OpenVAS Libraries  9.0.3
nasl_cert.h File Reference

Protos and data structures for CERT functions used by NASL scripts. More...



Functions

tree_cell *nasl_cert_open (lex_ctxt *lexic)
 Create a certificate object. More...
 
tree_cell *nasl_cert_close (lex_ctxt *lexic)
 Release a certificate object. More...
 
tree_cell *nasl_cert_query (lex_ctxt *lexic)
 Query a certificate object. More...
 

Detailed Description

Protos and data structures for CERT functions used by NASL scripts.

This file contains the protos for nasl_cert.c

Definition in file nasl_cert.h.

Function Documentation

◆ nasl_cert_close()

tree_cell *nasl_cert_close (lex_ctxt *lexic)

Release a certificate object.

NASL Function: cert_close

Takes a cert identifier as returned by cert_open and releases the associated resources (the descriptor is unlinked from the interpreter's object list and the libksba certificate is freed).

NASL Unnamed Parameters:
  • Object id of the certificate. 0 acts as a NOP; a negative or unknown id is only logged.
NASL Returns: none
Parameters
[in] lexic  Lexical context of the NASL interpreter.
Returns
FAKE_CELL (no NASL value) on every path; the error cases are logged, not reported to the script.

Definition at line 264 of file nasl_cert.c.

tree_cell *
nasl_cert_close (lex_ctxt *lexic)
{
  /* NASL: cert_close (id).
   *
   * Unlinks the descriptor registered under ID from the global object
   * list and releases the libksba certificate it owns.  Every outcome
   * yields FAKE_CELL: an id of 0 is a deliberate no-op, a negative or
   * unknown id is logged and otherwise ignored.
   *
   * lexic: lexical context of the NASL interpreter (first unnamed
   *        argument is the object id). */
  object_desc_t *link;
  object_desc_t found;
  int object_id = get_int_var_by_num (lexic, 0, -1);

  if (object_id == 0)
    return FAKE_CELL;
  if (object_id < 0)
    {
      log_legacy_write ("Bad object id %d passed to cert_close", object_id);
      return FAKE_CELL;
    }

  /* Walk the list via the link cells so the unlink below needs no
   * separate "previous" pointer. */
  for (link = &object_list; (found = *link); link = &found->next)
    if (found->object_id == object_id)
      break;

  if (!found)
    {
      log_legacy_write ("Unused object id %d passed to cert_close",
                        object_id);
      return FAKE_CELL;
    }

  *link = found->next;
  ksba_cert_release (found->cert);
  g_free (found);

  return FAKE_CELL;
}

References FAKE_CELL, get_int_var_by_num(), and log_legacy_write().


◆ nasl_cert_open()

tree_cell *nasl_cert_open (lex_ctxt *lexic)

Create a certificate object.

NASL Function: cert_open

Takes a string/data as unnamed argument and returns an identifier used with the other cert functions. The data must be the BER/DER encoded certificate. A PEM fallback is intended but not implemented in this version: the listing below still carries a FIXME at the parse-failure branch, so PEM input currently fails with "Certificate parsing failed" and the call returns 0.

NASL Unnamed Parameters:
  • String/data object with the certificate, BER/DER encoded (PEM is documented but not yet accepted, see above).
NASL Named Parameters:
  • errorvar Name of a variable used on error to return an error description. Note that the implementation shown below never reads this parameter; errors are only written to the log.
NASL Returns: An integer used as an id for the certificate; on error 0
is returned.
Parameters
[in] lexic  Lexical context of the NASL interpreter.
Returns
On success the function returns a tree-cell with a non-zero object identifier for use with other cert functions; on every error path it logs the reason and returns NULL (seen by the NASL caller as 0).

Definition at line 176 of file nasl_cert.c.

tree_cell *
nasl_cert_open (lex_ctxt *lexic)
{
  /* NASL: cert_open (data).
   *
   * Parses DATA as a DER/BER certificate with libksba, registers the
   * result in the global object list and returns a CONST_INT cell with
   * the new object id.  Every failure is logged and yields NULL.  The
   * PEM fallback mentioned in the documentation is still a FIXME here.
   *
   * lexic: lexical context of the NASL interpreter (first unnamed
   *        argument is the certificate blob). */
  gpg_error_t err;
  ksba_reader_t reader = NULL;
  ksba_cert_t cert = NULL;
  object_desc_t desc = NULL;
  tree_cell *retc = NULL;
  const char *blob;
  int bloblen;

  blob = get_str_var_by_num (lexic, 0);
  if (!blob || !(bloblen = get_var_size_by_num (lexic, 0)))
    {
      log_legacy_write ("No certificate passed to cert_open");
      return NULL;
    }

  err = ksba_reader_new (&reader);
  if (err)
    {
      log_legacy_write ("Opening reader object failed: %s",
                        gpg_strerror (err));
      return NULL;
    }

  /* From here on a single exit path releases whatever is still owned
   * locally. */
  err = ksba_reader_set_mem (reader, blob, bloblen);
  if (err)
    {
      log_legacy_write ("ksba_reader_set_mem failed: %s", gpg_strerror (err));
      goto leave;
    }

  err = ksba_cert_new (&cert);
  if (err)
    {
      log_legacy_write ("ksba_cert_new failed: %s", gpg_strerror (err));
      goto leave;
    }

  err = ksba_cert_read_der (cert, reader);
  if (err)
    {
      log_legacy_write ("Certificate parsing failed: %s", gpg_strerror (err));
      /* FIXME: Try again this time assuming a PEM certificate. */
      goto leave;
    }

  desc = g_try_malloc (sizeof *desc);
  if (!desc)
    {
      log_legacy_write ("malloc failed in %s", __FUNCTION__);
      goto leave;
    }
  desc->object_id = next_object_id ();
  desc->cert = cert;
  cert = NULL; /* Ownership of the certificate moved into the descriptor. */
  desc->next = object_list;
  object_list = desc;

  /* Hand the object id back to the script. */
  retc = alloc_typed_cell (CONST_INT);
  retc->x.i_val = desc->object_id;

leave:
  ksba_reader_release (reader);
  if (cert)
    ksba_cert_release (cert);
  return retc;
}

References err, get_str_var_by_num(), get_var_size_by_num(), log_legacy_write(), and object_desc_s::object_id.


◆ nasl_cert_query()

tree_cell *nasl_cert_query (lex_ctxt *lexic)

Query a certificate object.

NASL Function: cert_query

Takes a cert identifier as first unnamed argument and a command string as second argument. That command is used to select specific information from the certificate. For certain commands the named argument idx is used as well. Depending on this command the return value may be a number, a string, or an array of strings. Supported commands are:

  • serial The serial number of the certificate as a hex string.
  • issuer Returns the issuer. The returned value is a string in rfc-2253 format.
  • subject Returns the subject. The returned value is a string in rfc-2253 format. To query the subjectAltName the named parameter idx with values starting at 1 can be used. In this case the format is either an rfc2253 string as used above, an rfc2822 mailbox name indicated by the first character being a left angle bracket, or an S-expression in advanced format for all other types of subjectAltName, indicated by an opening parenthesis.
  • not-before The notBefore time as UTC value in ISO time format (e.g. "20120930T143521").
  • not-after The notAfter time as UTC value in ISO time format (e.g. "20280929T143520").
  • all Return all available information in a human readable format. Not yet implemented.
  • hostnames Return an array with all hostnames listed in the certificate, i.e. the CN part of the subject and all dns-name type subjectAltNames.
  • fpr-sha-256 The SHA-256 fingerprint of the certificate. The fingerprint is, as usual, computed over the entire DER-encoded certificate.
  • fpr-sha-1 The SHA-1 fingerprint of the certificate. The fingerprint is, as usual, computed over the entire DER-encoded certificate. SHA-1 is collision-broken; use it only to match legacy fingerprints and prefer fpr-sha-256 for identification.
  • image Return the entire certificate as binary data.
  • algorithm-name The digest algorithm of the certificate's signature, as a name where the OID is known, otherwise the OID string itself.
  • modulus The raw RSA modulus of the public key as binary data; NULL if GnuTLS cannot read the key as RSA.
  • exponent The raw RSA public exponent as binary data; NULL under the same condition.
  • key-size The size of the public key in bits as an integer; 0 if GnuTLS cannot determine it.
NASL Unnamed Parameters:
  • Object id of the certificate.
  • A string with the command to select what to return; see above.
NASL Named Parameters:
  • idx Used by certain commands (issuer, subject) to select the n-th value of a set of values. If not given 0 is assumed.
NASL Returns: A NASL type depending on the used command. NULL is
returned on error and for an unknown command (the latter is also logged).
Parameters
[in] lexic  Lexical context of the NASL interpreter.
Returns
A tree-cell whose type depends on the command (CONST_INT, CONST_STR, CONST_DATA or an array); NULL on error or for an unknown command.

Definition at line 765 of file nasl_cert.c.

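/* Import the DER image of KCERT into a new GnuTLS certificate object.
 *
 * Returns 0 and stores the caller-owned object in *R_CERT (release it
 * with gnutls_x509_crt_deinit); returns -1 with *R_CERT == NULL when the
 * image is unavailable, too large for gnutls_datum_t, or does not import.
 *
 * ksba_cert_get_image() hands out a pointer into the ksba object (the
 * "image" command below copies it and never frees it), so nothing is
 * freed here either.  The length is read into a real size_t and then
 * range-checked into datum.size, which is only an unsigned int; writing
 * a size_t through a cast &datum.size would spill past the field. */
static int
import_gnutls_cert (ksba_cert_t kcert, gnutls_x509_crt_t *r_cert)
{
  const unsigned char *der;
  size_t derlen = 0;
  gnutls_datum_t datum;

  *r_cert = NULL;
  der = ksba_cert_get_image (kcert, &derlen);
  if (!der || !derlen || derlen != (size_t) (unsigned int) derlen)
    return -1;

  datum.data = (unsigned char *) der;
  datum.size = (unsigned int) derlen;

  if (gnutls_x509_crt_init (r_cert) != GNUTLS_E_SUCCESS)
    {
      *r_cert = NULL;
      return -1;
    }
  if (gnutls_x509_crt_import (*r_cert, &datum, GNUTLS_X509_FMT_DER)
      != GNUTLS_E_SUCCESS)
    {
      gnutls_x509_crt_deinit (*r_cert);
      *r_cert = NULL;
      return -1;
    }
  return 0;
}

/* Build a CONST_DATA cell with the raw RSA modulus (WANT_MODULUS != 0) or
 * public exponent of KCERT's key.  NULL if the certificate cannot be
 * imported or GnuTLS cannot read the key as RSA.  The GnuTLS object and
 * both parameter buffers are released on every path. */
static tree_cell *
rsa_param_cell (ksba_cert_t kcert, int want_modulus)
{
  gnutls_x509_crt_t cert;
  gnutls_datum_t m, e;
  const gnutls_datum_t *param;
  tree_cell *retc;

  if (import_gnutls_cert (kcert, &cert))
    return NULL;
  if (gnutls_x509_crt_get_pk_rsa_raw (cert, &m, &e) != GNUTLS_E_SUCCESS)
    {
      gnutls_x509_crt_deinit (cert);
      return NULL;
    }

  param = want_modulus ? &m : &e;
  retc = alloc_typed_cell (CONST_DATA);
  retc->size = param->size;
  retc->x.str_val = g_memdup (param->data, param->size);

  gnutls_free (m.data);
  gnutls_free (e.data);
  gnutls_x509_crt_deinit (cert);
  return retc;
}

/* Build a CONST_INT cell with the public key size in bits; 0 when GnuTLS
 * cannot determine it, NULL when the certificate cannot be imported. */
static tree_cell *
key_size_cell (ksba_cert_t kcert)
{
  gnutls_x509_crt_t cert;
  unsigned int bits = 0;
  tree_cell *retc;

  if (import_gnutls_cert (kcert, &cert))
    return NULL;
  /* A failing call leaves BITS at 0, which is what the script then sees. */
  gnutls_x509_crt_get_pk_algorithm (cert, &bits);
  gnutls_x509_crt_deinit (cert);

  retc = alloc_typed_cell (CONST_INT);
  retc->x.i_val = bits;
  return retc;
}

/* Build a CONST_STR cell with the notBefore (WHAT == 0) or notAfter
 * (WHAT == 1) time of KCERT in ISO format; NULL if libksba reports an
 * error.  LABEL only names the field in the log line.  The buffer is
 * cleared first so a failed call can never be read as an uninitialised
 * string. */
static tree_cell *
validity_cell (ksba_cert_t kcert, int what, const char *label)
{
  ksba_isotime_t isotime;
  gpg_error_t err;
  tree_cell *retc;

  isotime[0] = 0;
  err = ksba_cert_get_validity (kcert, what, isotime);
  if (err)
    {
      log_legacy_write ("Reading %s failed: %s", label, gpg_strerror (err));
      return NULL;
    }
  retc = alloc_typed_cell (CONST_STR);
  retc->x.str_val = g_strdup (isotime);
  retc->size = strlen (isotime);
  return retc;
}

/* NASL: cert_query (id, command, idx: n).
 *
 * Looks up the certificate registered under ID and returns the piece of
 * information selected by COMMAND; see the header documentation for the
 * command list.  The named parameter idx (default 0) is forwarded to
 * libksba for the issuer and subject commands.  NULL is returned on any
 * error and for an unknown command; the latter is logged.
 *
 * lexic: lexical context of the NASL interpreter. */
tree_cell *
nasl_cert_query (lex_ctxt *lexic)
{
  int object_id;
  object_desc_t obj;
  const char *command;
  int cmdidx;
  char *result;
  ksba_sexp_t sexp;
  tree_cell *retc = NULL;

  object_id = get_int_var_by_num (lexic, 0, -1);
  if (object_id <= 0)
    {
      log_legacy_write ("Bad object id %d passed to cert_query", object_id);
      return NULL;
    }

  for (obj = object_list; obj; obj = obj->next)
    if (obj->object_id == object_id)
      break;
  if (!obj)
    {
      log_legacy_write ("Unused object id %d passed to cert_query", object_id);
      return NULL;
    }

  /* Check that the command is a string. */
  command = get_str_var_by_num (lexic, 1);
  if (!command || get_var_type_by_num (lexic, 1) != VAR2_STRING)
    {
      log_legacy_write ("No proper command passed to cert_query");
      return NULL;
    }

  /* Get the index which defaults to 0.  A negative value is passed
   * through to libksba unchanged -- TODO confirm libksba rejects it. */
  cmdidx = get_int_local_var_by_name (lexic, "idx", 0);

  /* Command dispatcher. */
  if (!strcmp (command, "serial"))
    {
      /* libksba returns the serial as a canonical S-expression
       * "(N:bytes)"; N is the byte count handed to make_hexstring. */
      const unsigned char *s;
      char *endp;
      unsigned long n;

      sexp = ksba_cert_get_serial (obj->cert);
      s = sexp;
      if (!s || *s != '(')
        {
          if (sexp)
            ksba_free (sexp);
          return NULL; /* Ooops. */
        }
      s++;
      n = strtoul ((const char *) s, &endp, 10);
      s = (const unsigned char *) endp;
      if (*s == ':')
        {
          s++;
          retc = make_hexstring (s, n);
        }
      ksba_free (sexp);
    }
  else if (!strcmp (command, "issuer"))
    {
      result = ksba_cert_get_issuer (obj->cert, cmdidx);
      if (!result)
        return NULL;

      retc = get_name (result);
      ksba_free (result);
    }
  else if (!strcmp (command, "subject"))
    {
      result = ksba_cert_get_subject (obj->cert, cmdidx);
      if (!result)
        return NULL;

      retc = get_name (result);
      ksba_free (result);
    }
  else if (!strcmp (command, "not-before"))
    {
      retc = validity_cell (obj->cert, 0, "notBefore");
    }
  else if (!strcmp (command, "not-after"))
    {
      retc = validity_cell (obj->cert, 1, "notAfter");
    }
  else if (!strcmp (command, "fpr-sha-256"))
    {
      retc = get_fingerprint (obj->cert, GCRY_MD_SHA256);
    }
  else if (!strcmp (command, "fpr-sha-1"))
    {
      retc = get_fingerprint (obj->cert, GCRY_MD_SHA1);
    }
  else if (!strcmp (command, "all"))
    {
      /* FIXME: not implemented; the script receives NULL. */
    }
  else if (!strcmp (command, "hostnames"))
    {
      retc = build_hostname_list (obj->cert);
    }
  else if (!strcmp (command, "image"))
    {
      /* The image belongs to the ksba object: copy it, never free it. */
      const unsigned char *der;
      size_t derlen;

      der = ksba_cert_get_image (obj->cert, &derlen);
      if (der && derlen)
        {
          retc = alloc_typed_cell (CONST_DATA);
          retc->size = derlen;
          retc->x.str_val = g_malloc0 (derlen);
          memcpy (retc->x.str_val, der, derlen);
        }
    }
  else if (!strcmp (command, "algorithm-name"))
    {
      /* Digest algorithm OID of the signature, mapped to a name if known. */
      const char *digest = ksba_cert_get_digest_algo (obj->cert);
      if (digest)
        {
          const char *name = get_oid_name (digest);
          if (!name)
            name = digest;
          retc = alloc_typed_cell (CONST_STR);
          retc->x.str_val = g_strdup (name);
          retc->size = strlen (name);
        }
    }
  else if (!strcmp (command, "modulus"))
    {
      retc = rsa_param_cell (obj->cert, 1);
    }
  else if (!strcmp (command, "exponent"))
    {
      retc = rsa_param_cell (obj->cert, 0);
    }
  else if (!strcmp (command, "key-size"))
    {
      retc = key_size_cell (obj->cert);
    }
  else
    {
      log_legacy_write ("Unknown command '%s' passed to cert_query", command);
    }

  return retc;
}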

References get_int_var_by_num(), and log_legacy_write().
