You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1190 lines
26 KiB
1190 lines
26 KiB
/*
|
|
* Copyright 2020 Vincent Sanders <vince@netsurf-browser.org>
|
|
*
|
|
* This file is part of NetSurf.
|
|
*
|
|
* NetSurf is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; version 2 of the License.
|
|
*
|
|
* NetSurf is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
* content generator for the about scheme certificate page
|
|
*/
|
|
|
|
#include <stdbool.h>
|
|
#include <stdlib.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
#include "utils/errors.h"
|
|
#include "utils/log.h"
|
|
#include "utils/messages.h"
|
|
#include "netsurf/inttypes.h"
|
|
#include "netsurf/ssl_certs.h"
|
|
|
|
#include "private.h"
|
|
#include "certificate.h"
|
|
|
|
/**
|
|
* certificate name parameters
|
|
*/
|
|
struct ns_cert_name {
|
|
char *common_name;
|
|
char *organisation;
|
|
char *organisation_unit;
|
|
char *locality;
|
|
char *province;
|
|
char *country;
|
|
};
|
|
|
|
/**
|
|
* Certificate public key parameters
|
|
*/
|
|
struct ns_cert_pkey {
|
|
char *algor;
|
|
int size;
|
|
char *modulus;
|
|
char *exponent;
|
|
char *curve;
|
|
char *public;
|
|
};
|
|
|
|
/**
|
|
* Certificate subject alternative name
|
|
*/
|
|
struct ns_cert_san {
|
|
struct ns_cert_san *next;
|
|
char *name;
|
|
};
|
|
|
|
/**
|
|
* certificate information for certificate chain
|
|
*/
|
|
struct ns_cert_info {
|
|
struct ns_cert_name subject_name; /**< Subject details */
|
|
struct ns_cert_name issuer_name; /**< Issuer details */
|
|
struct ns_cert_pkey public_key; /**< public key details */
|
|
long version; /**< Certificate version */
|
|
char *not_before; /**< Valid from date */
|
|
char *not_after; /**< Valid to date */
|
|
int sig_type; /**< Signature type */
|
|
char *sig_algor; /**< Signature Algorithm */
|
|
char *serialnum; /**< Serial number */
|
|
char *sha1fingerprint; /**< fingerprint shar1 encoded */
|
|
char *sha256fingerprint; /**< fingerprint shar256 encoded */
|
|
struct ns_cert_san *san; /**< subject alternative names */
|
|
ssl_cert_err err; /**< Whatever is wrong with this certificate */
|
|
};
|
|
|
|
/**
|
|
* free all resources associated with a certificate information structure
|
|
*/
|
|
static nserror free_ns_cert_info(struct ns_cert_info *cinfo)
|
|
{
|
|
struct ns_cert_san *san;
|
|
|
|
free(cinfo->subject_name.common_name);
|
|
free(cinfo->subject_name.organisation);
|
|
free(cinfo->subject_name.organisation_unit);
|
|
free(cinfo->subject_name.locality);
|
|
free(cinfo->subject_name.province);
|
|
free(cinfo->subject_name.country);
|
|
free(cinfo->issuer_name.common_name);
|
|
free(cinfo->issuer_name.organisation);
|
|
free(cinfo->issuer_name.organisation_unit);
|
|
free(cinfo->issuer_name.locality);
|
|
free(cinfo->issuer_name.province);
|
|
free(cinfo->issuer_name.country);
|
|
free(cinfo->public_key.algor);
|
|
free(cinfo->public_key.modulus);
|
|
