[thirdparty/openssl.git] / crypto / x509 / t_x509.c

/*
 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * because of EVP_PKEY_asn1_find deprecation
 */
#define OPENSSL_SUPPRESS_DEPRECATED

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/bn.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "crypto/asn1.h"
#include "crypto/x509.h"

void OSSL_STACK_OF_X509_free(STACK_OF(X509) *certs)
{
    sk_X509_pop_free(certs, X509_free);
}

#ifndef OPENSSL_NO_STDIO
int X509_print_fp(FILE *fp, X509 *x)
{
    return X509_print_ex_fp(fp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
}

int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag, unsigned long cflag)
{
    BIO *b;
    int ret;

    if ((b = BIO_new(BIO_s_file())) == NULL) {
        ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
        return 0;
    }
    BIO_set_fp(b, fp, BIO_NOCLOSE);
    ret = X509_print_ex(b, x, nmflag, cflag);
    BIO_free(b);
    return ret;
}
#endif

int X509_print(BIO *bp, const X509 *x)
{
    return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
}

int X509_print_ex(BIO *bp, const X509 *x, unsigned long nmflags, unsigned long cflag)
{
    long l;
    int ret = 0;
    char mlch = ' ';
    int nmindent = 0, printok = 0;
    EVP_PKEY *pkey = NULL;

    if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
        mlch = '\n';
        nmindent = 12;
    }

    if (nmflags == XN_FLAG_COMPAT)
        printok = 1;

    if (!(cflag & X509_FLAG_NO_HEADER)) {
        if (BIO_write(bp, "Certificate:\n", 13) <= 0)
            goto err;
        if (BIO_write(bp, "    Data:\n", 10) <= 0)
            goto err;
    }
    if (!(cflag & X509_FLAG_NO_VERSION)) {
        l = X509_get_version(x);
        if (l >= X509_VERSION_1 && l <= X509_VERSION_3) {
            if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0)
                goto err;
        } else {
            if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0)
                goto err;
        }
    }
    if (!(cflag & X509_FLAG_NO_SERIAL)) {
        const ASN1_INTEGER *bs = X509_get0_serialNumber(x);

        if (BIO_write(bp, "        Serial Number:", 22) <= 0)
            goto err;
        if (ossl_serial_number_print(bp, bs, 12) != 0)
            goto err;
        if (BIO_puts(bp, "\n") <= 0)
            goto err;
    }

    if (!(cflag & X509_FLAG_NO_SIGNAME)) {
        const X509_ALGOR *tsig_alg = X509_get0_tbs_sigalg(x);

        if (BIO_puts(bp, "    ") <= 0)
            goto err;
        if (X509_signature_print(bp, tsig_alg, NULL) <= 0)
            goto err;
    }

    if (!(cflag & X509_FLAG_NO_ISSUER)) {
        if (BIO_printf(bp, "        Issuer:%c", mlch) <= 0)
            goto err;
        if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags)
            < printok)
            goto err;
        if (BIO_write(bp, "\n", 1) <= 0)
            goto err;
    }
    if (!(cflag & X509_FLAG_NO_VALIDITY)) {
        if (BIO_write(bp, "        Validity\n", 17) <= 0)
            goto err;
        if (BIO_write(bp, "            Not Before: ", 24) <= 0)
            goto err;
        if (ossl_asn1_time_print_ex(bp, X509_get0_notBefore(x), ASN1_DTFLGS_RFC822) == 0)
            goto err;
        if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
            goto err;
        if (ossl_asn1_time_print_ex(bp, X509_get0_notAfter(x), ASN1_DTFLGS_RFC822) == 0)
            goto err;
        if (BIO_write(bp, "\n", 1) <= 0)
            goto err;
    }
    if (!(cflag & X509_FLAG_NO_SUBJECT)) {
        if (BIO_printf(bp, "        Subject:%c", mlch) <= 0)
            goto err;
        if (X509_NAME_print_ex
            (bp, X509_get_subject_name(x), nmindent, nmflags) < printok)
            goto err;
        if (BIO_write(bp, "\n", 1) <= 0)
            goto err;
    }
    if (!(cflag & X509_FLAG_NO_PUBKEY)) {
        X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
        ASN1_OBJECT *xpoid;
        X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey);
        if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
            goto err;
        if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
            goto err;
        if (i2a_ASN1_OBJECT(bp, xpoid) <= 0)
            goto err;
        if (BIO_puts(bp, "\n") <= 0)
            goto err;

        pkey = X509_get0_pubkey(x);
        if (pkey == NULL) {
            BIO_printf(bp, "%12sUnable to load Public Key\n", "");
            ERR_print_errors(bp);
        } else {
            EVP_PKEY_print_public(bp, pkey, 16, NULL);
        }
    }

    if (!(cflag & X509_FLAG_NO_IDS)) {
        const ASN1_BIT_STRING *iuid, *suid;
        X509_get0_uids(x, &iuid, &suid);
        if (iuid != NULL) {
            if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0)
                goto err;
            if (!X509_signature_dump(bp, iuid, 12))
                goto err;
        }
        if (suid != NULL) {
            if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0)
                goto err;
            if (!X509_signature_dump(bp, suid, 12))
                goto err;
        }
    }

    if (!(cflag & X509_FLAG_NO_EXTENSIONS)
        && !X509V3_extensions_print(bp, "X509v3 extensions",
                                    X509_get0_extensions(x), cflag, 8))
        goto err;

