/*
* Copyright (C) 2006-2012 Free Software Foundation, Inc.
* Author: Simon Josefsson, Howard Chu
*
* This file is part of GnuTLS.
*
* GnuTLS is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GnuTLS; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include <stdio.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gnutls/x509-ext.h>
#include "utils.h"
/* Negative-test input: an X.509 version 1 certificate that nonetheless
 * carries an extensions field. RFC 5280 (4.1.2.9) only permits extensions
 * in v3 certificates, so a conforming parser must reject this blob.
 * NOTE(review): the code exercising it lives further down the file, outside
 * this excerpt - confirm there that rejection is what is asserted. */
static char invalid_cert[] = /* v1 certificate with extensions */
	"-----BEGIN CERTIFICATE-----\n"
	"MIIDHjCCAgYCDFQ7zlUDsihSxVF4mDANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQD\n"
	"EwRDQS0wMCIYDzIwMTQxMDEzMTMwNjI5WhgPOTk5OTEyMzEyMzU5NTlaMBMxETAP\n"
	"BgNVBAMTCHNlcnZlci0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n"
	"zoG3/1YtwGHh/5u3ex6xAmwO0/H4gdIy/yiYLxqWcy+HzyMBBZHNXuV7W0z7x+Qo\n"
	"qCGtenWkzIQSgeYKyzdcpPDscZIYOgwHWUFczxgVGdLsBKPSczgqMHpSCLgMgnDM\n"
	"RaN6SNQeTQdftkLt5wdBSzNaxhhPYsCEbopSeZ8250FCLS3gRpoMtYCBiy7cjSJB\n"
	"zv6zmZStXNgTYr8pLwI0nyxPyRdB+TZyqAC6r9W154y51vsqUCGmC0I9hn1A5kkD\n"
	"5057x+Ho1kDwPxOfObdOR+AJSAw/FeGuStzViJY0I68B90sEo/HD+h7mB+CwJ2Yf\n"
	"64/xVdh+D8L65eYkM9z88wIDAQABo3cwdTAMBgNVHRMBAf8EAjAAMBQGA1UdEQQN\n"
	"MAuCCWxvY2FsaG9zdDAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBT7Gk/u95zI\n"
	"JTM89CXJ70IxxqhegDAfBgNVHSMEGDAWgBQ9X77/zddjG9ob2zrR/WuGmxwFGDAN\n"
	"BgkqhkiG9w0BAQsFAAOCAQEAaTrAcTkQ7yqf6afoTkFXZuZ+jJXYNGkubxs8Jo/z\n"
	"srJk/WWVGAKuxiBDumk88Gjm+WXGyIDA7Hq9fhGaklJV2PGRfNVx9No51HXeAToT\n"
	"sHs2XKhk9SdKKR4UJkuX3U2malMlCpmFMtm3EieDVZLxeukhODJQtRa3vGg8QWoz\n"
	"ODlewHSmQiXhnqq52fLCbdVUaBnaRGOIwNZ0FcBWv9n0ZCuhjg9908rUVH9/OjI3\n"
	"AGVZcbN9Jac2ZO8NTxP5vS1hrG2wT9+sVRh1sD5ISZSM4gWdq9sK8d7j+SwOPBWY\n"
	"3dcxQlfvWw2Dt876XYoyUZuKirmASVlMw+hkm1WXM7Svsw==\n"
	"-----END CERTIFICATE-----\n";
/* Positive-test certificate whose extensions are decoded and checked by the
 * ext_parse_func handlers defined below (basic constraints, subject alt
 * names, key purposes, policies, key usage, subject key id, CRL distribution
 * points, name constraints).
 *
 * Note that, unlike invalid_cert above, the PEM body is written without any
 * "\n" separators: the BEGIN line runs straight into the base64 data and the
 * chunks are concatenated into one long line. The PEM decoder is presumably
 * tolerant of that layout - TODO confirm rather than "fix" the literal. */
static char pem[] =
	"-----BEGIN CERTIFICATE-----"
	"MIIFdDCCBN2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBkzEVMBMGA1UEAxMMQ2lu"
	"ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjERMA8GA1UECxMIQ0Eg"
	"ZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYD"
	"VQQGEwJHUjEcMBoGCSqGSIb3DQEJARYNbm9uZUBub25lLm9yZzAiGA8yMDA3MDQy"
	"MTIyMDAwMFoYDzk5OTkxMjMxMjM1OTU5WjCBkzEVMBMGA1UEAxMMQ2luZHkgTGF1"
	"cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjERMA8GA1UECxMIQ0EgZGVwdC4x"
	"EjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJH"
	"UjEcMBoGCSqGSIb3DQEJARYNbm9uZUBub25lLm9yZzCBnzANBgkqhkiG9w0BAQEF"
	"AAOBjQAwgYkCgYEApcbOdUOEv2SeAicT8QNZ93ktku18L1CkA/EtebmGiwV+OrtE"
	"qq+EzxOYHhxKOPczLXqfctRrbSawMTdwEPtC6didGGV+GUn8BZYEaIMed4a/7fXl"
	"EjsT/jMYnBp6HWmvRwJgeh+56M/byDQwUZY9jJZcALxh3ggPsTYhf6kA4wUCAwEA"
	"AaOCAtAwggLMMBIGA1UdEwEB/wQIMAYBAf8CAQQwagYDVR0RBGMwYYIMd3d3Lm5v"
	"bmUub3JnghN3d3cubW9yZXRoYW5vbmUub3Jnghd3d3cuZXZlbm1vcmV0aGFub25l"
	"Lm9yZ4cEwKgBAYENbm9uZUBub25lLm9yZ4EOd2hlcmVAbm9uZS5vcmcwgfcGA1Ud"
	"IASB7zCB7DB3BgwrBgEEAapsAQpjAQAwZzAwBggrBgEFBQcCAjAkDCJUaGlzIGlz"
	"IGEgbG9uZyBwb2xpY3kgdG8gc3VtbWFyaXplMDMGCCsGAQUFBwIBFidodHRwOi8v"
	"d3d3LmV4YW1wbGUuY29tL2EtcG9saWN5LXRvLXJlYWQwcQYMKwYBBAGqbAEKYwEB"
	"MGEwJAYIKwYBBQUHAgIwGAwWVGhpcyBpcyBhIHNob3J0IHBvbGljeTA5BggrBgEF"
	"BQcCARYtaHR0cDovL3d3dy5leGFtcGxlLmNvbS9hbm90aGVyLXBvbGljeS10by1y"
	"ZWFkMB0GA1UdJQQWMBQGCCsGAQUFBwMDBggrBgEFBQcDCTBYBgNVHR4BAf8ETjBM"
	"oCQwDYILZXhhbXBsZS5jb20wE4ERbm1hdkBAZXhhbXBsZS5uZXShJDASghB0ZXN0"
	"LmV4YW1wbGUuY29tMA6BDC5leGFtcGxlLmNvbTA2BggrBgEFBQcBAQQqMCgwJgYI"
	"KwYBBQUHMAGGGmh0dHA6Ly9teS5vY3NwLnNlcnZlci9vY3NwMA8GA1UdDwEB/wQF"
	"AwMHBgAwHQYDVR0OBBYEFF1ArfDOlECVi36ZlB2SVCLKcjZfMG8GA1UdHwRoMGYw"
	"ZKBioGCGHmh0dHA6Ly93d3cuZ2V0Y3JsLmNybC9nZXRjcmwxL4YeaHR0cDovL3d3"
	"dy5nZXRjcmwuY3JsL2dldGNybDIvhh5odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0"
	"Y3JsMy8wDQYJKoZIhvcNAQELBQADgYEAdacOt4/Vgc9Y3pSkik3HBifDeK2OtiW0"
	"BZ7xOXqXtL8Uwx6wx/DybZsUbzuR55GLUROYAc3cio5M/0pTwjqmmQ8vuHIt2p8A"
	"2fegFcBbNLX38XxACQh4TDAT/4ftPwOtEol4UR4ItZ1d7faDzDXNpmGE+sp5s6ii"
	"3cIIpInMKE8=" "-----END CERTIFICATE-----";
/* Upper bound, in bytes, for a single extension value read out of the
 * certificate. NOTE(review): the buffer this sizes is declared further down
 * the file, outside this excerpt - confirm the bound there. */
#define MAX_DATA_SIZE 1024

/* Per-extension checker. Receives the raw DER value of one extension and
 * returns 0 when it decodes to the expected content, or a negative value
 * (a gnutls error code, or -1 for a value mismatch) otherwise. */
typedef int (*ext_parse_func) (const gnutls_datum_t * der);

/* One row of the extension table: the dotted OID of the extension, the
 * checker to run on its value and whether the test expects it to be flagged
 * critical in the certificate. */
struct ext_handler_st {
	const char *oid;
	ext_parse_func handler;
	unsigned critical;
};
/* Checker for the Basic Constraints extension of the test certificate.
 *
 * The certificate is expected to carry:
 *   Basic Constraints (critical):
 *     Certificate Authority (CA): TRUE
 *     Path Length Constraint: 4
 *
 * @der: raw DER value of the extension.
 * Returns 0 when the decoded values match, the gnutls error code if the
 * import fails, or -1 on a value mismatch. The failing line is reported on
 * stderr in every error case.
 */
static int basic_constraints(const gnutls_datum_t * der)
{
	unsigned is_ca;
	int pathlen;
	int rc = gnutls_x509_ext_import_basic_constraints(der, &is_ca, &pathlen);

	if (rc < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return rc;
	}

	/* the test certificate is a CA ... */
	if (is_ca != 1) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return -1;
	}

	/* ... constrained to a path length of exactly 4 */
	if (pathlen != 4) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return -1;
	}

	return 0;
}
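/* Compare one decoded general name against an expected type and value.
 *
 * @type:          GNUTLS_SAN_* type reported by the decoder.
 * @name:          decoded name; @name->size bytes at @name->data.
 * @expected_type: GNUTLS_SAN_* constant the name must have.
 * @expected_name: NUL-terminated string the name must equal byte-for-byte.
 *
 * Returns 0 on a match, -1 otherwise; the failing line is reported on
 * stderr. The byte comparison is bounded by @name->size, so it does not
 * depend on the decoder NUL-terminating @name->data.
 */
static int cmp_name(unsigned type, gnutls_datum_t * name,
		    unsigned expected_type, const char *expected_name)
{
	size_t expected_len = strlen(expected_name);

	if (type != expected_type) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return -1;
	}

	if (name->size != expected_len) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return -1;
	}

	/* lengths are equal here, so a bounded memcmp is a complete comparison */
	if (memcmp(name->data, expected_name, expected_len) != 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return -1;
	}

	return 0;
}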
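/* Checker for the Subject Alternative Name extension of the test
 * certificate.
 *
 * The certificate is expected to carry exactly these entries, in order:
 *   Subject Alternative Name (not critical):
 *     DNSname: www.none.org
 *     DNSname: www.morethanone.org
 *     DNSname: www.evenmorethanone.org
 *     IPAddress: 192.168.1.1
 *     tRFC822Name: none@none.org
 *     tRFC822Name: where@none.org
 *
 * @der: raw DER value of the extension.
 * Returns 0 when every entry matches, the gnutls error code if decoding
 * fails, or -1 on a mismatch; the failing line is printed to stderr. The
 * decoded name list is released on every return path after init.
 */
static int subject_alt_name(const gnutls_datum_t * der)
{
	int ret;
	gnutls_subject_alt_names_t san;
	gnutls_datum_t name;
	unsigned type;
	unsigned i = 0;

	ret = gnutls_subject_alt_names_init(&san);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return ret;
	}

	ret = gnutls_x509_ext_import_subject_alt_names(der, san, 0);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* entry 0: DNS name */
	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	ret = cmp_name(type, &name, GNUTLS_SAN_DNSNAME, "www.none.org");
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* entry 1: DNS name */
	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	ret = cmp_name(type, &name, GNUTLS_SAN_DNSNAME, "www.morethanone.org");
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* entry 2: DNS name */
	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	ret = cmp_name(type, &name, GNUTLS_SAN_DNSNAME,
		       "www.evenmorethanone.org");
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* entry 3: IP address. Only the type is verified;
	 * NOTE(review): the address octets (192.168.1.1) are not compared. */
	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	if (type != GNUTLS_SAN_IPADDRESS) {
		fprintf(stderr, "error in %d\n", __LINE__);
		/* ret still holds the non-negative result of the lookup, so it
		 * must be replaced or the mismatch would read as success */
		ret = -1;
		goto cleanup;
	}

	/* entry 4: e-mail address */
	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	ret = cmp_name(type, &name, GNUTLS_SAN_RFC822NAME, "none@none.org");
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* entry 5: e-mail address */
	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	ret = cmp_name(type, &name, GNUTLS_SAN_RFC822NAME, "where@none.org");
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* there must be no seventh entry */
	ret = gnutls_subject_alt_names_get(san, i++, &type, &name, NULL);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	ret = 0;

 cleanup:
	gnutls_subject_alt_names_deinit(san);
	return ret;
}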
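/* Checker for the Extended Key Usage (key purpose) extension of the test
 * certificate.
 *
 * The certificate is expected to carry exactly two purposes, in order:
 *   Key Purpose (not critical):
 *     1.3.6.1.5.5.7.3.3 (id-kp-codeSigning)
 *     1.3.6.1.5.5.7.3.9 (id-kp-OCSPSigning)
 *
 * @der: raw DER value of the extension.
 * Returns 0 when both OIDs match, the gnutls error code if decoding fails,
 * or -1 on a mismatch; the failing line (and, for an OID mismatch, the OID
 * actually found) is printed to stderr. The purposes object is released on
 * every return path after init.
 */
static int ext_key_usage(const gnutls_datum_t * der)
{
	int ret;
	gnutls_x509_key_purposes_t p;
	unsigned i = 0;
	gnutls_datum_t oid;

	ret = gnutls_x509_key_purpose_init(&p);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return ret;
	}

	ret = gnutls_x509_ext_import_key_purposes(der, p, 0);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* first purpose: code signing */
	ret = gnutls_x509_key_purpose_get(p, i++, &oid);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	if (strcmp((char *)oid.data, "1.3.6.1.5.5.7.3.3") != 0) {
		fprintf(stderr, "error in %d: %s\n", __LINE__,
			(char *)oid.data);
		ret = -1;
		goto cleanup;
	}

	/* second purpose: OCSP signing */
	ret = gnutls_x509_key_purpose_get(p, i++, &oid);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	if (strcmp((char *)oid.data, "1.3.6.1.5.5.7.3.9") != 0) {
		fprintf(stderr, "error in %d: %s\n", __LINE__,
			(char *)oid.data);
		ret = -1;
		goto cleanup;
	}

	/* there must be no third purpose */
	ret = gnutls_x509_key_purpose_get(p, i++, &oid);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	ret = 0;

 cleanup:
	gnutls_x509_key_purpose_deinit(p);
	return ret;
}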
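/* Checker for the Certificate Policies extension of the test certificate.
 *
 * The certificate is expected to carry exactly two policies, in order:
 *   Certificate Policies (not critical):
 *     1.3.6.1.4.1.5484.1.10.99.1.0
 *       Note: This is a long policy to summarize
 *       URI: http://www.example.com/a-policy-to-read
 *     1.3.6.1.4.1.5484.1.10.99.1.1
 *       Note: This is a short policy
 *       URI: http://www.example.com/another-policy-to-read
 *
 * For each policy the OID, the qualifier count, the qualifier types, the
 * notice length and the URI text are checked.
 * NOTE(review): the notice text itself is compared by length only.
 *
 * @der: raw DER value of the extension.
 * Returns 0 when everything matches, the gnutls error code if decoding
 * fails, or -1 on a mismatch; the failing line is printed to stderr. The
 * policies object is released on every return path after init.
 */
static int crt_policies(const gnutls_datum_t * der)
{
	int ret;
	gnutls_x509_policies_t policies;
	struct gnutls_x509_policy_st policy;
	unsigned i = 0;

	ret = gnutls_x509_policies_init(&policies);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return ret;
	}

	ret = gnutls_x509_ext_import_policies(der, policies, 0);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* first policy */
	ret = gnutls_x509_policies_get(policies, i++, &policy);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	if (strcmp(policy.oid, "1.3.6.1.4.1.5484.1.10.99.1.0") != 0
	    || policy.qualifiers != 2) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* qualifier 0 is the user notice; only its length is checked */
	if (policy.qualifier[0].type != GNUTLS_X509_QUALIFIER_NOTICE ||
	    policy.qualifier[0].size !=
	    strlen("This is a long policy to summarize")) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* qualifier 1 is the CPS URI */
	if (policy.qualifier[1].type != GNUTLS_X509_QUALIFIER_URI ||
	    policy.qualifier[1].size !=
	    strlen("http://www.example.com/a-policy-to-read")
	    || strcmp("http://www.example.com/a-policy-to-read",
		      policy.qualifier[1].data) != 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* second policy */
	ret = gnutls_x509_policies_get(policies, i++, &policy);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	if (strcmp(policy.oid, "1.3.6.1.4.1.5484.1.10.99.1.1") != 0
	    || policy.qualifiers != 2) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	if (policy.qualifier[0].type != GNUTLS_X509_QUALIFIER_NOTICE ||
	    policy.qualifier[0].size != strlen("This is a short policy")) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	if (policy.qualifier[1].type != GNUTLS_X509_QUALIFIER_URI ||
	    policy.qualifier[1].size !=
	    strlen("http://www.example.com/another-policy-to-read")
	    || strcmp("http://www.example.com/another-policy-to-read",
		      policy.qualifier[1].data) != 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* there must be no third policy */
	ret = gnutls_x509_policies_get(policies, i++, &policy);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	ret = 0;

 cleanup:
	gnutls_x509_policies_deinit(policies);
	return ret;
}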
/* Checker for the Key Usage extension of the test certificate.
 *
 * The certificate is expected to carry:
 *   Key Usage (critical):
 *     Certificate signing.
 *     CRL signing.
 * i.e. exactly the bits GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN and
 * nothing else.
 *
 * @der: raw DER value of the extension.
 * Returns 0 when the usage bits match, the gnutls error code if the import
 * fails, or -1 on a mismatch; the failing line is printed to stderr.
 */
static int key_usage(const gnutls_datum_t * der)
{
	const unsigned int expected =
	    GNUTLS_KEY_KEY_CERT_SIGN | GNUTLS_KEY_CRL_SIGN;
	unsigned int bits = 0;
	int rc = gnutls_x509_ext_import_key_usage(der, &bits);

	if (rc < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return rc;
	}

	/* an exact match is required: extra bits are a failure too */
	if (bits != expected) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return -1;
	}

	return 0;
}
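/* Checker for the Subject Key Identifier extension of the test certificate.
 *
 * Expected value:
 *   Subject Key Identifier (not critical):
 *     5d40adf0ce9440958b7e99941d925422ca72365f
 *
 * @der: raw DER value of the extension.
 * Returns 0 on a match, the gnutls error code if decoding fails, or -1 on a
 * mismatch; the failing line is printed to stderr. The identifier buffer
 * allocated by the decoder is released on the match and the mismatch path
 * alike.
 */
static int subject_key_id(const gnutls_datum_t * der)
{
	/* 20 raw bytes; the literal carries a trailing NUL that is not part
	 * of the identifier, hence the "- 1" below */
	static const unsigned char expected_id[] =
	    "\x5d\x40\xad\xf0\xce\x94\x40\x95\x8b\x7e\x99\x94\x1d\x92\x54\x22\xca\x72\x36\x5f";
	const size_t expected_len = sizeof(expected_id) - 1;
	int ret;
	int matches;
	gnutls_datum_t id;

	ret = gnutls_x509_ext_import_subject_key_id(der, &id);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return ret;
	}

	matches = id.size == expected_len &&
	    memcmp(id.data, expected_id, expected_len) == 0;

	/* release the decoder's buffer before deciding the outcome, so the
	 * mismatch path does not leak it */
	gnutls_free(id.data);

	if (!matches) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return -1;
	}

	return 0;
}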
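/* Check that distribution point @idx of @dp is a plain URI (no reason
 * flags) whose text equals @expected_url.
 *
 * Returns 0 on a match, the gnutls error code if the lookup fails, or -1 on
 * a mismatch; the failing line and the point index are printed to stderr.
 */
static int crl_dist_point_check(gnutls_x509_crl_dist_points_t dp,
				unsigned idx, const char *expected_url)
{
	unsigned type;
	unsigned flags;
	gnutls_datum_t url;
	int ret = gnutls_x509_crl_dist_points_get(dp, idx, &type, &url,
						  &flags);

	if (ret < 0) {
		fprintf(stderr, "error in %d (point %u)\n", __LINE__, idx);
		return ret;
	}

	if (type != GNUTLS_SAN_URI || flags != 0 ||
	    strcmp((char *)url.data, expected_url) != 0) {
		fprintf(stderr, "error in %d (point %u)\n", __LINE__, idx);
		return -1;
	}

	return 0;
}

/* Checker for the CRL Distribution Points extension of the test
 * certificate.
 *
 * The certificate is expected to carry exactly three points, in order:
 *   CRL Distribution points (not critical):
 *     URI: http://www.getcrl.crl/getcrl1/
 *     URI: http://www.getcrl.crl/getcrl2/
 *     URI: http://www.getcrl.crl/getcrl3/
 *
 * @der: raw DER value of the extension.
 * Returns 0 when every point matches, the gnutls error code if decoding
 * fails, or -1 on a mismatch; the failing line is printed to stderr. The
 * distribution points object is released on every return path after init.
 */
static int crl_dist_points(const gnutls_datum_t * der)
{
	static const char *const expected_urls[] = {
		"http://www.getcrl.crl/getcrl1/",
		"http://www.getcrl.crl/getcrl2/",
		"http://www.getcrl.crl/getcrl3/",
	};
	const unsigned npoints =
	    (unsigned)(sizeof(expected_urls) / sizeof(expected_urls[0]));
	int ret;
	gnutls_x509_crl_dist_points_t dp = NULL;
	unsigned i;
	unsigned flags;
	gnutls_datum_t url;
	unsigned type;

	ret = gnutls_x509_crl_dist_points_init(&dp);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return ret;
	}

	ret = gnutls_x509_ext_import_crl_dist_points(der, dp, 0);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	for (i = 0; i < npoints; i++) {
		ret = crl_dist_point_check(dp, i, expected_urls[i]);
		if (ret < 0) {
			fprintf(stderr, "error in %d\n", __LINE__);
			goto cleanup;
		}
	}

	/* there must be no fourth point */
	ret = gnutls_x509_crl_dist_points_get(dp, npoints, &type, &url, &flags);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	ret = 0;

 cleanup:
	gnutls_x509_crl_dist_points_deinit(dp);
	return ret;
}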
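/*
 * Returns non-zero when NAME has type EXP_TYPE and its bytes are exactly
 * the string EXP.  The length is checked before the bytes are compared,
 * so the comparison never reads past name->size and does not rely on the
 * datum being NUL-terminated.
 */
static int nc_name_is(unsigned type, const gnutls_datum_t *name,
		      unsigned exp_type, const char *exp)
{
	size_t len = strlen(exp);

	return type == exp_type && name->size == len &&
	       memcmp(name->data, exp, len) == 0;
}

/*
 * Checks the Name Constraints extension of the test certificate.
 *
 * The extension is expected to contain exactly these entries and no
 * others:
 *
 *   Name Constraints (critical):
 *     Permitted:
 *       DNSname: example.com
 *       tRFC822Name: nmav@@example.net
 *     Excluded:
 *       DNSname: test.example.com
 *       tRFC822Name: .example.com
 *
 * @param der  DER encoding of the extension value as handed over by the
 *             extension loop in doit().
 * @return 0 on success, a negative gnutls error code when a library call
 *         fails, or -1 when the parsed contents differ from the expected
 *         values.  The name-constraints object is released on every
 *         return path, including the error ones.
 */
static int name_constraints(const gnutls_datum_t * der)
{
	int ret;
	gnutls_x509_name_constraints_t nc = NULL;
	unsigned i = 0;
	gnutls_datum_t name;
	unsigned type;

	ret = gnutls_x509_name_constraints_init(&nc);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return ret;
	}

	ret = gnutls_x509_ext_import_name_constraints(der, nc, 0);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* Permitted subtrees, in order. */
	ret = gnutls_x509_name_constraints_get_permitted(nc, i++, &type, &name);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	if (!nc_name_is(type, &name, GNUTLS_SAN_DNSNAME, "example.com")) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	ret = gnutls_x509_name_constraints_get_permitted(nc, i++, &type, &name);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	if (!nc_name_is(type, &name, GNUTLS_SAN_RFC822NAME, "nmav@@example.net")) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* No third permitted entry may exist. */
	ret = gnutls_x509_name_constraints_get_permitted(nc, i++, &type, &name);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* Excluded subtrees, in order; the index restarts at zero. */
	i = 0;
	ret = gnutls_x509_name_constraints_get_excluded(nc, i++, &type, &name);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	if (!nc_name_is(type, &name, GNUTLS_SAN_DNSNAME, "test.example.com")) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	ret = gnutls_x509_name_constraints_get_excluded(nc, i++, &type, &name);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}
	if (!nc_name_is(type, &name, GNUTLS_SAN_RFC822NAME, ".example.com")) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* No third excluded entry may exist. */
	ret = gnutls_x509_name_constraints_get_excluded(nc, i++, &type, &name);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	ret = 0;

cleanup:
	gnutls_x509_name_constraints_deinit(nc);
	return ret;
}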
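/*
 * Checks the Authority Information Access extension of the test
 * certificate.  Exactly one access description is expected:
 *
 *   Authority Information Access (not critical):
 *     Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
 *     Access Location URI: http://my.ocsp.server/ocsp
 *
 * @param der  DER encoding of the extension value as handed over by the
 *             extension loop in doit().
 * @return 0 on success, a negative gnutls error code when a library call
 *         fails, or -1 when the parsed contents differ from the expected
 *         values.  The aia object is released on every return path,
 *         including the error ones.
 */
static int ext_aia(const gnutls_datum_t * der)
{
	static const char ocsp_oid[] = "1.3.6.1.5.5.7.48.1";
	static const char ocsp_uri[] = "http://my.ocsp.server/ocsp";
	const size_t ocsp_uri_len = sizeof(ocsp_uri) - 1;
	int ret;
	gnutls_x509_aia_t aia = NULL;
	unsigned i = 0;
	gnutls_datum_t oid;
	gnutls_datum_t name;
	unsigned type;

	ret = gnutls_x509_aia_init(&aia);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		return ret;
	}

	ret = gnutls_x509_ext_import_aia(der, aia, 0);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	ret = gnutls_x509_aia_get(aia, i++, &oid, &type, &name);
	if (ret < 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		goto cleanup;
	}

	/* NOTE(review): the access method OID is compared as a NUL-terminated
	 * string; confirm gnutls_x509_aia_get() guarantees the terminator
	 * before relying on this in new checks. */
	if (strcmp((char *)oid.data, ocsp_oid) != 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* Bounded compare: the length check comes first, so memcmp never
	 * reads past the datum even if it is not NUL-terminated. */
	if (type != GNUTLS_SAN_URI || name.size != ocsp_uri_len ||
	    memcmp(name.data, ocsp_uri, ocsp_uri_len) != 0) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	/* No second access description may be present. */
	ret = gnutls_x509_aia_get(aia, i++, &oid, &type, &name);
	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
		fprintf(stderr, "error in %d\n", __LINE__);
		ret = -1;
		goto cleanup;
	}

	ret = 0;

cleanup:
	gnutls_x509_aia_deinit(aia);
	return ret;
}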
/*
 * Extensions the test certificate is expected to carry: the extension
 * OID, the checker doit() runs on its DER value, and whether the
 * extension must be flagged critical.  The table is terminated by an
 * entry whose oid is NULL.
 */
struct ext_handler_st handlers[] = {
	{ .oid = GNUTLS_X509EXT_OID_BASIC_CONSTRAINTS,
	  .handler = basic_constraints, .critical = 1 },
	{ .oid = GNUTLS_X509EXT_OID_SAN,
	  .handler = subject_alt_name, .critical = 0 },
	{ .oid = GNUTLS_X509EXT_OID_CRT_POLICY,
	  .handler = crt_policies, .critical = 0 },
	{ .oid = GNUTLS_X509EXT_OID_EXTENDED_KEY_USAGE,
	  .handler = ext_key_usage, .critical = 0 },
	{ .oid = GNUTLS_X509EXT_OID_KEY_USAGE,
	  .handler = key_usage, .critical = 1 },
	{ .oid = GNUTLS_X509EXT_OID_SUBJECT_KEY_ID,
	  .handler = subject_key_id, .critical = 0 },
	{ .oid = GNUTLS_X509EXT_OID_CRL_DIST_POINTS,
	  .handler = crl_dist_points, .critical = 0 },
	{ .oid = GNUTLS_X509EXT_OID_NAME_CONSTRAINTS,
	  .handler = name_constraints, .critical = 1 },
	{ .oid = GNUTLS_X509EXT_OID_AUTHORITY_INFO_ACCESS,
	  .handler = ext_aia, .critical = 0 },
	/* sentinel */
	{ .oid = NULL, .handler = NULL }
};
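/* Number of extensions the test certificate carries; this matches the
 * number of entries in handlers[]. */
enum { EXPECTED_EXTENSIONS = 9 };

/*
 * Looks up the handlers[] entry for EXT_OID, verifies that CRITICAL
 * matches the table and runs the entry's checker on EXT.
 *
 * Every mismatch is reported through fail() from utils.h, which the
 * test relies on to terminate the run: no handler registered for the
 * OID, a critical flag that differs from the table, or a checker that
 * returns a negative value.
 */
static void run_ext_handler(const char *ext_oid, unsigned int critical,
			    const gnutls_datum_t *ext)
{
	unsigned j;

	for (j = 0; handlers[j].oid != NULL; j++) {
		int ret;

		if (strcmp(handlers[j].oid, ext_oid) != 0)
			continue;

		if (critical != handlers[j].critical)
			fail("error in %d (%s)\n", __LINE__, ext_oid);

		ret = handlers[j].handler(ext);
		if (ret < 0)
			fail("error in %d (%s): %s\n", __LINE__, ext_oid,
			     gnutls_strerror(ret));
		return;
	}

	fail("could not find handler for extension %s\n", ext_oid);
}

/*
 * Test entry point, called by the harness in utils.h.
 *
 * First checks that a v1 certificate carrying extensions (invalid_cert)
 * is rejected on import.  Then imports the test certificate (pem),
 * walks every extension it carries, checks the critical flag and runs
 * the matching checker from handlers[] on the extension's DER value.
 * The certificate must carry exactly EXPECTED_EXTENSIONS extensions.
 * Any failure is reported through fail(); the code below does not
 * recover if fail() returns.
 */
void doit(void)
{
	int ret;
	gnutls_datum_t derCert = { (void *)pem, sizeof(pem)-1 };
	gnutls_datum_t v1Cert = { (void *)invalid_cert, sizeof(invalid_cert)-1 };
	gnutls_x509_crt_t cert;
	size_t oid_len;
	gnutls_datum_t ext;
	char oid[MAX_DATA_SIZE];
	unsigned int critical = 0;
	unsigned i;

	ret = global_init();
	if (ret < 0)
		fail("init %d\n", ret);

	/* A v1 certificate must not carry extensions: import has to fail. */
	ret = gnutls_x509_crt_init(&cert);
	if (ret < 0)
		fail("crt_init %d\n", ret);

	ret = gnutls_x509_crt_import(cert, &v1Cert, GNUTLS_X509_FMT_PEM);
	if (ret >= 0)
		fail("crt_import of v1 cert with extensions should have failed: %d\n", ret);
	gnutls_x509_crt_deinit(cert);

	/* The real test certificate. */
	ret = gnutls_x509_crt_init(&cert);
	if (ret < 0)
		fail("crt_init %d\n", ret);

	ret = gnutls_x509_crt_import(cert, &derCert, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("crt_import %d\n", ret);

	for (i = 0;; i++) {
		/* oid_len is an in/out parameter; reset it every round. */
		oid_len = sizeof(oid);
		ret = gnutls_x509_crt_get_extension_info(cert, i, oid, &oid_len,
							 &critical);
		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
			/* i is unsigned, so it is printed with %u. */
			if (i != EXPECTED_EXTENSIONS)
				fail("unexpected number of extensions: %u\n", i);
			break;
		}
		if (ret < 0)
			fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));

		ret = gnutls_x509_crt_get_extension_data2(cert, i, &ext);
		if (ret < 0)
			fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));

		/* find the handler for this extension and run it */
		run_ext_handler(oid, critical, &ext);
		gnutls_free(ext.data);
	}

	if (debug)
		success("done\n");

	gnutls_x509_crt_deinit(cert);
	gnutls_global_deinit();
}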
/* The template used to generate the certificate */

/*
# X.509 Certificate options
#
# DN options

# The organization of the subject.
organization = "Koko inc."

# The organizational unit of the subject.
unit = "CA dept."

# The locality of the subject.
# locality =

# The state of the certificate owner.
state = "Attiki"

# The country of the subject. Two letter code.
country = GR

# The common name of the certificate owner.
cn = "Cindy Lauper"

# A user id of the certificate owner.
uid = "clauper"

# This is deprecated and should not be used in new
# certificates.
pkcs9_email = "none@none.org"

# The serial number of the certificate
serial = 7

# In how many days, counting from today, this certificate will expire.
expiration_days = -1

# X.509 v3 extensions

# A dnsname in case of a WWW server.
dns_name = "www.none.org"
dns_name = "www.morethanone.org"

# An IP address in case of a server.
ip_address = "192.168.1.1"

dns_name = "www.evenmorethanone.org"

# An email in case of a person
email = "none@none.org"

# A URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
crl_dist_points = "http://www.getcrl.crl/getcrl1/"
crl_dist_points = "http://www.getcrl.crl/getcrl2/"
crl_dist_points = "http://www.getcrl.crl/getcrl3/"

email = "where@none.org"

# Whether this is a CA certificate or not
ca
path_len = 4

nc_permit_dns = example.com
nc_exclude_dns = test.example.com
nc_permit_email = nmav@@example.net
nc_exclude_email = .example.com

proxy_policy_language = 1.3.6.1.5.5.7.21.1

policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
policy1_txt = "This is a long policy to summarize"
policy1_url = http://www.example.com/a-policy-to-read

policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
policy2_txt = "This is a short policy"
policy2_url = http://www.example.com/another-policy-to-read

ocsp_uri = http://my.ocsp.server/ocsp

# Whether this certificate will be used for a TLS client
#tls_www_client

# Whether this certificate will be used for a TLS server
#tls_www_server

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
signing_key

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
#encryption_key

# Whether this key will be used to sign other certificates.
cert_signing_key

# Whether this key will be used to sign CRLs.
crl_signing_key

# Whether this key will be used to sign code.
code_signing_key

# Whether this key will be used to sign OCSP data.
ocsp_signing_key

# Whether this key will be used for time stamping.
#time_stamping_key

# Whether this key will be used for IPsec IKE operations.
#ipsec_ike_key

*/