5 // Created by Martin Baulig on 14/11/15.
6 // Copyright (c) 2015 Xamarin. All rights reserved.
10 #include <openssl/x509v3.h>
11 #include <openssl/pkcs12.h>
14 mono_btls_x509_from_data (const void *buf, int len, MonoBtlsX509Format format)
19 bio = BIO_new_mem_buf ((void *)buf, len);
21 case MONO_BTLS_X509_FORMAT_DER:
22 cert = d2i_X509_bio (bio, NULL);
24 case MONO_BTLS_X509_FORMAT_PEM:
25 cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
33 mono_btls_x509_up_ref (X509 *x509)
40 mono_btls_x509_free (X509 *x509)
46 mono_btls_x509_dup (X509 *x509)
48 return X509_dup (x509);
52 mono_btls_x509_get_subject_name (X509 *x509)
54 return mono_btls_x509_name_copy (X509_get_subject_name (x509));
58 mono_btls_x509_get_issuer_name (X509 *x509)
60 return mono_btls_x509_name_copy (X509_get_issuer_name (x509));
64 mono_btls_x509_get_subject_name_string (X509 *name, char *buffer, int size)
67 return X509_NAME_oneline (X509_get_subject_name (name), buffer, size) != NULL;
71 mono_btls_x509_get_issuer_name_string (X509 *name, char *buffer, int size)
74 return X509_NAME_oneline (X509_get_issuer_name (name), buffer, size) != NULL;
78 mono_btls_x509_get_raw_data (X509 *x509, BIO *bio, MonoBtlsX509Format format)
81 case MONO_BTLS_X509_FORMAT_DER:
82 return i2d_X509_bio (bio, x509);
83 case MONO_BTLS_X509_FORMAT_PEM:
84 return PEM_write_bio_X509 (bio, x509);
91 mono_btls_x509_cmp (const X509 *a, const X509 *b)
93 return X509_cmp (a, b);
97 mono_btls_x509_get_hash (X509 *x509, const void **data)
99 X509_check_purpose (x509, -1, 0);
100 *data = x509->sha1_hash;
101 return SHA_DIGEST_LENGTH;
105 mono_btls_x509_get_not_before (X509 *x509)
107 return mono_btls_util_asn1_time_to_ticks (X509_get_notBefore (x509));
111 mono_btls_x509_get_not_after (X509 *x509)
113 return mono_btls_util_asn1_time_to_ticks (X509_get_notAfter (x509));
117 mono_btls_x509_get_public_key (X509 *x509, BIO *bio)
120 uint8_t *data = NULL;
123 pkey = X509_get_pubkey (x509);
127 ret = i2d_PublicKey (pkey, &data);
129 if (ret > 0 && data) {
130 ret = BIO_write (bio, data, ret);
134 EVP_PKEY_free (pkey);
139 mono_btls_x509_get_serial_number (X509 *x509, char *buffer, int size, int mono_style)
141 ASN1_INTEGER *serial;
142 unsigned char *temp, *p;
145 serial = X509_get_serialNumber (x509);
146 if (serial->length == 0 || serial->length+1 > size)
150 memcpy (buffer, serial->data, serial->length);
151 return serial->length;
154 temp = OPENSSL_malloc (serial->length + 1);
159 len = i2c_ASN1_INTEGER (serial, &p);
166 for (idx = 0; idx < len; idx++) {
167 buffer [idx] = *(--p);
176 mono_btls_x509_get_public_key_algorithm (X509 *x509, char *buffer, int size)
183 pkey = X509_get_X509_PUBKEY (x509);
187 ret = X509_PUBKEY_get0_param (&ppkalg, NULL, NULL, NULL, pkey);
191 return OBJ_obj2txt (buffer, size, ppkalg, 1);
195 mono_btls_x509_get_version (X509 *x509)
197 return (int)X509_get_version (x509) + 1;
201 mono_btls_x509_get_signature_algorithm (X509 *x509, char *buffer, int size)
203 const ASN1_OBJECT *obj;
208 nid = X509_get_signature_nid (x509);
210 obj = OBJ_nid2obj (nid);
214 return OBJ_obj2txt (buffer, size, obj, 1);
218 mono_btls_x509_get_public_key_asn1 (X509 *x509, char *out_oid, int oid_len, uint8_t **buffer, int *size)
222 const unsigned char *pk;
