diff options
Diffstat (limited to 'sm/certdump.c')
-rw-r--r-- | sm/certdump.c | 940 |
1 files changed, 940 insertions, 0 deletions
diff --git a/sm/certdump.c b/sm/certdump.c new file mode 100644 index 0000000..57e8112 --- /dev/null +++ b/sm/certdump.c @@ -0,0 +1,940 @@ +/* certdump.c - Dump a certificate for debugging + * Copyright (C) 2001-2010, 2014-2015 g10 Code GmbH + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <https://www.gnu.org/licenses/>. + */ + +#include <config.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <unistd.h> +#include <time.h> +#include <assert.h> +#ifdef HAVE_LOCALE_H +#include <locale.h> +#endif +#ifdef HAVE_LANGINFO_CODESET +#include <langinfo.h> +#endif + +#include "gpgsm.h" +#include <gcrypt.h> +#include <ksba.h> + +#include "keydb.h" +#include "../common/i18n.h" +#include "../common/membuf.h" + +struct dn_array_s { + char *key; + char *value; + int multivalued; + int done; +}; + + +/* Print the first element of an S-Expression. */ +void +gpgsm_print_serial (estream_t fp, ksba_const_sexp_t sn) +{ + const char *p = (const char *)sn; + unsigned long n; + char *endp; + + if (!p) + es_fputs (_("none"), fp); + else if (*p != '(') + es_fputs ("[Internal error - not an S-expression]", fp); + else + { + p++; + n = strtoul (p, &endp, 10); + p = endp; + if (*p++ != ':') + es_fputs ("[Internal Error - invalid S-expression]", fp); + else + es_write_hexstring (fp, p, n, 0, NULL); + } +} + + +/* Print the first element of an S-Expression in decimal notation + * assuming it is a non-negative integer. */ +void +gpgsm_print_serial_decimal (estream_t fp, ksba_const_sexp_t sn) +{ + const char *p = (const char *)sn; + unsigned long n, i; + char *endp; + gcry_mpi_t a, r, ten; +#if GCRYPT_VERSION_NUMBER >= 0x010900 /* >= 1.9.0 */ + unsigned int dd; +#else + unsigned char numbuf[10]; +#endif + + if (!p) + es_fputs (_("none"), fp); + else if (*p != '(') + es_fputs ("[Internal error - not an S-expression]", fp); + else + { + p++; + n = strtoul (p, &endp, 10); + p = endp; + if (*p++ != ':') + es_fputs ("[Internal Error - invalid S-expression]", fp); + else if (gcry_mpi_scan (&a, GCRYMPI_FMT_USG, p, n, NULL)) + es_fputs ("[Internal Error - can't convert to decimal]", fp); + else + { + membuf_t mb = MEMBUF_ZERO; + char *buf; + int c; + + ten = gcry_mpi_set_ui (NULL, 10); + r = gcry_mpi_new (0); + + do + { + gcry_mpi_div (a, r, a, ten, 0); +#if GCRYPT_VERSION_NUMBER >= 0x010900 /* >= 1.9.0 */ + gcry_mpi_get_ui (&dd, r); + put_membuf_printf (&mb, "%u", dd); +#else + *numbuf = 0; /* Need to clear because USB format prints + * an empty string for a value of 0. */ + gcry_mpi_print (GCRYMPI_FMT_USG, numbuf, 10, NULL, r); + put_membuf_printf (&mb, "%u", (unsigned int)*numbuf); +#endif + } + while (gcry_mpi_cmp_ui (a, 0)); + + /* Make sure we have at least an empty string, get it, + * reverse it, and print it. */ + put_membuf (&mb, "", 1); + buf = get_membuf (&mb, NULL); + if (!buf) + es_fputs ("[Internal Error - out of core]", fp); + else + { + n = strlen (buf); + for (i=0; i < n/2; i++) + { + c = buf[i]; + buf[i] = buf[n-1-i]; + buf[n-1-i] = c; + } + es_fputs (buf, fp); + xfree (buf); + } + + gcry_mpi_release (r); + gcry_mpi_release (ten); + gcry_mpi_release (a); + } + } +} + + +/* Dump the serial number or any other simple S-expression. */ +void +gpgsm_dump_serial (ksba_const_sexp_t sn) +{ + const char *p = (const char *)sn; + unsigned long n; + char *endp; + + if (!p) + log_printf ("none"); + else if (*p != '(') + log_printf ("ERROR - not an S-expression"); + else + { + p++; + n = strtoul (p, &endp, 10); + p = endp; + if (*p!