    if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
        const X509_ALGOR *sig_alg;
        const ASN1_BIT_STRING *sig;
        X509_get0_signature(&sig, &sig_alg, x);
        if (X509_signature_print(bp, sig_alg, sig) <= 0)
            goto err;
    }
    if (!(cflag & X509_FLAG_NO_AUX)) {
        if (!X509_aux_print(bp, x, 0))
            goto err;
    }
    ret = 1;
 err:
    return ret;
}

int X509_ocspid_print(BIO *bp, const X509 *x)
{
    unsigned char *der = NULL;
    unsigned char *dertmp;
    int derlen;
    int i;
    unsigned char SHA1md[SHA_DIGEST_LENGTH];
    ASN1_BIT_STRING *keybstr;
    const X509_NAME *subj;
    EVP_MD *md = NULL;

    if (x == NULL || bp == NULL)
        return 0;
    /*
     * display the hash of the subject as it would appear in OCSP requests
     */
    if (BIO_printf(bp, "        Subject OCSP hash: ") <= 0)
        goto err;
    subj = X509_get_subject_name(x);
    derlen = i2d_X509_NAME(subj, NULL);
    if (derlen <= 0)
        goto err;
    if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL)
        goto err;
    if (i2d_X509_NAME(subj, &dertmp) < 0)
        goto err;

    md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq);
    if (md == NULL)
        goto err;
    if (!EVP_Digest(der, derlen, SHA1md, NULL, md, NULL))
        goto err;
    for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
        if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
            goto err;
    }
    OPENSSL_free(der);
    der = NULL;

    /*
     * display the hash of the public key as it would appear in OCSP requests
     */
    if (BIO_printf(bp, "\n        Public key OCSP hash: ") <= 0)
        goto err;

    keybstr = X509_get0_pubkey_bitstr(x);

    if (keybstr == NULL)
        goto err;

    if (!EVP_Digest(ASN1_STRING_get0_data(keybstr),
                    ASN1_STRING_length(keybstr), SHA1md, NULL, md, NULL))
        goto err;
    for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
        if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
            goto err;
    }
    BIO_printf(bp, "\n");
    EVP_MD_free(md);

    return 1;
 err:
    OPENSSL_free(der);
    EVP_MD_free(md);
    return 0;
}

int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
{
    const unsigned char *s;
    int i, n;

    n = sig->length;
    s = sig->data;
    for (i = 0; i < n; i++) {
        if ((i % 18) == 0) {
            if (i > 0 && BIO_write(bp, "\n", 1) <= 0)
                return 0;
            if (BIO_indent(bp, indent, indent) <= 0)
                return 0;
        }
        if (BIO_printf(bp, "%02x%s", s[i], ((i + 1) == n) ? "" : ":") <= 0)
            return 0;
    }
    if (BIO_write(bp, "\n", 1) != 1)
        return 0;

    return 1;
}

int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,
                         const ASN1_STRING *sig)
{
#ifndef OPENSSL_NO_DEPRECATED_3_6
    int sig_nid;
#endif
    int indent = 4;
    if (BIO_printf(bp, "%*sSignature Algorithm: ", indent, "") <= 0)
        return 0;
    if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0)
        return 0;

    if (sig && BIO_printf(bp, "\n%*sSignature Value:", indent, "") <= 0)
        return 0;
#ifndef OPENSSL_NO_DEPRECATED_3_6
    sig_nid = OBJ_obj2nid(sigalg->algorithm);
    if (sig_nid != NID_undef) {
        int pkey_nid, dig_nid;
        const EVP_PKEY_ASN1_METHOD *ameth;
        if (OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid)) {
            ameth = EVP_PKEY_asn1_find(NULL, pkey_nid);
            if (ameth && ameth->sig_print)
                return ameth->sig_print(bp, sigalg, sig, indent + 4, 0);
        }
    }
#endif
    if (BIO_write(bp, "\n", 1) != 1)
        return 0;
    if (sig)
        return X509_signature_dump(bp, sig, indent + 4);
    return 1;
}

int X509_aux_print(BIO *out, const X509 *x, int indent)
{
    char oidstr[80], first;
    STACK_OF(ASN1_OBJECT) *trust, *reject;
    const unsigned char *alias, *keyid;
    int keyidlen;
    int i;
    if (X509_trusted(x) == 0)
        return 1;
    trust = X509_get0_trust_objects(x);
    reject = X509_get0_reject_objects(x);
    if (trust) {
        first = 1;
        BIO_printf(out, "%*sTrusted Uses:\n%*s", indent, "", indent + 2, "");
        for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
            if (!first)
                BIO_puts(out, ", ");
            else
                first = 0;
            OBJ_obj2txt(oidstr, sizeof(oidstr),
                        sk_ASN1_OBJECT_value(trust, i), 0);
            BIO_puts(out, oidstr);
        }
        BIO_puts(out, "\n");
    } else
        BIO_printf(out, "%*sNo Trusted Uses.\n", indent, "");
    if (reject) {
        first = 1;
        BIO_printf(out, "%*sRejected Uses:\n%*s", indent, "", indent + 2, "");
        for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
            if (!first)
                BIO_puts(out, ", ");
            else
                first = 0;
            OBJ_obj2txt(oidstr, sizeof(oidstr),
                        sk_ASN1_OBJECT_value(reject, i), 0);
            BIO_puts(out, oidstr);
        }
        BIO_puts(out, "\n");
    } else
        BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
    alias = X509_alias_get0(x, &i);
    if (alias)
        BIO_printf(out, "%*sAlias: %.*s\n", indent, "", i, alias);
    keyid = X509_keyid_get0(x, &keyidlen);
    if (keyid) {
        BIO_printf(out, "%*sKey Id: ", indent, "");
        for (i = 0; i < keyidlen; i++)
            BIO_printf(out, "%s%02X", i ? ":" : "", keyid[i]);
        BIO_write(out, "\n", 1);
    }
    return 1;
}

