Also log the signature algorithm when printing the verified certificates

This allows the user to figure out which certificate uses MD5/SHA1. Signed-off-by: Arne Schwabe <arne@openvpn.net>
2024-09-20 12:12:15 +02:00 · 2020-09-15 16:00:40 +02:00 · 2020-09-15 16:00:40 +02:00 · b67702e19f
commit b67702e19f
parent 949386f5fe
3 changed files with 35 additions and 2 deletions
--- a/openvpn/openssl/pki/x509certinfo.hpp
+++ b/openvpn/openssl/pki/x509certinfo.hpp
@ -32,6 +32,7 @@
 #include <openssl/ssl.h>
 #include <openssl/bio.h>
 #include <openssl/x509v3.h>
+#include <openssl/x509.h>

 #include "openvpn/common/hexstr.hpp"
 #include "openvpn/common/uniqueptr.hpp"
@ -93,6 +94,24 @@ static std::string x509_get_subject(::X509 *cert, bool new_format = false) {
                     subject_mem->data + subject_mem->length);
 }

+/**
+ * Retrives the algorithm used to sign a X509 certificate
+ * @param cert 	OpenSSL certificate
+ * @return
+ */
+static const std::string x509_get_signature_algorithm(const ::X509* cert)
+{
+  int nid = X509_get_signature_nid(cert);
+  const char *sig = OBJ_nid2sn(nid);
+
+  if (sig)
+    {
+      return sig;
+    }
+  else
+    return "(error getting signature algorithm)";
+}
+
 /**
 *  Retrieves a specific portion of the X.509 Certificate subject field
 *
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
@ -1612,6 +1612,7 @@ namespace openvpn {
    static std::string cert_status_line(int preverify_ok,
 					int depth,
 					int err,
+					const std::string& signature,
 					const std::string& subject)
    {
      std::string ret;
@ -1628,6 +1629,7 @@ namespace openvpn {
 	ret += subject;
      else
 	ret += "NO_SUBJECT";
+      ret += ", signature: " + signature;
      if (!preverify_ok)
 	{
 	  ret += " [";
@ -1687,8 +1689,10 @@ namespace openvpn {

      // log subject
      const std::string subject = OpenSSLPKI::x509_get_subject(current_cert);
+      auto signature = OpenSSLPKI::x509_get_signature_algorithm(current_cert);
      if (self->config->flags & SSLConst::LOG_VERIFY_STATUS)
-	OPENVPN_LOG_SSL(cert_status_line(preverify_ok, depth, X509_STORE_CTX_get_error(ctx), subject));
+	OPENVPN_LOG_SSL(cert_status_line(preverify_ok, depth, X509_STORE_CTX_get_error(ctx),
+				 signature, subject));

      // Add warnings if Cert parameters are wrong
      self_ssl->tls_warnings |= self->check_cert_warnings(current_cert);
@ -1780,7 +1784,9 @@ namespace openvpn {

      // log subject
      if (self->config->flags & SSLConst::LOG_VERIFY_STATUS)
-	OPENVPN_LOG_SSL(cert_status_line(preverify_ok, depth, err, OpenSSLPKI::x509_get_subject(current_cert)));
+	OPENVPN_LOG_SSL(cert_status_line(preverify_ok, depth, err,
+				  OpenSSLPKI::x509_get_subject(current_cert),
+				  OpenSSLPKI::x509_get_signature_algorithm(current_cert)));

      // record cert error in authcert
      if (!preverify_ok && self_ssl->authcert)
--- a/test/unittests/test_openssl_x509certinfo.cpp
+++ b/test/unittests/test_openssl_x509certinfo.cpp
@ -121,4 +121,12 @@ TEST(OpenSSL_X509_get_field, basic_checks) {
  ASSERT_EQ(OpenSSLPKI::x509_get_field(x509crt.obj(), NID_countryName), "US");
 }

+TEST(OpenSSL_X509_get_field, signature) {
+    OpenSSLPKI::X509 x509crt(test_cert, "Embedded Test Server Cert");
+
+    ASSERT_EQ(OpenSSLPKI::x509_get_signature_algorithm(x509crt.obj()), "RSA-SHA256");
+
+  }
+
+
 }  // namespace unittests