Add support for more extensions to wolfSSL_X509_print_ex.

- Key usage
- Extended key usage
- Subject alt name

Additionally, print out the criticality of the extensions.

src/x509.c

@@ -5195,7 +5195,228 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
 
 #ifdef OPENSSL_EXTRA
 #ifndef NO_BIO
-#ifdef XSNPRINTF /* a snprintf function needs to be available */
+static int X509PrintSubjAltName(WOLFSSL_BIO* bio, WOLFSSL_X509* x509)
+{
+    int ret = WOLFSSL_SUCCESS;
+    int nameCount = 0;
+    DNS_entry* entry;
+
+    if (bio == NULL || x509 == NULL) {
+        ret = WOLFSSL_FAILURE;
+    }
+
+    if (ret == WOLFSSL_SUCCESS && x509->subjAltNameSet
+        && x509->altNames != NULL) {
+        if (wolfSSL_BIO_write(bio,
+            "            X509v3 Subject Alternative Name: ", 45) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+        if (ret == WOLFSSL_SUCCESS && x509->subjAltNameCrit &&
+            wolfSSL_BIO_write(bio, "critical", (int)XSTRLEN("critical")) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+        if (ret == WOLFSSL_SUCCESS &&
+            wolfSSL_BIO_write(bio, "\n                ", 17) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+
+        if (ret == WOLFSSL_SUCCESS) {
+            entry = x509->altNames;
+            while (entry != NULL) {
+                ++nameCount;
+                if (nameCount > 1) {
+                    if (wolfSSL_BIO_write(bio, ", ", 2) <= 0) {
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                }
+
+                if (entry->type == ASN_DNS_TYPE) {
+                    if (entry->name == NULL) {
+                        WOLFSSL_MSG("NULL DNS alt name.");
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                    if (wolfSSL_BIO_write(bio, "DNS:", 4) <= 0) {
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                    if (wolfSSL_BIO_write(bio, entry->name,
+                                          (int)XSTRLEN(entry->name))
+                        <= 0) {
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                }
+            #if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
+                else if (entry->type == ASN_IP_TYPE) {
+                    if (entry->ipString == NULL) {
+                        WOLFSSL_MSG("NULL IP address alt name.");
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                    if (wolfSSL_BIO_write(bio, "IP Address:", 11) <= 0) {
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                    if (wolfSSL_BIO_write(bio, entry->ipString,
+                                          (int)XSTRLEN(entry->ipString)) <= 0) {
+                        ret = WOLFSSL_FAILURE;
+                        break;
+                    }
+                }
+            #endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
+                else {
+                    WOLFSSL_MSG("Bad alt name type.");
+                    ret = WOLFSSL_FAILURE;
+                    break;
+                }
+
+                entry = entry->next;
+            }
+        }
+
+        if (ret == WOLFSSL_SUCCESS && wolfSSL_BIO_write(bio, "\n", 1) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+    }
+
+    return ret;
+}
+
+#ifdef XSNPRINTF
+static int X509PrintKeyUsage(WOLFSSL_BIO* bio, WOLFSSL_X509* x509)
+{
+    int ret = WOLFSSL_SUCCESS;
+    word32 i = 0;
+    int usageCount = 0;
+    const int usages[] = {
+        KEYUSE_DIGITAL_SIG,
+        KEYUSE_CONTENT_COMMIT,
+        KEYUSE_KEY_ENCIPHER,
+        KEYUSE_DATA_ENCIPHER,
+        KEYUSE_KEY_AGREE,
+        KEYUSE_KEY_CERT_SIGN,
+        KEYUSE_CRL_SIGN,
+        KEYUSE_ENCIPHER_ONLY,
+        KEYUSE_DECIPHER_ONLY
+    };
+    const char* usageStrs[] = {
+        "Digital Signature",
+        "Non Repudiation",