/*
 * Helper functions for improving certificate verification error diagnostics
 */

int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
{
    unsigned long flags = ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE |
        XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN;

    if (cert == NULL)
        return BIO_printf(bio, "    (no certificate)\n") > 0;
    if (BIO_printf(bio, "    certificate\n") <= 0
            || !X509_print_ex(bio, cert, flags, ~X509_FLAG_NO_SUBJECT))
        return 0;
    if (X509_check_issued((X509 *)cert, cert) == X509_V_OK) {
        if (BIO_printf(bio, "        self-issued\n") <= 0)
            return 0;
    } else {
        if (BIO_printf(bio, " ") <= 0
            || !X509_print_ex(bio, cert, flags, ~X509_FLAG_NO_ISSUER))
            return 0;
    }
    if (!X509_print_ex(bio, cert, flags,
                       ~(X509_FLAG_NO_SERIAL | X509_FLAG_NO_VALIDITY)))
        return 0;
    if (X509_cmp_current_time(X509_get0_notBefore(cert)) > 0)
        if (BIO_printf(bio, "        not yet valid\n") <= 0)
            return 0;
    if (X509_cmp_current_time(X509_get0_notAfter(cert)) < 0)
        if (BIO_printf(bio, "        no more valid\n") <= 0)
            return 0;
    return X509_print_ex(bio, cert, flags,
                         ~neg_cflags & ~X509_FLAG_EXTENSIONS_ONLY_KID);
}

static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
{
    int i;

    if (certs == NULL || sk_X509_num(certs) <= 0)
        return BIO_printf(bio, "    (no certificates)\n") >= 0;

    for (i = 0; i < sk_X509_num(certs); i++) {
        X509 *cert = sk_X509_value(certs, i);

        if (cert != NULL) {
            if (!ossl_x509_print_ex_brief(bio, cert, 0))
                return 0;
            if (!X509V3_extensions_print(bio, NULL,
                                         X509_get0_extensions(cert),
                                         X509_FLAG_EXTENSIONS_ONLY_KID, 8))
                return 0;
            }
    }
    return 1;
}

static int print_store_certs(BIO *bio, X509_STORE *store)
{
    if (store != NULL) {
        STACK_OF(X509) *certs = X509_STORE_get1_all_certs(store);
        int ret = print_certs(bio, certs);

        OSSL_STACK_OF_X509_free(certs);
        return ret;
    } else {
        return BIO_printf(bio, "    (no trusted store)\n") >= 0;
    }
}

/* Extend the error queue with details on a failed cert verification */
int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx)
{
    if (ok == 0 && ctx != NULL) {
        int cert_error = X509_STORE_CTX_get_error(ctx);
        BIO *bio = BIO_new(BIO_s_mem()); /* may be NULL */

        if (bio == NULL)
            return 0;
        BIO_printf(bio, "%s at depth = %d error = %d (%s)\n",
                   X509_STORE_CTX_get0_parent_ctx(ctx) != NULL
                   ? "CRL path validation"
                   : "Certificate verification",
                   X509_STORE_CTX_get_error_depth(ctx),
                   cert_error, X509_verify_cert_error_string(cert_error));
        {
            X509_STORE *ts = X509_STORE_CTX_get0_store(ctx);
            X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
            char *str;
            int idx = 0;

            switch (cert_error) {
            case X509_V_ERR_HOSTNAME_MISMATCH:
                BIO_printf(bio, "Expected hostname(s) = ");
                while ((str = X509_VERIFY_PARAM_get0_host(vpm, idx++)) != NULL)
                    BIO_printf(bio, "%s%s", idx == 1 ? "" : ", ", str);
                BIO_printf(bio, "\n");
                break;
            case X509_V_ERR_EMAIL_MISMATCH:
                str = X509_VERIFY_PARAM_get0_email(vpm);
                if (str != NULL)
                    BIO_printf(bio, "Expected email address = %s\n", str);
                break;
            case X509_V_ERR_IP_ADDRESS_MISMATCH:
                str = X509_VERIFY_PARAM_get1_ip_asc(vpm);
                if (str != NULL)
                    BIO_printf(bio, "Expected IP address = %s\n", str);
                OPENSSL_free(str);
                break;
            default:
                break;
            }
        }

        BIO_printf(bio, "Failure for:\n");
        ossl_x509_print_ex_brief(bio, X509_STORE_CTX_get_current_cert(ctx),
                                 X509_FLAG_NO_EXTENSIONS);
        if (cert_error == X509_V_ERR_CERT_UNTRUSTED
                || cert_error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
                || cert_error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
                || cert_error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
                || cert_error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
                || cert_error == X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
                || cert_error == X509_V_ERR_STORE_LOOKUP) {
            BIO_printf(bio, "Non-trusted certs:\n");
            print_certs(bio, X509_STORE_CTX_get0_untrusted(ctx));
            BIO_printf(bio, "Certs in trust store:\n");
            print_store_certs(bio, X509_STORE_CTX_get0_store(ctx));
        }
        ERR_raise(ERR_LIB_X509, X509_R_CERTIFICATE_VERIFICATION_FAILED);
        ERR_add_error_mem_bio("\n", bio);
        BIO_free(bio);
    }

    return ok;
}

/*
 * Prints serial numbers in decimal and hexadecimal. The indent argument is only
 * used if the serial number is too large to fit in an int64_t.
 */
int ossl_serial_number_print(BIO *out, const ASN1_INTEGER *bs, int indent)
{
    int i, ok;
    int64_t l;
    uint64_t ul;
    const char *neg;

    if (bs->length == 0) {
        if (BIO_puts(out, " (Empty)") <= 0)
            return -1;
        return 0;
    }

