[exim.git] / src / src / tlscert-openssl.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) Jeremy Harris 2014 */

/* This module provides TLS (aka SSL) support for Exim using the OpenSSL
library. It is #included into the tls.c file when that library is used.
*/


/* Heading stuff */

#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>


/*****************************************************
*  Export/import a certificate, binary/printable
*****************************************************/
int
tls_export_cert(uschar * buf, size_t buflen, void * cert)
{
BIO * bp = BIO_new(BIO_s_mem());
int fail;

if ((fail = PEM_write_bio_X509(bp, (X509 *)cert) ? 0 : 1))
  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
    ERR_error_string(ERR_get_error(), NULL));
else
  {
  char * cp = CS buf;
  int n;
  buflen -= 2;
  for(;;)
    {
    if ((n = BIO_gets(bp, cp, (int)buflen)) <= 0) break;
    cp += n+1;
    buflen -= n+1;
    cp[-2] = '\\'; cp[-1] = 'n'; /* newline->"\n" */
    }				 /* compat with string_printing() */
  *cp = '\0';
  }

BIO_free(bp);
return fail;
}

int
tls_import_cert(const uschar * buf, void ** cert)
{
void * reset_point = store_get(0);
const uschar * cp = string_unprinting(US buf);
BIO * bp;
X509 * x;

bp = BIO_new_mem_buf(US cp, -1);
x = PEM_read_bio_X509(bp, NULL, 0, NULL);
int fail = 0;
if (!x)
  fail = 1;
else
  *cert = (void *)x;
BIO_free(bp);
store_reset(reset_point);
return fail;
}

void
tls_free_cert(void * cert)
{
X509_free((X509 *)cert);
}

/*****************************************************
*  Certificate field extraction routines
*****************************************************/
static uschar *
bio_string_copy(BIO * bp, int len)
{
uschar * cp = "";
len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0;
cp = string_copyn(cp, len);
BIO_free(bp);
return cp;
}

static uschar *
asn1_time_copy(const ASN1_TIME * time)
{
BIO * bp = BIO_new(BIO_s_mem());
int len = ASN1_TIME_print(bp, time);
return bio_string_copy(bp, len);
}

static uschar *
x509_name_copy(X509_NAME * name)
{
BIO * bp = BIO_new(BIO_s_mem());
int len_good =
  X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0
  ? 1 : 0;
return bio_string_copy(bp, len_good);
}

/**/

uschar *
tls_cert_issuer(void * cert)
{
return x509_name_copy(X509_get_issuer_name((X509 *)cert));
}

uschar *
tls_cert_not_before(void * cert)
{
return asn1_time_copy(X509_get_notBefore((X509 *)cert));
}

uschar *
tls_cert_not_after(void * cert)
{
return asn1_time_copy(X509_get_notAfter((X509 *)cert));
}

uschar *
tls_cert_serial_number(void * cert)
{
uschar txt[256];
BIO * bp = BIO_new(BIO_s_mem());
int len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));

if (len < sizeof(txt))
  BIO_read(bp, txt, len);
else
  len = 0;
BIO_free(bp);
return string_copynlc(txt, len);	/* lowercase */
}

uschar *
tls_cert_signature(void * cert)
{
BIO * bp = BIO_new(BIO_s_mem());
uschar * cp = NULL;

if (X509_print_ex(bp, (X509 *)cert, 0,
  X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL | 
  X509_FLAG_NO_SIGNAME | X509_FLAG_NO_ISSUER | X509_FLAG_NO_VALIDITY | 
  X509_FLAG_NO_SUBJECT | X509_FLAG_NO_PUBKEY | X509_FLAG_NO_EXTENSIONS | 
  /* X509_FLAG_NO_SIGDUMP is the missing one */
  X509_FLAG_NO_AUX) == 1)
  {
  long len = BIO_get_mem_data(bp, &cp);
  cp = string_copyn(cp, len);
  }
BIO_free(bp);
return cp;
}

uschar *
tls_cert_signature_algorithm(void * cert)
{
return string_copy(OBJ_nid2ln(X509_get_signature_type((X509 *)cert)));
}

uschar *
tls_cert_subject(void * cert)
{
return x509_name_copy(X509_get_subject_name((X509 *)cert));
}

uschar *
tls_cert_version(void * cert)
{
return string_sprintf("%d", X509_get_version((X509 *)cert));
}

uschar *
tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
{
int nid = OBJ_create(oid, "", "");
int nidx = X509_get_ext_by_NID((X509 *)cert, nid, idx);
X509_EXTENSION * ex = X509_get_ext((X509 *)cert, nidx);
ASN1_OCTET_STRING * adata = X509_EXTENSION_get_data(ex);
BIO * bp = BIO_new(BIO_s_mem());
long len;
uschar * cp1;
uschar * cp2;
uschar * cp3;