=':') + log_printf ("ERROR - invalid S-expression"); + else + { + for (p++; n; n--, p++) + log_printf ("%02X", *(const unsigned char *)p); + } + } +} + + +char * +gpgsm_format_serial (ksba_const_sexp_t sn) +{ + const char *p = (const char *)sn; + unsigned long n; + char *endp; + char *buffer; + int i; + + if (!p) + return NULL; + + if (*p != '(') + BUG (); /* Not a valid S-expression. */ + + p++; + n = strtoul (p, &endp, 10); + p = endp; + if (*p!=':') + BUG (); /* Not a valid S-expression. */ + p++; + + buffer = xtrymalloc (n*2+1); + if (buffer) + { + for (i=0; n; n--, p++, i+=2) + sprintf (buffer+i, "%02X", *(unsigned char *)p); + buffer[i] = 0; + } + return buffer; +} + + + + +void +gpgsm_print_time (estream_t fp, ksba_isotime_t t) +{ + if (!t || !*t) + es_fputs (_("none"), fp); + else + es_fprintf (fp, "%.4s-%.2s-%.2s %.2s:%.2s:%s", + t, t+4, t+6, t+9, t+11, t+13); +} + + +void +gpgsm_dump_string (const char *string) +{ + + if (!string) + log_printf ("[error]"); + else + { + const unsigned char *s; + + for (s=(const unsigned char*)string; *s; s++) + { + if (*s < ' ' || (*s >= 0x7f && *s <= 0xa0)) + break; + } + if (!*s && *string != '[') + log_printf ("%s", string); + else + { + log_printf ( "[ "); + log_printhex (string, strlen (string), NULL); + log_printf ( " ]"); + } + } +} + + +/* This simple dump function is mainly used for debugging purposes. */ +void +gpgsm_dump_cert (const char *text, ksba_cert_t cert) +{ + ksba_sexp_t sexp; + char *p; + char *dn; + ksba_isotime_t t; + + log_debug ("BEGIN Certificate '%s':\n", text? text:""); + if (cert) + { + sexp = ksba_cert_get_serial (cert); + log_debug (" serial: "); + gpgsm_dump_serial (sexp); + ksba_free (sexp); + log_printf ("\n"); + + ksba_cert_get_validity (cert, 0, t); + log_debug (" notBefore: "); + dump_isotime (t); + log_printf ("\n"); + ksba_cert_get_validity (cert, 1, t); + log_debug (" notAfter: "); + dump_isotime (t); + log_printf ("\n"); + + dn = ksba_cert_get_issuer (cert, 0); + log_debug (" issuer: "); + gpgsm_dump_string (dn); + ksba_free (dn); + log_printf ("\n"); + + dn = ksba_cert_get_subject (cert, 0); + log_debug (" subject: "); + gpgsm_dump_string (dn); + ksba_free (dn); + log_printf ("\n"); + + log_debug (" hash algo: %s\n", ksba_cert_get_digest_algo (cert)); + + p = gpgsm_get_fingerprint_string (cert, 0); + log_debug (" SHA1 Fingerprint: %s\n", p); + xfree (p); + } + log_debug ("END Certificate\n"); +} + + +/* Return a new string holding the format serial number and issuer + ("#SN/issuer"). No filtering on invalid characters is done. + Caller must release the string. On memory failure NULL is + returned. */ +char * +gpgsm_format_sn_issuer (ksba_sexp_t sn, const char *issuer) +{ + char *p, *p1; + + if (sn && issuer) + { + p1 = gpgsm_format_serial (sn); + if (!p1) + p = xtrystrdup ("[invalid SN]"); + else + { + p = xtrymalloc (strlen (p1) + strlen (issuer) + 2 + 1); + if (p) + { + *p = '#'; + strcpy (stpcpy (stpcpy (p+1, p1),"/"), issuer); + } + xfree (p1); + } + } + else + p = xtrystrdup ("[invalid SN/issuer]"); + return p; +} + + +/* Log the certificate's name in "#SN/ISSUERDN" format along with + TEXT. */ +void +gpgsm_cert_log_name (const char *text, ksba_cert_t cert) +{ + log_info ("%s", text? text:"certificate" ); + if (cert) + { + ksba_sexp_t sn; + char *p; + + p = ksba_cert_get_issuer (cert, 0); + sn = ksba_cert_get_serial (cert); + if (p && sn) + { + log_printf (" #"); + gpgsm_dump_serial (sn); + log_printf ("/"); + gpgsm_dump_string (p); + } + else + log_printf (" [invalid]"); + ksba_free (sn); + xfree (p); + } + log_printf ("\n"); +} + + + + + + +/* helper for the rfc2253 string parser */ +static const unsigned char * +parse_dn_part (struct dn_array_s *array, const unsigned char *string) +{ + static struct { + const char *label; + const char *oid; + } label_map[] = { + /* Warning: When adding new labels, make sure that the buffer + below we be allocated large enough. */ + {"EMail", "1.2.840.113549.1.9.1" }, + {"T", "2.5.4.12" }, + {"GN", "2.5.4.42" }, + {"SN", "2.5.4.4" }, + {"NameDistinguisher", "0.2.262.1.10.7.20"}, + {"ADDR", "2.5.4.16" }, + {"BC", "2.5.4.15" }, + {"D", "2.5.4.13" }, + {"PostalCode", "2.5.4.17" }, + {"Pseudo", "2.5.4.65" }, + {"SerialNumber", "2.5.4.5" }, + {NULL, NULL} + }; + const unsigned char *s, *s1; + size_t n; + char *p; + int i; + + /* Parse attributeType */ + for (s = string+1; *s && *s != '='; s++) + ; + if (!*s) + return NULL; /* error */ + n = s - string; + if (!n) + return NULL; /* empty key */ + + /* We need to allocate a few bytes more due to the possible mapping + from the shorter OID to the longer label. */ + array->key = p = xtrymalloc (n+10); + if (!array->key) + return NULL; + memcpy (p, string, n); + p[n] = 0; + trim_trailing_spaces (p); + + if (digitp (p)) + { + for (i=0; label_map[i].label; i++ ) + if ( !strcmp (p, label_map[i].oid) ) + { + strcpy (p, label_map[i].label); + break; + } + } + string = s + 1; + + if (*string == '#') + { /* hexstring */ + string++; + for (s=string; hexdigitp (s); s++) + ; + n = s - string; + if (!n || (n & 1)) + return NULL; /* Empty or odd number of digits. */ + n /= 2; + array->value = p = xtrymalloc (n+1); + if (!p) + return NULL; + for (s1=string; n; s1 += 2, n--, p++) + { + *(unsigned char *)p = xtoi_2 (s1); + if (!*p) + *p = 0x01; /* Better print a wrong value than truncating + the string. */ + } + *p = 0; + } + else + { /* regular v3 quoted string */ + for (n=0, s=string; *s; s++) + { + if (*s == '\\') + { /* pair */ + s++; + if (*s == ',' || *s == '=' || *s == '+' + || *s == '<' || *s == '>' || *s == '#' || *s == ';' + || *s == '\\' || *s == '\"' || *s == ' ') + n++; + else if (hexdigitp (s) && hexdigitp (s+1)) + { + s++; + n++; + } + else + return NULL; /* invalid escape sequence */ + } + else if (*s == '\"') + return NULL; /* invalid encoding */ + else if (*s == ',' || *s == '=' || *s == '+' + || *s == '<' || *s == '>' || *s == ';' ) + break; + else + n++; + } + + array->value = p = xtrymalloc (n+1); + if (!p) + return NULL; + for (s=string; n; s++, n--) + { + if (*s == '\\') + { + s++; + if (hexdigitp (s)) + { + *(unsigned char *)p++ = xtoi_2 (s); + s++; + } + else + *p++ = *s; + } + else + *p++ = *s; + } + *p = 0; + } + return s; +} + + +/* Parse a DN and return an array-ized one. This is not a validating + parser and it does not support any old-stylish syntax; KSBA is + expected to return only rfc2253 compatible strings. */ +static struct dn_array_s * +parse_dn (const unsigned char *string) +{ + struct dn_array_s *array; + size_t arrayidx, arraysize; + int i; + + arraysize = 7; /* C,ST,L,O,OU,CN,email */ + arrayidx = 0; + array = xtrymalloc ((arraysize+1) * sizeof *array); + if (!array) + return NULL; + while (*string) + { + while (*string == ' ') + string++; + if (!*string) + break; /* ready */ + if (arrayidx >= arraysize) + { + struct dn_array_s *a2; + + arraysize += 5; + a2 = xtryrealloc (array, (arraysize+1) * sizeof *array); + if (!a2) + goto failure; + array = a2; + } + array[arrayidx].key = NULL; + array[arrayidx].value = NULL; + string = parse_dn_part (array+arrayidx, string); + if (!string) + goto failure; + while (*string == ' ') + string++; + array[arrayidx].multivalued = (*string == '+'); + array[arrayidx].done = 0; + arrayidx++; + if (*string && *string != ',' && *string != ';' && *string != '+') + goto failure; /* invalid delimiter */ + if (*string) + string++; + } + array[arrayidx].key = NULL; + array[arrayidx].value = NULL; + return array; + + failure: + for (i=0; i < arrayidx; i++) + { + xfree (array[i].key); + xfree (array[i].value); + } + xfree (array); + return NULL; +} + + +/* Print a DN part to STREAM. */ +static void +print_dn_part (estream_t stream, + struct dn_array_s *dn, const char *key, int translate) +{ + struct dn_array_s *first_dn = dn; + + for (; dn->key; dn++) + { + if (!dn->done && !strcmp (dn->key, key)) + { + /* Forward to the last multi-valued RDN, so that we can + print them all in reverse in the correct order. Note + that this overrides the standard sequence but that + seems to a reasonable thing to do with multi-valued + RDNs. */ + while (dn->multivalued && dn[1].key) + dn++; + next: + if (!dn->done && dn->value && *dn->value) + { + es_fprintf (stream, "/%s=", dn->key); + if (translate) + print_utf8_buffer3 (stream, dn->value, strlen (dn->value), + "/"); + else + es_write_sanitized (stream, dn->value, strlen (dn->value), + "/", NULL); + } + dn->done = 1; + if (dn > first_dn && dn[-1].multivalued) + { + dn--; + goto next; + } + } + } +} + +/* Print all parts of a DN in a "standard" sequence. We first print + all the known parts, followed by the uncommon ones */ +static void +print_dn_parts (estream_t stream, + struct dn_array_s *dn, int translate) +{ + const char *stdpart[] = { + "CN", "OU", "O", "STREET", "L", "ST", "C", "EMail", NULL + }; + int i; + + for (i=0; stdpart[i]; i++) + print_dn_part (stream, dn, stdpart[i], translate); + + /* Now print the rest without any specific ordering */ + for (; dn->key; dn++) + print_dn_part (stream, dn, dn->key, translate); +} + + +/* Print the S-Expression in BUF to extended STREAM, which has a valid + length of BUFLEN, as a human readable string in one line to FP. */ +static void +pretty_es_print_sexp (estream_t fp, const unsigned char *buf, size_t buflen) +{ + size_t len; + gcry_sexp_t sexp; + char *result, *p; + + if ( gcry_sexp_sscan (&sexp, NULL, (const char*)buf, buflen) ) + { + es_fputs (_("[Error - invalid encoding]"), fp); + return; + } + len = gcry_sexp_sprint (sexp, GCRYSEXP_FMT_ADVANCED, NULL, 0); + assert (len); + result = xtrymalloc (len); + if (!result) + { + es_fputs (_("[Error - out of core]"), fp); + gcry_sexp_release (sexp); + return; + } + len = gcry_sexp_sprint (sexp, GCRYSEXP_FMT_ADVANCED, result, len); + assert (len); + for (p = result; len; len--, p++) + { + if (*p == '\n') + { + if (len > 1) /* Avoid printing the trailing LF. */ + es_fputs ("\\n", fp); + } + else if (*p == '\r') + es_fputs ("\\r", fp); + else if (*p == '\v') + es_fputs ("\\v", fp); + else if (*p == '\t') + es_fputs ("\\t", fp); + else + es_putc (*p, fp); + } + xfree (result); + gcry_sexp_release (sexp); +} + + +/* This is a variant of gpgsm_print_name sending it output to an estream. */ +void +gpgsm_es_print_name2 (estream_t fp, const char *name, int translate) +{ + const unsigned char *s = (const unsigned char *)name; + int i; + + if (!s) + { + es_fputs (_("[Error - No name]"), fp); + } + else if (*s == '<') + { + const char *s2 = strchr ( (char*)s+1, '>'); + + if (s2) + { + if (translate) + print_utf8_buffer (fp, s + 1, s2 - (char*)s - 1); + else + es_write_sanitized (fp, s + 1, s2 - (char*)s - 1, NULL, NULL); + } + } + else if (*s == '(') + { + pretty_es_print_sexp (fp, s, gcry_sexp_canon_len (s, 0, NULL, NULL)); + } + else if (!((*s >= '0' && *s < '9') + || (*s >= 'A' && *s <= 'Z') + || (*s >= 'a' && *s <= 'z'))) + es_fputs (_("[Error - invalid encoding]"), fp); + else + { + struct dn_array_s *dn = parse_dn (s); + + if (!dn) + es_fputs (_("[Error - invalid DN]"), fp); + else + { + print_dn_parts (fp, dn, translate); + for (i=0; dn[i].key; i++) + { + xfree (dn[i].key); + xfree (dn[i].value); + } + xfree (dn); + } + } +} + + +void +gpgsm_es_print_name (estream_t fp, const char *name) +{ + gpgsm_es_print_name2 (fp, name, 1); +} + + +/* A cookie structure used for the memory stream. */ +struct format_name_cookie +{ + char *buffer; /* Malloced buffer with the data to deliver. */ + size_t size; /* Allocated size of this buffer. */ + size_t len; /* strlen (buffer). */ + int error; /* system error code if any. */ +}; + +/* The writer function for the memory stream. */ +static gpgrt_ssize_t +format_name_writer (void *cookie, const void *buffer, size_t size) +{ + struct format_name_cookie *c = cookie; + char *p; + + if (!buffer) /* Flush. */ + return 0; /* (Actually we could use SIZE because that should be 0 too.) */ + + if (!c->buffer) + { + p = xtrymalloc (size + 1 + 1); + if (p) + { + c->size = size + 1; + c->buffer = p; + c->len = 0; + } + } + else if (c->len + size < c->len) + { + p = NULL; + gpg_err_set_errno (ENOMEM); + } + else if (c->size < c->len + size) + { + p = xtryrealloc (c->buffer, c->len + size + 1); + if (p) + { + c->size = c->len + size; + c->buffer = p; + } + } + else + p = c->buffer; + if (!p) + { + c->error = errno; + xfree (c->buffer); + c->buffer = NULL; + gpg_err_set_errno (c->error); + return -1; + } + memcpy (p + c->len, buffer, size); + c->len += size; + p[c->len] = 0; /* Terminate string. */ + + return (gpgrt_ssize_t)size; +} + + +/* Format NAME which is expected to be in rfc2253 format into a better + human readable format. Caller must free the returned string. NULL + is