    ERR_set_mark();
    ok = ASN1_INTEGER_get_int64(&l, bs);
    ERR_pop_to_mark();

    if (ok) { /* Reading an int64_t succeeded: print decimal and hex. */
        if (bs->type == V_ASN1_NEG_INTEGER) {
            ul = 0 - (uint64_t)l;
            neg = "-";
        } else {
            ul = l;
            neg = "";
        }
        if (BIO_printf(out, " %s%ju (%s0x%jx)", neg, ul, neg, ul) <= 0)
            return -1;
    } else { /* Reading an int64_t failed: just print hex. */
        neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";
        if (BIO_printf(out, "\n%*s%s", indent, "", neg) <= 0)
            return -1;

        for (i = 0; i < bs->length - 1; i++) {
            if (BIO_printf(out, "%02x%c", bs->data[i], ':') <= 0)
                return -1;
        }
        if (BIO_printf(out, "%02x", bs->data[i]) <= 0)
            return -1;
    }
    return 0;
}
Commit	Line	Data
b1322259	1	/*
0c679f55	2	* Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
d02b48c6	3	*
3e4b43b9	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
b1322259 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
d02b48c6 RE	8	*/
d02b48c6 RE	9
af2aaf32 NP	10	/*
	11	* because of EVP_PKEY_asn1_find deprecation
	12	*/
	13	#define OPENSSL_SUPPRESS_DEPRECATED
	14
d02b48c6	15	#include <stdio.h>
b39fc560	16	#include "internal/cryptlib.h"
ec577822 BM	17	#include <openssl/buffer.h>
ec577822 BM	18	#include <openssl/bn.h>
ec577822 BM	19	#include <openssl/objects.h>
	20	#include <openssl/x509.h>
	21	#include <openssl/x509v3.h>
25f2138b	22	#include "crypto/asn1.h"
31b28ad9	23	#include "crypto/x509.h"
d02b48c6	24
79b2a2f2 DDO	25	void OSSL_STACK_OF_X509_free(STACK_OF(X509) *certs)
	26	{
	27	sk_X509_pop_free(certs, X509_free);
	28	}
	29
4b618848	30	#ifndef OPENSSL_NO_STDIO
6b691a5c	31	int X509_print_fp(FILE fp, X509 x)
0f113f3e MC	32	{
	33	return X509_print_ex_fp(fp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
	34	}
d0c98589	35
59294828	36	int X509_print_ex_fp(FILE fp, X509 x, unsigned long nmflag, unsigned long cflag)
0f113f3e MC	37	{
	38	BIO *b;
	39	int ret;
	40
	41	if ((b = BIO_new(BIO_s_file())) == NULL) {
9311d0c4	42	ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
26a7d938	43	return 0;
0f113f3e MC	44	}
	45	BIO_set_fp(b, fp, BIO_NOCLOSE);
	46	ret = X509_print_ex(b, x, nmflag, cflag);
	47	BIO_free(b);
26a7d938	48	return ret;
0f113f3e	49	}
d02b48c6 RE	50	#endif
d02b48c6 RE	51
59294828	52	int X509_print(BIO bp, const X509 x)
d0c98589	53	{
0f113f3e	54	return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
d0c98589 DSH	55	}
d0c98589 DSH	56
59294828	57	int X509_print_ex(BIO bp, const X509 x, unsigned long nmflags, unsigned long cflag)
0f113f3e MC	58	{
0f113f3e MC	59	long l;
935f6e63	60	int ret = 0;
36699c12	61	char mlch = ' ';
02db7354	62	int nmindent = 0, printok = 0;
0f113f3e	63	EVP_PKEY *pkey = NULL;
0f113f3e MC	64
	65	if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
	66	mlch = '\n';
	67	nmindent = 12;
	68	}
	69
2126ca3d	70	if (nmflags == XN_FLAG_COMPAT)
02db7354	71	printok = 1;
0f113f3e	72
0f113f3e MC	73	if (!(cflag & X509_FLAG_NO_HEADER)) {
	74	if (BIO_write(bp, "Certificate:\n", 13) <= 0)
	75	goto err;
	76	if (BIO_write(bp, " Data:\n", 10) <= 0)
	77	goto err;
	78	}
	79	if (!(cflag & X509_FLAG_NO_VERSION)) {
	80	l = X509_get_version(x);
cdf63a37	81	if (l >= X509_VERSION_1 && l <= X509_VERSION_3) {
676befbe KR	82	if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0)
	83	goto err;
	84	} else {
	85	if (BIO_printf(bp, "%8sVersion: Unknown (%ld)\n", "", l) <= 0)
	86	goto err;
	87	}
0f113f3e MC	88	}
0f113f3e MC	89	if (!(cflag & X509_FLAG_NO_SERIAL)) {
1337a3a9	90	const ASN1_INTEGER *bs = X509_get0_serialNumber(x);
0f113f3e MC	91
	92	if (BIO_write(bp, " Serial Number:", 22) <= 0)
	93	goto err;
c90451d8 JW	94	if (ossl_serial_number_print(bp, bs, 12) != 0)
	95	goto err;
	96	if (BIO_puts(bp, "\n") <= 0)
	97	goto err;
