1 /*
2  *  Certificate reading application
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "mbedtls/build_info.h"
21 
22 #include "mbedtls/platform.h"
23 
24 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) ||  \
25     !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
26     !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) ||         \
27     !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) ||  \
28     !defined(MBEDTLS_CTR_DRBG_C) || defined(MBEDTLS_X509_REMOVE_INFO)
main(void)29 int main(void)
30 {
31     mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
32                    "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
33                    "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
34                    "MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_FS_IO and/or "
35                    "MBEDTLS_CTR_DRBG_C not defined and/or MBEDTLS_X509_REMOVE_INFO defined.\n");
36     mbedtls_exit(0);
37 }
38 #else
39 
40 #include "mbedtls/entropy.h"
41 #include "mbedtls/ctr_drbg.h"
42 #include "mbedtls/net_sockets.h"
43 #include "mbedtls/ssl.h"
44 #include "mbedtls/x509.h"
45 #include "mbedtls/debug.h"
46 
47 #include <stdio.h>
48 #include <stdlib.h>
49 #include <string.h>
50 
51 #define MODE_NONE               0
52 #define MODE_FILE               1
53 #define MODE_SSL                2
54 
55 #define DFL_MODE                MODE_NONE
56 #define DFL_FILENAME            "cert.crt"
57 #define DFL_CA_FILE             ""
58 #define DFL_CRL_FILE            ""
59 #define DFL_CA_PATH             ""
60 #define DFL_SERVER_NAME         "localhost"
61 #define DFL_SERVER_PORT         "4433"
62 #define DFL_DEBUG_LEVEL         0
63 #define DFL_PERMISSIVE          0
64 
65 #define USAGE_IO \
66     "    ca_file=%%s          The single file containing the top-level CA(s) you fully trust\n" \
67     "                        default: \"\" (none)\n" \
68     "    crl_file=%%s         The single CRL file you want to use\n" \
69     "                        default: \"\" (none)\n" \
70     "    ca_path=%%s          The path containing the top-level CA(s) you fully trust\n" \
71     "                        default: \"\" (none) (overrides ca_file)\n"
72 
73 #define USAGE \
74     "\n usage: cert_app param=<>...\n"                  \
75     "\n acceptable parameters:\n"                       \
76     "    mode=file|ssl       default: none\n"           \
77     "    filename=%%s         default: cert.crt\n"      \
78     USAGE_IO                                            \
79     "    server_name=%%s      default: localhost\n"     \
80     "    server_port=%%d      default: 4433\n"          \
81     "    debug_level=%%d      default: 0 (disabled)\n"  \
82     "    permissive=%%d       default: 0 (disabled)\n"  \
83     "\n"
84 
85 
86 /*
87  * global options
88  */
89 struct options {
90     int mode;                   /* the mode to run the application in   */
91     const char *filename;       /* filename of the certificate file     */
92     const char *ca_file;        /* the file with the CA certificate(s)  */
93     const char *crl_file;       /* the file with the CRL to use         */
94     const char *ca_path;        /* the path with the CA certificate(s) reside */
95     const char *server_name;    /* hostname of the server (client only) */
96     const char *server_port;    /* port on which the ssl service runs   */
97     int debug_level;            /* level of debugging                   */
98     int permissive;             /* permissive parsing                   */
99 } opt;
100 
my_debug(void * ctx,int level,const char * file,int line,const char * str)101 static void my_debug(void *ctx, int level,
102                      const char *file, int line,
103                      const char *str)
104 {
105     ((void) level);
106 
107     mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
108     fflush((FILE *) ctx);
109 }
110 
my_verify(void * data,mbedtls_x509_crt * crt,int depth,uint32_t * flags)111 static int my_verify(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags)
