17 #include <sys/types.h>
18 #include <sys/socket.h>
22 #include <openssl/ssl.h>
23 #include <openssl/err.h>
24 #include <openssl/x509v3.h>
34 assert(tlsa_owner != NULL);
39 buf[0] = (char)(s - 1);
63 if (*tlsa_owner == NULL) {
76 unsigned char* buf = NULL;
82 unsigned char* digest;
90 len = (size_t)i2d_X509(cert, &buf);
96 xpubkey = X509_get_X509_PUBKEY(cert);
101 epubkey = X509_PUBKEY_get(xpubkey);
105 len = (size_t)i2d_PUBKEY(epubkey, &buf);
112 switch(matching_type) {
122 digest =
LDNS_XMALLOC(
unsigned char, SHA256_DIGEST_LENGTH);
123 if (digest == NULL) {
127 (void)
ldns_sha256(buf, (
unsigned int)len, digest);
137 digest =
LDNS_XMALLOC(
unsigned char, SHA512_DIGEST_LENGTH);
138 if (digest == NULL) {
142 (void)
ldns_sha512(buf, (
unsigned int)len, digest);
161 ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
164 X509_STORE_CTX* vrfy_ctx;
170 vrfy_ctx = X509_STORE_CTX_new();
175 }
else if (X509_STORE_CTX_init(vrfy_ctx, store,
176 cert, extra_certs) != 1) {
179 }
else if (X509_verify_cert(vrfy_ctx) == 1) {
186 X509_STORE_CTX_free(vrfy_ctx);
195 ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
196 STACK_OF(X509)* extra_certs, X509_STORE* store)
199 X509_STORE* empty_store = NULL;
200 X509_STORE_CTX* vrfy_ctx;
202 assert(chain != NULL);
205 store = empty_store = X509_STORE_new();
208 vrfy_ctx = X509_STORE_CTX_new();
211 goto exit_free_empty_store;
213 }
else if (X509_STORE_CTX_init(vrfy_ctx, store,
214 cert, extra_certs) != 1) {
215 goto exit_free_vrfy_ctx;
217 }
else if (X509_verify_cert(vrfy_ctx) == 1) {
224 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
230 X509_STORE_CTX_free(vrfy_ctx);
232 exit_free_empty_store:
234 X509_STORE_free(empty_store);
243 ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
244 X509* cert, STACK_OF(X509)* extra_certs)
247 X509_STORE* empty_store = NULL;
248 X509_STORE_CTX* vrfy_ctx;
250 assert(chain != NULL);
252 empty_store = X509_STORE_new();
254 vrfy_ctx = X509_STORE_CTX_new();
257 goto exit_free_empty_store;
259 }
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
260 cert, extra_certs) != 1) {
261 goto exit_free_vrfy_ctx;
263 (void) X509_verify_cert(vrfy_ctx);
264 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
271 X509_STORE_CTX_free(vrfy_ctx);
273 exit_free_empty_store:
274 X509_STORE_free(empty_store);
282 ldns_dane_get_nth_cert_from_validation_chain(
283 X509** cert, STACK_OF(X509)* chain,
int n,
bool ca)
285 if (n >= sk_X509_num(chain) || n < 0) {
288 *cert = sk_X509_pop(chain);
291 *cert = sk_X509_pop(chain);
293 if (ca && ! X509_check_ca(*cert)) {
304 ldns_dane_pkix_get_last_self_signed(X509** out_cert,
305 X509* cert, STACK_OF(X509)* extra_certs)
308 X509_STORE* empty_store = NULL;
309 X509_STORE_CTX* vrfy_ctx;
311 assert(out_cert != NULL);
313 empty_store = X509_STORE_new();
315 vrfy_ctx = X509_STORE_CTX_new();
317 goto exit_free_empty_store;
319 }
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
320 cert, extra_certs) != 1) {
321 goto exit_free_vrfy_ctx;
324 (void) X509_verify_cert(vrfy_ctx);
325 if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
326 vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
328 *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
334 X509_STORE_CTX_free(vrfy_ctx);
336 exit_free_empty_store:
337 X509_STORE_free(empty_store);
344 X509* cert, STACK_OF(X509)* extra_certs,
345 X509_STORE* pkix_validation_store,
349 STACK_OF(X509)* pkix_validation_chain = NULL;
351 assert(selected_cert != NULL);
352 assert(cert != NULL);
359 if (pkix_validation_store == NULL) {
360 switch (cert_usage) {
379 switch (cert_usage) {
383 s = ldns_dane_pkix_validate_and_get_chain(
384 &pkix_validation_chain,
386 pkix_validation_store);
387 if (! pkix_validation_chain) {
394 s = ldns_dane_get_nth_cert_from_validation_chain(
395 selected_cert, pkix_validation_chain,
398 sk_X509_pop_free(pkix_validation_chain, X509_free);
405 *selected_cert = cert;
406 return ldns_dane_pkix_validate(cert, extra_certs,
407 pkix_validation_store);
414 s = ldns_dane_pkix_get_last_self_signed(
415 selected_cert, cert, extra_certs);
418 s = ldns_dane_pkix_get_chain(
419 &pkix_validation_chain,
423 ldns_dane_get_nth_cert_from_validation_chain(
424 selected_cert, pkix_validation_chain,
426 }
else if (! pkix_validation_chain) {
429 sk_X509_pop_free(pkix_validation_chain, X509_free);
437 *selected_cert = cert;
458 assert(tlsa != NULL);
459 assert(cert != NULL);
468 (uint8_t)certificate_usage);
506 ldns_dane_filter_unusable_records(
const ldns_rr_list* tlsas)
558 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
567 n = (size_t)sk_X509_num(chain);
568 for (i = 0; i < n; i++) {
569 cert = sk_X509_pop(chain);
574 s = ldns_dane_match_cert_with_data(cert,
575 selector, matching_type, data);
593 X509* cert, STACK_OF(X509)* extra_certs,
594 X509_STORE* pkix_validation_store)
598 STACK_OF(X509)* pkix_validation_chain = NULL;
608 return ldns_dane_pkix_validate(cert, extra_certs,
609 pkix_validation_store);
616 switch (cert_usage) {
618 s = ldns_dane_pkix_validate_and_get_chain(
619 &pkix_validation_chain,
621 pkix_validation_store);
622 if (! pkix_validation_chain) {
634 s = ldns_dane_match_any_cert_with_data(
635 pkix_validation_chain,
636 selector, matching_type, data,
true);
649 s = ldns_dane_match_any_cert_with_data(
650 pkix_validation_chain,
651 selector, matching_type, data,
true);
653 sk_X509_pop_free(pkix_validation_chain, X509_free);
658 s = ldns_dane_match_cert_with_data(cert,
659 selector, matching_type, data);
662 return ldns_dane_pkix_validate(cert, extra_certs,
663 pkix_validation_store);
669 s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
673 s = ldns_dane_match_any_cert_with_data(
674 pkix_validation_chain,
675 selector, matching_type, data,
false);
677 }
else if (! pkix_validation_chain) {
680 sk_X509_pop_free(pkix_validation_chain, X509_free);
685 return ldns_dane_match_cert_with_data(cert,
686 selector, matching_type, data);
698 X509* cert, STACK_OF(X509)* extra_certs,
699 X509_STORE* pkix_validation_store)
705 assert(cert != NULL);
708 tlsas = ldns_dane_filter_unusable_records(tlsas);
716 return ldns_dane_pkix_validate(cert, extra_certs,
717 pkix_validation_store);
723 pkix_validation_store);
734 s = (s > ps ? s : ps);