0f113f3e MC	98	}
	99
	100	if (!(cflag & X509_FLAG_NO_SIGNAME)) {
8900f3e3	101	const X509_ALGOR *tsig_alg = X509_get0_tbs_sigalg(x);
e6cccb5f YL	102
	103	if (BIO_puts(bp, " ") <= 0)
	104	goto err;
699f1635	105	if (X509_signature_print(bp, tsig_alg, NULL) <= 0)
0f113f3e	106	goto err;
0f113f3e MC	107	}
	108
	109	if (!(cflag & X509_FLAG_NO_ISSUER)) {
	110	if (BIO_printf(bp, " Issuer:%c", mlch) <= 0)
	111	goto err;
	112	if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags)
02db7354	113	< printok)
0f113f3e MC	114	goto err;
	115	if (BIO_write(bp, "\n", 1) <= 0)
	116	goto err;
	117	}
	118	if (!(cflag & X509_FLAG_NO_VALIDITY)) {
	119	if (BIO_write(bp, " Validity\n", 17) <= 0)
	120	goto err;
	121	if (BIO_write(bp, " Not Before: ", 24) <= 0)
	122	goto err;
8c5bff22	123	if (ossl_asn1_time_print_ex(bp, X509_get0_notBefore(x), ASN1_DTFLGS_RFC822) == 0)
0f113f3e MC	124	goto err;
	125	if (BIO_write(bp, "\n Not After : ", 25) <= 0)
	126	goto err;
8c5bff22	127	if (ossl_asn1_time_print_ex(bp, X509_get0_notAfter(x), ASN1_DTFLGS_RFC822) == 0)
0f113f3e MC	128	goto err;
	129	if (BIO_write(bp, "\n", 1) <= 0)
	130	goto err;
	131	}
	132	if (!(cflag & X509_FLAG_NO_SUBJECT)) {
	133	if (BIO_printf(bp, " Subject:%c", mlch) <= 0)
	134	goto err;
	135	if (X509_NAME_print_ex
02db7354	136	(bp, X509_get_subject_name(x), nmindent, nmflags) < printok)
0f113f3e MC	137	goto err;
	138	if (BIO_write(bp, "\n", 1) <= 0)
	139	goto err;
	140	}
	141	if (!(cflag & X509_FLAG_NO_PUBKEY)) {
699f1635 DSH	142	X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
	143	ASN1_OBJECT *xpoid;
	144	X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey);
0f113f3e MC	145	if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0)
	146	goto err;
	147	if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
	148	goto err;
699f1635	149	if (i2a_ASN1_OBJECT(bp, xpoid) <= 0)
0f113f3e MC	150	goto err;
	151	if (BIO_puts(bp, "\n") <= 0)
	152	goto err;
	153
c01ff880	154	pkey = X509_get0_pubkey(x);
0f113f3e MC	155	if (pkey == NULL) {
	156	BIO_printf(bp, "%12sUnable to load Public Key\n", "");
	157	ERR_print_errors(bp);
	158	} else {
	159	EVP_PKEY_print_public(bp, pkey, 16, NULL);
0f113f3e MC	160	}
	161	}
	162
	163	if (!(cflag & X509_FLAG_NO_IDS)) {
8900f3e3 DSH	164	const ASN1_BIT_STRING iuid, suid;
8900f3e3 DSH	165	X509_get0_uids(x, &iuid, &suid);
699f1635	166	if (iuid != NULL) {
0f113f3e MC	167	if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0)
0f113f3e MC	168	goto err;
699f1635	169	if (!X509_signature_dump(bp, iuid, 12))
0f113f3e MC	170	goto err;
0f113f3e MC	171	}
699f1635	172	if (suid != NULL) {
0f113f3e MC	173	if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0)
0f113f3e MC	174	goto err;
699f1635	175	if (!X509_signature_dump(bp, suid, 12))
0f113f3e MC	176	goto err;
	177	}
	178	}
	179
076bf8c2 DDO	180	if (!(cflag & X509_FLAG_NO_EXTENSIONS)
	181	&& !X509V3_extensions_print(bp, "X509v3 extensions",
	182	X509_get0_extensions(x), cflag, 8))
	183	goto err;
0f113f3e MC	184
0f113f3e MC	185	if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
8adc1cb8 DSH	186	const X509_ALGOR *sig_alg;
8adc1cb8 DSH	187	const ASN1_BIT_STRING *sig;
699f1635 DSH	188	X509_get0_signature(&sig, &sig_alg, x);
699f1635 DSH	189	if (X509_signature_print(bp, sig_alg, sig) <= 0)
0f113f3e MC	190	goto err;
	191	}
	192	if (!(cflag & X509_FLAG_NO_AUX)) {
699f1635	193	if (!X509_aux_print(bp, x, 0))
0f113f3e MC	194	goto err;
	195	}
	196	ret = 1;
	197	err:
26a7d938	198	return ret;
0f113f3e MC	199	}
0f113f3e MC	200
59294828	201	int X509_ocspid_print(BIO bp, const X509 x)
0f113f3e MC	202	{
	203	unsigned char *der = NULL;
	204	unsigned char *dertmp;
	205	int derlen;
	206	int i;
	207	unsigned char SHA1md[SHA_DIGEST_LENGTH];
699f1635	208	ASN1_BIT_STRING *keybstr;
8cc86b81	209	const X509_NAME *subj;
192d5008	210	EVP_MD *md = NULL;
0f113f3e	211
192d5008 P	212	if (x == NULL \|\| bp == NULL)
192d5008 P	213	return 0;