112 {
113     char buf[1024];
114     ((void) data);
115 
116     mbedtls_printf("\nVerify requested for (Depth %d):\n", depth);
117     mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt);
118     mbedtls_printf("%s", buf);
119 
120     if ((*flags) == 0) {
121         mbedtls_printf("  This certificate has no flags\n");
122     } else {
123         mbedtls_x509_crt_verify_info(buf, sizeof(buf), "  ! ", *flags);
124         mbedtls_printf("%s\n", buf);
125     }
126 
127     return 0;
128 }
129 
main(int argc,char * argv[])130 int main(int argc, char *argv[])
131 {
132     int ret = 1;
133     int exit_code = MBEDTLS_EXIT_FAILURE;
134     mbedtls_net_context server_fd;
135     unsigned char buf[1024];
136     mbedtls_entropy_context entropy;
137     mbedtls_ctr_drbg_context ctr_drbg;
138     mbedtls_ssl_context ssl;
139     mbedtls_ssl_config conf;
140     mbedtls_x509_crt cacert;
141     mbedtls_x509_crl cacrl;
142     int i, j;
143     uint32_t flags;
144     int verify = 0;
145     char *p, *q;
146     const char *pers = "cert_app";
147 
148     /*
149      * Set to sane values
150      */
151     mbedtls_net_init(&server_fd);
152     mbedtls_ctr_drbg_init(&ctr_drbg);
153     mbedtls_ssl_init(&ssl);
154     mbedtls_ssl_config_init(&conf);
155     mbedtls_x509_crt_init(&cacert);
156 #if defined(MBEDTLS_X509_CRL_PARSE_C)
157     mbedtls_x509_crl_init(&cacrl);
158 #else
159     /* Zeroize structure as CRL parsing is not supported and we have to pass
160        it to the verify function */
161     memset(&cacrl, 0, sizeof(mbedtls_x509_crl));
162 #endif
163 
164     if (argc < 2) {
165 usage:
166         mbedtls_printf(USAGE);
167         goto exit;
168     }
169 
170     opt.mode                = DFL_MODE;
171     opt.filename            = DFL_FILENAME;
172     opt.ca_file             = DFL_CA_FILE;
173     opt.crl_file            = DFL_CRL_FILE;
174     opt.ca_path             = DFL_CA_PATH;
175     opt.server_name         = DFL_SERVER_NAME;
176     opt.server_port         = DFL_SERVER_PORT;
177     opt.debug_level         = DFL_DEBUG_LEVEL;
178     opt.permissive          = DFL_PERMISSIVE;
179 
180     for (i = 1; i < argc; i++) {
181         p = argv[i];
182         if ((q = strchr(p, '=')) == NULL) {
183             goto usage;
184         }
185         *q++ = '\0';
186 
187         for (j = 0; p + j < q; j++) {
188             if (argv[i][j] >= 'A' && argv[i][j] <= 'Z') {
189                 argv[i][j] |= 0x20;
190             }
191         }
192 
193         if (strcmp(p, "mode") == 0) {
194             if (strcmp(q, "file") == 0) {
195                 opt.mode = MODE_FILE;
196             } else if (strcmp(q, "ssl") == 0) {
197                 opt.mode = MODE_SSL;
198             } else {
199                 goto usage;
200             }
201         } else if (strcmp(p, "filename") == 0) {
202             opt.filename = q;
203         } else if (strcmp(p, "ca_file") == 0) {
204             opt.ca_file = q;
205         } else if (strcmp(p, "crl_file") == 0) {
206             opt.crl_file = q;
207         } else if (strcmp(p, "ca_path") == 0) {
208             opt.ca_path = q;
209         } else if (strcmp(p, "server_name") == 0) {
210             opt.server_name = q;
211         } else if (strcmp(p, "server_port") == 0) {
212             opt.server_port = q;
213         } else if (strcmp(p, "debug_level") == 0) {
214             opt.debug_level = atoi(q);
215             if (opt.debug_level < 0 || opt.debug_level > 65535) {
216                 goto usage;
217             }
218         } else if (strcmp(p, "permissive") == 0) {
219             opt.permissive = atoi(q);
220             if (opt.permissive < 0 || opt.permissive > 1) {
221                 goto usage;
222             }
223         } else {
224             goto usage;
225         }
226     }
227 
228     /*
229      * 1.1. Load the trusted CA
230      */
231     mbedtls_printf("  . Loading the CA root certificate ...");
232     fflush(stdout);
233 
234     if (strlen(opt.ca_path)) {
