From 9063b54395106a2037bad201d49b53838a2c8d24 Mon Sep 17 00:00:00 2001 From: Jonas Olausson <j.olausson@student.unimelb.edu.au> Date: Wed, 23 May 2018 20:34:53 +1000 Subject: [PATCH] added comments --- certexample | Bin 16292 -> 16292 bytes certexample.c | 103 ++++++++++++++++++++++++-------------------------- 2 files changed, 49 insertions(+), 54 deletions(-) 
diff --git a/certexample b/certexample index adcbba2d1dfb87c18b47852663885bcac745763a..5116c853a62f66da0077a0d486d236fc868bea46 100755 GIT binary patch delta 2839 zcmZ2dzodS`4JJv!iMQMYwPY9=7#SECzA-?6)?`CQdqD+Ri0CSi6axc;!sJFqd%;t3 z5Ye{~r3|MgUu3iw+#wGU^?-`**sRDD&m@rl?EK0{Qr3U>r$2RErZL-Z^8}W5wt4|Z z1_qB_))m4G498vnfOK@${_yB5{ov6J!gU-ToyT6R5(Fu-Z50MlrhOo)v$f*?|Nk#0 zfMhyb3qWi(K?a5wF9jGFUc3@uU^w2I^Z);Ukb(PB7(n`J8$7zFf;EMLG&TQV;BVom zXJTORINq87RqAoPH3Gp5KrlU^%olY63=AHf$6pi(Ffi=Xff?KhHo>EFufYHR|2wzx zfSjWMw&exmF&EYb29IvAR5wIwAtT5^rdxy<>KQybTP^<o|L@Tar9c7($N~-=9-XZk z7$OQ_k-Z?LFM2?Z$zfn%*vZVmz|eWhqq9{4A`SAGM|Uq+)ee3J1`m+8TQ$J$HuVJC z-_2SA3eawg4Gb^51Q;0hgQB>zl>_7l4FLuQ!vmcMJ-YXTP3k=7(Ru2{GLS)?;E+Nw zPgaP5!K0g16>i*bez<WgAmeU=H1?Vbfz|B=MOr=F-vS#LUYvo*e+GqIH(1`Idn(AI zovjT2|Nq~>@M0B61zZXeDqBHO=Fz$L$G`voJvy&<wto5d|NjdIP|Wt4u7;QelIuLQ zf#F3aKLbPeR8Z1rKE&8LRSv}JZ2j=>|Noaa|Nj4P`2U3&KLZ25d<!V$FidXXoyT}+ zvOJ$7W76bAK4r$F$*p{58tI@!&}*6{z`(Fe100vUIiPg6lb3<vB}k)3ckPB3KY1rV z=2K#PIGK&#T=FT%;k~9W_!$^>=|Hr6<7Z%aVLmyG-#uVHCj&#L>l2Ue+7~a1K@RUc z{^B+VNbCVvOrM2;q4W5Q4la<;9k5UjH;8=$%)S6-U-9U!1!bETFBm4j<&S3Und~W` zrSzT~6e)Xm{Qm#H^Vo~qAYNzdgWsSOw--dc*fV*mfC6Lf<ZS{9oGxJL<1Y**-xrW) z^qKr$K!fq&WDP+T#yyjL1r-=WC+7+3F@58jJWtSs(~JvbGVgER$+rbf89OEm3aK;A z;hpRyprynKl7ZRz8pK1j^9<+YX#xt2oRhZ;C~$(MkH2u>ocusQo{@8spavtyWKBU8 zMvlpTf*?itf_m&AMcurPlcxxKGwz)HKv+>amjjd&T|a<){X!1Hc>xX%&B-z%sv^c5 z3=D=RJI@(j^5}%BVwxN(lEkPmd54IWtO7d&12{7XfHMOt1IRa>u0LJ|GcYhr-Y6>0 z_+;`)QDxO*Ae%wr+z@qpp?r^S*B>6uM-*ZY^UFI-ju$nN$Y+C^C<s<*o5{(*uz}%) z+~n1wvW!L`!vsa3nqNW<<DUFiRKs#N8z{JHKX`PyK6tSX%qe}~!FbH0`52=|=l2)2 zAfe-j{)4h~rz_Zx9^IusUbs(=6BB3DoLnXr$hdIw2{ARsp2_dUR6>hc!69?OqucdD zvjr1>YX`_d-L4lrx+^$d9AyC&KDP3Z5If<~U3y{z!;40cp6=2M9^G{uovwRcECs1b z1_ka3kIvE!FDfTzh{p-Afi!jd-tg!=4=R^ePrfGZ=(ZJ<oV#l;bRK(=#mK<0PY+~U zrz<Gse(>ma{ov7AdjeEs_CnO1=sfnq3B>Gl1*P5x9^IukUKF!TR+LoXbBH~hmX@Xm z&3=>TOIS#3{Q}C>AYX&9g-5SxGaCcLi*J(^Bt<4OONuiFO_rAQU{ePP)=XBARNdSs zsm;jfJb9N?8l%i)MQKIOsNetpgQB`+a-pQ`<P2#^4(p%)|9kYBc1-S+_TZQe;TTQ6 
zDQz70gPDQhzv?eA`3Fq?1CtCaAaN!z$pR+Xz$6El<N}jCV3H3^3V=x=Few5i#aI{^ zCUeP5<Mrv4{mI0@;28X0^(E70UfG|F`k8rUi8+}m3_gh^sYMLI`T2PuDls>ep*$n8 zM4==jRUxf3Ia?tmUm-8QoNKbKeA49g@|uiVlW)qq*Bd}9XDcY}0;T<+bOe-6g3>uq zx(rG;K<O?hJq1e7gVHOY^d>012TC7<(De)#APk0EQ2Gg!eg~z0Kxrmudw~Z^i$Q4x zD6IvhO`x<Ll=gtqK~OpdN~eKocLs(6FoS`i3QD&?={_hu14=J~(rcjfHYj}nL~kxs z?B|=9z_Q68k%e)?<RlYc#toA<n0N?0P+(wYxS+zo%&<U%ftlgKWDZl^`Ujc}%nTE> z8JHOk=zs`akhB2<15;^nVtOjWeCC|gy!4U`hRw{(3<nGum>E78fs`3DFf%lmfCy6t zW`+%>jPZ$iDe=LMehep=nHd(CF)%PCrKaT<r7}EVPD}%(hNsNT3=_;j_L_sL76t}} z31SOaMH*N(Fn(aZ!0gb#xPfs4V*}#@rUjEvm}=Bd5QQ|qG#MBe_!$`(9*98rwotx< z7=-T%<ugb@_%Tp^f&heH4C6!fgK9*Oc>zKY`N>du1*rTg2)~{|fE%J<14Mw~0Mx=u zFuo*2{t1-7ffvGm5931}1ZoX}EL4z&$O|$;JX8SHuM6dG;D^XNgZVBD3=L2NBESL+ f3<o423UZ+Q2T%hWp!^9?{!}PmL1MF!c@YNyr{ZD% delta 2877 zcmZ2dzodS`4W^$06K}Z*a>+0-FfuSOd}DwBuE~as_JRzu5Ybg2DUihEMn-$VRdNtf z7O3c|$rl;z1vkh;L_I+27#J8fY*u87XA)>v_;KO+VXIYr(w~x;ng6nFp1{)1R=<IP zfx)AfwL_SJ;kfG`kdDsUA0C~hAC9}eNnv1M=&pU!`Ol;Cp+~3h1CQoo{2n_${Qv(S zWS@uPIgq&KM~}`k9^IuMJi6;RJUWkgboLhf|Ns9*m>|etTSH+GWoiYYI$dwPum=fu zx?Xs(Lx6$d#q4?zIY$6w`5BPq-KB3lx<hYxbngWl!UIy>{DXnNWh)~CgU4~#10Y2n z$6a?oX^`_l;wwP>7mfl93?7}wUl<E8FznL-`K;6R0Mx9`tvMiPy#gs|e!&P8tv|-X z&d?2!iUC>CYg#V^GQ@R;M>hyFcyzi>fG{06JUU%Fkk}0#-L(^5<by2BVPIg`$;`mO z(0R(Ev$f*?|NkD{wFf-9eJ8wF$j`vw0rEqu2FOLdrbZwOx>;*MK~mpsv4H{X-u<93 z?QG2eIZ{x7fx+-V=RvR;o##9{PraA~GNsdX2Z~8N5R*(mCV>rl#m~S1H7EsS&<T*P zUQ<S}y4nj6w+n1wcySOS@gf%#z}+C3(1y;|g#Z8lZ(w+_6eI}|?C|I=-Qm%>Hv;6N z&g-46As}N-n81;`9;_KG*Li3I!;4&g28Qm?GtGw>J44TOwg&wF|No`lzyJRY|G#kH zXJAO1FnI&-JjP3t{rMajizZLxQ)Vohyp_*P0~CTDy{1J13=F$e!I8jQ0!kMrc^Md9 zf+E(VyLQ71PQJ;){7Q@;C!6t`OTGm;vDfqiKLf)qO^B9%{0s~)+$Xp3y9cc2WMJrY zed5tw`{G40$gQ2nU%ci3i9G;|>9a5}bRK^(g9{{d2P`y)8^pc=W<LP4uXuFVe(>ln zeeptIvaCQf(;oiGSwdP$+zbpJ-FtWZ{{O%8*o)U7UT5or-=O&33!+|};hwxrNP&@i z@^v8vPO$Xx7Y^K$gyk8zCo2eRFmg@y6jov6nw%#LQq(W3$H+bToS+G(8yCo6UTwa~ z+(M>|GbTF<sWYA7om?fLsmu?Sg4y|-6O=wt?7YJ{`Ivw_(_GHU&jsYUQost1zX;%* zEFdVyl*2jMKv12Dk#lmSpfb}Pj>&a`@=T?iljjTSa)^PHcJmfaJ|gVRcyh9Uh@x~Y 
z2grEW4<O&a(1UPZfP=+yvX6+Wh%*NRgW<`}bB32ZI-#nBCbx<tO`a|)r)uxfS^L1F z+xGz|7aFiLFo4s&AUNII3UDznY+!hCfAVcnStdrV$-hLER33vI(CPZ)B{x_N>n$kX zqucd|NAnSb*u(ttllw(YB<k5v4U6Xl8>R;`j4@#HPf=w-BdA`OS(=k|#WXBWvw_03 z_Jc>K>w_2jz?{+t9*oC4nvXGhbbf!)3lchh=s!4tyMle{(OvrEMfl`CF>yxA$;-q7 z88=S;A*RMSXR^GwN@z1HID9~P=|Zyw6Mt(5$mQLx7d*NvI9^<30p$!^bx63K@aQf* zv4P>mM3A2D(hHy>veR|Xi>)A4$)F%U;n7*T;YH`<8RBsQW*|-7zBfEN&wF$pd$D^m zn}lQiQBdOUuD#HC>_rtL1H(Q&kZql=pmhAfqucd^M`!H`P+-r6s5{Yl>_rfW+35;O z%MU!dOK-erW`TyCDoAs$tpYnJNJ<}oO4<z!FXC80#qS?*`Qv)zB|8I{3(9xhu9MeF zuru+?Pu?$KA+hw!|NkDHpdbQa3y)sYYBmOj7vCm3NQz8WmK107nrtoU!6pw9teNZ} zsk(Wcq&6d?@#I@lX^cFR9i<gHy?+1y4@wd(lP5~bPVSJF<k0^4|G!7C>9ol!r9C*h zAsmOvKc$T)_sC4C|F7!B!ocuf)dx)afyn?c83ZOnz+@Phi~y5SU@`_wf;{$LH37^{ z0+T6VG7U^-urM(A^vX&yGcY&?|5xQ?W?-0*0rK_BXaE2I&yZkXVAyOg`<!vIgS?oa zPhv@G5kqi(ejbQQ%uSsfDxW0J$r<kH<KpZX<f7mf>gOEd>F>wMsamXHYpbAI%*8Ny zo4ghy*W`!t?h_L@>II-xxD=FDfzo<V+5$>DL1`Z-9R{TnpmY|LE`ic@P`U$3PlD2O zp!6~bUC*!q!eH11rH?@Ab5QyQlzs%I-$3baP?`bS+TeoHB2ZcmN^3xABPeYHrQN`^ zI|D-in8Cmh1*KD<bRLwhfYMD+x(7;6gVGB?^yWgve!htbESn4xSr{88Cz<#%HcZ}N z;vuj>fq|J}feHgN!v}Q+W`+%uIZSoyH)t|2Gd$2@U}l)010r-m()tVxOr^z%>8T9! znR8O}(n~TJHZwCbEHGqXX1HJkGQ}9A3rv`RbeS^7C+4NZ2Rr&PoM2{VXfR`7U`k3& z%P&f0c)*;P21*)FnVA_rm@zOj954r^AqED931S~uL>gE&Fn(aZ!0gb#xPfs4V*}#@ zrVW!%m}=A~h(a1^nhXpK{EQ3?8$=*{TPR;Z48nJX@*hY-_%TqvfdGVG4C6!fw?O#{ zLJ;}MQ2qyD2!9oXU(X=G4G{pfpg<0o0JZQEL;=GBsD)3U{03f#`u9-&1Stp~)Mf<f zXOM>Q1sNe83V`a@h4LHtA@a^(z6%3G0@Q#AumA(Y0ttwM94P+))W8NPzW~ag3gv$g K-)v-F!~p=zR6K3~ diff --git a/certexample.c b/certexample.c index 2f40704..f638312 100644 --- a/certexample.c +++ b/certexample.c @@ -16,6 +16,8 @@ #include <time.h> #include <openssl/asn1_mac.h> #define DEBUG 0 +#define LINE_BUFFER 100 + const ASN1_TIME *X509_get0_notBefore(const X509 *x); char** str_split(const char* a_str, const char a_delim); char* concat(char *s1, char *s2); 
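Review bot: `#define LINE_BUFFER 100` fixes the CSV line buffer at 100 bytes; if `line` is filled with `fgets(line, LINE_BUFFER, csv_input)` (outside this hunk), an input line of 99 or more characters arrives in pieces and each piece is then processed as its own CSV row, which a certificate path plus a URL can easily exceed. Either raise the size or detect truncation after the read, e.g. `if (!strchr(line, '\n') && !feof(csv_input)) { /* line too long: skip to next newline */ }`. A typed constant, `enum { LINE_BUFFER = 100 };`, is also preferable to the macro for an array bound.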
@@ -39,13 +41,10 @@ int validate_certificate(const char *url, X509 *cert);
 int find_first_instanceof(const char *str, char delim);
 char *str_slice_to_end(const char *str, int begin);
-
-
-
 int main(int argc, char **argv){
- int LINE_BUFFER=100;
 char line[LINE_BUFFER];
+ //open the file, create the file to write to
 FILE *csv_input = fopen(argv[1], "r");
 FILE *csv_output = fopen("output_test.csv" ,"w");
 //for each line in the csv file, process each certificate
@@ -60,6 +59,7 @@ int main(int argc, char **argv){
 printf("CSV LINE # %d\n", n);
 }
+ //init all the things we use to describe a certificate
 BIO *certificate_bio = NULL;
 X509 *cert = NULL;
 X509_NAME *cert_issuer = NULL;
@@ -71,6 +71,7 @@ int main(int argc, char **argv){
 //get rid of newline
 line[strlen(line)-1] = '\0';
+ //split the csv line up into its elements
 char **csv_row_elements = str_split(line, ',');
 if(DEBUG){
@@ -84,6 +85,7 @@ int main(int argc, char **argv){
 //for some reason splitting keeps mututating the original string
 char *unchanged_url = csv_row_elements[1];
+ //open up the certificate file specifed by the line in the input csv
 FILE *fp = fopen(certificate_file, "r");
 if (!(BIO_read_filename(certificate_bio, certificate_file))){
@@ -116,14 +118,10 @@ int main(int argc, char **argv){
 fprintf(csv_output,"%s,", csv_row_elements[0]);
 fprintf(csv_output,"%s,", unchanged_url);
+ //print validation result
 fprintf(csv_output,"%d\n", validate_certificate(url, cert));
- // printf ("\tCOMMON NAME VALIDATION: %d\n",);
- // printf ("\tMatches Subject Alternative Name Result: %d\n",);
- // printf("URL: %s\n",url);
-
- //
- // printf("URL: %s\n",url);
+ //this is for debugging and printing out line numbers
 n++;
 }
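Review bot: `fopen(argv[1], "r")` and `fopen("output_test.csv" ,"w")` under the new `//open the file, create the file to write to` comment are used without checking `argc` or the returned `FILE *`, so a missing argument or an unreadable path turns into a NULL dereference later in main, which continues past this hunk. The `@@ -84` hunk has the same unchecked `fopen(certificate_file, "r")`, and its `fp` is not consumed or closed in the visible lines while `BIO_read_filename` opens the same path itself — confirm against the rest of main whether `fp` is needed at all. Guard both at the top of main: `if (argc < 2) { fprintf(stderr, "usage: %s <input.csv>\n", argv[0]); return 1; }` and `if (!csv_input || !csv_output) { perror("fopen"); return 1; }`. The comment could also say that the output path is fixed and overwritten on every run.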
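Review bot: `line[strlen(line)-1] = '\0';`, immediately above the new `//split the csv line up into its elements` comment in the `@@ -71` hunk, writes to `line[-1]` when the line read is empty and strips a real character when the file's last line has no trailing newline. `line[strcspn(line, "\n")] = '\0';` removes the newline only when present and is safe on an empty buffer. How `line` is filled is outside the hunk (presumably `fgets` into the `LINE_BUFFER` array), so the empty-line case should be confirmed there.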
@@ -131,23 +129,21 @@ int main(int argc, char **argv){
 }
 char* get_basic_constraints(X509 *cert){
-
+ /* -returns a string that represents the certificate's basic constraint, either CA is false or true
+ -taken from the sample code and modified
+ */
 X509_EXTENSION *ex = X509_get_ext(cert, X509_get_ext_by_NID(cert, NID_basic_constraints, -1));
 ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);
 char buff[1024];
 OBJ_obj2txt(buff, 1024, obj, 0);
- //printf("Extension: %s, ", buff);
-
 BUF_MEM *bptr = NULL;
 char *buf = NULL;
 BIO *bio = BIO_new(BIO_s_mem());
-
 X509V3_EXT_print(bio, ex, 0, 0);
-
 BIO_flush(bio);
 BIO_get_mem_ptr(bio, &bptr);
@@ -161,6 +157,9 @@ char* get_basic_constraints(X509 *cert){
 return buf;
 }
 char* get_key_usage(X509 *cert){
+ /* -returns a string that represents the certificate's key usage
+ -taken from the sample code and modified
+ */
 X509_EXTENSION *ex = X509_get_ext(cert, X509_get_ext_by_NID(cert, NID_ext_key_usage, -1));
@@ -168,7 +167,7 @@ char* get_key_usage(X509 *cert){
 char buff[1024];
 OBJ_obj2txt(buff, 1024, obj, 0);
- //printf("Extension: %s, ", buff);
+
 BUF_MEM *bptr = NULL;
 char *buf = NULL;
@@ -191,7 +190,7 @@ char* get_key_usage(X509 *cert){
 return buf;
 }
 int get_public_key_length(X509 *cert){
-
+ /*Gets the length of the key and returns its size in bits*/
 EVP_PKEY *public_key = X509_get_pubkey(cert);
 RSA *rsa_key = EVP_PKEY_get1_RSA(public_key);
@@ -202,6 +201,7 @@ int get_public_key_length(X509 *cert){
 }
 char* get_domain_name(X509 *cert){
+ //gets the common name for this certifate and returns it as a string
 X509_NAME *x509_name = X509_get_subject_name(cert);
 char *cert_cn = X509_NAME_oneline(x509_name, 0, 0);
 cert_cn =(cert_cn+1);
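Review bot: The new doc comment on get_basic_constraints does not cover the missing-extension case: `X509_get_ext_by_NID(cert, NID_basic_constraints, -1)` returns -1 when the certificate carries no such extension, `X509_get_ext` then returns NULL, and `X509_EXTENSION_get_object(ex)` dereferences it; the `@@ -161` hunk has the identical pattern in get_key_usage with `NID_ext_key_usage`. A certificate lacking these extensions should fail validation rather than abort the whole batch, e.g. `int idx = X509_get_ext_by_NID(cert, NID_basic_constraints, -1);` followed by `if (idx < 0) return NULL;`, with `validate_basic_constraints` and `validate_key_usage` treating a NULL argument as 0 before their `strcmp`/`strlen`. The remainder of the function (after `BIO_get_mem_ptr` up to `return buf;`) is outside this hunk, so the comment should also state who owns the returned `buf`.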
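Review bot: The comment added to get_public_key_length in the `@@ -191` hunk states the return but not the key-type assumption: `EVP_PKEY_get1_RSA(public_key)` returns NULL for any non-RSA key (an EC certificate, for instance) and `X509_get_pubkey` can return NULL as well, so the lines after the hunk presumably dereference NULL on such input. Both calls hand back a reference the caller must release with `EVP_PKEY_free` / `RSA_free`; whether that happens is outside the hunk. Suggest `if (!public_key) return 0;` and `if (!rsa_key) { EVP_PKEY_free(public_key); return 0; }` so `validate_key_length` fails closed on a non-RSA key instead of crashing.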
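Review bot: In get_domain_name (`@@ -202` hunk) the new comment promises the common name, but the visible lines take the whole `X509_NAME_oneline` string (which can be NULL) and skip its first character with `cert_cn =(cert_cn+1)`; the following hunk returns `domain_clean[1]`, which is the CN only when CN happens to be the first RDN of the subject — for a subject like `/C=AU/O=Org/CN=host` (constructed) it would yield the country. Advancing the pointer also discards the base address that `X509_NAME_oneline` allocated, so it can never be freed. `X509_NAME_get_text_by_NID(x509_name, NID_commonName, buf, sizeof buf)` returns the CN regardless of RDN order; the middle of the function is outside this hunk.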
@@ -213,12 +213,13 @@ char* get_domain_name(X509 *cert){
 return domain_clean[1];
 }
 char* compare_not_before(X509 *cert){
+ // gets a certificate's not before date and compares it to the current date
 int day, sec;
 const ASN1_TIME *not_before = X509_get_notBefore(cert);
 if (!ASN1_TIME_diff(&day, &sec, NULL, not_before)){
 /* Invalid time format */
- printf("what the fuck do now\n");
+ return "invalid";
 }
 if (day > 0 || sec > 0){
@@ -230,9 +231,10 @@ char* compare_not_before(X509 *cert){
 else{
 return "Same";
 }
- return "invalid?";
+ return "invalid";
 }
 char* compare_not_after(X509 *cert){
+ // gets a certificate's not after date and compares it to the current date
 int day, sec;
 const ASN1_TIME *not_after = X509_get_notAfter(cert);
@@ -262,6 +264,7 @@ char* concat(char *s1, char *s2){
 }
 char** str_split(const char* a_str, const char a_delim){
+ //splits up string by a delimiter
 char** result = 0;
 size_t count = 0;
 char* tmp = (char *)a_str;
@@ -300,8 +303,7 @@ char** str_split(const char* a_str, const char a_delim){
 return result;
 }
 int matches_subject_alternative_name(const char *hostname, X509 *server_cert) {
-
-
+ //goes through the alternative domain names for a certifate and validates each one
 int i;
 int san_names_nb = -1;
 STACK_OF(GENERAL_NAME) *san_names = NULL;
@@ -348,7 +350,7 @@ int matches_subject_alternative_name(const char *hostname, X509 *server_cert) {
 return 0;
 }
 int validate_key_usage(char* key_usage){
-
+ //gets the key usage as a string from the helper function above, and then validates if it is equal to "TLS Web Server Authentication""
 //key usage may be a bunch of strings, need to get first one if this is the case
 if(strlen("TLS Web Server Authentication")!=strlen(key_usage)){
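Review bot: `return "invalid";` here, and the `return "invalid";` that replaces `"invalid?"` in the `@@ -230` hunk, hand a string literal out through a `char*` return type, as do the `"Same"`/`"Sooner"`/`"Later"` returns; writing through that pointer is undefined behaviour, so compare_not_before and compare_not_after should be declared `const char *` (the `validate_not_*` callers only pass the result to `strcmp`). The new early return also drops any record of a malformed date; under `if (DEBUG)` a `fprintf(stderr, "bad notBefore encoding\n");` lets an unparseable certificate be told apart from an expired one in the batch output. The branch after `if (day > 0 || sec > 0){` continues past the hunk.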
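Review bot: The new `//splits up string by a delimiter` comment on str_split (`@@ -262` hunk) should state what happens to the input: `char* tmp = (char *)a_str;` casts away the `const` of `a_str`, and the remark in main (`//for some reason splitting keeps mututating the original string`, `@@ -84` hunk) suggests the body — which is outside this hunk — writes through it. If so, say it plainly, e.g. `//NOTE: writes into a_str despite the const parameter; callers that need the original must pass a copy`, or duplicate the string inside str_split so the signature's contract is honest. The comment in the `@@ -348` hunk on validate_key_usage also has a doubled closing quote (`"TLS Web Server Authentication""`) that should be a single `"`.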
@@ -371,7 +373,7 @@ int validate_key_usage(char* key_usage){
 }
 int validate_basic_constraints(char* basic_constraints){
-
+ //gets the basic constraint from a helper function above and then validates if it is "CA: FALSE"
 if(strcmp(basic_constraints, "CA:FALSE")==0){
 // printf("\tBASIC CONSTRAINT PASS\n");
 return 1;
@@ -379,38 +381,30 @@ int validate_basic_constraints(char* basic_constraints){
 return 0;
 }
 int validate_wildcard_string(const char *hostname, char*hostname_with_wildcard){
-
+ //compares a domain with a wildcard with a given url, the wildcard is stripped of its '*' and '.'
+ //the string is then compared with the url (also having all things left from the initial '.' removed)
 char *hostname_with_wildcard_sliced = str_slice_to_end(hostname_with_wildcard, (find_first_instanceof(hostname_with_wildcard, '.')));
 char *hostname_sliced = str_slice_to_end(hostname, (find_first_instanceof(hostname, '.')));
-
-
-
-
-
-
- // char **hostname_with_wildcard_split = str_split(hostname_with_wildcard, '.');
-
- // char **hostname_split = str_split(hostname, '.');
-
- // const char *hostname_with_wildcard_right = hostname_with_wildcard_split[1];
- // const char *hostname_split_right = hostname_split[1];
-
 if(strcasecmp(hostname_with_wildcard_sliced, hostname_sliced)==0){
- printf("\t\tWILDCARD FUNCTION\t\t%s == %s\n", hostname_with_wildcard_sliced, hostname_sliced);
+
+ if (DEBUG){
+ printf("\t\tWILDCARD FUNCTION\t\t%s == %s\n", hostname_with_wildcard_sliced, hostname_sliced);
+ }
 return 1;
 }
-
 return 0;
 }
 int validate_key_length(int length){
+ //validates whether or not the certifate's key is 2048 bits
 if (length==2048){
 return 1;
 }
 return 0;
 }
 int validate_CN(const char* hostname, char*cn){
+ //matches the common name with the given url, if a wildcard is present, it gives the strings to the wildcard validator
 if(cn[0]=='*'){
 return (validate_wildcard_string(hostname, cn));
 }
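Review bot: validate_wildcard_string (`@@ -379` hunk) compares only what follows the first '.' on each side, so the check passes for any certificate name whose first label merely begins with `*`: `validate_CN` in the same hunk dispatches on `cn[0]=='*'` alone, and a CN of `*foo.example.com` (constructed) would match `bar.example.com`; a hostname with no '.' at all gets -1 from `find_first_instanceof` and is compared whole. The new comment should state the single-label rule and the code should enforce it at the top of validate_wildcard_string: `if (hostname_with_wildcard[1] != '.' || find_first_instanceof(hostname, '.') < 0) return 0;`. With that guard, `validate_CN` may keep its `cn[0]=='*'` dispatch unchanged.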
@@ -425,6 +419,7 @@ int validate_CN(const char* hostname, char*cn){
 return 0;
 }
 int validate_CN_and_SAN(const char *url, X509 *cert){
+ //gets the result from both the CN and SAN validator and returns true if either are valid
 if(validate_CN(url, get_domain_name(cert)) || matches_subject_alternative_name(url, cert)){
 return 1;
@@ -432,36 +427,30 @@ int validate_CN_and_SAN(const char *url, X509 *cert){
 else{return 0;}
 }
 int validate_not_before(X509 *cert){
-
+ //validates the not before date to be consistent with the current time
 if(strcmp(compare_not_before(cert), "Sooner")==0){
 return 1;
 }
 return 0;
 }
 int validate_not_after(X509 *cert){
-
+ //validates the not after date to be consistent with the current time
 if(strcmp(compare_not_after(cert), "Later")==0){
 return 1;
 }
 return 0;
 }
 int validate_certificate(const char *url, X509 *cert){
- // printf ("\tBASIC CONSTRAINT VALIDATION: %d\n",validate_basic_constraints(get_basic_constraints(cert)));
- // printf ("\tKEY USAGE VALIDATION: %d\n",validate_key_usage(get_key_usage(cert)));
- // printf ("\tKEY LENGTH VALIDATION: %d\n",validate_key_length(get_public_key_length(cert)));
- // printf("\tNOT BEFORE VALIDATION %d\n", validate_not_before(cert));
- // printf("\tNOT AFTER VALIDATION %d\n", validate_not_after(cert));
- // printf("\tCOMMON NAME AND SAN VALIDATION %d\n", validate_CN_and_SAN(url, cert));
-
+ //the final validation decision, takes all of the validation results from each aspect of the certificate
+ //and makes sure there are no invalid components
 int a = validate_basic_constraints(get_basic_constraints(cert));
 int b = validate_key_usage(get_key_usage(cert));
 int c = validate_key_length(get_public_key_length(cert));
 int d = validate_not_before(cert);
 int e = validate_not_after(cert);
- // printf("%s\n", url);
 int f = validate_CN_and_SAN(url, cert);
- // & b & c & d & e & f
- if(a&b & c & d & e& f){
+ //if any of these is invalid, the certificate is invalid
+ if(a & b & c & d & e & f){
 return 1;
 }
 else{
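Review bot: `if(a & b & c & d & e & f){` in validate_certificate (`@@ -432` hunk) relies on bitwise AND over the six results; it is only correct because every validator returns exactly 0 or 1, and `&&` states the intent and survives a validator that someday returns another non-zero value: `if(a && b && c && d && e && f){`. The strings passed on the `int a` and `int b` lines come from get_basic_constraints and get_key_usage, which per the `@@ -131` hunk build `buf` from a memory BIO, and nothing in this function releases them — if `buf` is heap-allocated (outside that hunk) the batch loop in main leaks two buffers per certificate, so they should be captured in locals and freed after the checks. The else branch continues past the hunk.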
@@ -469,6 +458,7 @@ int validate_certificate(const char *url, X509 *cert){
 }
 }
 int find_first_instanceof(const char *str, char delim){
+ //gets the first instance of a char in a string
 int i;
 for (i=0;i<=strlen(str);i++){
 if(str[i]==delim){
@@ -479,7 +469,12 @@ int find_first_instanceof(const char *str, char delim){
 return -1;
 }
 char *str_slice_to_end(const char *str, int begin){
- char *tmp = (char *)str;
- tmp = (tmp+=begin+1);
- return tmp;
+ //gets rid of things left of the index(inclusive) in a string
+ //eg str_slice_to_end("www.example.com",3) becomes example.com
+
+ char *tmp = (char *)str;
+ tmp = (tmp+=begin+1);
+ return tmp;
+
+
 }
-- GitLab
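Review bot: `for (i=0;i<=strlen(str);i++)` in find_first_instanceof compares an `int` index with a `size_t` and re-evaluates `strlen` on every iteration; the `<=` bound also inspects the terminator, so a `delim` of `'\0'` would report `strlen(str)` rather than -1. The loop body continues past the hunk. Prefer `size_t len = strlen(str);` and `for (size_t i = 0; i < len; i++)`, casting to `int` at the return, which the -1 sentinel already requires; the new comment should mention that -1 means "not found", since str_slice_to_end depends on it.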
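Review bot: `tmp = (tmp+=begin+1);` in str_slice_to_end (`@@ -479` hunk) applies no bound: `begin` comes from find_first_instanceof, so -1 yields the whole string — which the new comment should say — but any `begin >= strlen(str)` returns a pointer past the terminator that validate_wildcard_string then hands to `strcasecmp`. Suggest `if (begin < 0) return (char *)str;` and `if ((size_t)begin >= strlen(str)) return (char *)str + strlen(str);` ahead of the arithmetic, with the plain `return (char *)str + begin + 1;` in place of the compound assignment. The function returns a slice of its input rather than a copy, so the comment should also state that the caller must not free the result.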