0f113f3e MC	214	/*
	215	* display the hash of the subject as it would appear in OCSP requests
	216	*/
	217	if (BIO_printf(bp, " Subject OCSP hash: ") <= 0)
	218	goto err;
699f1635 DSH	219	subj = X509_get_subject_name(x);
699f1635 DSH	220	derlen = i2d_X509_NAME(subj, NULL);
42e7d2f1 SL	221	if (derlen <= 0)
42e7d2f1 SL	222	goto err;
b196e7d9	223	if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL)
0f113f3e	224	goto err;
db280451 ES	225	if (i2d_X509_NAME(subj, &dertmp) < 0)
db280451 ES	226	goto err;
0f113f3e	227
192d5008 P	228	md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq);
	229	if (md == NULL)
	230	goto err;
	231	if (!EVP_Digest(der, derlen, SHA1md, NULL, md, NULL))
0f113f3e MC	232	goto err;
	233	for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
	234	if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
	235	goto err;
	236	}
	237	OPENSSL_free(der);
	238	der = NULL;
	239
	240	/*
	241	* display the hash of the public key as it would appear in OCSP requests
	242	*/
	243	if (BIO_printf(bp, "\n Public key OCSP hash: ") <= 0)
	244	goto err;
	245
699f1635 DSH	246	keybstr = X509_get0_pubkey_bitstr(x);
	247
	248	if (keybstr == NULL)
	249	goto err;
	250
17ebf85a	251	if (!EVP_Digest(ASN1_STRING_get0_data(keybstr),
192d5008	252	ASN1_STRING_length(keybstr), SHA1md, NULL, md, NULL))
0f113f3e MC	253	goto err;
	254	for (i = 0; i < SHA_DIGEST_LENGTH; i++) {
	255	if (BIO_printf(bp, "%02X", SHA1md[i]) <= 0)
	256	goto err;
	257	}
	258	BIO_printf(bp, "\n");
192d5008	259	EVP_MD_free(md);
0f113f3e	260
208fb891	261	return 1;
0f113f3e	262	err:
b548a1f1	263	OPENSSL_free(der);
192d5008	264	EVP_MD_free(md);
26a7d938	265	return 0;
0f113f3e	266	}
eb64730b	267
fa1ba589	268	int X509_signature_dump(BIO bp, const ASN1_STRING sig, int indent)
de487514	269	{
0f113f3e MC	270	const unsigned char *s;
	271	int i, n;
	272
	273	n = sig->length;
	274	s = sig->data;
	275	for (i = 0; i < n; i++) {
	276	if ((i % 18) == 0) {
a4c467c9	277	if (i > 0 && BIO_write(bp, "\n", 1) <= 0)
0f113f3e MC	278	return 0;
	279	if (BIO_indent(bp, indent, indent) <= 0)
	280	return 0;
	281	}
	282	if (BIO_printf(bp, "%02x%s", s[i], ((i + 1) == n) ? "" : ":") <= 0)
	283	return 0;
	284	}
	285	if (BIO_write(bp, "\n", 1) != 1)
	286	return 0;
	287
	288	return 1;
de487514 DSH	289	}
de487514 DSH	290
5e6089f0 MC	291	int X509_signature_print(BIO bp, const X509_ALGOR sigalg,
5e6089f0 MC	292	const ASN1_STRING *sig)
fa1ba589	293	{
af2aaf32	294	#ifndef OPENSSL_NO_DEPRECATED_3_6
0f113f3e	295	int sig_nid;
af2aaf32	296	#endif
5743d126 DO	297	int indent = 4;
5743d126 DO	298	if (BIO_printf(bp, "%*sSignature Algorithm: ", indent, "") <= 0)
0f113f3e MC	299	return 0;
	300	if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0)
	301	return 0;
	302
5743d126 DO	303	if (sig && BIO_printf(bp, "\n%*sSignature Value:", indent, "") <= 0)
5743d126 DO	304	return 0;
af2aaf32	305	#ifndef OPENSSL_NO_DEPRECATED_3_6
0f113f3e MC	306	sig_nid = OBJ_obj2nid(sigalg->algorithm);
	307	if (sig_nid != NID_undef) {
	308	int pkey_nid, dig_nid;
	309	const EVP_PKEY_ASN1_METHOD *ameth;
	310	if (OBJ_find_sigid_algs(sig_nid, &dig_nid, &pkey_nid)) {
	311	ameth = EVP_PKEY_asn1_find(NULL, pkey_nid);
	312	if (ameth && ameth->sig_print)
5743d126	313	return ameth->sig_print(bp, sigalg, sig, indent + 4, 0);
0f113f3e MC	314	}
0f113f3e MC	315	}
af2aaf32	316	#endif
a4c467c9 DO	317	if (BIO_write(bp, "\n", 1) != 1)
a4c467c9 DO	318	return 0;
0f113f3e	319	if (sig)
5743d126	320	return X509_signature_dump(bp, sig, indent + 4);
0f113f3e	321	return 1;
fa1ba589	322	}
699f1635	323
59294828	324	int X509_aux_print(BIO out, const X509 x, int indent)
699f1635 DSH	325	{
	326	char oidstr[80], first;
	327	STACK_OF(ASN1_OBJECT) trust, reject;
	328	const unsigned char alias, keyid;
	329	int keyidlen;
	330	int i;
	331	if (X509_trusted(x) == 0)
	332	return 1;
	333	trust = X509_get0_trust_objects(x);
	334	reject = X509_get0_reject_objects(x);