M_ASN1_OCTET_STRING_print(bp, adata);
/* binary data, DER encoded */

/* just dump for now */
len = BIO_get_mem_data(bp, &cp1);
cp3 = cp2 = store_get(len*3+1);

while(len)
  {
  sprintf(cp2, "%.2x ", *cp1++);
  cp2 += 3;
  len--;
  }
cp2[-1] = '\0';

return cp3;
}

uschar *
tls_cert_subject_altname(void * cert)
{
uschar * cp;
STACK_OF(GENERAL_NAME) * san = (STACK_OF(GENERAL_NAME) *)
  X509_get_ext_d2i((X509 *)cert, NID_subject_alt_name, NULL, NULL);

if (!san) return NULL;

while (sk_GENERAL_NAME_num(san) > 0)
  {
  GENERAL_NAME * namePart = sk_GENERAL_NAME_pop(san);
  switch (namePart->type)
    {
    case GEN_URI:
      cp = string_sprintf("URI=%s",
	    ASN1_STRING_data(namePart->d.uniformResourceIdentifier));
      return cp;
    case GEN_EMAIL:
      cp = string_sprintf("email=%s",
	    ASN1_STRING_data(namePart->d.rfc822Name));
      return cp;
    default:
      cp = string_sprintf("Unrecognisable");
      return cp;
    }
  }

/* sk_GENERAL_NAME_pop_free(gen_names, GENERAL_NAME_free);  ??? */
return cp;
}

uschar *
tls_cert_ocsp_uri(void * cert)
{
STACK_OF(ACCESS_DESCRIPTION) * ads = (STACK_OF(ACCESS_DESCRIPTION) *)
  X509_get_ext_d2i((X509 *)cert, NID_info_access, NULL, NULL);
int adsnum = sk_ACCESS_DESCRIPTION_num(ads);
int i;

for (i = 0; i < adsnum; i++)
  {
  ACCESS_DESCRIPTION * ad = sk_ACCESS_DESCRIPTION_value(ads, i);

  if (ad && OBJ_obj2nid(ad->method) == NID_ad_OCSP)
    return string_copy( ASN1_STRING_data(ad->location->d.ia5) );
  }

return NULL;
}

uschar *
tls_cert_crl_uri(void * cert)
{
STACK_OF(DIST_POINT) * dps = (STACK_OF(DIST_POINT) *)
  X509_get_ext_d2i((X509 *)cert,  NID_crl_distribution_points,
    NULL, NULL);
DIST_POINT * dp;
int dpsnum = sk_DIST_POINT_num(dps);
int i;

if (dps) for (i = 0; i < dpsnum; i++)
  if ((dp = sk_DIST_POINT_value(dps, i)))
    {
    STACK_OF(GENERAL_NAME) * names = dp->distpoint->name.fullname;
    GENERAL_NAME * np;
    int nnum = sk_GENERAL_NAME_num(names);
    int j;

    for (j = 0; j < nnum; j++)
      if (  (np = sk_GENERAL_NAME_value(names, j))
	 && np->type == GEN_URI
	 )
	return string_copy(ASN1_STRING_data(
	  np->d.uniformResourceIdentifier));
    }
return NULL;
}

