ssl: add support for checking cert existance and verification

Signed-off-by: Petar Paradzik <petar.paradzik@sartura.hr>
2025-03-09 00:00:04 +01:00 · 2017-10-27 12:08:05 +02:00 · 2017-10-27 12:08:05 +02:00 · a552de400a
commit a552de400a
parent 2f7bd10487
3 changed files with 44 additions and 5 deletions
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@ -5430,13 +5430,22 @@ lws_get_ssl(struct lws *wsi);

 enum lws_tls_cert_info {
 	LWS_TLS_CERT_INFO_VALIDITY_FROM,
+	/**< fills .time with the time_t the cert validity started from */
 	LWS_TLS_CERT_INFO_VALIDITY_TO,
+	/**< fills .time with the time_t the cert validity ends at */
 	LWS_TLS_CERT_INFO_COMMON_NAME,
+	/**< fills up to len bytes of .ns.name with the cert common name */
 	LWS_TLS_CERT_INFO_ISSUER_NAME,
+	/**< fills up to len bytes of .ns.name with the cert issuer name */
 	LWS_TLS_CERT_INFO_USAGE,
+	/**< fills verified with a bitfield asserting the valid uses */
+	LWS_TLS_CERT_INFO_VERIFIED,
+	/**< fills .verified with a bool representing peer cert validity,
+	 *   call returns -1 if no cert */
 };

 union lws_tls_cert_info_results {
+	unsigned int verified;
 	time_t time;
 	unsigned int usage;
 	struct {
@ -5450,8 +5459,8 @@ union lws_tls_cert_info_results {
 		 * union lws_tls_cert_info_results *buf =
 		 * 	(union lws_tls_cert_info_results *)big;
 		 *
-		 * lws_tls_peer_cert_info(wsi, type, buf,
-		 * 			  sizeof(big) - sizeof(*buf) + 64);
+		 * lws_tls_peer_cert_info(wsi, type, buf, sizeof(big) -
+		 *			  sizeof(*buf) + sizeof(buf->ns.name));
 		 */
 		char name[64];
 	} ns;
@ -5468,6 +5477,9 @@ union lws_tls_cert_info_results {
 * lws_tls_peer_cert_info() lets you get hold of information from the peer
 * certificate.
 *
+ * Return 0 if there is a result in \p buf, or -1 indicating there was no cert
+ * or another problem.
+ *
 * This function works the same no matter if the TLS backend is OpenSSL or
 * mbedTLS.
 */
@ -5486,13 +5498,15 @@ lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
 * lws_tls_vhost_cert_info() lets you get hold of information from the vhost
 * certificate.
 *
+ * Return 0 if there is a result in \p buf, or -1 indicating there was no cert
+ * or another problem.
+ *
 * This function works the same no matter if the TLS backend is OpenSSL or
 * mbedTLS.
 */
 LWS_VISIBLE LWS_EXTERN int
 lws_tls_vhost_cert_info(struct lws_vhost *vhost, enum lws_tls_cert_info type,
 		        union lws_tls_cert_info_results *buf, size_t len);
-
 ///@}

 /** \defgroup lws_ring LWS Ringbuffer APIs
--- a/lib/tls/mbedtls/ssl.c
+++ b/lib/tls/mbedtls/ssl.c
@ -398,6 +398,8 @@ lws_tls_mbedtls_cert_info(mbedtls_x509_crt *x509, enum lws_tls_cert_info type,
 	case LWS_TLS_CERT_INFO_USAGE:
 		buf->usage = x509->key_usage;
 		break;
+	default:
+		return -1;
 	}

 	return 0;
@ -418,5 +420,16 @@ lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
 {
 	mbedtls_x509_crt *x509 = ssl_get_peer_mbedtls_x509_crt(wsi->ssl);

-	return lws_tls_mbedtls_cert_info(x509, type, buf, len);
+	if (!x509)
+		return -1;
+
+	switch (type) {
+	case LWS_TLS_CERT_INFO_VERIFIED:
+		buf->verified = SSL_get_verify_result(wsi->ssl) == X509_V_OK;
+		return 0;
+	default:
+		return lws_tls_mbedtls_cert_info(x509, type, buf, len);
+	}
+
+	return -1;
 }
--- a/lib/tls/openssl/ssl.c
+++ b/lib/tls/openssl/ssl.c
@ -574,6 +574,8 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
 #else
 		return -1;
 #endif
+	default:
+		return -1;
 	}

 	return 0;
@ -598,9 +600,19 @@ LWS_VISIBLE int
 lws_tls_peer_cert_info(struct lws *wsi, enum lws_tls_cert_info type,
 		       union lws_tls_cert_info_results *buf, size_t len)
 {
+	int rc = 0;
 	X509 *x509 = SSL_get_peer_certificate(wsi->ssl);

-	int rc = lws_tls_openssl_cert_info(x509, type, buf, len);
+	if (!x509)
+		return -1;
+
+	switch (type) {
+	case LWS_TLS_CERT_INFO_VERIFIED:
+		buf->verified = SSL_get_verify_result(wsi->ssl) == X509_V_OK;
+		break;
+	default:
+		rc = lws_tls_openssl_cert_info(x509, type, buf, len);
+	}

 	X509_free(x509);