From 630eb9ef8f139878a790f9db48278de1185d0063 Mon Sep 17 00:00:00 2001 From: "Jean-Marc Pigeon (Delson)" Date: Sat, 3 May 2025 21:02:49 -0400 Subject: [PATCH] Trying toe resolv peer certificate acceptation --- certs/safe_CA.pem | 120 ++++++++++++---------------------- certs/safe_CA.pem.ref | 127 ++++++++++++++++++++++++++++++++++++ certs/xx | 17 +++++ lib/devsoc.c | 1 + lib/unitls.c | 145 +++++++++++++++++++++--------------------- lib/unitls.h | 3 + 6 files changed, 263 insertions(+), 150 deletions(-) create mode 100644 certs/safe_CA.pem.ref create mode 100644 certs/xx diff --git a/certs/safe_CA.pem b/certs/safe_CA.pem index 0a10181..21f4d69 100644 --- a/certs/safe_CA.pem +++ b/certs/safe_CA.pem 
@@ -1,81 +1,45 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 2a:01:e0:a5:fb:80:10:00:00:00:02 - Signature Algorithm: ecdsa-with-SHA384 - Issuer: C=CA, L=Montreal, ST=Quebec, O=SAFE Inc., OU=Digital Certificate Signing, CN=SAFE Root CA 1 - Validity - Not Before: Jan 20 17:19:55 2024 GMT - Not After : Jun 7 17:19:55 2051 GMT - Subject: C=CA, O=SAFE Inc., OU=Digital Certificate Signing, CN=SAFE Midle Ground CA (2024) - SHA384 - 3 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - Modulus: - 00:d1:52:9b:dc:10:57:6d:9a:0e:09:5b:1b:aa:fb: - 76:8c:65:b3:f2:ca:75:36:8f:c0:cb:82:d8:2f:5b: - 0e:25:0c:5f:fc:18:94:41:87:5d:75:eb:92:ec:2a: - 87:14:ec:5f:cc:f6:8f:bf:db:4e:a3:07:aa:ec:90: - 3a:48:43:b9:01:84:42:fb:34:0b:06:5f:d8:e4:6d: - e7:55:8f:f6:ad:98:c4:7d:6f:a8:39:de:f8:70:94: - 71:f3:2f:24:1b:3b:ab:42:70:d8:6c:06:ef:81:af: - fa:f7:68:77:66:0e:60:12:df:80:bb:b4:92:4a:1f: - 3e:52:2d:f5:9a:e3:ba:26:d3:88:68:aa:11:88:0f: - b8:be:7e:e3:d7:88:ce:86:09:1a:a3:2c:ce:74:c1: - d7:d6:7a:c4:b5:04:1e:25:ef:b7:15:6a:16:27:4d: - 0f:ed:af:46:fc:a0:57:a2:6d:fe:91:c3:c7:1f:87: - 06:fe:5a:e2:a8:de:33:67:ae:6d:06:84:f2:15:1d: - 9d:ff:11:cf:be:6f:a9:a5:13:13:0b:ef:67:19:1f: - ea:a8:ed:f0:db:f2:1f:ba:8c:a5:1e:b3:54:b7:68: - c3:37:85:db:01:2e:83:4d:e0:06:be:93:54:b0:dc: - 31:23:98:15:b7:ec:b5:82:57:7a:7c:34:6c:3b:2b: - 3b:fa:b3:12:9a:63:63:d9:54:fd:bf:a1:ee:3c:a4: - 47:83:04:60:b9:9b:74:8f:f7:92:93:1d:f5:ea:98: - 87:c4:c9:de:d6:b8:5f:bf:fc:2e:41:e0:55:38:65: - 80:54:02:c6:d9:bd:7d:51:96:ba:55:ad:bf:01:ce: - 31:21:54:1e:56:16:79:7b:97:1a:53:92:86:80:54: - ef:e9:75:ad:21:45:37:82:54:52:ed:c3:37:8c:11: - ab:63:dd:64:ae:15:b4:f5:cc:02:2f:61:ab:42:d6: - c5:a1:c0:dd:19:ef:70:f1:7f:6d:31:af:4e:60:bb: - 83:a1:f7:49:a5:de:94:dd:31:c1:74:4b:11:73:da: - 4d:f4:4e:90:9e:ae:dd:c0:61:d6:6b:54:3f:3a:78: - c3:8b:e4:0e:ba:c6:9c:f3:3f:fb:6c:34:7c:ff:3d: - 65:d7:0b:ec:4c:19:37:51:37:c5:3b:34:7e:55:85: - 10:82:33:30:7f:ff:95:63:5b:45:3c:45:90:34:fb: - 
1c:5e:ef:64:a3:a7:a8:58:0f:d0:97:6a:de:5a:8f: - 29:51:6b:14:01:b1:ec:59:74:47:0e:d9:d0:1a:78: - df:16:e5:fe:5b:8b:95:48:0f:26:20:58:ef:14:6a: - 97:ca:c0:b3:7d:ac:7f:8a:6c:59:be:1b:fc:a0:47: - e7:57:b1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - Authority Information Access: - CA Issuers - URI:http://certificates.safe.ca/cacert/safeMDL.pem - OCSP - URI:http://certificates/safe.ca/chkcertstats - X509v3 Certificate Policies: - Policy: 1.3.6.1.4.1.7438.1.1 - CPS: http://certificates.safe.ca/repository/ - Policy: 2.23.140.1.2.1 - X509v3 Basic Constraints: critical - CA:TRUE, pathlen:0 - X509v3 CRL Distribution Points: - Full Name: - URI:http://certificates.safe.ca/repository/revoklist.pem - X509v3 Subject Alternative Name: - DNS:certificates.safe.ca, IP Address:192.219.254.53 - X509v3 Authority Key Identifier: - 87:DD:FB:32:49:26:5E:13:F8:B7:F2:DF:EF:9C:F6:85:34:37:7A:D9 - X509v3 Subject Key Identifier: - 9C:BE:0B:C0:22:76:F5:CF:BC:FD:78:9A:92:77:20:FE:BF:96:1E:D8 - Signature Algorithm: ecdsa-with-SHA384 - Signature Value: - 30:46:02:21:00:ff:21:78:ff:d7:43:e7:9d:7d:dd:e6:f1:89: - f9:39:8a:14:e0:46:ca:b2:f2:59:a1:09:70:a0:2d:8b:66:a1: - 65:02:21:00:d6:cf:8e:54:06:f0:d3:4c:23:f6:9d:a7:d5:b7: - 23:6d:b9:c8:18:15:63:a3:92:98:3c:dc:25:18:71:1c:74:68 +-----BEGIN CERTIFICATE----- +MIIHYjCCBUqgAwIBAgILKgHgpfuAgAAAACgwDQYJKoZIhvcNAQEMBQAwejELMAkG +A1UEBhMCQ0ExEjAQBgNVBAoMCVNBRkUgSW5jLjEkMCIGA1UECwwbRGlnaXRhbCBD +ZXJ0aWZpY2F0ZSBTaWduaW5nMTEwLwYDVQQDDChTQUZFIE1pZGxlIEdyb3VuZCBD +QSAoMjAyNCkgLSBTSEEzODQgLSAzMCAXDTI1MDQwNjExNTQ0NVoYDzIwNTAwNDA2 +MTE1NDQ1WjCBkDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UE +BwwITW9udHJlYWwxEjAQBgNVBAoMCVNBRkUgSW5jLjEqMCgGA1UECwwhTWFpbGxl +dXIgZW1haWwgZGV2ZWxvcHBlbWVudCB0ZXN0MR0wGwYDVQQDDBRtYWlsbGV1ci5l +eGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALJuNfeM +6wcNofgQ/d2N2Z7Pn0s5Te6BXrNeomeBnrfsuLsIEl0HASO8PSSCp7CmsVZXbua5 
+lY/7fxL97JFLgW3oj10zw+bbJGb18s0eho8jtjguRsmUzUy2N0FEX48INveQd5f2 +HYGoRJQjMKgZQby41FLZTFdF6h4uqGCbxzRtgWZdaPilZzFaSRQTfGiv0Ktu5Sza +XLEgeP9LPB5agaCRZn+pbC3ftk+JU9tiQAHqq9ifHUtc3C2Vg3Oid8g/zv45ES6y +OBc9vFBzUNAaW3aeRHZtyRRTYQUxpmYduqmIUrsoqbvePgU/EWvuFAsP8nlqPFbJ +9ngP1S+Le60jdfNT57SrgsSN8YT4gj6XpoWEGPyJ5xKVye0oxWzYhN731f2oweYt +VXUUnBtfiZEKWA7/kmcu8J7ESDAavh1kNbqHkq7XJF8IKDey7MlaNoRmHvKUc7x+ +gz4M2v+P6hwTlFPWcY+hUifFDzELfTqWI/XMv0qbjghaFexKa9slFiEsm1JNcdNs +b1VjzCg3I1jPY904eSSrRvmWIGuxd7S48c8efq71i1uJmOXfcdG1Zs1vtsKPDnVZ +4V/Pq7OHzm3BukRoeXCuCwcf1XozCxP9OZhbRhnkor/0BkgSAcf8yMwVgdYugj9+ +V7ioBthwgffDQkyvSHomOJbib/yz5p+4bysNAgMBAAGjggHOMIIByjAOBgNVHQ8B +Af8EBAMCBaAwgYAGCCsGAQUFBwEBBHQwcjA6BggrBgEFBQcwAoYuaHR0cDovL2Nl +cnRpZmljYXRlcy5zYWZlLmNhL2NhY2VydC9zYWZlTURMLnBlbTA0BggrBgEFBQcw +AYYoaHR0cDovL2NlcnRpZmljYXRlcy9zYWZlLmNhL2Noa2NlcnRzdGF0czBTBgNV +HSAETDBKMD8GCSsGAQQBug4BAjAyMDAGCCsGAQUFBwIBFiRodHRwOi8vY2VydGlm +aWNhdGVzLnNhZmUuY2EvcG9saWNpZXMwBwYFZ4EMAQEwCQYDVR0TBAIwADBFBgNV +HR8EPjA8MDqgOKA2hjRodHRwOi8vY2VydGlmaWNhdGVzLnNhZmUuY2EvcmVwb3Np +dG9yeS9yZXZva2xpc3QucGVtMCUGA1UdEQQeMByCFG1haWxsZXVyLmV4YW1wbGUu +Y29thwR/fwoZMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUH +AwQwHQYDVR0OBBYEFIn8+ieFGnVwdLZHnCq2H5BYv8XBMB8GA1UdIwQYMBaAFJy+ +C8AidvXPvP14mpJ3IP6/lh7YMA0GCSqGSIb3DQEBDAUAA4ICAQBoIbYRYKbqMa+a +MWS+iPlgF9dL1ZWozb0EECo9+WEl4USHXVOBR6XURjKo7/O+HDZxGXdK+BVDOMVh +Ygl8HtYMcrmcl+vCzrbQFAt8AYwdBb9+KQmfE+LlHdiJeA74r4crlNzDJ5zN2zP3 +YHyaD6sJed1ftLJgVKWInHY/bsyRs6YTY2S+sC43nIDb4ZUREugKW72wuUnuzWw0 +ZO+FVznXL42ltk2Yj8UuLdWXi8xJhLopqelAtypW9A/LAtIv7F1MLGuI4bYByyxu +yEmmLEjTgZwNbwfFVn5H9H0UgWLhKbYokX/b/Ed8f+H+nAirZCL4z7uPnnUeB6zd +VoiVyoRCH7CQyjp7JABDRFc6g2f3FWUUv5aFOdlTbOPy3A/iu9cPgXEAFr0fgiuv +9ytJBJ8c/ju72iapuotfcPRoo/yIS880R1TrOmVNJMdmYGFVA4EQpLMwPkDK6Azo +JJ8OIFwf6mW9WyPNlfgcdO8lLFV62IXrM/6Yjs280W75OHFfi8sJLj14tDdLcGBg +hfA0eOdMBUenukZYe0oujANfSeqoxIFOCMdQ4kOyItLLauZpcU6l9Uml/QMHJehD +Lv36HfWcJJB9KedA+OWw6gKkxeU6+NCniDEaPY06/azNAmpKCNTdqaN2RSrRQzoX 
+vnVQM0NmexymzA4NkFyFfWzMsFZERQ== +-----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFejCCBR+gAwIBAgILKgHgpfuAEAAAAAIwCgYIKoZIzj0EAwMwgYQxCzAJBgNV BAYTAkNBMREwDwYDVQQHDAhNb250cmVhbDEPMA0GA1UECAwGUXVlYmVjMRIwEAYD diff --git a/certs/safe_CA.pem.ref b/certs/safe_CA.pem.ref new file mode 100644 index 0000000..0a10181 --- /dev/null +++ b/certs/safe_CA.pem.ref 
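Review bot: The PEM block prepended to safe_CA.pem appears, from its decoded subject (CN mailleur.example.com, OU "Mailleur email developpement test") and an empty basicConstraints, to be an end-entity test certificate rather than a CA, yet safe_CA.pem is the file set_certificate loads as certpub[0] for verification. Placing a leaf certificate in the trust bundle makes that single certificate a trust anchor independent of its issuer's status, which is a different trust decision from trusting the SAFE CA chain and should be stated in the file header or the commit message. If the leaf is only needed for a local test, keep it in a separately named test bundle instead of shipping it as an anchor. The removal of the openssl text dump and the parallel addition of safe_CA.pem.ref also deserve one sentence saying whether the dump was breaking a parser.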
@@ -0,0 +1,127 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:01:e0:a5:fb:80:10:00:00:00:02 + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C=CA, L=Montreal, ST=Quebec, O=SAFE Inc., OU=Digital Certificate Signing, CN=SAFE Root CA 1 + Validity + Not Before: Jan 20 17:19:55 2024 GMT + Not After : Jun 7 17:19:55 2051 GMT + Subject: C=CA, O=SAFE Inc., OU=Digital Certificate Signing, CN=SAFE Midle Ground CA (2024) - SHA384 - 3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:d1:52:9b:dc:10:57:6d:9a:0e:09:5b:1b:aa:fb: + 76:8c:65:b3:f2:ca:75:36:8f:c0:cb:82:d8:2f:5b: + 0e:25:0c:5f:fc:18:94:41:87:5d:75:eb:92:ec:2a: + 87:14:ec:5f:cc:f6:8f:bf:db:4e:a3:07:aa:ec:90: + 3a:48:43:b9:01:84:42:fb:34:0b:06:5f:d8:e4:6d: + e7:55:8f:f6:ad:98:c4:7d:6f:a8:39:de:f8:70:94: + 71:f3:2f:24:1b:3b:ab:42:70:d8:6c:06:ef:81:af: + fa:f7:68:77:66:0e:60:12:df:80:bb:b4:92:4a:1f: + 3e:52:2d:f5:9a:e3:ba:26:d3:88:68:aa:11:88:0f: + b8:be:7e:e3:d7:88:ce:86:09:1a:a3:2c:ce:74:c1: + d7:d6:7a:c4:b5:04:1e:25:ef:b7:15:6a:16:27:4d: + 0f:ed:af:46:fc:a0:57:a2:6d:fe:91:c3:c7:1f:87: + 06:fe:5a:e2:a8:de:33:67:ae:6d:06:84:f2:15:1d: + 9d:ff:11:cf:be:6f:a9:a5:13:13:0b:ef:67:19:1f: + ea:a8:ed:f0:db:f2:1f:ba:8c:a5:1e:b3:54:b7:68: + c3:37:85:db:01:2e:83:4d:e0:06:be:93:54:b0:dc: + 31:23:98:15:b7:ec:b5:82:57:7a:7c:34:6c:3b:2b: + 3b:fa:b3:12:9a:63:63:d9:54:fd:bf:a1:ee:3c:a4: + 47:83:04:60:b9:9b:74:8f:f7:92:93:1d:f5:ea:98: + 87:c4:c9:de:d6:b8:5f:bf:fc:2e:41:e0:55:38:65: + 80:54:02:c6:d9:bd:7d:51:96:ba:55:ad:bf:01:ce: + 31:21:54:1e:56:16:79:7b:97:1a:53:92:86:80:54: + ef:e9:75:ad:21:45:37:82:54:52:ed:c3:37:8c:11: + ab:63:dd:64:ae:15:b4:f5:cc:02:2f:61:ab:42:d6: + c5:a1:c0:dd:19:ef:70:f1:7f:6d:31:af:4e:60:bb: + 83:a1:f7:49:a5:de:94:dd:31:c1:74:4b:11:73:da: + 4d:f4:4e:90:9e:ae:dd:c0:61:d6:6b:54:3f:3a:78: + c3:8b:e4:0e:ba:c6:9c:f3:3f:fb:6c:34:7c:ff:3d: + 65:d7:0b:ec:4c:19:37:51:37:c5:3b:34:7e:55:85: + 10:82:33:30:7f:ff:95:63:5b:45:3c:45:90:34:fb: + 
1c:5e:ef:64:a3:a7:a8:58:0f:d0:97:6a:de:5a:8f: + 29:51:6b:14:01:b1:ec:59:74:47:0e:d9:d0:1a:78: + df:16:e5:fe:5b:8b:95:48:0f:26:20:58:ef:14:6a: + 97:ca:c0:b3:7d:ac:7f:8a:6c:59:be:1b:fc:a0:47: + e7:57:b1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Authority Information Access: + CA Issuers - URI:http://certificates.safe.ca/cacert/safeMDL.pem + OCSP - URI:http://certificates/safe.ca/chkcertstats + X509v3 Certificate Policies: + Policy: 1.3.6.1.4.1.7438.1.1 + CPS: http://certificates.safe.ca/repository/ + Policy: 2.23.140.1.2.1 + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 CRL Distribution Points: + Full Name: + URI:http://certificates.safe.ca/repository/revoklist.pem + X509v3 Subject Alternative Name: + DNS:certificates.safe.ca, IP Address:192.219.254.53 + X509v3 Authority Key Identifier: + 87:DD:FB:32:49:26:5E:13:F8:B7:F2:DF:EF:9C:F6:85:34:37:7A:D9 + X509v3 Subject Key Identifier: + 9C:BE:0B:C0:22:76:F5:CF:BC:FD:78:9A:92:77:20:FE:BF:96:1E:D8 + Signature Algorithm: ecdsa-with-SHA384 + Signature Value: + 30:46:02:21:00:ff:21:78:ff:d7:43:e7:9d:7d:dd:e6:f1:89: + f9:39:8a:14:e0:46:ca:b2:f2:59:a1:09:70:a0:2d:8b:66:a1: + 65:02:21:00:d6:cf:8e:54:06:f0:d3:4c:23:f6:9d:a7:d5:b7: + 23:6d:b9:c8:18:15:63:a3:92:98:3c:dc:25:18:71:1c:74:68 +-----BEGIN CERTIFICATE----- +MIIFejCCBR+gAwIBAgILKgHgpfuAEAAAAAIwCgYIKoZIzj0EAwMwgYQxCzAJBgNV +BAYTAkNBMREwDwYDVQQHDAhNb250cmVhbDEPMA0GA1UECAwGUXVlYmVjMRIwEAYD +VQQKDAlTQUZFIEluYy4xJDAiBgNVBAsMG0RpZ2l0YWwgQ2VydGlmaWNhdGUgU2ln +bmluZzEXMBUGA1UEAwwOU0FGRSBSb290IENBIDEwIBcNMjQwMTIwMTcxOTU1WhgP +MjA1MTA2MDcxNzE5NTVaMHoxCzAJBgNVBAYTAkNBMRIwEAYDVQQKDAlTQUZFIElu +Yy4xJDAiBgNVBAsMG0RpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzExMC8GA1UE +AwwoU0FGRSBNaWRsZSBHcm91bmQgQ0EgKDIwMjQpIC0gU0hBMzg0IC0gMzCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANFSm9wQV22aDglbG6r7doxls/LK +dTaPwMuC2C9bDiUMX/wYlEGHXXXrkuwqhxTsX8z2j7/bTqMHquyQOkhDuQGEQvs0 
+CwZf2ORt51WP9q2YxH1vqDne+HCUcfMvJBs7q0Jw2GwG74Gv+vdod2YOYBLfgLu0 +kkofPlIt9ZrjuibTiGiqEYgPuL5+49eIzoYJGqMsznTB19Z6xLUEHiXvtxVqFidN +D+2vRvygV6Jt/pHDxx+HBv5a4qjeM2eubQaE8hUdnf8Rz75vqaUTEwvvZxkf6qjt +8NvyH7qMpR6zVLdowzeF2wEug03gBr6TVLDcMSOYFbfstYJXenw0bDsrO/qzEppj +Y9lU/b+h7jykR4MEYLmbdI/3kpMd9eqYh8TJ3ta4X7/8LkHgVThlgFQCxtm9fVGW +ulWtvwHOMSFUHlYWeXuXGlOShoBU7+l1rSFFN4JUUu3DN4wRq2PdZK4VtPXMAi9h +q0LWxaHA3RnvcPF/bTGvTmC7g6H3SaXelN0xwXRLEXPaTfROkJ6u3cBh1mtUPzp4 +w4vkDrrGnPM/+2w0fP89ZdcL7EwZN1E3xTs0flWFEIIzMH//lWNbRTxFkDT7HF7v +ZKOnqFgP0Jdq3lqPKVFrFAGx7Fl0Rw7Z0Bp43xbl/luLlUgPJiBY7xRql8rAs32s +f4psWb4b/KBH51exAgMBAAGjggGyMIIBrjAOBgNVHQ8BAf8EBAMCAQYwgYAGCCsG +AQUFBwEBBHQwcjA6BggrBgEFBQcwAoYuaHR0cDovL2NlcnRpZmljYXRlcy5zYWZl +LmNhL2NhY2VydC9zYWZlTURMLnBlbTA0BggrBgEFBQcwAYYoaHR0cDovL2NlcnRp +ZmljYXRlcy9zYWZlLmNhL2Noa2NlcnRzdGF0czBXBgNVHSAEUDBOMEIGCSsGAQQB +ug4BATA1MDMGCCsGAQUFBwIBFidodHRwOi8vY2VydGlmaWNhdGVzLnNhZmUuY2Ev +cmVwb3NpdG9yeS8wCAYGZ4EMAQIBMBIGA1UdEwEB/wQIMAYBAf8CAQAwRQYDVR0f +BD4wPDA6oDigNoY0aHR0cDovL2NlcnRpZmljYXRlcy5zYWZlLmNhL3JlcG9zaXRv +cnkvcmV2b2tsaXN0LnBlbTAlBgNVHREEHjAcghRjZXJ0aWZpY2F0ZXMuc2FmZS5j +YYcEwNv+NTAfBgNVHSMEGDAWgBSH3fsySSZeE/i38t/vnPaFNDd62TAdBgNVHQ4E +FgQUnL4LwCJ29c+8/Xiakncg/r+WHtgwCgYIKoZIzj0EAwMDSQAwRgIhAP8heP/X +Q+edfd3m8Yn5OYoU4EbKsvJZoQlwoC2LZqFlAiEA1s+OVAbw00wj9p2n1bcjbbnI +GBVjo5KYPNwlGHEcdGg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICyjCCAnCgAwIBAgIUAtMkWFCaY2IBnHeZJh0H1JpvuDEwCgYIKoZIzj0EAwMw +gYQxCzAJBgNVBAYTAkNBMREwDwYDVQQHDAhNb250cmVhbDEPMA0GA1UECAwGUXVl +YmVjMRIwEAYDVQQKDAlTQUZFIEluYy4xJDAiBgNVBAsMG0RpZ2l0YWwgQ2VydGlm +aWNhdGUgU2lnbmluZzEXMBUGA1UEAwwOU0FGRSBSb290IENBIDEwHhcNMjEwNDI1 +MTMyNjU1WhcNNDEwNDI1MTMyNjU1WjCBhDELMAkGA1UEBhMCQ0ExETAPBgNVBAcM +CE1vbnRyZWFsMQ8wDQYDVQQIDAZRdWViZWMxEjAQBgNVBAoMCVNBRkUgSW5jLjEk +MCIGA1UECwwbRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMRcwFQYDVQQDDA5T +QUZFIFJvb3QgQ0EgMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCu6gm4DFOju +mx0L44Do7x9o/bVNJFCdegQHudHDcNuqyRDDPX8moIgiIVE5/VEQjmcxnlyyvmCU 
+AXV+w++zrGyjgb0wgbowDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w +HQYDVR0OBBYEFIfd+zJJJl4T+Lfy3++c9oU0N3rZMB8GA1UdIwQYMBaAFIfd+zJJ +Jl4T+Lfy3++c9oU0N3rZMFcGA1UdIARQME4wQgYJKwYBBAG6DgEBMDUwMwYIKwYB +BQUHAgEWJ2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuc2FmZS5jYS9yZXBvc2l0b3J5LzAI +BgZngQwBAgEwCgYIKoZIzj0EAwMDSAAwRQIgUEMNNezsU248dE57Uz/fLdRdiioL +eiHEbpMEcLW1dCoCIQCmbpV3cp0OvPAVX7cCzOGssT31ppkBIzA6dgNr7qyS+g== +-----END CERTIFICATE----- diff --git a/certs/xx b/certs/xx new file mode 100644 index 0000000..ff10572 --- /dev/null +++ b/certs/xx @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyjCCAnCgAwIBAgIUAtMkWFCaY2IBnHeZJh0H1JpvuDEwCgYIKoZIzj0EAwMw +gYQxCzAJBgNVBAYTAkNBMREwDwYDVQQHDAhNb250cmVhbDEPMA0GA1UECAwGUXVl +YmVjMRIwEAYDVQQKDAlTQUZFIEluYy4xJDAiBgNVBAsMG0RpZ2l0YWwgQ2VydGlm +aWNhdGUgU2lnbmluZzEXMBUGA1UEAwwOU0FGRSBSb290IENBIDEwHhcNMjEwNDI1 +MTMyNjU1WhcNNDEwNDI1MTMyNjU1WjCBhDELMAkGA1UEBhMCQ0ExETAPBgNVBAcM +CE1vbnRyZWFsMQ8wDQYDVQQIDAZRdWViZWMxEjAQBgNVBAoMCVNBRkUgSW5jLjEk +MCIGA1UECwwbRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMRcwFQYDVQQDDA5T +QUZFIFJvb3QgQ0EgMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCu6gm4DFOju +mx0L44Do7x9o/bVNJFCdegQHudHDcNuqyRDDPX8moIgiIVE5/VEQjmcxnlyyvmCU +AXV+w++zrGyjgb0wgbowDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w +HQYDVR0OBBYEFIfd+zJJJl4T+Lfy3++c9oU0N3rZMB8GA1UdIwQYMBaAFIfd+zJJ +Jl4T+Lfy3++c9oU0N3rZMFcGA1UdIARQME4wQgYJKwYBBAG6DgEBMDUwMwYIKwYB +BQUHAgEWJ2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuc2FmZS5jYS9yZXBvc2l0b3J5LzAI +BgZngQwBAgEwCgYIKoZIzj0EAwMDSAAwRQIgUEMNNezsU248dE57Uz/fLdRdiioL +eiHEbpMEcLW1dCoCIQCmbpV3cp0OvPAVX7cCzOGssT31ppkBIzA6dgNr7qyS+g== +-----END CERTIFICATE----- diff --git a/lib/devsoc.c b/lib/devsoc.c index 4c6ebf0..de86e89 100644 --- a/lib/devsoc.c +++ b/lib/devsoc.c @@ -1409,6 +1409,7 @@ if ((soc!=(SOCTYP *)0)&&(soc->modtls==false)) { case false : break; } + (void) tls_verify(soc->tls); } peerip=rou_freestr(peerip); } diff --git a/lib/unitls.c b/lib/unitls.c index 534a169..87094bc 100644 --- a/lib/unitls.c +++ b/lib/unitls.c 
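Review bot: certs/xx is a new file whose name says nothing about its content, and its PEM block appears identical to the root CA block that ends safe_CA.pem.ref in this same commit, so it reads as a scratch artefact from testing. If something is meant to load it, give it a descriptive name and say what reads it; otherwise drop it from the commit so a stray trust anchor is not shipped under an anonymous name.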
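Review bot: The result of the new `(void) tls_verify(soc->tls);` call is discarded, so whatever tls_verify reports the connection continues unchanged, and tls_verify as added in unitls.c in this commit only logs SSL_get_verify_result rather than failing on it; together the peer certificate is still never enforced. If the intent is to reject unverified peers, the call has to be tested, e.g. `if (tls_verify(soc->tls)==false) { /* close the socket on the path this function already uses */ }`. The hunk also does not show that soc->tls is non-NULL here, and tls_verify dereferences tls->ssl without a check, so guard it either at this call or inside tls_verify. The enclosing function starts and ends outside the hunk.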
@@ -125,76 +125,6 @@ return good; */ /********************************************************/ /* */ -/* Procedure to verify remote certificate */ -/* */ -/********************************************************/ -static int verify(TLSTYP *tls) - -{ -#define OPEP "unitls.c:verify" -X509 *peer; -int ok; -int phase; -_Bool proceed; - -peer=(X509 *)0; -ok=false; -phase=0; -proceed=true; -while (proceed==true) { - switch (phase) { - case 0 : //get remote certificate - if ((peer=SSL_get_peer_certificate(tls->ssl))==(X509 *)0) { - char msg[200]; - - (void) snprintf(msg,sizeof(msg),"%s, Unable to get certificate " - "from remote [%s]", - OPEP,tls->peerip); - (void) showtlserror(tls,0,msg); - phase=999; //no need to go furter - } - break; - case 1 : //displaying certificate - if (peer!=(X509 *)0) { //always - char *line; - - line=X509_NAME_oneline(X509_get_subject_name(peer),0,0); - (void) rou_alert(2,"Certificate subject=<%s>",line); - (void) free(line); - line=X509_NAME_oneline(X509_get_issuer_name(peer),0,0); - (void) rou_alert(2,"Certificate issuer=<%s>",line); - (void) free(line); - } - break; - case 3 : { //verifying certificate - int verif; - - verif=SSL_get_verify_result(tls->ssl); - switch (verif) { - default : - (void) rou_alert(0,"%s, Remote certificate status='%d'",OPEP,verif); - break; - } - } - break; - case 2 : //everything is fine - (void) X509_free(peer); - ok=true; - break; - default : //SAFE Guard - proceed=false; - break; - } - phase++; - } -return ok; -#undef OPEP -} -/* -^L -*/ -/********************************************************/ -/* */ /* Procedure to open an SSL channel */ /* */ /********************************************************/ @@ -227,7 +157,7 @@ return tls; static int set_certificate(TLSTYP *tls) { -#define OPEP "unitls.c:set_link_certificate" +#define OPEP "unitls.c:set_certificate" int done; int mode; const char *certpub[3]; 
@@ -236,6 +166,7 @@ _Bool proceed; done=false; mode=SSL_VERIFY_NONE; +//mode=SSL_VERIFY_PEER; certpub[0]="./certs/safe_CA.pem"; //default and debugging certificats //Default debugging server certificate certpub[1]="./certs/mailleur_server_cert_x509.pem"; @@ -255,6 +186,7 @@ while (proceed==true) { } break; case 1 : //loading default CA verify dir + phase++; if (SSL_CTX_set_default_verify_paths(tls->ctx)==0) { (void) showtlserror(tls,0,"Unable to verify default path"); phase=999; //no need to go furter 
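Review bot: The only change to the verification policy is the commented-out `//mode=SSL_VERIFY_PEER;`, so mode stays SSL_VERIFY_NONE and the handshake never fails on an untrusted or missing peer certificate; since the tls_verify added later in this commit only logs the verify result, nothing in the commit enforces the peer certificate. Commented-out code should not be committed: either switch the policy with `mode=SSL_VERIFY_PEER;` once the trust bundle is settled, or replace the dead line with a comment that explains the decision, e.g. `//mode stays SSL_VERIFY_NONE: verification is reported by tls_verify() until the CA bundle is final`. set_certificate's body continues outside the hunk.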
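Review bot: The added `phase++;` at the top of case 1 makes the state machine skip the phase that follows case 1 (not visible in the hunk) whenever the default verify paths load, but nothing says which step is skipped or why. A one-line comment is needed, e.g. `phase++; //skip phase 2 (<name the step>): <reason>`, and if that phase is now unreachable it should be removed rather than jumped over. set_certificate continues outside the hunk.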
@@ -389,6 +321,76 @@ while (proceed==true) { */ /********************************************************/ /* */ +/* Procedure to verify remote certificate */ +/* */ +/********************************************************/ +PUBLIC _Bool tls_verify(TLSTYP *tls) + +{ +#define OPEP "unitls.c:tls_verify," +X509 *peer; +_Bool ok; +int phase; +_Bool proceed; + +peer=(X509 *)0; +ok=false; +phase=0; +proceed=true; +while (proceed==true) { + switch (phase) { + case 0 : //get remote certificate + if ((peer=SSL_get_peer_certificate(tls->ssl))==(X509 *)0) { + char msg[200]; + + (void) snprintf(msg,sizeof(msg),"%s, Unable to get certificate " + "from remote [%s]", + OPEP,tls->peerip); + (void) showtlserror(tls,0,msg); + phase=999; //no need to go furter + } + break; + case 1 : //displaying certificate + if (peer!=(X509 *)0) { //always + char *line; + + line=X509_NAME_oneline(X509_get_subject_name(peer),0,0); + (void) rou_alert(2,"Certificate subject=<%s>",line); + (void) free(line); + line=X509_NAME_oneline(X509_get_issuer_name(peer),0,0); + (void) rou_alert(2,"Certificate issuer=<%s>",line); + (void) free(line); + } + break; + case 3 : { //verifying certificate + int verif; + + verif=SSL_get_verify_result(tls->ssl); + switch (verif) { + default : + (void) rou_alert(0,"%s, Remote certificate status='%d'",OPEP,verif); + break; + } + } + break; + case 2 : //everything is fine + (void) X509_free(peer); + ok=true; + break; + default : //SAFE Guard + proceed=false; + break; + } + phase++; + } +return ok; +#undef OPEP +} +/* +^L +*/ +/********************************************************/ +/* */ /* Procedure to open an SSL channel */ /* */ /********************************************************/ @@ -446,7 +448,6 @@ while (proceed==true) { } break; case 4 : //Setting the TLS channel actif - (void) verify(tls); proceed=false; break; default : //SAFE guard diff --git a/lib/unitls.h b/lib/unitls.h index 1fcf217..6c183c0 100644 --- a/lib/unitls.h +++ b/lib/unitls.h 
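Review bot: tls_verify returns true whenever a peer certificate was obtained, because case 2 sets `ok=true` and frees peer before case 3 runs, and case 3 only logs SSL_get_verify_result through a switch with a lone default, so a chain that fails verification (expired, untrusted issuer, name mismatch) still yields true and callers cannot tell. The verify result should decide ok, as in the rewrite below, which folds case 3 into case 2 and compares against X509_V_OK. Two smaller points in the same hunk: the buffers returned by `X509_NAME_oneline(...,0,0)` are allocated by OpenSSL and should be released with `OPENSSL_free(line);` rather than `free(line);`, and OPEP's trailing comma combined with the `"%s, Unable ..."` format prints a doubled comma, so `#define OPEP "unitls.c:tls_verify"`. tls_verify also dereferences tls and tls->ssl without a NULL check, which the new caller in devsoc.c does not guarantee as far as the hunks show.
```c
PUBLIC _Bool tls_verify(TLSTYP *tls)
// … unchanged: declarations, case 0 (get peer certificate), case 1 (log subject/issuer) …
   case 2 : { //verify, then release the peer certificate
     long verif;

     verif=SSL_get_verify_result(tls->ssl);
     if (verif==X509_V_OK) {
       ok=true;
     } else {
       (void) rou_alert(0,"%s, Remote certificate rejected, status='%ld' (%s)",
                        OPEP,verif,X509_verify_cert_error_string(verif));
     }
     (void) X509_free(peer);
     proceed=false; //last phase: leave the state machine
   }
   break;
// … unchanged: default (safe guard), return ok …
```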
@@ -24,6 +24,9 @@ typedef struct { SSL *ssl; //SSL link }TLSTYP; +//procedure to verify certificate linked to TLS channel +extern _Bool tls_verify(TLSTYP *tls); + //procedure to open an tls channel extern TLSTYP *tls_opentls(int handle,_Bool server); -- 2.47.3
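Review bot: The new prototype's comment, `//procedure to verify certificate linked to TLS channel`, promises more than the unitls.c implementation in this commit delivers, where the return value is true as soon as a peer certificate exists regardless of the X509 verify result. Document the actual contract next to the declaration, e.g. `//report on the remote certificate of an open TLS channel; true only means a peer certificate was obtained (the verify result is currently only logged)`, and update it when the function starts enforcing the result. The struct definition above the insertion begins outside the hunk.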