229 pkey = X509_get_X509_PUBKEY (x509);
230 if (!pkey || !pkey->public_key)
233 ret = X509_PUBKEY_get0_param (&ppkalg, &pk, &pk_len, NULL, pkey);
234 if (ret != 1 || !ppkalg || !pk)
238 OBJ_obj2txt (out_oid, oid_len, ppkalg, 1);
243 *buffer = OPENSSL_malloc (pk_len);
247 memcpy (*buffer, pk, pk_len);
255 mono_btls_x509_get_public_key_parameters (X509 *x509, char *out_oid, int oid_len, uint8_t **buffer, int *size)
267 pkey = X509_get_X509_PUBKEY (x509);
269 ret = X509_PUBKEY_get0_param (NULL, NULL, NULL, &algor, pkey);
270 if (ret != 1 || !algor)
273 X509_ALGOR_get0 (&paobj, &ptype, &pval, algor);
275 if (ptype != V_ASN1_NULL && ptype != V_ASN1_SEQUENCE)
278 if (ptype == V_ASN1_NULL) {
282 *buffer = OPENSSL_malloc (2);
291 OBJ_obj2txt (out_oid, oid_len, paobj, 1);
294 } else if (ptype == V_ASN1_SEQUENCE) {
295 ASN1_STRING *pstr = pval;
297 *size = pstr->length;
298 *buffer = OPENSSL_malloc (pstr->length);
302 memcpy (*buffer, pstr->data, pstr->length);
305 OBJ_obj2txt (out_oid, oid_len, paobj, 1);
314 mono_btls_x509_get_pubkey (X509 *x509)
316 return X509_get_pubkey (x509);
320 mono_btls_x509_get_subject_key_identifier (X509 *x509, uint8_t **buffer, int *size)
322 ASN1_OCTET_STRING *skid;
327 if (X509_get_version (x509) != 2)
330 skid = X509_get_ext_d2i (x509, NID_subject_key_identifier, NULL, NULL);
334 *size = skid->length;
335 *buffer = OPENSSL_malloc (*size);
339 memcpy (*buffer, skid->data, *size);
344 mono_btls_x509_print (X509 *x509, BIO *bio)
346 return X509_print_ex (bio, x509, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
350 get_trust_nid (MonoBtlsX509Purpose purpose)
353 case MONO_BTLS_X509_PURPOSE_SSL_CLIENT:
354 return NID_client_auth;
355 case MONO_BTLS_X509_PURPOSE_SSL_SERVER:
356 return NID_server_auth;
363 mono_btls_x509_add_trust_object (X509 *x509, MonoBtlsX509Purpose purpose)
368 nid = get_trust_nid (purpose);
372 trust = ASN1_OBJECT_new ();
377 return X509_add1_trust_object (x509, trust);
381 mono_btls_x509_add_reject_object (X509 *x509, MonoBtlsX509Purpose purpose)
386 nid = get_trust_nid (purpose);
390 reject = ASN1_OBJECT_new ();
395 return X509_add1_reject_object (x509, reject);
399 mono_btls_x509_add_explicit_trust (X509 *x509, MonoBtlsX509TrustKind kind)
403 if ((kind & MONO_BTLS_X509_TRUST_KIND_REJECT_ALL) != 0)
404 kind |= MONO_BTLS_X509_TRUST_KIND_REJECT_CLIENT | MONO_BTLS_X509_TRUST_KIND_REJECT_SERVER;
406 if ((kind & MONO_BTLS_X509_TRUST_KIND_TRUST_ALL) != 0)
407 kind |= MONO_BTLS_X509_TRUST_KIND_TRUST_CLIENT | MONO_BTLS_X509_TRUST_KIND_TRUST_SERVER;
410 if ((kind & MONO_BTLS_X509_TRUST_KIND_REJECT_CLIENT) != 0) {
411 ret = mono_btls_x509_add_reject_object (x509, MONO_BTLS_X509_PURPOSE_SSL_CLIENT);
416 if ((kind & MONO_BTLS_X509_TRUST_KIND_REJECT_SERVER) != 0) {
417 ret = mono_btls_x509_add_reject_object (x509, MONO_BTLS_X509_PURPOSE_SSL_SERVER);
423 // Ignore any MONO_BTLS_X509_TRUST_KIND_TRUST_* settings if we added
424 // any kind of MONO_BTLS_X509_TRUST_KIND_REJECT_* before.
428 if ((kind & MONO_BTLS_X509_TRUST_KIND_TRUST_CLIENT) != 0) {
429 ret = mono_btls_x509_add_trust_object (x509, MONO_BTLS_X509_PURPOSE_SSL_CLIENT);
434 if ((kind & MONO_BTLS_X509_TRUST_KIND_TRUST_SERVER) != 0) {
435 ret = mono_btls_x509_add_trust_object (x509, MONO_BTLS_X509_PURPOSE_SSL_SERVER);