free(cinfo->public_key.exponent);
|
|
free(cinfo->public_key.curve);
|
|
free(cinfo->public_key.public);
|
|
free(cinfo->not_before);
|
|
free(cinfo->not_after);
|
|
free(cinfo->sig_algor);
|
|
free(cinfo->serialnum);
|
|
|
|
/* free san list avoiding use after free */
|
|
san = cinfo->san;
|
|
while (san != NULL) {
|
|
struct ns_cert_san *next;
|
|
next = san->next;
|
|
free(san);
|
|
san = next;
|
|
}
|
|
|
|
free(cinfo);
|
|
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
#ifdef WITH_OPENSSL
|
|
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/x509v3.h>
|
|
|
|
/* OpenSSL 1.0.x, 1.0.2, 1.1.0 and 1.1.1 API all changed
|
|
* LibreSSL declares its OpenSSL version as 2.1 but only supports 1.0.x API
|
|
*/
|
|
#if (defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x1010000fL))
|
|
/* 1.0.x */
|
|
|
|
#if (defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x1000200fL))
|
|
/* pre 1.0.2 */
|
|
static int ns_X509_get_signature_nid(X509 *cert)
|
|
{
|
|
return OBJ_obj2nid(cert->cert_info->key->algor->algorithm);
|
|
}
|
|
#else
|
|
#define ns_X509_get_signature_nid X509_get_signature_nid
|
|
#endif
|
|
|
|
static const unsigned char *ns_ASN1_STRING_get0_data(ASN1_STRING *asn1str)
|
|
{
|
|
return (const unsigned char *)ASN1_STRING_data(asn1str);
|
|
}
|
|
|
|
static const BIGNUM *ns_RSA_get0_n(const RSA *d)
|
|
{
|
|
return d->n;
|
|
}
|
|
|
|
static const BIGNUM *ns_RSA_get0_e(const RSA *d)
|
|
{
|
|
return d->e;
|
|
}
|
|
|
|
static int ns_RSA_bits(const RSA *rsa)
|
|
{
|
|
return RSA_size(rsa) * 8;
|
|
}
|
|
|
|
static int ns_DSA_bits(const DSA *dsa)
|
|
{
|
|
return DSA_size(dsa) * 8;
|
|
}
|
|
|
|
static int ns_DH_bits(const DH *dh)
|
|
{
|
|
return DH_size(dh) * 8;
|
|
}
|
|
|
|
#elif (OPENSSL_VERSION_NUMBER < 0x1010100fL)
|
|
/* 1.1.0 */
|
|
#define ns_X509_get_signature_nid X509_get_signature_nid
|
|
#define ns_ASN1_STRING_get0_data ASN1_STRING_get0_data
|
|
|
|
static const BIGNUM *ns_RSA_get0_n(const RSA *r)
|
|
{
|
|
const BIGNUM *n;
|
|
const BIGNUM *e;
|
|
const BIGNUM *d;
|
|
RSA_get0_key(r, &n, &e, &d);
|
|
return n;
|
|
}
|
|
|
|
static const BIGNUM *ns_RSA_get0_e(const RSA *r)
|
|
{
|
|
const BIGNUM *n;
|
|
const BIGNUM *e;
|
|
const BIGNUM *d;
|
|
RSA_get0_key(r, &n, &e, &d);
|
|
return e;
|
|
}
|
|
|
|
#define ns_RSA_bits RSA_bits
|
|
#define ns_DSA_bits DSA_bits
|
|
#define ns_DH_bits DH_bits
|
|
|
|
#else
|
|
/* 1.1.1 and later */
|
|
#define ns_X509_get_signature_nid X509_get_signature_nid
|
|
#define ns_ASN1_STRING_get0_data ASN1_STRING_get0_data
|
|
#define ns_RSA_get0_n RSA_get0_n
|
|
#define ns_RSA_get0_e RSA_get0_e
|
|
#define ns_RSA_bits RSA_bits
|
|
#define ns_DSA_bits DSA_bits
|
|
#define ns_DH_bits DH_bits
|
|
#endif
|
|
|
|
/**
|
|
* extract certificate name information
|
|
*
|
|
* \param xname The X509 name to convert. The reference is borrowed so is not freeed
|
|
* \param iname The info structure to recive the extracted parameters.