returned in case of an error. With TRANSLATE set to true the + name will be translated to the native encoding. Note that NAME is + internally always UTF-8 encoded. */ +char * +gpgsm_format_name2 (const char *name, int translate) +{ + estream_t fp; + struct format_name_cookie cookie; + es_cookie_io_functions_t io = { NULL }; + + memset (&cookie, 0, sizeof cookie); + + io.func_write = format_name_writer; + fp = es_fopencookie (&cookie, "w", io); + if (!fp) + { + int save_errno = errno; + log_error ("error creating memory stream: %s\n", strerror (save_errno)); + gpg_err_set_errno (save_errno); + return NULL; + } + gpgsm_es_print_name2 (fp, name, translate); + es_fclose (fp); + if (cookie.error || !cookie.buffer) + { + xfree (cookie.buffer); + gpg_err_set_errno (cookie.error); + return NULL; + } + return cookie.buffer; +} + + +char * +gpgsm_format_name (const char *name) +{ + return gpgsm_format_name2 (name, 1); +} + + +/* Return fingerprint and a percent escaped name in a human readable + format suitable for status messages like GOODSIG. May return NULL + on error (out of core). */ +char * +gpgsm_fpr_and_name_for_status (ksba_cert_t cert) +{ + char *fpr, *name, *p; + char *buffer; + + fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); + if (!fpr) + return NULL; + + name = ksba_cert_get_subject (cert, 0); + if (!name) + { + xfree (fpr); + return NULL; + } + + p = gpgsm_format_name2 (name, 0); + ksba_free (name); + name = p; + if (!name) + { + xfree (fpr); + return NULL; + } + + buffer = xtrymalloc (strlen (fpr) + 1 + 3*strlen (name) + 1); + if (buffer) + { + const char *s; + + p = stpcpy (stpcpy (buffer, fpr), " "); + for (s = name; *s; s++) + { + if (*s < ' ') + { + sprintf (p, "%%%02X", *(const unsigned char*)s); + p += 3; + } + else + *p++ = *s; + } + *p = 0; + } + xfree (fpr); + xfree (name); + return buffer; +} + + +/* Create a key description for the CERT, this may be passed to the + pinentry. The caller must free the returned string. NULL may be + returned on error. */ +char * +gpgsm_format_keydesc (ksba_cert_t cert) +{ + char *name, *subject, *buffer; + ksba_isotime_t t; + char created[20]; + char expires[20]; + char *sn; + ksba_sexp_t sexp; + char *orig_codeset; + + name = ksba_cert_get_subject (cert, 0); + subject = name? gpgsm_format_name2 (name, 0) : NULL; + ksba_free (name); name = NULL; + + sexp = ksba_cert_get_serial (cert); + sn = sexp? gpgsm_format_serial (sexp) : NULL; + ksba_free (sexp); + + ksba_cert_get_validity (cert, 0, t); + if (*t) + sprintf (created, "%.4s-%.2s-%.2s", t, t+4, t+6); + else + *created = 0; + ksba_cert_get_validity (cert, 1, t); + if (*t) + sprintf (expires, "%.4s-%.2s-%.2s", t, t+4, t+6); + else + *expires = 0; + + orig_codeset = i18n_switchto_utf8 (); + + name = xtryasprintf (_("Please enter the passphrase to unlock the" + " secret key for the X.509 certificate:\n" + "\"%s\"\n" + "S/N %s, ID 0x%08lX,\n" + "created %s, expires %s.\n" ), + subject? subject:"?", + sn? sn: "?", + gpgsm_get_short_fingerprint (cert, NULL), + created, expires); + + i18n_switchback (orig_codeset); + + if (!name) + { + xfree (subject); + xfree (sn); + return NULL; + } + + xfree (subject); + xfree (sn); + + buffer = percent_plus_escape (name); + xfree (name); + return buffer; +} |