/* vi: aw ai sw=2
*/
/* End of tlscert-openssl.c */
Commit	Line	Data
9d1c15ef JH	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* Copyright (c) Jeremy Harris 2014 */
	6
	7	/* This module provides TLS (aka SSL) support for Exim using the OpenSSL
	8	library. It is #included into the tls.c file when that library is used.
	9	*/
	10
	11
	12	/* Heading stuff */
	13
	14	#include <openssl/lhash.h>
	15	#include <openssl/ssl.h>
	16	#include <openssl/err.h>
	17	#include <openssl/rand.h>
	18
	19
	20	/*****************************************************
	21	* Export/import a certificate, binary/printable
	22	*****************************************************/
	23	int
	24	tls_export_cert(uschar * buf, size_t buflen, void * cert)
	25	{
	26	BIO * bp = BIO_new(BIO_s_mem());
	27	int fail;
	28
	29	if ((fail = PEM_write_bio_X509(bp, (X509 *)cert) ? 0 : 1))
	30	log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
	31	ERR_error_string(ERR_get_error(), NULL));
	32	else
	33	{
	34	char * cp = CS buf;
	35	int n;
	36	buflen -= 2;
	37	for(;;)
	38	{
	39	if ((n = BIO_gets(bp, cp, (int)buflen)) <= 0) break;
	40	cp += n+1;
	41	buflen -= n+1;
	42	cp[-2] = '\\'; cp[-1] = 'n'; /* newline->"\n" */
	43	} /* compat with string_printing() */
	44	*cp = '\0';
	45	}
	46
	47	BIO_free(bp);
	48	return fail;
	49	}
	50
	51	int
	52	tls_import_cert(const uschar * buf, void ** cert)
	53	{
	54	void * reset_point = store_get(0);
	55	const uschar * cp = string_unprinting(US buf);
	56	BIO * bp;
	57	X509 * x;
	58
	59	bp = BIO_new_mem_buf(US cp, -1);
	60	x = PEM_read_bio_X509(bp, NULL, 0, NULL);
	61	int fail = 0;
	62	if (!x)
	63	fail = 1;
	64	else
65	cert = (void )x;
66	BIO_free(bp);
67	store_reset(reset_point);
68	return fail;
69	}
70
71	void
72	tls_free_cert(void * cert)
73	{
74	X509_free((X509 *)cert);
75	}
76
77	/*****************************************************
78	* Certificate field extraction routines
79	*****************************************************/
80	static uschar *
81	bio_string_copy(BIO * bp, int len)
82	{
83	uschar * cp = "";
84	len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0;
85	cp = string_copyn(cp, len);
86	BIO_free(bp);
87	return cp;
88	}
89
90	static uschar *
91	asn1_time_copy(const ASN1_TIME * time)
92	{
93	BIO * bp = BIO_new(BIO_s_mem());
94	int len = ASN1_TIME_print(bp, time);
95	return bio_string_copy(bp, len);
96	}
97
98	static uschar *
99	x509_name_copy(X509_NAME * name)
100	{
101	BIO * bp = BIO_new(BIO_s_mem());
102	int len_good =
103	X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0
104	? 1 : 0;
105	return bio_string_copy(bp, len_good);
106	}
107
108	/**/
109
110	uschar *
111	tls_cert_issuer(void * cert)
112	{
113	return x509_name_copy(X509_get_issuer_name((X509 *)cert));
114	}
115
116	uschar *
117	tls_cert_not_before(void * cert)
118	{
119	return asn1_time_copy(X509_get_notBefore((X509 *)cert));
120	}
121
122	uschar *
123	tls_cert_not_after(void * cert)
124	{
125	return asn1_time_copy(X509_get_notAfter((X509 *)cert));
126	}
127
128	uschar *
129	tls_cert_serial_number(void * cert)
130	{
131	uschar txt[256];
132	BIO * bp = BIO_new(BIO_s_mem());
133	int len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
134
135	if (len < sizeof(txt))
136	BIO_read(bp, txt, len);
137	else
138	len = 0;
139	BIO_free(bp);
140	return string_copynlc(txt, len); /* lowercase */
141	}
142
143	uschar *
144	tls_cert_signature(void * cert)
145	{
146	BIO * bp = BIO_new(BIO_s_mem());
147	uschar * cp = NULL;
148
149	if (X509_print_ex(bp, (X509 *)cert, 0,
150	X509_FLAG_NO_HEADER \| X509_FLAG_NO_VERSION \| X509_FLAG_NO_SERIAL \|