235         if ((ret = mbedtls_x509_crt_parse_path(&cacert, opt.ca_path)) < 0) {
236             mbedtls_printf(" failed\n  !  mbedtls_x509_crt_parse_path returned -0x%x\n\n",
237                            (unsigned int) -ret);
238             goto exit;
239         }
240 
241         verify = 1;
242     } else if (strlen(opt.ca_file)) {
243         if ((ret = mbedtls_x509_crt_parse_file(&cacert, opt.ca_file)) < 0) {
244             mbedtls_printf(" failed\n  !  mbedtls_x509_crt_parse_file returned -0x%x\n\n",
245                            (unsigned int) -ret);
246             goto exit;
247         }
248 
249         verify = 1;
250     }
251 
252     mbedtls_printf(" ok (%d skipped)\n", ret);
253 
254 #if defined(MBEDTLS_X509_CRL_PARSE_C)
255     if (strlen(opt.crl_file)) {
256         if ((ret = mbedtls_x509_crl_parse_file(&cacrl, opt.crl_file)) != 0) {
257             mbedtls_printf(" failed\n  !  mbedtls_x509_crl_parse returned -0x%x\n\n",
258                            (unsigned int) -ret);
259             goto exit;
260         }
261 
262         verify = 1;
263     }
264 #endif
265 
266     if (opt.mode == MODE_FILE) {
267         mbedtls_x509_crt crt;
268         mbedtls_x509_crt *cur = &crt;
269         mbedtls_x509_crt_init(&crt);
270 
271         /*
272          * 1.1. Load the certificate(s)
273          */
274         mbedtls_printf("\n  . Loading the certificate(s) ...");
275         fflush(stdout);
276 
277         ret = mbedtls_x509_crt_parse_file(&crt, opt.filename);
278 
279         if (ret < 0) {
280             mbedtls_printf(" failed\n  !  mbedtls_x509_crt_parse_file returned %d\n\n", ret);
281             mbedtls_x509_crt_free(&crt);
282             goto exit;
283         }
284 
285         if (opt.permissive == 0 && ret > 0) {
286             mbedtls_printf(
287                 " failed\n  !  mbedtls_x509_crt_parse failed to parse %d certificates\n\n",
288                 ret);
289             mbedtls_x509_crt_free(&crt);
290             goto exit;
291         }
292 
293         mbedtls_printf(" ok\n");
294 
295         /*
296          * 1.2 Print the certificate(s)
297          */
298         while (cur != NULL) {
299             mbedtls_printf("  . Peer certificate information    ...\n");
300             ret = mbedtls_x509_crt_info((char *) buf, sizeof(buf) - 1, "      ",
301                                         cur);
302             if (ret == -1) {
303                 mbedtls_printf(" failed\n  !  mbedtls_x509_crt_info returned %d\n\n", ret);
304                 mbedtls_x509_crt_free(&crt);
305                 goto exit;
306             }
307 
308             mbedtls_printf("%s\n", buf);
309 
310             cur = cur->next;
311         }
312 
313         /*
314          * 1.3 Verify the certificate
315          */
316         if (verify) {
317             mbedtls_printf("  . Verifying X.509 certificate...");
318 
319             if ((ret = mbedtls_x509_crt_verify(&crt, &cacert, &cacrl, NULL, &flags,
320                                                my_verify, NULL)) != 0) {
321                 char vrfy_buf[512];
322 
323                 mbedtls_printf(" failed\n");
324 
325                 mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
326 
327                 mbedtls_printf("%s\n", vrfy_buf);
328             } else {
329                 mbedtls_printf(" ok\n");
330             }
331         }
332 
333         mbedtls_x509_crt_free(&crt);
334     } else if (opt.mode == MODE_SSL) {
335         /*
336          * 1. Initialize the RNG and the session data
337          */
338         mbedtls_printf("\n  . Seeding the random number generator...");
339         fflush(stdout);
340 
341         mbedtls_entropy_init(&entropy);
342         if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
343                                          (const unsigned char *) pers,
344                                          strlen(pers))) != 0) {
345             mbedtls_printf(" failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", ret);
346             goto ssl_exit;
347         }
348 