|
|
* \return NSERROR_OK on success else error code
|
|
*/
|
|
static nserror
|
|
xname_to_info(X509_NAME *xname, struct ns_cert_name *iname)
|
|
{
|
|
int entryidx;
|
|
int entrycnt;
|
|
X509_NAME_ENTRY *entry; /* current name entry */
|
|
ASN1_STRING *value;
|
|
const unsigned char *value_str;
|
|
ASN1_OBJECT *name;
|
|
int name_nid;
|
|
char **field;
|
|
|
|
entrycnt = X509_NAME_entry_count(xname);
|
|
|
|
for (entryidx = 0; entryidx < entrycnt; entryidx++) {
|
|
entry = X509_NAME_get_entry(xname, entryidx);
|
|
name = X509_NAME_ENTRY_get_object(entry);
|
|
name_nid = OBJ_obj2nid(name);
|
|
value = X509_NAME_ENTRY_get_data(entry);
|
|
value_str = ns_ASN1_STRING_get0_data(value);
|
|
switch (name_nid) {
|
|
case NID_commonName:
|
|
field = &iname->common_name;
|
|
break;
|
|
case NID_countryName:
|
|
field = &iname->country;
|
|
break;
|
|
case NID_localityName:
|
|
field = &iname->locality;
|
|
break;
|
|
case NID_stateOrProvinceName:
|
|
field = &iname->province;
|
|
break;
|
|
case NID_organizationName:
|
|
field = &iname->organisation;
|
|
break;
|
|
case NID_organizationalUnitName:
|
|
field = &iname->organisation_unit;
|
|
break;
|
|
default :
|
|
field = NULL;
|
|
break;
|
|
}
|
|
if (field != NULL) {
|
|
*field = strdup((const char *)value_str);
|
|
NSLOG(netsurf, DEEPDEBUG,
|
|
"NID:%d value: %s", name_nid, *field);
|
|
} else {
|
|
NSLOG(netsurf, DEEPDEBUG, "NID:%d", name_nid);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* ensure the common name is set to something, this being
|
|
* missing means the certificate is broken but this should be
|
|
* robust in the face of bad data
|
|
*/
|
|
if (iname->common_name == NULL) {
|
|
iname->common_name = strdup("Unknown");
|
|
}
|
|
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
|
|
/**
|
|
* duplicate a hex formatted string inserting the colons
|
|
*
|
|
* \todo only uses html entity as separator because netsurfs line breaking
|
|
* fails otherwise.
|
|
*/
|
|
static char *hexdup(const char *hex)
|
|
{
|
|
int hexlen;
|
|
char *dst;
|
|
char *out;
|
|
int cn = 0;
|
|
|
|
hexlen = strlen(hex);
|
|
/* allow space fox XXYY to XX:YY: */
|
|
dst = malloc(((hexlen * 7) + 6) / 2);
|
|
|
|
if (dst != NULL) {
|
|
for (out = dst; *hex != 0; hex++) {
|
|
if (cn == 2) {
|
|
cn = 0;
|
|
*out++ = '&';
|
|
*out++ = '#';
|
|
*out++ = '5';
|
|
*out++ = '8';
|
|
*out++ = ';';
|
|
}
|
|
*out++ = *hex;
|
|
cn++;
|
|
}
|
|
*out = 0;
|
|
}
|
|
return dst;
|
|
}
|
|
|
|
|
|
/**
|
|
* create a hex formatted string inserting the colons from binary data
|
|
*
|
|
* \todo only uses html entity as separator because netsurfs line breaking
|
|
* fails otherwise.
|
|
*/
|
|
static char *bindup(unsigned char *bin, unsigned int binlen)
|
|
{
|
|
char *dst;
|
|
char *out;
|
|
unsigned int idx;
|
|
const char hex[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
|
|
|
/* allow space fox XY to expand to XX:YY: */
|
|
dst = malloc(binlen * 7);
|
|
|
|
if (dst != NULL) {
|
|
out = dst;
|
|
for (idx = 0; idx < binlen; idx++) {
|
|
*out++ = hex[(bin[idx] & 0xf0) >> 4];
|
|
*out++ = hex[bin[idx] & 0xf];
|
|
|
|
*out++ = '&';
|
|
*out++ = '#';
|
|
*out++ = '5';
|
|
*out++ = '8';
|
|
*out++ = ';';
|
|
}
|
|
out -= 5;
|
|
*out = 0;
|
|
}
|
|
return dst;
|
|
}
|
|
|
|
|
|
/**
|
|
* extract RSA key information to info structure
|
|
*
|
|
* \param rsa The RSA key to examine. The reference is dropped on return
|
|
* \param ikey The public key info structure to fill
|
|
* \rerun NSERROR_OK on success else error code.
|
|
*/
|
|
static nserror
|
|
rsa_to_info(RSA *rsa, struct ns_cert_pkey *ikey)
|
|
{
|
|
char *tmp;
|
|
|
|
if (rsa == NULL) {
|
|
return NSERROR_BAD_PARAMETER;
|
|
}
|
|
|
|
ikey->algor = strdup("RSA");
|
|
|
|
ikey->size = ns_RSA_bits(rsa);
|
|
|
|
tmp = BN_bn2hex(ns_RSA_get0_n(rsa));
|
|
if (tmp != NULL) {
|
|
ikey->modulus = hexdup(tmp);
|
|
OPENSSL_free(tmp);
|
|
}
|
|
|
|
tmp = BN_bn2dec(ns_RSA_get0_e(rsa));
|
|
if (tmp != NULL) {
|
|
ikey->exponent = strdup(tmp);
|
|
OPENSSL_free(tmp);
|
|
}
|
|
|
|
RSA_free(rsa);
|
|
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
|
|
/**
|
|
* extract DSA key information to info structure
|
|
*
|
|
* \param dsa The RSA key to examine. The reference is dropped on return
|
|
* \param ikey The public key info structure to fill
|
|
* \rerun NSERROR_OK on success else error code.
