x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract

Use from qssl backend
2024-12-21 23:58:49 -05:00 · 2013-07-15 18:16:13 +02:00 · 2013-07-15 18:16:13 +02:00 · 3a24cb7bc4
commit 3a24cb7bc4
parent e839446c2a
6 changed files with 1319 additions and 17 deletions
--- a/lib/Makefile.inc
+++ b/lib/Makefile.inc
@ -25,7 +25,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\
  http_proxy.c non-ascii.c asyn-ares.c asyn-thread.c curl_gssapi.c	\
  curl_ntlm.c curl_ntlm_wb.c curl_ntlm_core.c curl_ntlm_msgs.c		\
  curl_sasl.c curl_schannel.c curl_multibyte.c curl_darwinssl.c		\
-  hostcheck.c bundles.c conncache.c pipeline.c dotdot.c
+  hostcheck.c bundles.c conncache.c pipeline.c dotdot.c x509asn1.c

 HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\
  progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h	\
@ -44,4 +44,4 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\
  asyn.h curl_ntlm.h curl_gssapi.h curl_ntlm_wb.h curl_ntlm_core.h	\
  curl_ntlm_msgs.h curl_sasl.h curl_schannel.h curl_multibyte.h		\
  curl_darwinssl.h hostcheck.h bundles.h conncache.h curl_setup_once.h	\
-  multihandle.h setup-vms.h pipeline.h dotdot.h
+  multihandle.h setup-vms.h pipeline.h dotdot.h x509asn1.h
--- a/lib/hostcheck.c
+++ b/lib/hostcheck.c
@ -22,8 +22,8 @@

 #include "curl_setup.h"

-#if defined(USE_SSLEAY) || defined(USE_AXTLS)
-/* these two backends use functions from this file */
+#if defined(USE_SSLEAY) || defined(USE_AXTLS) || defined(USE_QSOSSL)
+/* these backends use functions from this file */

 #include "hostcheck.h"
 #include "rawstr.h"
@ -93,4 +93,4 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
  return 0;
 }

-#endif /* SSLEAY or AXTLS */
+#endif /* SSLEAY or AXTLS or QSOSSL */
--- a/lib/qssl.c
+++ b/lib/qssl.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -37,6 +37,7 @@
 #include "sslgen.h"
 #include "connect.h" /* for the connect timeout */
 #include "select.h"
+#include "x509asn1.h"
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
@ -169,10 +170,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
  SSLHandle * h = connssl->handle;
  long timeout_ms;

-  h->exitPgm = NULL;
-
-  if(!data->set.ssl.verifyhost)
-    h->exitPgm = Curl_qsossl_trap_cert;
+  h->exitPgm = data->set.ssl.verifypeer? NULL: Curl_qsossl_trap_cert;

  /* figure out how long time we should wait at maximum */
  timeout_ms = Curl_timeleft(data, NULL, TRUE);
@ -208,6 +206,8 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
    break;
  }

+  h->peerCert = NULL;
+  h->peerCertLen = 0;
  rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT);

  switch (rc) {
@ -238,6 +238,23 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
    return CURLE_SSL_CONNECT_ERROR;
  }

+  /* Verify host. */
+  rc = Curl_verifyhost(conn, h->peerCert, h->peerCert + h->peerCertLen);
+  if(rc != CURLE_OK)
+    return rc;
+
+  /* Gather certificate info. */
+  if(data->set.ssl.certinfo) {
+    if(Curl_ssl_init_certinfo(data, 1))
+      return CURLE_OUT_OF_MEMORY;
+    if(h->peerCert) {
+      rc = Curl_extract_certinfo(conn, 0, h->peerCert,
+                                 h->peerCert + h->peerCertLen);
+      if(rc != CURLE_OK)
+        return rc;
+    }
+  }
+
  return CURLE_OK;
 }

@ -257,19 +274,22 @@ CURLcode Curl_qsossl_connect(struct connectdata * conn, int sockindex)
  if(rc == CURLE_OK) {
    rc = Curl_qsossl_create(conn, sockindex);

-    if(rc == CURLE_OK)
+    if(rc == CURLE_OK) {
      rc = Curl_qsossl_handshake(conn, sockindex);
-    else {
-      SSL_Destroy(connssl->handle);
-      connssl->handle = NULL;
-      connssl->use = FALSE;
-      connssl->state = ssl_connection_none;
+      if(rc != CURLE_OK)
+        SSL_Destroy(connssl->handle);
    }
  }
+
  if(rc == CURLE_OK) {
-    connssl->state = ssl_connection_complete;
    conn->recv[sockindex] = qsossl_recv;
    conn->send[sockindex] = qsossl_send;
+    connssl->state = ssl_connection_complete;
+  }
+  else {
+    connssl->handle = NULL;
+    connssl->use = FALSE;
+    connssl->state = ssl_connection_none;
  }