+        "Key Encipherment",
+        "Data Encipherment",
+        "Key Agreement",
+        "Certificate Sign",
+        "CRL Sign",
+        "Encipher Only",
+        "Decipher Only"
+    };
+
+    if (bio == NULL || x509 == NULL) {
+        ret = WOLFSSL_FAILURE;
+    }
+
+    if (ret == WOLFSSL_SUCCESS && x509->keyUsageSet
+        && x509->keyUsage != 0) {
+        if (wolfSSL_BIO_write(bio, "            X509v3 Key Usage: ", 30) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+        if (ret == WOLFSSL_SUCCESS && x509->keyUsageCrit &&
+            wolfSSL_BIO_write(bio, "critical", 8) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+        if (ret == WOLFSSL_SUCCESS &&
+            wolfSSL_BIO_write(bio, "\n                ", 17) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+        for (; ret == WOLFSSL_SUCCESS && i < sizeof(usages) / sizeof(usages[i]);
+             i++) {
+            if (x509->keyUsage & usages[i]) {
+                ++usageCount;
+                if (usageCount > 1 && wolfSSL_BIO_write(bio, ", ", 2) <= 0) {
+                    ret = WOLFSSL_FAILURE;
+                    break;
+                }
+                if (wolfSSL_BIO_write(bio, usageStrs[i],
+                                      (int)XSTRLEN(usageStrs[i])) <= 0) {
+                    ret = WOLFSSL_FAILURE;
+                    break;
+                }
+            }
+        }
+        if (ret == WOLFSSL_SUCCESS && wolfSSL_BIO_write(bio, "\n", 1) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+    }
+
+    return ret;
+}
+
+static int X509PrintExtendedKeyUsage(WOLFSSL_BIO* bio, WOLFSSL_X509* x509)
+{
+    int ret = WOLFSSL_SUCCESS;
+    word32 i = 0;
+    int usageCount = 0;
+    const int usages[] = {
+        EXTKEYUSE_OCSP_SIGN,
+        EXTKEYUSE_TIMESTAMP,
+        EXTKEYUSE_EMAILPROT,
+        EXTKEYUSE_CODESIGN,
+        EXTKEYUSE_CLIENT_AUTH,
+        EXTKEYUSE_SERVER_AUTH
+    };
+    const char* usageStrs[] = {
+        "OCSP Signing",
+        "Time Stamping",
+        "E-mail Protection",
+        "Code Signing",
+        "TLS Web Client Authentication",
+        "TLS Web Server Authentication"
+    };
+
+    if (bio == NULL || x509 == NULL) {
+        ret = WOLFSSL_FAILURE;
+    }
+
+    if (ret == WOLFSSL_SUCCESS && x509->extKeyUsageCount > 0
+        && x509->extKeyUsage != 0) {
+
+        if (wolfSSL_BIO_write(bio,
+            "            X509v3 Extended Key Usage: ", 39) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+        if (ret == WOLFSSL_SUCCESS && x509->extKeyUsageCrit &&
+            wolfSSL_BIO_write(bio, "critical", 8) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+        if (ret == WOLFSSL_SUCCESS &&
+            wolfSSL_BIO_write(bio, "\n                ", 17) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+        for (; ret == WOLFSSL_SUCCESS && i < sizeof(usages) / sizeof(usages[i]);
+             i++) {
+            if (x509->extKeyUsage & usages[i]) {
+                ++usageCount;
+                if (usageCount > 1 && wolfSSL_BIO_write(bio, ", ", 2) <= 0) {
+                    ret = WOLFSSL_FAILURE;
+                    break;
+                }
+                if (wolfSSL_BIO_write(bio, usageStrs[i],
+                                      (int)XSTRLEN(usageStrs[i])) <= 0) {
+                    ret = WOLFSSL_FAILURE;
+                    break;
+                }
+            }
+        }
+        if (ret == WOLFSSL_SUCCESS && wolfSSL_BIO_write(bio, "\n", 1) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+    }
+
+    return ret;
+}
+
 /* Writes the human readable form of x509 to bio.
  *
  * bio  WOLFSSL_BIO to write to.
@@ -5329,13 +5550,8 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
         int  issSz = 256;
     #endif
 