|
|
*/
|
|
static nserror
|
|
dsa_to_info(DSA *dsa, struct ns_cert_pkey *ikey)
|
|
{
|
|
if (dsa == NULL) {
|
|
return NSERROR_BAD_PARAMETER;
|
|
}
|
|
|
|
ikey->algor = strdup("DSA");
|
|
|
|
ikey->size = ns_DSA_bits(dsa);
|
|
|
|
DSA_free(dsa);
|
|
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
|
|
/**
|
|
* extract DH key information to info structure
|
|
*
|
|
* \param dsa The RSA key to examine. The reference is dropped on return
|
|
* \param ikey The public key info structure to fill
|
|
* \rerun NSERROR_OK on success else error code.
|
|
*/
|
|
static nserror
|
|
dh_to_info(DH *dh, struct ns_cert_pkey *ikey)
|
|
{
|
|
if (dh == NULL) {
|
|
return NSERROR_BAD_PARAMETER;
|
|
}
|
|
|
|
ikey->algor = strdup("Diffie Hellman");
|
|
|
|
ikey->size = ns_DH_bits(dh);
|
|
|
|
DH_free(dh);
|
|
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
|
|
/**
|
|
* extract EC key information to info structure
|
|
*
|
|
* \param ec The EC key to examine. The reference is dropped on return
|
|
* \param ikey The public key info structure to fill
|
|
* \rerun NSERROR_OK on success else error code.
|
|
*/
|
|
static nserror
|
|
ec_to_info(EC_KEY *ec, struct ns_cert_pkey *ikey)
|
|
{
|
|
const EC_GROUP *ecgroup;
|
|
const EC_POINT *ecpoint;
|
|
BN_CTX *bnctx;
|
|
char *ecpoint_hex;
|
|
|
|
if (ec == NULL) {
|
|
return NSERROR_BAD_PARAMETER;
|
|
}
|
|
|
|
ikey->algor = strdup("Elliptic Curve");
|
|
|
|
ecgroup = EC_KEY_get0_group(ec);
|
|
|
|
if (ecgroup != NULL) {
|
|
ikey->size = EC_GROUP_get_degree(ecgroup);
|
|
|
|
ikey->curve = strdup(OBJ_nid2ln(EC_GROUP_get_curve_name(ecgroup)));
|
|
|
|
ecpoint = EC_KEY_get0_public_key(ec);
|
|
if (ecpoint != NULL) {
|
|
bnctx = BN_CTX_new();
|
|
ecpoint_hex = EC_POINT_point2hex(ecgroup,
|
|
ecpoint,
|
|
POINT_CONVERSION_UNCOMPRESSED,
|
|
bnctx);
|
|
ikey->public = hexdup(ecpoint_hex);
|
|
OPENSSL_free(ecpoint_hex);
|
|
BN_CTX_free(bnctx);
|
|
}
|
|
}
|
|
EC_KEY_free(ec);
|
|
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
|
|
/**
|
|
* extract public key information to info structure
|
|
*
|
|
* \param pkey the public key to examine. The reference is dropped on return
|
|
* \param ikey The public key info structure to fill
|
|
* \rerun NSERROR_OK on success else error code.