	335	if (trust) {
	336	first = 1;
	337	BIO_printf(out, "%sTrusted Uses:\n%s", indent, "", indent + 2, "");
	338	for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
	339	if (!first)
	340	BIO_puts(out, ", ");
	341	else
	342	first = 0;
cbe29648	343	OBJ_obj2txt(oidstr, sizeof(oidstr),
699f1635 DSH	344	sk_ASN1_OBJECT_value(trust, i), 0);
	345	BIO_puts(out, oidstr);
	346	}
	347	BIO_puts(out, "\n");
	348	} else
	349	BIO_printf(out, "%*sNo Trusted Uses.\n", indent, "");
	350	if (reject) {
	351	first = 1;
	352	BIO_printf(out, "%sRejected Uses:\n%s", indent, "", indent + 2, "");
	353	for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
	354	if (!first)
	355	BIO_puts(out, ", ");
	356	else
	357	first = 0;
cbe29648	358	OBJ_obj2txt(oidstr, sizeof(oidstr),
699f1635 DSH	359	sk_ASN1_OBJECT_value(reject, i), 0);
	360	BIO_puts(out, oidstr);
	361	}
	362	BIO_puts(out, "\n");
	363	} else
	364	BIO_printf(out, "%*sNo Rejected Uses.\n", indent, "");
c5dc9ab9	365	alias = X509_alias_get0(x, &i);
699f1635	366	if (alias)
c5dc9ab9	367	BIO_printf(out, "%sAlias: %.s\n", indent, "", i, alias);
699f1635 DSH	368	keyid = X509_keyid_get0(x, &keyidlen);
	369	if (keyid) {
	370	BIO_printf(out, "%*sKey Id: ", indent, "");
	371	for (i = 0; i < keyidlen; i++)
	372	BIO_printf(out, "%s%02X", i ? ":" : "", keyid[i]);
	373	BIO_write(out, "\n", 1);
	374	}
	375	return 1;
	376	}
31b28ad9 DDO	377
	378	/*
	379	* Helper functions for improving certificate verification error diagnostics
	380	*/
	381
4669015d	382	int ossl_x509_print_ex_brief(BIO bio, X509 cert, unsigned long neg_cflags)
31b28ad9 DDO	383	{
	384	unsigned long flags = ASN1_STRFLGS_RFC2253 \| ASN1_STRFLGS_ESC_QUOTE \|
	385	XN_FLAG_SEP_CPLUS_SPC \| XN_FLAG_FN_SN;
	386
	387	if (cert == NULL)
	388	return BIO_printf(bio, " (no certificate)\n") > 0;
	389	if (BIO_printf(bio, " certificate\n") <= 0
	390	\|\| !X509_print_ex(bio, cert, flags, ~X509_FLAG_NO_SUBJECT))
	391	return 0;
	392	if (X509_check_issued((X509 *)cert, cert) == X509_V_OK) {
	393	if (BIO_printf(bio, " self-issued\n") <= 0)
	394	return 0;
	395	} else {
	396	if (BIO_printf(bio, " ") <= 0
	397	\|\| !X509_print_ex(bio, cert, flags, ~X509_FLAG_NO_ISSUER))
	398	return 0;
	399	}
	400	if (!X509_print_ex(bio, cert, flags,
	401	~(X509_FLAG_NO_SERIAL \| X509_FLAG_NO_VALIDITY)))
	402	return 0;
	403	if (X509_cmp_current_time(X509_get0_notBefore(cert)) > 0)
	404	if (BIO_printf(bio, " not yet valid\n") <= 0)
	405	return 0;
	406	if (X509_cmp_current_time(X509_get0_notAfter(cert)) < 0)
	407	if (BIO_printf(bio, " no more valid\n") <= 0)
	408	return 0;
076bf8c2 DDO	409	return X509_print_ex(bio, cert, flags,
076bf8c2 DDO	410	~neg_cflags & ~X509_FLAG_EXTENSIONS_ONLY_KID);
31b28ad9 DDO	411	}
	412
	413	static int print_certs(BIO bio, const STACK_OF(X509) certs)
	414	{
	415	int i;
	416
	417	if (certs == NULL \|\| sk_X509_num(certs) <= 0)
	418	return BIO_printf(bio, " (no certificates)\n") >= 0;
	419
	420	for (i = 0; i < sk_X509_num(certs); i++) {
	421	X509 *cert = sk_X509_value(certs, i);
076bf8c2 DDO	422
076bf8c2 DDO	423	if (cert != NULL) {
4669015d	424	if (!ossl_x509_print_ex_brief(bio, cert, 0))
076bf8c2 DDO	425	return 0;
	426	if (!X509V3_extensions_print(bio, NULL,
	427	X509_get0_extensions(cert),
	428	X509_FLAG_EXTENSIONS_ONLY_KID, 8))
	429	return 0;
	430	}
31b28ad9 DDO	431	}
	432	return 1;
	433	}
	434
	435	static int print_store_certs(BIO bio, X509_STORE store)
	436	{
	437	if (store != NULL) {
	438	STACK_OF(X509) *certs = X509_STORE_get1_all_certs(store);
	439	int ret = print_certs(bio, certs);
	440
79b2a2f2	441	OSSL_STACK_OF_X509_free(certs);
31b28ad9 DDO	442	return ret;
	443	} else {
	444	return BIO_printf(bio, " (no trusted store)\n") >= 0;
	445	}
	446	}
	447
	448	/* Extend the error queue with details on a failed cert verification */
	449	int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx)
	450	{
	451	if (ok == 0 && ctx != NULL) {
