123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 |
- /**
- * \file metadata.c
- * \brief Certificate Metadata Probe.
- *
- */
- #include <string.h>
- #include <openssl/pem.h>
- #include <openssl/rsa.h>
- #include <openssl/x509.h>
- #include "qa/questions/questions.h"
- #include "qa/questions/qstrings.h"
- /* taken from openssl's s_client app source */
- #define BUFSIZE 1024*8
- /* for some reasons this is commented into openssl's source code x509.h */
- #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber)
- #define ISSUER "issuer"
- #define SUBJECT "subject"
- #define SERIAL "serial"
- #define BITLEN "bitlen"
- #define PKEY "public key"
- #define NBITLEN "N bits"
- #define EBITLEN "e bits"
- #define MODULUS "modulus"
- #define E "pub exp"
- #define NOTBEF "not before"
- #define NOTAFT "not after"
- static BIO* out;
- static int
- metadata_question_setup(void)
- {
- out = BIO_new_fp(stdout, BIO_NOCLOSE);
- return (out != NULL);
- }
- static int
- metadata_question_teardown(void)
- {
- return BIO_free(out);
- }
- static int
- metadata_question_ask_crt(X509* crt)
- {
- EVP_PKEY* pkey = NULL;
- BIGNUM *serial = NULL;
- char *sserial = NULL;
- char sbuf[BUFSIZE];
- char ibuf[BUFSIZE];
- char not_after[64], not_before[64];
- /* subject informations: country, organization, common name */
- X509_NAME_oneline(X509_get_subject_name(crt), sbuf, sizeof(sbuf));
- /* issuer informations: country, organization, common name */
- X509_NAME_oneline(X509_get_issuer_name(crt), ibuf, sizeof(ibuf));
- /* serial number */
- serial = ASN1_INTEGER_to_BN(X509_get_serialNumber(crt), NULL);
- sserial = BN_bn2hex(serial);
- /* time fields */
- ASN1_TIME_str(not_before, X509_get_notBefore(crt));
- ASN1_TIME_str(not_after, X509_get_notAfter(crt));
- /* public key */
- pkey = X509_get_pubkey(crt);
- /* BIO_printf(out, "%-10s\n", PKEY); */
- /* PEM_write_bio_RSAPublicKey(out, pkey->pkey.rsa); */
- /* BIO_printf(out, "\r\n\r\n"); */
- /* public key bitlength */
- BIO_printf(out,
- "%-10s:%s\n"
- "%-10s:%s\n"
- "%-10s:%s\n"
- "%-10s:%s\n"
- "%-10s:%s\n"
- "%-10s:%d\n",
- SUBJECT, sbuf,
- ISSUER, ibuf,
- SERIAL, sserial,
- NOTBEF, not_before,
- NOTAFT, not_after,
- BITLEN, EVP_PKEY_bits(pkey));
- /* XXX. Compression. TLS version.
- * This needs access to the socket.
- * Therefore a design change has to be taken. :( */
- /* Note: debian builds withouth sslv2 support
- * <https://lists.debian.org/debian-devel/2011/04/msg00049.html> */
- /* brands and trivial sanity check for defaults */
- if (strstr(sbuf, "localhost") ||
- strstr(sbuf, "none") ||
- strstr(sbuf, "test"))
- fprintf(stderr,
- "The certificate contains dummy informations.\n");
- OPENSSL_free(sserial);
- BN_free(serial);
- EVP_PKEY_free(pkey);
- return 0;
- }
- RSA *metadata_question_ask_rsa(const RSA* rsa)
- {
- char *s, *t;
- s = BN_bn2hex(rsa->e);
- t = BN_bn2hex(rsa->n);
- BIO_printf(out,
- "%-10s:%s\n"
- "%-10s:%s\n"
- "%-10s:%d\n"
- "%-10s:%d\n",
- MODULUS, t,
- E, s,
- EBITLEN, BN_num_bits(rsa->e),
- NBITLEN, BN_num_bits(rsa->n));
- if (BN_num_bits(rsa->n) < 2048)
- fprintf(stdout,
- "RSA keys < 2048 are disallowed after 2013.\n"
- "For more informations, see "
- "<http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf>\n");
- OPENSSL_free(s);
- OPENSSL_free(t);
- return NULL;
- }
- qa_question_t MetadataQuestion = {
- .name = "metadata",
- .pretty_name = "Metadata",
- .setup = metadata_question_setup,
- .teardown = metadata_question_teardown,
- .ask_crt = metadata_question_ask_crt,
- .ask_rsa = metadata_question_ask_rsa
- };
|