|
|
*/
|
|
static nserror
|
|
pkey_to_info(EVP_PKEY *pkey, struct ns_cert_pkey *ikey)
|
|
{
|
|
nserror res;
|
|
|
|
if (pkey == NULL) {
|
|
return NSERROR_BAD_PARAMETER;
|
|
}
|
|
|
|
switch (EVP_PKEY_base_id(pkey)) {
|
|
case EVP_PKEY_RSA:
|
|
res = rsa_to_info(EVP_PKEY_get1_RSA(pkey), ikey);
|
|
break;
|
|
|
|
case EVP_PKEY_DSA:
|
|
res = dsa_to_info(EVP_PKEY_get1_DSA(pkey), ikey);
|
|
break;
|
|
|
|
case EVP_PKEY_DH:
|
|
res = dh_to_info(EVP_PKEY_get1_DH(pkey), ikey);
|
|
break;
|
|
|
|
case EVP_PKEY_EC:
|
|
res = ec_to_info(EVP_PKEY_get1_EC_KEY(pkey), ikey);
|
|
break;
|
|
|
|
default:
|
|
res = NSERROR_NOT_IMPLEMENTED;
|
|
break;
|
|
}
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
return res;
|
|
}
|
|
|
|
static nserror san_to_info(X509 *cert, struct ns_cert_san **prev_next)
|
|
{
|
|
int idx;
|
|
int san_names_nb = -1;
|
|
const GENERAL_NAME *current_name;
|
|
const unsigned char *dns_name;
|
|
struct ns_cert_san *isan;
|
|
|
|
STACK_OF(GENERAL_NAME) *san_names = NULL;
|
|
|
|
san_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
|
|
if (san_names == NULL) {
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
san_names_nb = sk_GENERAL_NAME_num(san_names);
|
|
|
|
/* Check each name within the extension */
|
|
for (idx = 0; idx < san_names_nb; idx++) {
|
|
current_name = sk_GENERAL_NAME_value(san_names, idx);
|
|
|
|
if (current_name->type == GEN_DNS) {
|
|
/* extract DNS name into info structure */
|
|
dns_name = ns_ASN1_STRING_get0_data(current_name->d.dNSName);
|
|
|
|
isan = malloc(sizeof(struct ns_cert_san));
|
|
if (isan != NULL) {
|
|
isan->name = strdup((const char *)dns_name);
|
|
isan->next = NULL;
|
|
*prev_next = isan;
|
|
prev_next = &isan->next;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* AmiSSL can't cope with the "correct" mechanism of freeing
|
|
* the GENERAL_NAME stack, which is:
|
|
* sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
|
|
* So instead we do this open-coded loop which does the same:
|
|
*/
|
|
for (idx = 0; idx < san_names_nb; idx++) {
|
|
GENERAL_NAME *entry = sk_GENERAL_NAME_pop(san_names);
|
|
GENERAL_NAME_free(entry);
|
|
}
|
|
sk_GENERAL_NAME_free(san_names);
|
|
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
static nserror
|
|
der_to_certinfo(const uint8_t *der,
|
|
size_t der_length,
|
|
struct ns_cert_info *info)
|
|
{
|
|
BIO *mem;
|
|
BUF_MEM *buf;
|
|
const ASN1_INTEGER *asn1_num;
|
|
BIGNUM *bignum;
|
|
X509 *cert; /**< Pointer to certificate */
|
|
|
|
if (der == NULL) {
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
cert = d2i_X509(NULL, &der, der_length);
|
|
if (cert == NULL) {
|
|
return NSERROR_INVALID;
|
|
}
|
|
|
|
/*
|
|
* get certificate version
|
|
*
|
|
* \note this is defined by standards (X.509 et al) to be one
|
|
* less than the certificate version.
|
|
*/
|
|
info->version = X509_get_version(cert) + 1;
|
|
|
|
/* not before date */
|
|
mem = BIO_new(BIO_s_mem());
|
|
ASN1_TIME_print(mem, X509_get_notBefore(cert));
|
|
BIO_get_mem_ptr(mem, &buf);
|
|
(void) BIO_set_close(mem, BIO_NOCLOSE);
|
|
BIO_free(mem);
|
|
info->not_before = calloc(1, buf->length + 1);
|
|
if (info->not_before != NULL) {
|
|
memcpy(info->not_before, buf->data, (unsigned)buf->length);
|
|
}
|
|
BUF_MEM_free(buf);
|
|
|
|
/* not after date */
|
|
mem = BIO_new(BIO_s_mem());
|
|
ASN1_TIME_print(mem,
|
|
X509_get_notAfter(cert));
|
|
BIO_get_mem_ptr(mem, &buf);
|
|
(void) BIO_set_close(mem, BIO_NOCLOSE);
|
|
BIO_free(mem);
|
|
info->not_after = calloc(1, buf->length + 1);
|
|
if (info->not_after != NULL) {
|
|
memcpy(info->not_after, buf->data, (unsigned)buf->length);
|
|
}
|
|
BUF_MEM_free(buf);
|
|
|
|
/* signature type */
|
|
info->sig_type = X509_get_signature_type(cert);
|
|
|
|
/* signature algorithm */
|
|
int pkey_nid = ns_X509_get_signature_nid(cert);
|
|
if (pkey_nid != NID_undef) {
|
|
const char* sslbuf = OBJ_nid2ln(pkey_nid);
|
|
if (sslbuf != NULL) {
|
|
info->sig_algor = strdup(sslbuf);
|
|
}
|
|
}
|
|
|
|
/* serial number */
|
|
asn1_num = X509_get_serialNumber(cert);
|
|
if (asn1_num != NULL) {
|
|
bignum = ASN1_INTEGER_to_BN(asn1_num, NULL);
|
|
if (bignum != NULL) {
|
|
char *tmp = BN_bn2hex(bignum);
|
|
if (tmp != NULL) {
|
|
info->serialnum = hexdup(tmp);
|
|
OPENSSL_free(tmp);
|
|
}
|
|
BN_free(bignum);
|
|
bignum = NULL;
|
|
}
|
|
}
|
|
|
|
/* fingerprints */
|
|
const EVP_MD *digest;
|
|
unsigned int dig_len;
|
|
unsigned char *buff;
|
|
int rc;
|
|
|
|
digest = EVP_sha1();
|
|
buff = malloc(EVP_MD_size(digest));