-        #if defined(WOLFSSL_QT)
         issuer = wolfSSL_X509_get_name_oneline(
                            wolfSSL_X509_get_issuer_name(x509), buff, issSz);
-        #else
-            issuer = wolfSSL_X509_NAME_oneline(
-                               wolfSSL_X509_get_issuer_name(x509), buff, issSz);
-        #endif
 
         if (wolfSSL_BIO_write(bio, "        Issuer: ",
                       (int)XSTRLEN("        Issuer: ")) <= 0) {
@@ -5427,13 +5643,8 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
         int  subSz = 256;
     #endif
 
-        #if defined(WOLFSSL_QT)
         subject = wolfSSL_X509_get_name_oneline(
                           wolfSSL_X509_get_subject_name(x509), buff, subSz);
-        #else
-            subject = wolfSSL_X509_NAME_oneline(
-                              wolfSSL_X509_get_subject_name(x509), buff, subSz);
-        #endif
 
         if (wolfSSL_BIO_write(bio, "\n        Subject: ",
                       (int)XSTRLEN("\n        Subject: ")) <= 0) {
@@ -5809,13 +6020,17 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
         char val[5];
         int valSz = 5;
 
+        XSNPRINTF(tmp, sizeof(tmp),
+                  "            X509v3 Subject Key Identifier: ");
+        if (x509->subjKeyIdCrit) {
+            XSTRNCAT(tmp, "critical", sizeof(tmp) - XSTRLEN(tmp) - 1);
+        }
+        XSTRNCAT(tmp, "\n", sizeof(tmp) - XSTRLEN(tmp) - 1);
 
-            if (wolfSSL_BIO_write(bio,
+        if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
-                        "            X509v3 Subject Key Identifier: \n",
-           (int)XSTRLEN("            X509v3 Subject Key Identifier: \n"))
-                 <= 0) {
             return WOLFSSL_FAILURE;
         }
+        XMEMSET(tmp, 0, sizeof(tmp));
 
         XSNPRINTF(tmp, sizeof(tmp) - 1, "                ");
         for (i = 0; i < sizeof(tmp) && i < (x509->subjKeyIdSz - 1); i++) {
@@ -5838,12 +6053,17 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
         int valSz = 5;
         int len = 0;
 
-            if (wolfSSL_BIO_write(bio,
+        XSNPRINTF(tmp, sizeof(tmp),
-                        "            X509v3 Authority Key Identifier: \n",
+                  "            X509v3 Authority Key Identifier: ");
-           (int)XSTRLEN("            X509v3 Authority Key Identifier: \n"))
+        if (x509->authKeyIdCrit) {
-                 <= 0) {
+            XSTRNCAT(tmp, "critical", sizeof(tmp) - XSTRLEN(tmp) - 1);
+        }
+        XSTRNCAT(tmp, "\n", sizeof(tmp) - XSTRLEN(tmp) - 1);
+
+        if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
             return WOLFSSL_FAILURE;
         }
+        XMEMSET(tmp, 0, sizeof(tmp));
 
         XSNPRINTF(tmp, sizeof(tmp) - 1, "                keyid");
         for (i = 0; i < x509->authKeyIdSz; i++) {
@@ -5868,12 +6088,18 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
     if (x509->basicConstSet) {
         char tmp[100];
 
-            if (wolfSSL_BIO_write(bio,
+        XSNPRINTF(tmp, sizeof(tmp),
-                        "\n            X509v3 Basic Constraints: \n",
+                  "            X509v3 Basic Constraints: ");
-           (int)XSTRLEN("\n            X509v3 Basic Constraints: \n"))
+        if (x509->basicConstCrit) {
-                 <= 0) {
+            XSTRNCAT(tmp, "critical", sizeof(tmp) - XSTRLEN(tmp) - 1);
+        }
+        XSTRNCAT(tmp, "\n", sizeof(tmp) - XSTRLEN(tmp) - 1);
+
+        if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
             return WOLFSSL_FAILURE;
         }
+        XMEMSET(tmp, 0, sizeof(tmp));
+
         XSNPRINTF(tmp, sizeof(tmp),
                 "                CA:%s\n",
                 (x509->isCa)? "TRUE": "FALSE");
@@ -5882,6 +6108,10 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
         }
     }
 
+    X509PrintSubjAltName(bio, x509);
+    X509PrintKeyUsage(bio, x509);
+    X509PrintExtendedKeyUsage(bio, x509);
+
     /* print out signature */
     if (x509->sig.length > 0) {
         unsigned char* sig;

tests/api.c

@@ -51464,10 +51464,11 @@ static void test_wolfSSL_X509_print(void)
     AssertNotNull(bio = BIO_new(BIO_s_mem()));
     AssertIntEQ(X509_print(bio, x509), SSL_SUCCESS);
 
-#if defined(WOLFSSL_QT)
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
-    AssertIntEQ(BIO_get_mem_data(bio, NULL), 3113);
+    /* Will print IP address subject alt name. */
+    AssertIntEQ(BIO_get_mem_data(bio, NULL), 3329);
 #else
-    AssertIntEQ(BIO_get_mem_data(bio, NULL), 3103);
+    AssertIntEQ(BIO_get_mem_data(bio, NULL), 3307);
 #endif
     BIO_free(bio);