 WLog_WARN(TAG, "Certificate verification failure '%s (%d)' at stack position %d", what, err,
853 derr);
854 WLog_WARN(TAG, "%s", name);
855
856 free(name);
857 }
858 return ok;
859}
860
861BOOL x509_utils_verify(X509* xcert, STACK_OF(X509) * chain, const char* certificate_store_path)
862{
863 const int purposes[3] = { X509_PURPOSE_SSL_SERVER, X509_PURPOSE_SSL_CLIENT, X509_PURPOSE_ANY };
864 X509_STORE_CTX* csc = NULL;
865 BOOL status = FALSE;
866 X509_LOOKUP* lookup = NULL;
867
868 if (!xcert)
869 return FALSE;
870
871 X509_STORE* cert_ctx = X509_STORE_new();
872
873 if (cert_ctx == NULL)
874 goto end;
875
876#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
877 OpenSSL_add_all_algorithms();
878#else
879 OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS |
880 OPENSSL_INIT_LOAD_CONFIG,
881 NULL);
882#endif
883
884 if (X509_STORE_set_default_paths(cert_ctx) != 1)
885 goto end;
886
887 lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
888
889 if (lookup == NULL)
890 goto end;
891
892 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
893
894 if (certificate_store_path != NULL)
895 {
896 X509_LOOKUP_add_dir(lookup, certificate_store_path, X509_FILETYPE_PEM);
897 }
898
899 X509_STORE_set_flags(cert_ctx, 0);
900
901 for (size_t i = 0; i < ARRAYSIZE(purposes); i++)
902 {
903 int err = -1;
904 int rc = -1;
905 int purpose = purposes[i];
906 csc = X509_STORE_CTX_new();
907
908 if (csc == NULL)
909 goto skip;
910 if (!X509_STORE_CTX_init(csc, cert_ctx, xcert, chain))
911 goto skip;
912
913 X509_STORE_CTX_set_purpose(csc, purpose);
914 X509_STORE_CTX_set_verify_cb(csc, verify_cb);
915
916 rc = X509_verify_cert(csc);
917 err = X509_STORE_CTX_get_error(csc);
918 skip:
919 X509_STORE_CTX_free(csc);
920 if (rc == 1)
921 {
922 status = TRUE;
923 break;
924 }
925 else if (err != X509_V_ERR_INVALID_PURPOSE)
926 break;
927 }
928
929 X509_STORE_free(cert_ctx);
930end:
931 return status;
932}