|
|
if (buff != NULL) {
|
|
rc = X509_digest(cert, digest, buff, &dig_len);
|
|
if ((rc == 1) && (dig_len == (unsigned int)EVP_MD_size(digest))) {
|
|
info->sha1fingerprint = bindup(buff, dig_len);
|
|
}
|
|
free(buff);
|
|
}
|
|
|
|
digest = EVP_sha256();
|
|
buff = malloc(EVP_MD_size(digest));
|
|
if (buff != NULL) {
|
|
rc = X509_digest(cert, digest, buff, &dig_len);
|
|
if ((rc == 1) && (dig_len == (unsigned int)EVP_MD_size(digest))) {
|
|
info->sha256fingerprint = bindup(buff, dig_len);
|
|
}
|
|
free(buff);
|
|
}
|
|
|
|
/* subject alternative names */
|
|
san_to_info(cert, &info->san);
|
|
|
|
/* issuer name */
|
|
xname_to_info(X509_get_issuer_name(cert), &info->issuer_name);
|
|
|
|
/* subject */
|
|
xname_to_info(X509_get_subject_name(cert), &info->subject_name);
|
|
|
|
/* public key */
|
|
pkey_to_info(X509_get_pubkey(cert), &info->public_key);
|
|
|
|
X509_free(cert);
|
|
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
/* copy certificate data */
|
|
static nserror
|
|
convert_chain_to_cert_info(const struct cert_chain *chain,
|
|
struct ns_cert_info **cert_info_out)
|
|
{
|
|
struct ns_cert_info *certs;
|
|
size_t depth;
|
|
nserror res;
|
|
|
|
certs = calloc(chain->depth, sizeof(struct ns_cert_info));
|
|
if (certs == NULL) {
|
|
return NSERROR_NOMEM;
|
|
}
|
|
|
|
for (depth = 0; depth < chain->depth;depth++) {
|
|
res = der_to_certinfo(chain->certs[depth].der,
|
|
chain->certs[depth].der_length,
|
|
certs + depth);
|
|
if (res != NSERROR_OK) {
|
|
free(certs);
|
|
return res;
|
|
}
|
|
certs[depth].err = chain->certs[depth].err;
|
|
}
|
|
|
|
*cert_info_out = certs;
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
#else
|
|
static nserror
|
|
convert_chain_to_cert_info(const struct cert_chain *chain,
|
|
struct ns_cert_info **cert_info_out)
|
|
{
|
|
return NSERROR_NOT_IMPLEMENTED;
|
|
}
|
|
#endif
|
|
|
|
|
|
static nserror
|
|
format_certificate_name(struct fetch_about_context *ctx,
|
|
struct ns_cert_name *cert_name)
|
|
{
|
|
nserror res;
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Common Name</th><td>%s</td></tr>\n",
|
|
cert_name->common_name);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
if (cert_name->organisation != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Organisation</th><td>%s</td></tr>\n",
|
|
cert_name->organisation);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (cert_name->organisation_unit != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Organisation Unit</th><td>%s</td></tr>\n",
|
|
cert_name->organisation_unit);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (cert_name->locality != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Locality</th><td>%s</td></tr>\n",
|
|
cert_name->locality);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (cert_name->province != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Privince</th><td>%s</td></tr>\n",
|
|
cert_name->province);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (cert_name->country != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Country</th><td>%s</td></tr>\n",
|
|
cert_name->country);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
return res;
|
|
}
|
|
|
|
/**
|
|
* output formatted certificate subject alternate names
|
|
*/
|
|
static nserror
|
|
format_certificate_san(struct fetch_about_context *ctx,
|
|
struct ns_cert_san *san)
|
|
{
|
|
nserror res;
|
|
|
|
if (san == NULL) {
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<table class=\"info\">\n"
|
|
"<tr><th>Alternative Names</th><td><hr></td></tr>\n");
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
while (san != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>DNS Name</th><td>%s</td></tr>\n",
|
|
san->name);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
san = san->next;
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx, "</table>\n");
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
static nserror
|
|
format_certificate_public_key(struct fetch_about_context *ctx,
|
|
struct ns_cert_pkey *public_key)
|
|
{
|
|
nserror res;
|
|
|
|
if (public_key->algor == NULL) {
|
|
/* skip the table if no algorithm name */
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<table class=\"info\">\n"
|
|
"<tr><th>Public Key</th><td><hr></td></tr>\n"
|
|
"<tr><th>Algorithm</th><td>%s</td></tr>\n"
|
|
"<tr><th>Key Size</th><td>%d</td></tr>\n",
|
|
public_key->algor,
|
|
public_key->size);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
|
|