349         mbedtls_printf(" ok\n");
350 
351 #if defined(MBEDTLS_DEBUG_C)
352         mbedtls_debug_set_threshold(opt.debug_level);
353 #endif
354 
355         /*
356          * 2. Start the connection
357          */
358         mbedtls_printf("  . SSL connection to tcp/%s/%s...", opt.server_name,
359                        opt.server_port);
360         fflush(stdout);
361 
362         if ((ret = mbedtls_net_connect(&server_fd, opt.server_name,
363                                        opt.server_port, MBEDTLS_NET_PROTO_TCP)) != 0) {
364             mbedtls_printf(" failed\n  ! mbedtls_net_connect returned %d\n\n", ret);
365             goto ssl_exit;
366         }
367 
368         /*
369          * 3. Setup stuff
370          */
371         if ((ret = mbedtls_ssl_config_defaults(&conf,
372                                                MBEDTLS_SSL_IS_CLIENT,
373                                                MBEDTLS_SSL_TRANSPORT_STREAM,
374                                                MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
375             mbedtls_printf(" failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
376             goto exit;
377         }
378 
379         if (verify) {
380             mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
381             mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
382             mbedtls_ssl_conf_verify(&conf, my_verify, NULL);
383         } else {
384             mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_NONE);
385         }
386 
387         mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
388         mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
389 
390         if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
391             mbedtls_printf(" failed\n  ! mbedtls_ssl_setup returned %d\n\n", ret);
392             goto ssl_exit;
393         }
394 
395         if ((ret = mbedtls_ssl_set_hostname(&ssl, opt.server_name)) != 0) {
396             mbedtls_printf(" failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret);
397             goto ssl_exit;
398         }
399 
400         mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
401 
402         /*
403          * 4. Handshake
404          */
405         while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
406             if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
407                 mbedtls_printf(" failed\n  ! mbedtls_ssl_handshake returned %d\n\n", ret);
408                 goto ssl_exit;
409             }
410         }
411 
412         mbedtls_printf(" ok\n");
413 
414         /*
415          * 5. Print the certificate
416          */
417 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
418         mbedtls_printf("  . Peer certificate information    ... skipped\n");
419 #else
420         mbedtls_printf("  . Peer certificate information    ...\n");
421         ret = mbedtls_x509_crt_info((char *) buf, sizeof(buf) - 1, "      ",
422                                     mbedtls_ssl_get_peer_cert(&ssl));
423         if (ret == -1) {
424             mbedtls_printf(" failed\n  !  mbedtls_x509_crt_info returned %d\n\n", ret);
425             goto ssl_exit;
426         }
427 
428         mbedtls_printf("%s\n", buf);
429 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
430 
431         mbedtls_ssl_close_notify(&ssl);
432 
433 ssl_exit:
434         mbedtls_ssl_free(&ssl);
435         mbedtls_ssl_config_free(&conf);
436     } else {
437         goto usage;
438     }
439 
440     exit_code = MBEDTLS_EXIT_SUCCESS;
441 
442 exit:
443 
444     mbedtls_net_free(&server_fd);
445     mbedtls_x509_crt_free(&cacert);
446 #if defined(MBEDTLS_X509_CRL_PARSE_C)
447     mbedtls_x509_crl_free(&cacrl);
448 #endif
449     mbedtls_ctr_drbg_free(&ctr_drbg);
450     mbedtls_entropy_free(&entropy);
451 
452     mbedtls_exit(exit_code);
453 }
454 #endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
455           MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C &&
456           MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */
457