| /* x509-parser.c -- print human readable info from an X.509 certificate |
| * |
| * ==================================================================== |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| * ==================================================================== |
| */ |
| |
| #include "svn_pools.h" |
| #include "svn_cmdline.h" |
| #include "svn_string.h" |
| #include "svn_dirent_uri.h" |
| #include "svn_io.h" |
| #include "svn_base64.h" |
| #include "svn_x509.h" |
| #include "svn_time.h" |
| |
| #include "svn_private_config.h" |
| |
| #define PEM_BEGIN_CERT "-----BEGIN CERTIFICATE-----" |
| #define PEM_END_CERT "-----END CERTIFICATE-----" |
| |
| static svn_error_t * |
| show_cert(const svn_string_t *der_cert, apr_pool_t *scratch_pool) |
| { |
| svn_x509_certinfo_t *certinfo; |
| const apr_array_header_t *hostnames; |
| |
| SVN_ERR(svn_x509_parse_cert(&certinfo, der_cert->data, der_cert->len, |
| scratch_pool, scratch_pool)); |
| |
| SVN_ERR(svn_cmdline_printf(scratch_pool, _("Subject: %s\n"), |
| svn_x509_certinfo_get_subject(certinfo, scratch_pool))); |
| SVN_ERR(svn_cmdline_printf(scratch_pool, _("Valid from: %s\n"), |
| svn_time_to_human_cstring( |
| svn_x509_certinfo_get_valid_from(certinfo), |
| scratch_pool))); |
| SVN_ERR(svn_cmdline_printf(scratch_pool, _("Valid until: %s\n"), |
| svn_time_to_human_cstring( |
| svn_x509_certinfo_get_valid_to(certinfo), |
| scratch_pool))); |
| SVN_ERR(svn_cmdline_printf(scratch_pool, _("Issuer: %s\n"), |
| svn_x509_certinfo_get_issuer(certinfo, scratch_pool))); |
| SVN_ERR(svn_cmdline_printf(scratch_pool, _("Fingerprint: %s\n"), |
| svn_checksum_to_cstring_display( |
| svn_x509_certinfo_get_digest(certinfo), |
| scratch_pool))); |
| |
| hostnames = svn_x509_certinfo_get_hostnames(certinfo); |
| if (hostnames && !apr_is_empty_array(hostnames)) |
| { |
| int i; |
| svn_stringbuf_t *buf = svn_stringbuf_create_empty(scratch_pool); |
| for (i = 0; i < hostnames->nelts; ++i) |
| { |
| const char *hostname = APR_ARRAY_IDX(hostnames, i, const char*); |
| if (i > 0) |
| svn_stringbuf_appendbytes(buf, ", ", 2); |
| svn_stringbuf_appendbytes(buf, hostname, strlen(hostname)); |
| } |
| SVN_ERR(svn_cmdline_printf(scratch_pool, _("Hostnames: %s\n"), |
| buf->data)); |
| } |
| |
| return SVN_NO_ERROR; |
| } |
| |
| static svn_boolean_t |
| is_der_cert(const svn_string_t *raw) |
| { |
| /* really simplistic fingerprinting of a DER. By definition it must |
| * start with an ASN.1 tag of a constructed (0x20) sequence (0x10). |
| * It's somewhat unfortunate that 0x30 happens to also come out to the |
| * ASCII for '0' which may mean this will create false positives. */ |
| return raw->data[0] == 0x30 ? TRUE : FALSE; |
| } |
| |
| static svn_error_t * |
| get_der_cert_from_stream(const svn_string_t **der_cert, svn_stream_t *in, |
| apr_pool_t *pool) |
| { |
| svn_string_t *raw; |
| SVN_ERR(svn_string_from_stream2(&raw, in, SVN__STREAM_CHUNK_SIZE, |
| pool)); |
| |
| *der_cert = NULL; |
| |
| /* look for a DER cert */ |
| if (is_der_cert(raw)) |
| { |
| *der_cert = raw; |
| return SVN_NO_ERROR; |
| } |
| else |
| { |
| const svn_string_t *base64_decoded; |
| const char *start, *end; |
| |
| /* Try decoding as base64 without headers */ |
| base64_decoded = svn_base64_decode_string(raw, pool); |
| if (base64_decoded && is_der_cert(base64_decoded)) |
| { |
| *der_cert = base64_decoded; |
| return SVN_NO_ERROR; |
| } |
| |
| /* Try decoding as a PEM with begining and ending headers. */ |
| start = strstr(raw->data, PEM_BEGIN_CERT); |
| end = strstr(raw->data, PEM_END_CERT); |
| if (start && end && end > start) |
| { |
| svn_string_t *encoded; |
| |
| start += sizeof(PEM_BEGIN_CERT) - 1; |
| end -= 1; |
| encoded = svn_string_ncreate(start, end - start, pool); |
| base64_decoded = svn_base64_decode_string(encoded, pool); |
| if (is_der_cert(base64_decoded)) |
| { |
| *der_cert = base64_decoded; |
| return SVN_NO_ERROR; |
| } |
| } |
| } |
| |
| return svn_error_create(SVN_ERR_X509_CERT_INVALID_PEM, NULL, |
| _("Couldn't find certificate in input data")); |
| } |
| |
| int main (int argc, const char *argv[]) |
| { |
| apr_pool_t *pool = NULL; |
| svn_error_t *err; |
| svn_stream_t *in; |
| |
| apr_initialize(); |
| atexit(apr_terminate); |
| |
| pool = svn_pool_create(NULL); |
| |
| if (argc == 2) |
| { |
| const char *target = svn_dirent_canonicalize(argv[1], pool); |
| err = svn_stream_open_readonly(&in, target, pool, pool); |
| } |
| else if (argc == 1) |
| { |
| err = svn_stream_for_stdin2(&in, TRUE, pool); |
| } |
| else |
| err = svn_error_create(SVN_ERR_CL_ARG_PARSING_ERROR, NULL, _("Too many arguments")); |
| |
| if (!err) |
| { |
| const svn_string_t *der_cert; |
| err = get_der_cert_from_stream(&der_cert, in, pool); |
| if (!err) |
| err = show_cert(der_cert, pool); |
| } |
| |
| if (err) |
| return svn_cmdline_handle_exit_error(err, pool, "x509-parser: "); |
| |
| return 0; |
| } |