  return rc;
--- a/lib/url.c
+++ b/lib/url.c
@ -1900,6 +1900,8 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
     */
    data->set.ssl.fsslctxp = va_arg(param, void *);
    break;
+#endif
+#if defined(USE_SSLEAY) || defined(USE_QSOSSL)
  case CURLOPT_CERTINFO:
    data->set.ssl.certinfo = (0 != va_arg(param, long))?TRUE:FALSE;
    break;
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
--- a/lib/x509asn1.h
+++ b/lib/x509asn1.h
@ -0,0 +1,129 @@
+#ifndef HEADER_CURL_X509ASN1_H
+#define HEADER_CURL_X509ASN1_H
+
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at http://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+
+#if defined(USE_QSOSSL)
+
+#include "urldata.h"
+
+/*
+ * Constants.
+ */
+
+/* ASN.1 classes. */
+#define CURL_ASN1_UNIVERSAL             0
+#define CURL_ASN1_APPLICATION           1
+#define CURL_ASN1_CONTEXT_SPECIFIC      2
+#define CURL_ASN1_PRIVATE               3
+
+/* ASN.1 types. */
+#define CURL_ASN1_BOOLEAN               1
+#define CURL_ASN1_INTEGER               2
+#define CURL_ASN1_BIT_STRING            3
+#define CURL_ASN1_OCTET_STRING          4
+#define CURL_ASN1_NULL                  5
+#define CURL_ASN1_OBJECT_IDENTIFIER     6
+#define CURL_ASN1_OBJECT_DESCRIPTOR     7
+#define CURL_ASN1_INSTANCE_OF           8
+#define CURL_ASN1_REAL                  9
+#define CURL_ASN1_ENUMERATED            10
+#define CURL_ASN1_EMBEDDED              11
+#define CURL_ASN1_UTF8_STRING           12
+#define CURL_ASN1_RELATIVE_OID          13
+#define CURL_ASN1_SEQUENCE              16
+#define CURL_ASN1_SET                   17
+#define CURL_ASN1_NUMERIC_STRING        18
+#define CURL_ASN1_PRINTABLE_STRING      19
+#define CURL_ASN1_TELETEX_STRING        20
+#define CURL_ASN1_VIDEOTEX_STRING       21
+#define CURL_ASN1_IA5_STRING            22
+#define CURL_ASN1_UTC_TIME              23
+#define CURL_ASN1_GENERALIZED_TIME      24
+#define CURL_ASN1_GRAPHIC_STRING        25
+#define CURL_ASN1_VISIBLE_STRING        26
+#define CURL_ASN1_GENERAL_STRING        27
+#define CURL_ASN1_UNIVERSAL_STRING      28
+#define CURL_ASN1_CHARACTER_STRING      29
+#define CURL_ASN1_BMP_STRING            30
+
+
+/*
+ * Types.
+ */
+
+/* ASN.1 parsed element. */
+typedef struct {
+  const char *  beg;            /* Pointer to element data. */
+  const char *  end;            /* Pointer to 1st byte after element data. */
+  unsigned char class;          /* ASN.1 element class. */
+  unsigned char tag;            /* ASN.1 element tag. */
+  bool          constructed;    /* Element is constructed. */
+}  curl_asn1Element;
+
+
+/* ASN.1 OID table entry. */
+typedef struct {
+  const char *  numoid;         /* Dotted-numeric OID. */
+  const char *  textoid;        /* OID name. */
+}  curl_OID;
+
+
+/* X509 certificate: RFC 5280. */
+typedef struct {
+  curl_asn1Element      certificate;
+  curl_asn1Element      version;
+  curl_asn1Element      serialNumber;
+  curl_asn1Element      signatureAlgorithm;
+  curl_asn1Element      signature;
+  curl_asn1Element      issuer;
+  curl_asn1Element      notBefore;
+  curl_asn1Element      notAfter;
+  curl_asn1Element      subject;
+  curl_asn1Element      subjectPublicKeyAlgorithm;
+  curl_asn1Element      subjectPublicKey;
+  curl_asn1Element      issuerUniqueID;
+  curl_asn1Element      subjectUniqueID;
+  curl_asn1Element      extensions;
+}  curl_X509certificate;
+
+
+/*
+ * Prototypes.
+ */
+
+const char * Curl_getASN1Element(curl_asn1Element * elem,
+                                 const char * beg, const char * end);
+const char * Curl_ASN1tostr(curl_asn1Element * elem, int type);
+const char * Curl_DNtostr(curl_asn1Element * dn);
+void Curl_parseX509(curl_X509certificate * cert,
+                    const char * beg, const char * end);
+CURLcode Curl_extract_certinfo(struct connectdata * conn, int certnum,
+                               const char * beg, const char * end);
+CURLcode Curl_verifyhost(struct connectdata * conn,
+                         const char * beg, const char * end);
+
+#endif /* USE_QSOSSL */
+#endif /* HEADER_CURL_X509ASN1_H */