Also log the signature algorithm when printing the verified certificates
This allows the user to figure out which certificate uses MD5/SHA1. Signed-off-by: Arne Schwabe <arne@openvpn.net>
This commit is contained in:
parent
949386f5fe
commit
b67702e19f
@ -32,6 +32,7 @@
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include <openssl/x509.h>
|
||||
|
||||
#include "openvpn/common/hexstr.hpp"
|
||||
#include "openvpn/common/uniqueptr.hpp"
|
||||
@ -93,6 +94,24 @@ static std::string x509_get_subject(::X509 *cert, bool new_format = false) {
|
||||
subject_mem->data + subject_mem->length);
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrives the algorithm used to sign a X509 certificate
|
||||
* @param cert OpenSSL certificate
|
||||
* @return
|
||||
*/
|
||||
static const std::string x509_get_signature_algorithm(const ::X509* cert)
|
||||
{
|
||||
int nid = X509_get_signature_nid(cert);
|
||||
const char *sig = OBJ_nid2sn(nid);
|
||||
|
||||
if (sig)
|
||||
{
|
||||
return sig;
|
||||
}
|
||||
else
|
||||
return "(error getting signature algorithm)";
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieves a specific portion of the X.509 Certificate subject field
|
||||
*
|
||||
|
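Review bot: The fallback string on the `else` branch of `x509_get_signature_algorithm` is unlikely to be reached for a certificate whose signature OID OpenSSL does not recognise: `X509_get_signature_nid` returns `NID_undef` in that case, and if I read OpenSSL's object table correctly `OBJ_nid2sn(NID_undef)` yields the short name `"UNDEF"` rather than a null pointer, so a user hunting for weak algorithms would see `signature: UNDEF` with no hint that the OID was unknown. Consider testing the NID explicitly before the lookup, e.g. `if (nid == NID_undef || !sig) return "(error getting signature algorithm)";`. The doc comment also has a typo (`Retrives`) and an empty `@return`; suggested: `@return Short name of the signature algorithm (e.g. "RSA-SHA256"), or a placeholder string if it cannot be determined`. Returning `const std::string` by value blocks the move at the call site; plain `static std::string` is the conventional form and matches `x509_get_subject` above.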
@ -1612,6 +1612,7 @@ namespace openvpn {
|
||||
static std::string cert_status_line(int preverify_ok,
|
||||
int depth,
|
||||
int err,
|
||||
const std::string& signature,
|
||||
const std::string& subject)
|
||||
{
|
||||
std::string ret;
|
||||
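Review bot: Inserting `signature` directly before `subject` gives `cert_status_line` two adjacent `const std::string&` parameters, so a caller that passes them in the wrong order compiles silently (the call in the hunk at line 1780 does exactly that). Appending the new parameter at the end, or at least documenting the expected order, would make such mix-ups easier to spot; a short comment above the function such as `// Formats one verify-status line: depth, subject, signature algorithm and, on failure, the error text` would help. The function body continues past the hunk.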
@ -1628,6 +1629,7 @@ namespace openvpn {
|
||||
ret += subject;
|
||||
else
|
||||
ret += "NO_SUBJECT";
|
||||
ret += ", signature: " + signature;
|
||||
if (!preverify_ok)
|
||||
{
|
||||
ret += " [";
|
||||
@ -1687,8 +1689,10 @@ namespace openvpn {
|
||||
|
||||
// log subject
|
||||
const std::string subject = OpenSSLPKI::x509_get_subject(current_cert);
|
||||
auto signature = OpenSSLPKI::x509_get_signature_algorithm(current_cert);
|
||||
if (self->config->flags & SSLConst::LOG_VERIFY_STATUS)
|
||||
OPENVPN_LOG_SSL(cert_status_line(preverify_ok, depth, X509_STORE_CTX_get_error(ctx), subject));
|
||||
OPENVPN_LOG_SSL(cert_status_line(preverify_ok, depth, X509_STORE_CTX_get_error(ctx),
|
||||
signature, subject));
|
||||
|
||||
// Add warnings if Cert parameters are wrong
|
||||
self_ssl->tls_warnings |= self->check_cert_warnings(current_cert);
|
||||
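Review bot: `auto signature` on the line after `const std::string subject` mixes two declaration styles for two equivalent locals; `const auto signature = OpenSSLPKI::x509_get_signature_algorithm(current_cert);` keeps them uniform and prevents accidental mutation. The lookup also runs for every chain element even when `LOG_VERIFY_STATUS` is not set, although within the hunk it is only consumed by the log call — if nothing further down uses it, moving the lookup inside the `if` avoids the extra OBJ table work. The enclosing verify callback starts and ends outside the hunk.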
@ -1780,7 +1784,9 @@ namespace openvpn {
|
||||
|
||||
// log subject
|
||||
if (self->config->flags & SSLConst::LOG_VERIFY_STATUS)
|
||||
OPENVPN_LOG_SSL(cert_status_line(preverify_ok, depth, err, OpenSSLPKI::x509_get_subject(current_cert)));
|
||||
OPENVPN_LOG_SSL(cert_status_line(preverify_ok, depth, err,
|
||||
OpenSSLPKI::x509_get_subject(current_cert),
|
||||
OpenSSLPKI::x509_get_signature_algorithm(current_cert)));
|
||||
|
||||
// record cert error in authcert
|
||||
if (!preverify_ok && self_ssl->authcert)
|
||||
|
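Review bot: The two string arguments in this call to `cert_status_line` are in the wrong order: the declaration in the hunk at line 1612 takes `signature` before `subject`, but this call passes `x509_get_subject(current_cert)` first and `x509_get_signature_algorithm(current_cert)` second, so the logged line will label the subject as the signature algorithm and vice versa — defeating the purpose of the commit for this callback. Because both parameters are `const std::string&`, the compiler cannot catch the swap. Change the last two arguments to `OpenSSLPKI::x509_get_signature_algorithm(current_cert),` followed by `OpenSSLPKI::x509_get_subject(current_cert)));`. The other call site (hunk at line 1687) already passes them in the declared order. The enclosing verify callback starts and ends outside the hunk.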
@ -121,4 +121,12 @@ TEST(OpenSSL_X509_get_field, basic_checks) {
|
||||
ASSERT_EQ(OpenSSLPKI::x509_get_field(x509crt.obj(), NID_countryName), "US");
|
||||
}
|
||||
|
||||
TEST(OpenSSL_X509_get_field, signature) {
|
||||
OpenSSLPKI::X509 x509crt(test_cert, "Embedded Test Server Cert");
|
||||
|
||||
ASSERT_EQ(OpenSSLPKI::x509_get_signature_algorithm(x509crt.obj()), "RSA-SHA256");
|
||||
|
||||
}
|
||||
|
||||
|
||||
} // namespace unittests
|
||||
|