author | Todd Short <tshort@akamai.com> | 2021-01-27 14:23:33 -0500 |
committer | Todd Short <todd.short@me.com> | 2023-03-28 13:49:54 -0400 |
commit | 3c95ef22df55cb2d9dc64ce1f3be6e5a8ee63206 (patch) | |
tree | 0f7fcff4ec4735c778595db4f4a85bce70715d8b /apps/lib | |
parent | 5ab3f71a33cb0140fc29ae9244cd4f8331c2f3a5 (diff) |
RFC7250 (RPK) support
Add support for the RFC7250 certificate-type extensions.
Allows the use of only private keys for connection (i.e. certs not needed).
Add APIs
Add unit tests
Add documentation
Add s_client/s_server support
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18185)
Diffstat (limited to 'apps/lib')
-rw-r--r-- | apps/lib/s_cb.c | 34 |
1 files changed, 21 insertions, 13 deletions
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 04464bec03..dcfea55dc5 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -673,6 +673,8 @@ static STRINT_PAIR tlsext_types[] = {
 {"session ticket", TLSEXT_TYPE_session_ticket},
 {"renegotiation info", TLSEXT_TYPE_renegotiate},
 {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
+ {"client cert type", TLSEXT_TYPE_client_cert_type},
+ {"server cert type", TLSEXT_TYPE_server_cert_type},
 {"TLS padding", TLSEXT_TYPE_padding},
 #ifdef TLSEXT_TYPE_next_proto_neg
 {"next protocol", TLSEXT_TYPE_next_proto_neg},
@@ -1171,7 +1173,7 @@ static char *hexencode(const unsigned char *data, size_t len)
 void print_verify_detail(SSL *s, BIO *bio)
 {
 int mdpth;
- EVP_PKEY *mspki;
+ EVP_PKEY *mspki = NULL;
 long verify_err = SSL_get_verify_result(s);

 if (verify_err == X509_V_OK) {
@@ -1206,12 +1208,15 @@ void print_verify_detail(SSL *s, BIO *bio)
 hexdata = hexencode(data + dlen - TLSA_TAIL_SIZE, TLSA_TAIL_SIZE);
 else
 hexdata = hexencode(data, dlen);
- BIO_printf(bio, "DANE TLSA %d %d %d %s%s %s at depth %d\n",
+ BIO_printf(bio, "DANE TLSA %d %d %d %s%s ",
 usage, selector, mtype,
- (dlen > TLSA_TAIL_SIZE) ? "..." : "", hexdata,
- (mspki != NULL) ? "signed the certificate" :
- mdpth ? "matched TA certificate" : "matched EE certificate",
- mdpth);
+ (dlen > TLSA_TAIL_SIZE) ? "..." : "", hexdata);
+ if (SSL_get0_peer_rpk(s) == NULL)
+ BIO_printf(bio, "%s certificate at depth %d\n",
+ (mspki != NULL) ? "signed the peer" :
+ mdpth ? "matched the TA" : "matched the EE", mdpth);
+ else
+ BIO_printf(bio, "matched the peer raw public key\n");
 OPENSSL_free(hexdata);
 }
 }
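Review bot: `SSL_get0_peer_rpk(s)` is re-queried on every pass through the DANE record printing at the `if (SSL_get0_peer_rpk(s) == NULL)` line, although whether the peer presented a raw public key cannot change between records; fetching it once next to `mdpth`/`mspki` at the top of print_verify_detail (the function body starts before this hunk) and branching on the local would make the certificate-versus-RPK split explicit and avoid the repeated lookup. The `else` branch also relies on `mdpth` and `mspki` carrying nothing useful for an RPK peer, which is presumably why `mspki` gained its `= NULL` initializer in the preceding hunk; whether the DANE authority lookup leaves `mspki` untouched in that case cannot be confirmed from these lines. A one-line comment such as `/* RPK peers have no chain: mdpth/mspki are not meaningful here */` above the `else` would record the assumption for the next reader.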
@@ -1219,17 +1224,16 @@ void print_verify_detail(SSL *s, BIO *bio)
 void print_ssl_summary(SSL *s)
 {
 const SSL_CIPHER *c;
- X509 *peer;
+ X509 *peer = SSL_get0_peer_certificate(s);
+ EVP_PKEY *peer_rpk = SSL_get0_peer_rpk(s);
+ int nid;

 BIO_printf(bio_err, "Protocol version: %s\n", SSL_get_version(s));
 print_raw_cipherlist(s);
 c = SSL_get_current_cipher(s);
 BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
 do_print_sigalgs(bio_err, s, 0);
- peer = SSL_get0_peer_certificate(s);
 if (peer != NULL) {
- int nid;
-
 BIO_puts(bio_err, "Peer certificate: ");
 X509_NAME_print_ex(bio_err, X509_get_subject_name(peer),
 0, get_nameopt());
@@ -1239,8 +1243,13 @@ void print_ssl_summary(SSL *s)
 if (SSL_get_peer_signature_type_nid(s, &nid))
 BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid));
 print_verify_detail(s, bio_err);
+ } else if (peer_rpk != NULL) {
+ BIO_printf(bio_err, "Peer used raw public key\n");
+ if (SSL_get_peer_signature_type_nid(s, &nid))
+ BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid));
+ print_verify_detail(s, bio_err);
 } else {
- BIO_puts(bio_err, "No peer certificate\n");
+ BIO_puts(bio_err, "No peer certificate or raw public key\n");
 }
 #ifndef OPENSSL_NO_EC
 ssl_print_point_formats(bio_err, s);
@@ -1595,4 +1604,3 @@ int progress_cb(EVP_PKEY_CTX *ctx)
 (void)BIO_flush(b);
 return 1;
 }
-
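Review bot: The new `else if (peer_rpk != NULL)` branch in print_ssl_summary reports only "Peer used raw public key" and gives the operator nothing that identifies the key, whereas the certificate branch prints the peer subject name; with an RPK there is no name to show, so the key algorithm is the minimum worth reporting, e.g. `BIO_printf(bio_err, "Peer raw public key type: %s\n", EVP_PKEY_get0_type_name(peer_rpk));` (that accessor can return NULL for non-provider keys, so check it before printing). The signature-type lookup and the `print_verify_detail(s, bio_err);` call are now repeated verbatim in both the certificate and RPK branches; hoisting them after the if/else under a `peer != NULL || peer_rpk != NULL` guard would remove the duplication and keep the two paths from drifting apart. The body of print_ssl_summary continues past this hunk.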