151	X509_FLAG_NO_SIGNAME \| X509_FLAG_NO_ISSUER \| X509_FLAG_NO_VALIDITY \|
152	X509_FLAG_NO_SUBJECT \| X509_FLAG_NO_PUBKEY \| X509_FLAG_NO_EXTENSIONS \|
153	/* X509_FLAG_NO_SIGDUMP is the missing one */
154	X509_FLAG_NO_AUX) == 1)
155	{
156	long len = BIO_get_mem_data(bp, &cp);
157	cp = string_copyn(cp, len);
158	}
159	BIO_free(bp);
160	return cp;
161	}
162
163	uschar *
164	tls_cert_signature_algorithm(void * cert)
165	{
166	return string_copy(OBJ_nid2ln(X509_get_signature_type((X509 *)cert)));
167	}
168
169	uschar *
170	tls_cert_subject(void * cert)
171	{
172	return x509_name_copy(X509_get_subject_name((X509 *)cert));
173	}
174
175	uschar *
176	tls_cert_version(void * cert)
177	{
178	return string_sprintf("%d", X509_get_version((X509 *)cert));
179	}
180
181	uschar *
182	tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
183	{
184	int nid = OBJ_create(oid, "", "");
185	int nidx = X509_get_ext_by_NID((X509 *)cert, nid, idx);
186	X509_EXTENSION * ex = X509_get_ext((X509 *)cert, nidx);
187	ASN1_OCTET_STRING * adata = X509_EXTENSION_get_data(ex);
188	BIO * bp = BIO_new(BIO_s_mem());
189	long len;
190	uschar * cp1;
191	uschar * cp2;
192	uschar * cp3;
193
194	M_ASN1_OCTET_STRING_print(bp, adata);
195	/* binary data, DER encoded */
196
197	/* just dump for now */
198	len = BIO_get_mem_data(bp, &cp1);
199	cp3 = cp2 = store_get(len*3+1);
200
201	while(len)
202	{
203	sprintf(cp2, "%.2x ", *cp1++);
204	cp2 += 3;
205	len--;
206	}
207	cp2[-1] = '\0';
208
209	return cp3;
210	}
211
212	uschar *
213	tls_cert_subject_altname(void * cert)
214	{
215	uschar * cp;
216	STACK_OF(GENERAL_NAME) * san = (STACK_OF(GENERAL_NAME) *)
217	X509_get_ext_d2i((X509 *)cert, NID_subject_alt_name, NULL, NULL);
218
219	if (!san) return NULL;
220
221	while (sk_GENERAL_NAME_num(san) > 0)
222	{
223	GENERAL_NAME * namePart = sk_GENERAL_NAME_pop(san);
224	switch (namePart->type)
225	{
226	case GEN_URI:
227	cp = string_sprintf("URI=%s",
228	ASN1_STRING_data(namePart->d.uniformResourceIdentifier));
229	return cp;
230	case GEN_EMAIL:
231	cp = string_sprintf("email=%s",
232	ASN1_STRING_data(namePart->d.rfc822Name));
233	return cp;
234	default:
235	cp = string_sprintf("Unrecognisable");
236	return cp;
237	}
238	}
239
240	/* sk_GENERAL_NAME_pop_free(gen_names, GENERAL_NAME_free); ??? */
241	return cp;
242	}
243
244	uschar *
245	tls_cert_ocsp_uri(void * cert)
246	{
247	STACK_OF(ACCESS_DESCRIPTION) * ads = (STACK_OF(ACCESS_DESCRIPTION) *)
248	X509_get_ext_d2i((X509 *)cert, NID_info_access, NULL, NULL);
249	int adsnum = sk_ACCESS_DESCRIPTION_num(ads);
250	int i;
251
252	for (i = 0; i < adsnum; i++)
253	{
254	ACCESS_DESCRIPTION * ad = sk_ACCESS_DESCRIPTION_value(ads, i);
255
256	if (ad && OBJ_obj2nid(ad->method) == NID_ad_OCSP)
257	return string_copy( ASN1_STRING_data(ad->location->d.ia5) );
258	}
259
260	return NULL;
261	}
262
263	uschar *
264	tls_cert_crl_uri(void * cert)
265	{
266	STACK_OF(DIST_POINT) * dps = (STACK_OF(DIST_POINT) *)
267	X509_get_ext_d2i((X509 *)cert, NID_crl_distribution_points,
268	NULL, NULL);
269	DIST_POINT * dp;
270	int dpsnum = sk_DIST_POINT_num(dps);
271	int i;
272
273	if (dps) for (i = 0; i < dpsnum; i++)
274	if ((dp = sk_DIST_POINT_value(dps, i)))
275	{
276	STACK_OF(GENERAL_NAME) * names = dp->distpoint->name.fullname;
277	GENERAL_NAME * np;
278	int nnum = sk_GENERAL_NAME_num(names);
279	int j;
280
281	for (j = 0; j < nnum; j++)
282	if ( (np = sk_GENERAL_NAME_value(names, j))
283	&& np->type == GEN_URI
284	)
285	return string_copy(ASN1_STRING_data(
286	np->d.uniformResourceIdentifier));
287	}
288	return NULL;
289	}
290
291	/* vi: aw ai sw=2
292	*/
293	/* End of tlscert-openssl.c */