Artifact 2e798742d932bb20fc4aabbdba45447b0d392cb08eb9136f5a4823f9f554370a:
- File
src/X509Certificate.m
— part of check-in
[071d74e840]
at
2015-05-24 19:33:09
on branch trunk
— Conform to OFTLSSocket
This also introduces automatic certificate verification and enables it
by default, as required by OFTLSSocket.There are still TODOs until OFTLSSocket is fully implemented. (user: js, size: 11596) [annotate] [blame] [check-ins using]
/* * Copyright (c) 2011, Florian Zeitz <florob@babelmonkeys.de> * Copyright (c) 2011, 2013, Jonathan Schleifer <js@webkeks.org> * * https://webkeks.org/git/?p=objopenssl.git * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice is present in all copies. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ #if defined(__clang__) # pragma clang diagnostic push # pragma clang diagnostic ignored "-Wdocumentation" #endif #include <openssl/crypto.h> #include <openssl/x509v3.h> #if defined(__clang__) # pragma clang diagnostic pop #endif #import "X509Certificate.h" #import <ObjFW/OFAutoreleasePool.h> #import <ObjFW/OFArray.h> #import <ObjFW/OFDataArray.h> #import <ObjFW/OFDictionary.h> #import <ObjFW/OFFile.h> #import <ObjFW/OFInitializationFailedException.h> #import <ObjFW/OFInvalidEncodingException.h> #import <ObjFW/OFList.h> #import <ObjFW/OFMutableDictionary.h> #import <ObjFW/OFString.h> #import <ObjFW/macros.h> @implementation X509Certificate - initWithFile: (OFString*)path { self = [self init]; @try { OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; OFDataArray *data = [OFDataArray dataArrayWithContentsOfFile: path]; const unsigned char *dataCArray = [data items]; _certificate = d2i_X509(NULL, &dataCArray, [data count]); if (_certificate == NULL) @throw [OFInitializationFailedException exceptionWithClass: [self class]]; [pool release]; } @catch (id e) { [self release]; @throw e; } return self; } - initWithX509Struct: (X509*)certificate { self = [self init]; @try { _certificate = X509_dup(certificate); if (_certificate == NULL) @throw [OFInitializationFailedException exceptionWithClass: [self class]]; } @catch (id e) { [self release]; @throw e; } return self; } - (void)dealloc { [_issuer release]; [_subject release]; [_subjectAlternativeName release]; if (_certificate != NULL) X509_free(_certificate); [super dealloc]; } - (OFString*)description { OFMutableString *ret = [OFMutableString string]; [ret appendFormat: @"Issuer: %@\n\n", [self issuer]]; [ret appendFormat: @"Subject: %@\n\n", [self subject]]; [ret appendFormat: @"SANs: %@", [self subjectAlternativeName]]; [ret makeImmutable]; return ret; } - (OFDictionary*)issuer { X509_NAME *name; if (_issuer != nil) return [[_issuer copy] autorelease]; name = X509_get_issuer_name(_certificate); _issuer = [[self X509_dictionaryFromX509Name: name] retain]; return _issuer; } - (OFDictionary*)subject { X509_NAME *name; if (_subject != nil) return [[_subject copy] autorelease]; name = X509_get_subject_name(_certificate); _subject = [[self X509_dictionaryFromX509Name: name] retain]; return _subject; } - (OFDictionary*)subjectAlternativeName { OFAutoreleasePool *pool; OFMutableDictionary *ret; int i; if (_subjectAlternativeName != nil) return [[_subjectAlternativeName copy] autorelease]; ret = [OFMutableDictionary dictionary]; pool = [[OFAutoreleasePool alloc] init]; i = -1; while ((i = X509_get_ext_by_NID(_certificate, NID_subject_alt_name, i)) != -1) { X509_EXTENSION *extension; STACK_OF(GENERAL_NAME) *values; int j, count; if ((extension = X509_get_ext(_certificate, i)) == NULL) break; if ((values = X509V3_EXT_d2i(extension)) == NULL) break; count = sk_GENERAL_NAME_num(values); for (j = 0; j < count; j++) { GENERAL_NAME *generalName; OFList *list; generalName = sk_GENERAL_NAME_value(values, j); switch(generalName->type) { case GEN_OTHERNAME:; OTHERNAME *otherName = generalName->d.otherName; OFMutableDictionary *types; X509OID *key; types = [ret objectForKey: @"otherName"]; if (types == nil) { types = [OFMutableDictionary dictionary]; [ret setObject: types forKey: @"otherName"]; } key = [self X509_stringFromASN1Object: otherName->type_id]; list = [types objectForKey: key]; if (list == nil) { list = [OFList list]; [types setObject: list forKey: key]; } [list appendObject: [self X509_stringFromASN1String: otherName->value->value.asn1_string]]; break; case GEN_EMAIL: list = [ret objectForKey: @"rfc822Name"]; if (list == nil) { list = [OFList list]; [ret setObject: list forKey: @"rfc822Name"]; } [list appendObject: [self X509_stringFromASN1String: generalName->d.rfc822Name]]; break; case GEN_DNS: list = [ret objectForKey: @"dNSName"]; if (list == nil) { list = [OFList list]; [ret setObject: list forKey: @"dNSName"]; } [list appendObject: [self X509_stringFromASN1String: generalName->d.dNSName]]; break; case GEN_URI: list = [ret objectForKey: @"uniformResourceIdentifier"]; if (list == nil) { list = [OFList list]; [ret setObject: list forKey: @"uniformResource" @"Identifier"]; } [list appendObject: [self X509_stringFromASN1String: generalName->d.uniformResourceIdentifier]]; break; case GEN_IPADD: list = [ret objectForKey: @"iPAddress"]; if (list == nil) { list = [OFList list]; [ret setObject: list forKey: @"iPAddress"]; } [list appendObject: [self X509_stringFromASN1String: generalName->d.iPAddress]]; break; default: break; } } i++; /* Next extension */ [pool releaseObjects]; } [pool release]; [ret makeImmutable]; _subjectAlternativeName = [ret retain]; return ret; } - (bool)hasCommonNameMatchingDomain: (OFString*)domain { OFString *name; OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; OFList *CNs = [[self subject] objectForKey: OID_commonName]; OFEnumerator *enumerator = [CNs objectEnumerator]; while ((name = [enumerator nextObject]) != nil) { if ([self X509_isAssertedDomain: name equalDomain: domain]) { [pool release]; return true; } } [pool release]; return false; } - (bool)hasDNSNameMatchingDomain: (OFString*)domain { OFString *name; OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; OFDictionary *SANs = [self subjectAlternativeName]; OFList *assertedNames = [SANs objectForKey: @"dNSName"]; OFEnumerator *enumerator = [assertedNames objectEnumerator]; while ((name = [enumerator nextObject]) != nil) { if ([self X509_isAssertedDomain: name equalDomain: domain]) { [pool release]; return true; } } [pool release]; return false; } - (bool)hasSRVNameMatchingDomain: (OFString*)domain service: (OFString*)service { size_t serviceLength; OFString *name; OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; OFDictionary *SANs = [self subjectAlternativeName]; OFList *assertedNames = [[SANs objectForKey: @"otherName"] objectForKey: OID_SRVName]; OFEnumerator *enumerator = [assertedNames objectEnumerator]; if (![service hasPrefix: @"_"]) service = [service stringByPrependingString: @"_"]; service = [service stringByAppendingString: @"."]; serviceLength = [service length]; while ((name = [enumerator nextObject]) != nil) { if ([name hasPrefix: service]) { OFString *asserted; asserted = [name substringWithRange: of_range( serviceLength, [name length] - serviceLength)]; if ([self X509_isAssertedDomain: asserted equalDomain: domain]) { [pool release]; return true; } } } [pool release]; return false; } - (bool)X509_isAssertedDomain: (OFString*)asserted equalDomain: (OFString*)domain { /* * In accordance with RFC 6125 this only allows a wildcard as the * left-most label and matches only the left-most label with it. * E.g. *.example.com matches foo.example.com, * but not foo.bar.example.com */ size_t firstDot; if ([asserted caseInsensitiveCompare: domain] == OF_ORDERED_SAME) return true; if (![asserted hasPrefix: @"*."]) return false; asserted = [asserted substringWithRange: of_range(2, [asserted length] - 2)]; firstDot = [domain rangeOfString: @"."].location; if (firstDot == OF_NOT_FOUND) return false; domain = [domain substringWithRange: of_range(firstDot + 1, [domain length] - firstDot - 1)]; if (![asserted caseInsensitiveCompare: domain]) return true; return false; } - (OFDictionary*)X509_dictionaryFromX509Name: (X509_NAME*)name { OFMutableDictionary *dict = [OFMutableDictionary dictionary]; OFAutoreleasePool *pool = [[OFAutoreleasePool alloc] init]; int i, count = X509_NAME_entry_count(name); for (i = 0; i < count; i++) { X509OID *key; OFString *value; X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i); ASN1_OBJECT *obj = X509_NAME_ENTRY_get_object(entry); ASN1_STRING *str = X509_NAME_ENTRY_get_data(entry); key = [self X509_stringFromASN1Object: obj]; if ([dict objectForKey: key] == nil) [dict setObject: [OFList list] forKey: key]; value = [self X509_stringFromASN1String: str]; [[dict objectForKey: key] appendObject: value]; [pool releaseObjects]; } [pool release]; [dict makeImmutable]; return dict; } - (X509OID*)X509_stringFromASN1Object: (ASN1_OBJECT*)object { X509OID *ret; int length, bufferLength = 256; char *buffer = [self allocMemoryWithSize: bufferLength]; @try { while ((length = OBJ_obj2txt(buffer, bufferLength, object, 1)) > bufferLength) { bufferLength = length; buffer = [self resizeMemory: buffer size: bufferLength]; } ret = [[[X509OID alloc] initWithUTF8String: buffer] autorelease]; } @finally { [self freeMemory: buffer]; } return ret; } - (OFString*)X509_stringFromASN1String: (ASN1_STRING*)str { OFString *ret; char *buffer; if (ASN1_STRING_to_UTF8((unsigned char**)&buffer, str) < 0) @throw [OFInvalidEncodingException exception]; @try { ret = [OFString stringWithUTF8String: buffer]; } @finally { OPENSSL_free(buffer); } return ret; } @end @implementation X509OID - initWithUTF8String: (const char*)string { self = [self init]; @try { _string = [[OFString alloc] initWithUTF8String: string]; } @catch (id e) { [self release]; @throw e; } return self; } - (void)dealloc { [_string release]; [super dealloc]; } - (OFString*)description { char tmp[1024]; OBJ_obj2txt(tmp, sizeof(tmp), OBJ_txt2obj([_string UTF8String], 1), 0); return [OFString stringWithUTF8String: tmp]; } - (bool)isEqual: (id)object { if ([object isKindOfClass: [X509OID class]]) { X509OID *OID = object; return [OID->_string isEqual: _string]; } if ([object isKindOfClass: [OFString class]]) return [_string isEqual: object]; return false; } - (uint32_t)hash { return [_string hash]; } - copy { return [self retain]; } @end