	452	int cert_error = X509_STORE_CTX_get_error(ctx);
31b28ad9 DDO	453	BIO bio = BIO_new(BIO_s_mem()); / may be NULL */
31b28ad9 DDO	454
ecf60b9e	455	if (bio == NULL)
318e9799	456	return 0;
278260bf	457	BIO_printf(bio, "%s at depth = %d error = %d (%s)\n",
31b28ad9	458	X509_STORE_CTX_get0_parent_ctx(ctx) != NULL
278260bf DDO	459	? "CRL path validation"
	460	: "Certificate verification",
	461	X509_STORE_CTX_get_error_depth(ctx),
	462	cert_error, X509_verify_cert_error_string(cert_error));
	463	{
	464	X509_STORE *ts = X509_STORE_CTX_get0_store(ctx);
	465	X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
	466	char *str;
	467	int idx = 0;
	468
	469	switch (cert_error) {
	470	case X509_V_ERR_HOSTNAME_MISMATCH:
	471	BIO_printf(bio, "Expected hostname(s) = ");
	472	while ((str = X509_VERIFY_PARAM_get0_host(vpm, idx++)) != NULL)
	473	BIO_printf(bio, "%s%s", idx == 1 ? "" : ", ", str);
	474	BIO_printf(bio, "\n");
	475	break;
	476	case X509_V_ERR_EMAIL_MISMATCH:
	477	str = X509_VERIFY_PARAM_get0_email(vpm);
	478	if (str != NULL)
	479	BIO_printf(bio, "Expected email address = %s\n", str);
	480	break;
	481	case X509_V_ERR_IP_ADDRESS_MISMATCH:
	482	str = X509_VERIFY_PARAM_get1_ip_asc(vpm);
	483	if (str != NULL)
	484	BIO_printf(bio, "Expected IP address = %s\n", str);
	485	OPENSSL_free(str);
	486	break;
	487	default:
	488	break;
	489	}
	490	}
	491
	492	BIO_printf(bio, "Failure for:\n");
4669015d SL	493	ossl_x509_print_ex_brief(bio, X509_STORE_CTX_get_current_cert(ctx),
4669015d SL	494	X509_FLAG_NO_EXTENSIONS);
31b28ad9 DDO	495	if (cert_error == X509_V_ERR_CERT_UNTRUSTED
	496	\|\| cert_error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
	497	\|\| cert_error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
	498	\|\| cert_error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
	499	\|\| cert_error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
	500	\|\| cert_error == X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
	501	\|\| cert_error == X509_V_ERR_STORE_LOOKUP) {
278260bf	502	BIO_printf(bio, "Non-trusted certs:\n");
31b28ad9	503	print_certs(bio, X509_STORE_CTX_get0_untrusted(ctx));
278260bf	504	BIO_printf(bio, "Certs in trust store:\n");
31b28ad9 DDO	505	print_store_certs(bio, X509_STORE_CTX_get0_store(ctx));
31b28ad9 DDO	506	}
9311d0c4	507	ERR_raise(ERR_LIB_X509, X509_R_CERTIFICATE_VERIFICATION_FAILED);
31b28ad9 DDO	508	ERR_add_error_mem_bio("\n", bio);
	509	BIO_free(bio);
	510	}
	511
31b28ad9 DDO	512	return ok;
31b28ad9 DDO	513	}
935f6e63 JW	514
	515	/*
	516	* Prints serial numbers in decimal and hexadecimal. The indent argument is only
aa52ec9b	517	* used if the serial number is too large to fit in an int64_t.
935f6e63 JW	518	*/
	519	int ossl_serial_number_print(BIO out, const ASN1_INTEGER bs, int indent)
	520	{
aa52ec9b KY	521	int i, ok;
	522	int64_t l;
	523	uint64_t ul;
935f6e63 JW	524	const char *neg;
935f6e63 JW	525
6f1dbaf7 KY	526	if (bs->length == 0) {
	527	if (BIO_puts(out, " (Empty)") <= 0)
	528	return -1;
	529	return 0;
	530	}
	531
aa52ec9b KY	532	ERR_set_mark();
	533	ok = ASN1_INTEGER_get_int64(&l, bs);
	534	ERR_pop_to_mark();
	535
	536	if (ok) { /* Reading an int64_t succeeded: print decimal and hex. */
935f6e63	537	if (bs->type == V_ASN1_NEG_INTEGER) {
aa52ec9b	538	ul = 0 - (uint64_t)l;
935f6e63 JW	539	neg = "-";
	540	} else {
	541	ul = l;
	542	neg = "";
	543	}
aa52ec9b	544	if (BIO_printf(out, " %s%ju (%s0x%jx)", neg, ul, neg, ul) <= 0)
935f6e63	545	return -1;
aa52ec9b	546	} else { /* Reading an int64_t failed: just print hex. */
935f6e63 JW	547	neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";
	548	if (BIO_printf(out, "\n%*s%s", indent, "", neg) <= 0)
	549	return -1;
	550
	551	for (i = 0; i < bs->length - 1; i++) {
	552	if (BIO_printf(out, "%02x%c", bs->data[i], ':') <= 0)
	553	return -1;
	554	}
	555	if (BIO_printf(out, "%02x", bs->data[i]) <= 0)
	556	return -1;
	557	}
	558	return 0;
	559	}