if (public_key->exponent != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Exponent</th><td>%s</td></tr>\n",
|
|
public_key->exponent);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (public_key->modulus != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Modulus</th><td class=\"data\">%s</td></tr>\n",
|
|
public_key->modulus);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (public_key->curve != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Curve</th><td>%s</td></tr>\n",
|
|
public_key->curve);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (public_key->public != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Public Value</th><td>%s</td></tr>\n",
|
|
public_key->public);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx, "</table>\n");
|
|
|
|
return res;
|
|
}
|
|
|
|
static nserror
|
|
format_certificate_fingerprint(struct fetch_about_context *ctx,
|
|
struct ns_cert_info *cert_info)
|
|
{
|
|
nserror res;
|
|
|
|
if ((cert_info->sha1fingerprint == NULL) &&
|
|
(cert_info->sha256fingerprint == NULL)) {
|
|
/* skip the table if no fingerprints */
|
|
return NSERROR_OK;
|
|
}
|
|
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<table class=\"info\">\n"
|
|
"<tr><th>Fingerprints</th><td><hr></td></tr>\n");
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
if (cert_info->sha256fingerprint != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>SHA-256</th><td class=\"data\">%s</td></tr>\n",
|
|
cert_info->sha256fingerprint);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (cert_info->sha1fingerprint != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>SHA-1</th><td class=\"data\">%s</td></tr>\n",
|
|
cert_info->sha1fingerprint);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx, "</table>\n");
|
|
|
|
return res;
|
|
}
|
|
|
|
static nserror
|
|
format_certificate(struct fetch_about_context *ctx,
|
|
struct ns_cert_info *cert_info,
|
|
size_t depth)
|
|
{
|
|
nserror res;
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<h2 id=\"%"PRIsizet"\" class=\"ns-border\">%s</h2>\n",
|
|
depth, cert_info->subject_name.common_name);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
if (cert_info->err != SSL_CERT_ERR_OK) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<table class=\"info\">\n"
|
|
"<tr class=\"ns-even-fg-bad\">"
|
|
"<th>Fault</th>"
|
|
"<td>%s</td>"
|
|
"</tr>"
|
|
"</table>\n",
|
|
messages_get_sslcode(cert_info->err));
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<table class=\"info\">\n"
|
|
"<tr><th>Issued To</th><td><hr></td></tr>\n");
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = format_certificate_name(ctx, &cert_info->subject_name);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"</table>\n");
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<table class=\"info\">\n"
|
|
"<tr><th>Issued By</th><td><hr></td></tr>\n");
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = format_certificate_name(ctx, &cert_info->issuer_name);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"</table>\n");
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<table class=\"info\">\n"
|
|
"<tr><th>Validity</th><td><hr></td></tr>\n"
|
|
"<tr><th>Valid From</th><td>%s</td></tr>\n"
|
|
"<tr><th>Valid Until</th><td>%s</td></tr>\n"
|
|
"</table>\n",
|
|
cert_info->not_before,
|
|
cert_info->not_after);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = format_certificate_san(ctx, cert_info->san);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = format_certificate_public_key(ctx, &cert_info->public_key);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<table class=\"info\">\n"
|
|
"<tr><th>Miscellaneous</th><td><hr></td></tr>\n");
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
if (cert_info->serialnum != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Serial Number</th><td>%s</td></tr>\n",
|
|
cert_info->serialnum);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
if (cert_info->sig_algor != NULL) {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Signature Algorithm</th>"
|
|
"<td>%s</td></tr>\n",
|
|
cert_info->sig_algor);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<tr><th>Version</th><td>%ld</td></tr>\n"
|
|
"</table>\n",
|
|
cert_info->version);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
res = format_certificate_fingerprint(ctx, cert_info);
|
|
if (res != NSERROR_OK) {
|
|
return res;
|
|
}
|
|
|
|
return res;
|
|
}
|
|
|
|
/**
|
|
* Handler to generate about:certificate page.
