openvpn3/openssl_2pki_2x509certinfo_8hpp_source.html

//    OpenVPN -- An application to securely tunnel IP networks

//               over a single port, with support for SSL/TLS-based

//               session authentication and key exchange,

//               packet encryption, packet authentication, and

//               packet compression.

//

//    Copyright (C) 2012- OpenVPN Inc.

//

//    SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception

//

//

//

//  Generic functions for extracting X.509 Certificate info from

//  OpenSSL X509 objects


#pragma once


#include <cstring>

#include <string>

#include <vector>


#include <openssl/ssl.h>

#include <openssl/bio.h>

#include <openssl/x509v3.h>

#include <openssl/x509.h>


#include "openvpn/common/hexstr.hpp"

#include "openvpn/common/uniqueptr.hpp"


namespace openvpn::OpenSSLPKI {


static inline std::string x509_get_subject(::X509 *cert, bool new_format = false)

{

    if (!new_format)

    {

        unique_ptr_del<char> subject(

            X509_NAME_oneline(X509_get_subject_name(cert), nullptr, 0),

            [](char *p)

            { OPENSSL_free(p); });

        if (subject)

            return std::string(subject.get());

        return std::string("");

    }


    unique_ptr_del<BIO> subject_bio(BIO_new(BIO_s_mem()),

                                    [](BIO *p)

                                    { BIO_free(p); });

    if (subject_bio == nullptr)

    {

        return std::string("");

    }


    X509_NAME_print_ex(subject_bio.get(),

                       X509_get_subject_name(cert),

                       0,

                       XN_FLAG_SEP_CPLUS_SPC

                           | XN_FLAG_FN_SN

                           | ASN1_STRFLGS_UTF8_CONVERT

                           | ASN1_STRFLGS_ESC_CTRL);

    if (BIO_eof(subject_bio.get()))

    {

        return std::string("");

    }


    BUF_MEM *subject_mem = nullptr;

    BIO_get_mem_ptr(subject_bio.get(), &subject_mem);

    return std::string(subject_mem->data,

                       subject_mem->data + subject_mem->length);

}


static inline std::string X509_get_pem_encoding(::X509 *cert)

{

    char *data;

    BIO *bio = BIO_new(BIO_s_mem());

    /* Even though PEM_write_bio_X509 should not modify the argument the official API does not have a const argument */

    PEM_write_bio_X509(bio, cert);

    size_t len = BIO_get_mem_data(bio, &data);

    std::string certpem{data, len};

    BIO_free(bio);

    return certpem;

}


static inline std::string x509_get_signature_algorithm(const ::X509 *cert)

{

    int nid = X509_get_signature_nid(cert);

    const char *sig = OBJ_nid2sn(nid);


    if (sig)

    {

        return sig;

    }

    return "(error getting signature algorithm)";

}


static inline std::string x509_get_field(::X509 *cert, const int nid)

{

    static const char nullc = '\0';

    std::string ret;

    X509_NAME *x509_name = X509_get_subject_name(cert);

    int i = X509_NAME_get_index_by_NID(x509_name, nid, -1);

    if (i >= 0)

    {

        X509_NAME_ENTRY *ent = X509_NAME_get_entry(x509_name, i);

        if (ent)

        {

            ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);

            unsigned char *buf;

            buf = (unsigned char *)1; // bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8

                                      // requires this workaround

            const int len = ASN1_STRING_to_UTF8(&buf, val);

            if (len > 0)

            {

                if (std::strlen((char *)buf) == static_cast<unsigned int>(len))

                    ret = (char *)buf;

                OPENSSL_free(buf);

            }

        }

    }

    else

    {

        i = X509_get_ext_by_NID(cert, nid, -1);

        if (i >= 0)

        {

            X509_EXTENSION *ext = X509_get_ext(cert, i);

            if (ext)

            {

                BIO *bio = BIO_new(BIO_s_mem());

                if (bio)

                {

                    if (X509V3_EXT_print(bio, ext, 0, 0))

                    {

                        if (BIO_write(bio, &nullc, 1) == 1)

                        {

                            char *str;

                            const long len = BIO_get_mem_data(bio, &str);

                            if (std::strlen(str) == static_cast<size_t>(len))

                                ret = str;

                        }

                    }

                    BIO_free(bio);

                }

            }

        }

    }

    return ret;

}


static inline std::string x509_get_serial(::X509 *cert)

{

    const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);

    BIGNUM *bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);

    char *openssl_serial = BN_bn2dec(bignum);

    BN_free(bignum);


    if (openssl_serial)

    {

        const std::string ret = openssl_serial;

        OPENSSL_free(openssl_serial);

        return ret;

    }

    return std::string();

}


static inline std::string x509_get_serial_hex(::X509 *cert)

{

    const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);

    return render_hex_sep(asn1_i->data, asn1_i->length, ':', false);

}


static inline std::size_t x509_fingerprint_size()

{

    return EVP_MD_size(EVP_sha256());

}


static inline std::vector<uint8_t> x509_get_fingerprint(const ::X509 *cert)

{

    std::vector<uint8_t> fingerprint;

    fingerprint.resize(x509_fingerprint_size());


    if (::X509_digest(cert, EVP_sha256(), fingerprint.data(), NULL) != 1)

        throw OpenSSLException("OpenSSL error while calling X509_digest()");


    return fingerprint;

}


} // namespace openvpn::OpenSSLPKI

openvpn::OpenSSLException
Definition error.hpp:30

hexstr.hpp

openvpn::OpenSSLPKI
Definition crl.hpp:26

openvpn::OpenSSLPKI::x509_fingerprint_size
static std::size_t x509_fingerprint_size()
Definition x509certinfo.hpp:235

openvpn::OpenSSLPKI::x509_get_serial_hex
static std::string x509_get_serial_hex(::X509 *cert)
Definition x509certinfo.hpp:223

openvpn::OpenSSLPKI::x509_get_field
static std::string x509_get_field(::X509 *cert, const int nid)
Definition x509certinfo.hpp:136

openvpn::OpenSSLPKI::X509_get_pem_encoding
static std::string X509_get_pem_encoding(::X509 *cert)
Definition x509certinfo.hpp:95

openvpn::OpenSSLPKI::x509_get_serial
static std::string x509_get_serial(::X509 *cert)
Definition x509certinfo.hpp:198

openvpn::OpenSSLPKI::x509_get_fingerprint
static std::vector< uint8_t > x509_get_fingerprint(const ::X509 *cert)
Definition x509certinfo.hpp:240

openvpn::OpenSSLPKI::x509_get_subject
static std::string x509_get_subject(::X509 *cert, bool new_format=false)
Definition x509certinfo.hpp:56

openvpn::OpenSSLPKI::x509_get_signature_algorithm
static std::string x509_get_signature_algorithm(const ::X509 *cert)
Definition x509certinfo.hpp:112

openvpn::unique_ptr_del
std::unique_ptr< T, std::function< void(T *)> > unique_ptr_del
Definition uniqueptr.hpp:21

openvpn::render_hex_sep
std::string render_hex_sep(const unsigned char *data, size_t size, const char sep, const bool caps=false)
Definition hexstr.hpp:178

str
os<< "Session Name: "<< tbc-> session_name<< '\n';os<< "Layer: "<< tbc-> layer str()<< '\n'

ret
std::string ret
Definition test_capture.cpp:279

ext
void ext(const std::string &path)
Definition test_path.cpp:24

uniqueptr.hpp