Report TOD policy in peer certificate events
Add tod=1 to CTRL-EVENT-EAP-PEER-CERT events if the peer certificate includes the TOD policy in the X.509v3 Certificate Policies extension. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
parent
bc0634da4a
commit
21f1a1e66c
3 changed files with 34 additions and 2 deletions
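--- a/<tls header path not shown on page>
+++ b/<tls header path not shown on page>
@@ -57,6 +57,7 @@ struct tls_cert_data {
 const char *altsubject[TLS_MAX_ALT_SUBJECT];
 int num_altsubject;
 const char *serial_num;
+int tod;
 };
 
 union tls_event_data {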
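Review bot: The new `tod` member of `struct tls_cert_data` is declared without a comment, and its meaning (a 0/1 flag rather than a count or an index) is only discoverable from the OpenSSL backend that fills it in. A one-line comment at the declaration, e.g. `/* 1 if the peer certificate carries the TOD policy in its Certificate Policies extension, 0 otherwise */`, would tell other TLS backends what they are expected to set and tell event consumers what the value means. Whether backends other than OpenSSL set it at all is outside this hunk.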
@ -2149,6 +2149,34 @@ static void openssl_tls_fail_event(struct tls_connection *conn,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int openssl_cert_tod(X509 *cert)
|
||||||
|
{
|
||||||
|
CERTIFICATEPOLICIES *ext;
|
||||||
|
stack_index_t i;
|
||||||
|
char buf[100];
|
||||||
|
int res;
|
||||||
|
int tod = 0;
|
||||||
|
|
||||||
|
ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
|
||||||
|
if (!ext)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
|
||||||
|
POLICYINFO *policy;
|
||||||
|
|
||||||
|
policy = sk_POLICYINFO_value(ext, i);
|
||||||
|
res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
|
||||||
|
if (res < 0 || (size_t) res >= sizeof(buf))
|
||||||
|
continue;
|
||||||
|
wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
|
||||||
|
if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
|
||||||
|
tod = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return tod;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static void openssl_tls_cert_event(struct tls_connection *conn,
|
static void openssl_tls_cert_event(struct tls_connection *conn,
|
||||||
X509 *err_cert, int depth,
|
X509 *err_cert, int depth,
|
||||||
const char *subject)
|
const char *subject)
|
||||||
|
@ -2241,6 +2269,8 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
|
||||||
ev.peer_cert.altsubject[alt] = altsubject[alt];
|
ev.peer_cert.altsubject[alt] = altsubject[alt];
|
||||||
ev.peer_cert.num_altsubject = num_altsubject;
|
ev.peer_cert.num_altsubject = num_altsubject;
|
||||||
|
|
||||||
|
ev.peer_cert.tod = openssl_cert_tod(err_cert);
|
||||||
|
|
||||||
context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
|
context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
|
||||||
wpabuf_free(cert);
|
wpabuf_free(cert);
|
||||||
for (alt = 0; alt < num_altsubject; alt++)
|
for (alt = 0; alt < num_altsubject; alt++)
|
||||||
|
|
|
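Review bot: `openssl_cert_tod` leaks the CERTIFICATEPOLICIES stack returned by `X509_get_ext_d2i()`: that object is allocated for the caller, and the function neither frees it after the loop nor on any other exit, so each peer certificate carrying a Certificate Policies extension costs one unreleased allocation every time the certificate event is generated. Release it before returning, e.g. `sk_POLICYINFO_pop_free(ext, POLICYINFO_free);` immediately ahead of `return tod;` (the `if (!ext) return 0;` path has nothing to free). Separately, `OBJ_obj2txt()` is called with `no_name = 0`, which yields a registered short/long name instead of the dotted form when the OID happens to be known to OpenSSL, so the comparison against `"1.3.6.1.4.1.40808.1.3.1"` would silently fail in that case; passing `1` as the last argument forces the numeric form. The OID literal would also read better as a named constant with a comment saying what policy it identifies.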
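--- a/<notify source path not shown on page>
+++ b/<notify source path not shown on page>
@@ -792,9 +792,10 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
 const char *cert_hash)
 {
 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
-"depth=%d subject='%s'%s%s",
+"depth=%d subject='%s'%s%s%s",
 cert->depth, cert->subject, cert_hash ? " hash=" : "",
-cert_hash ? cert_hash : "");
+cert_hash ? cert_hash : "",
+cert->tod ? " tod=1" : "");
 
 if (cert->cert) {
 char *cert_hex;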
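Review bot: The `tod=1` token is appended to the CTRL-EVENT-EAP-PEER-CERT line only when the flag is set and is otherwise absent entirely, which is a contract that consumers parsing the event line need to know but nothing in the hunk states. A short comment above the `wpa_msg()` call, e.g. `/* " tod=1" is present only when the peer certificate carries the TOD policy; its absence means the policy was not found */`, would pin that down. The control-interface event documentation, if the project keeps one outside this diff, presumably needs the same addition.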