FreeRDP/libfreerdp/crypto/certificate_data.c
akallabeth dac0ae4976
[crypto,cert] extend certificate store API
Use the certificate PEM without trustchain in the local trust store, but
keep the full PEM with chain for the user facing callbacks.
2024-08-13 15:56:08 +02:00

280 lines
7.1 KiB
C

/**
* FreeRDP: A Remote Desktop Protocol Implementation
* Certificate Handling
*
* Copyright 2011 Jiten Pathy
* Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
* Copyright 2023 Armin Novak <anovak@thincast.com>
* Copyright 2023 Thincast Technologies GmbH
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <ctype.h>
#include <freerdp/config.h>
#include <winpr/assert.h>
#include <winpr/path.h>
#include <freerdp/settings.h>
#include <freerdp/crypto/crypto.h>
#include <freerdp/crypto/certificate_data.h>
#include "certificate.h"
#include <freerdp/log.h>
#define TAG FREERDP_TAG("crypto")
struct rdp_certificate_data
{
char* hostname;
UINT16 port;
rdpCertificate* cert;
char cached_hash[MAX_PATH + 10];
char* cached_subject;
char* cached_issuer;
char* cached_fingerprint;
char* cached_pem;
char* cached_pem_chain;
};
/* ensure our hostnames (and therefore filenames) always use the same capitalization.
* the user might have input random case, but we always need to have a sane
* baseline to compare against. */
static char* ensure_lowercase(char* str, size_t length)
{
const size_t len = strnlen(str, length);
for (size_t x = 0; x < len; x++)
str[x] = tolower(str[x]);
return str;
}
static const char* freerdp_certificate_data_hash_(const char* hostname, UINT16 port, char* name,
size_t length)
{
_snprintf(name, length, "%s_%" PRIu16 ".pem", hostname, port);
return ensure_lowercase(name, length);
}
static BOOL freerdp_certificate_data_load_cache(rdpCertificateData* data)
{
BOOL rc = FALSE;
WINPR_ASSERT(data);
freerdp_certificate_data_hash_(data->hostname, data->port, data->cached_hash,
sizeof(data->cached_hash));
if (strnlen(data->cached_hash, sizeof(data->cached_hash)) == 0)
goto fail;
data->cached_subject = freerdp_certificate_get_subject(data->cert);
if (!data->cached_subject)
data->cached_subject = calloc(1, 1);
size_t pemlen = 0;
data->cached_pem = freerdp_certificate_get_pem_ex(data->cert, &pemlen, FALSE);
if (!data->cached_pem)
goto fail;
size_t pemchainlen = 0;
data->cached_pem_chain = freerdp_certificate_get_pem_ex(data->cert, &pemchainlen, TRUE);
if (!data->cached_pem_chain)
goto fail;
data->cached_fingerprint = freerdp_certificate_get_fingerprint(data->cert);
if (!data->cached_fingerprint)
goto fail;
data->cached_issuer = freerdp_certificate_get_issuer(data->cert);
if (!data->cached_issuer)
data->cached_issuer = calloc(1, 1);
rc = TRUE;
fail:
return rc;
}
static rdpCertificateData* freerdp_certificate_data_new_nocopy(const char* hostname, UINT16 port,
rdpCertificate* xcert)
{
rdpCertificateData* certdata = NULL;
if (!hostname || !xcert)
goto fail;
certdata = (rdpCertificateData*)calloc(1, sizeof(rdpCertificateData));
if (!certdata)
goto fail;
certdata->port = port;
certdata->hostname = _strdup(hostname);
if (!certdata->hostname)
goto fail;
ensure_lowercase(certdata->hostname, strlen(certdata->hostname));
certdata->cert = xcert;
if (!freerdp_certificate_data_load_cache(certdata))
{
certdata->cert = NULL;
goto fail;
}
return certdata;
fail:
freerdp_certificate_data_free(certdata);
return NULL;
}
rdpCertificateData* freerdp_certificate_data_new(const char* hostname, UINT16 port,
const rdpCertificate* xcert)
{
rdpCertificate* copy = freerdp_certificate_clone(xcert);
rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, copy);
if (!data)
freerdp_certificate_free(copy);
return data;
}
rdpCertificateData* freerdp_certificate_data_new_from_pem(const char* hostname, UINT16 port,
const char* pem, size_t length)
{
if (!pem || (length == 0))
return NULL;
rdpCertificate* cert = freerdp_certificate_new_from_pem(pem);
rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
if (!data)
freerdp_certificate_free(cert);
return data;
}
rdpCertificateData* freerdp_certificate_data_new_from_file(const char* hostname, UINT16 port,
const char* file)
{
if (!file)
return NULL;
rdpCertificate* cert = freerdp_certificate_new_from_file(file);
rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
if (!data)
freerdp_certificate_free(cert);
return data;
}
void freerdp_certificate_data_free(rdpCertificateData* data)
{
if (data == NULL)
return;
free(data->hostname);
freerdp_certificate_free(data->cert);
free(data->cached_subject);
free(data->cached_issuer);
free(data->cached_fingerprint);
free(data->cached_pem);
free(data->cached_pem_chain);
free(data);
}
const char* freerdp_certificate_data_get_host(const rdpCertificateData* cert)
{
if (!cert)
return NULL;
return cert->hostname;
}
UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert)
{
if (!cert)
return 0;
return cert->port;
}
const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert)
{
return freerdp_certificate_data_get_pem_ex(cert, TRUE);
}
const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert, BOOL withFullChain)
{
if (!cert)
return NULL;
if (withFullChain)
return cert->cached_pem_chain;
return cert->cached_pem;
}
const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert)
{
if (!cert)
return NULL;
return cert->cached_subject;
}
const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert)
{
if (!cert)
return NULL;
return cert->cached_issuer;
}
const char* freerdp_certificate_data_get_fingerprint(const rdpCertificateData* cert)
{
if (!cert)
return NULL;
return cert->cached_fingerprint;
}
BOOL freerdp_certificate_data_equal(const rdpCertificateData* a, const rdpCertificateData* b)
{
BOOL rc = FALSE;
WINPR_ASSERT(a);
WINPR_ASSERT(b);
if (strcmp(a->hostname, b->hostname) != 0)
return FALSE;
if (a->port != b->port)
return FALSE;
const char* pem1 = freerdp_certificate_data_get_fingerprint(a);
const char* pem2 = freerdp_certificate_data_get_fingerprint(b);
if (pem1 && pem2)
rc = strcmp(pem1, pem2) == 0;
else
rc = pem1 == pem2;
return rc;
}
const char* freerdp_certificate_data_get_hash(const rdpCertificateData* cert)
{
if (!cert)
return NULL;
return cert->cached_hash;
}
char* freerdp_certificate_data_hash(const char* hostname, UINT16 port)
{
char name[MAX_PATH + 10] = { 0 };
freerdp_certificate_data_hash_(hostname, port, name, sizeof(name));
return _strdup(name);
}