|
|
*
|
|
* Shows details of a certificate chain
|
|
*
|
|
* \param ctx The fetcher context.
|
|
* \return true if handled false if aborted.
|
|
*/
|
|
bool fetch_about_certificate_handler(struct fetch_about_context *ctx)
|
|
{
|
|
int code = 200;
|
|
nserror res;
|
|
struct cert_chain *chain = NULL;
|
|
|
|
/* content is going to return ok */
|
|
fetch_about_set_http_code(ctx, code);
|
|
|
|
/* content type */
|
|
if (fetch_about_send_header(ctx, "Content-Type: text/html"))
|
|
goto fetch_about_certificate_handler_aborted;
|
|
|
|
/* page head */
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<html>\n<head>\n"
|
|
"<title>NetSurf Browser Certificate Viewer</title>\n"
|
|
"<link rel=\"stylesheet\" type=\"text/css\" "
|
|
"href=\"resource:internal.css\">\n"
|
|
"</head>\n"
|
|
"<body id=\"certificate\" class=\"ns-even-bg ns-even-fg ns-border\">\n"
|
|
"<h1 class=\"ns-border\">Certificate</h1>\n");
|
|
if (res != NSERROR_OK) {
|
|
goto fetch_about_certificate_handler_aborted;
|
|
}
|
|
|
|
res = cert_chain_from_query(fetch_about_get_url(ctx), &chain);
|
|
if (res != NSERROR_OK) {
|
|
res = fetch_about_ssenddataf(ctx, "<p>Could not process that</p>\n");
|
|
if (res != NSERROR_OK) {
|
|
goto fetch_about_certificate_handler_aborted;
|
|
}
|
|
} else {
|
|
struct ns_cert_info *cert_info;
|
|
res = convert_chain_to_cert_info(chain, &cert_info);
|
|
if (res == NSERROR_OK) {
|
|
size_t depth;
|
|
res = fetch_about_ssenddataf(ctx, "<ul>\n");
|
|
if (res != NSERROR_OK) {
|
|
free_ns_cert_info(cert_info);
|
|
goto fetch_about_certificate_handler_aborted;
|
|
}
|
|
|
|
for (depth = 0; depth < chain->depth; depth++) {
|
|
res = fetch_about_ssenddataf(ctx, "<li><a href=\"#%"PRIsizet"\">%s</a></li>\n",
|
|
depth, (cert_info + depth)
|
|
->subject_name
|
|
.common_name);
|
|
if (res != NSERROR_OK) {
|
|
free_ns_cert_info(cert_info);
|
|
goto fetch_about_certificate_handler_aborted;
|
|
}
|
|
|
|
}
|
|
|
|
res = fetch_about_ssenddataf(ctx, "</ul>\n");
|
|
if (res != NSERROR_OK) {
|
|
free_ns_cert_info(cert_info);
|
|
goto fetch_about_certificate_handler_aborted;
|
|
}
|
|
|
|
for (depth = 0; depth < chain->depth; depth++) {
|
|
res = format_certificate(ctx, cert_info + depth,
|
|
depth);
|
|
if (res != NSERROR_OK) {
|
|
free_ns_cert_info(cert_info);
|
|
goto fetch_about_certificate_handler_aborted;
|
|
}
|
|
|
|
}
|
|
free_ns_cert_info(cert_info);
|
|
|
|
} else {
|
|
res = fetch_about_ssenddataf(ctx,
|
|
"<p>Invalid certificate data</p>\n");
|
|
if (res != NSERROR_OK) {
|
|
goto fetch_about_certificate_handler_aborted;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
/* page footer */
|
|
res = fetch_about_ssenddataf(ctx, "</body>\n</html>\n");
|
|
if (res != NSERROR_OK) {
|
|
goto fetch_about_certificate_handler_aborted;
|
|
}
|
|
|
|
fetch_about_send_finished(ctx);
|
|
|
|
cert_chain_free(chain);
|
|
|
|
return true;
|
|
|
|
fetch_about_certificate_handler_aborted:
|
|
cert_chain_free(chain);
|
|
return false;
|
|
}
|