2 * Copyright 2017-present Facebook, Inc.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 #include <folly/ssl/OpenSSLCertUtils.h>
18 #include <folly/FileUtil.h>
19 #include <folly/ScopeGuard.h>
20 #include <folly/String.h>
21 #include <folly/ssl/OpenSSLPtrTypes.h>
26 Optional<std::string> OpenSSLCertUtils::getCommonName(X509& x509) {
27 auto subject = X509_get_subject_name(&x509);
32 auto cnLoc = X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
37 auto cnEntry = X509_NAME_get_entry(subject, cnLoc);
42 auto cnAsn = X509_NAME_ENTRY_get_data(cnEntry);
47 auto cnData = reinterpret_cast<const char*>(ASN1_STRING_get0_data(cnAsn));
48 auto cnLen = ASN1_STRING_length(cnAsn);
49 if (!cnData || cnLen <= 0) {
53 return Optional<std::string>(std::string(cnData, cnLen));
56 std::vector<std::string> OpenSSLCertUtils::getSubjectAltNames(X509& x509) {
57 auto names = reinterpret_cast<STACK_OF(GENERAL_NAME)*>(
58 X509_get_ext_d2i(&x509, NID_subject_alt_name, nullptr, nullptr));
63 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
66 std::vector<std::string> ret;
67 auto count = sk_GENERAL_NAME_num(names);
68 for (int i = 0; i < count; i++) {
69 auto genName = sk_GENERAL_NAME_value(names, i);
70 if (!genName || genName->type != GEN_DNS) {
73 auto nameData = reinterpret_cast<const char*>(
74 ASN1_STRING_get0_data(genName->d.dNSName));
75 auto nameLen = ASN1_STRING_length(genName->d.dNSName);
76 if (!nameData || nameLen <= 0) {
79 ret.emplace_back(nameData, nameLen);
84 Optional<std::string> OpenSSLCertUtils::getSubject(X509& x509) {
85 auto subject = X509_get_subject_name(&x509);
90 auto bio = BioUniquePtr(BIO_new(BIO_s_mem()));
92 throw std::runtime_error("Cannot allocate bio");
94 if (X509_NAME_print_ex(bio.get(), subject, 0, XN_FLAG_ONELINE) <= 0) {
98 char* bioData = nullptr;
99 size_t bioLen = BIO_get_mem_data(bio.get(), &bioData);
100 return std::string(bioData, bioLen);
103 Optional<std::string> OpenSSLCertUtils::getIssuer(X509& x509) {
104 auto issuer = X509_get_issuer_name(&x509);
109 auto bio = BioUniquePtr(BIO_new(BIO_s_mem()));
110 if (bio == nullptr) {
111 throw std::runtime_error("Cannot allocate bio");
114 if (X509_NAME_print_ex(bio.get(), issuer, 0, XN_FLAG_ONELINE) <= 0) {
118 char* bioData = nullptr;
119 size_t bioLen = BIO_get_mem_data(bio.get(), &bioData);
120 return std::string(bioData, bioLen);
123 folly::Optional<std::string> OpenSSLCertUtils::toString(X509& x509) {
124 auto in = BioUniquePtr(BIO_new(BIO_s_mem()));
126 throw std::runtime_error("Cannot allocate bio");
131 flags |= X509_FLAG_NO_HEADER | /* A few bytes of cert and data */
132 X509_FLAG_NO_PUBKEY | /* Public key */
133 X509_FLAG_NO_AUX | /* Auxiliary info? */
134 X509_FLAG_NO_SIGDUMP | /* Prints the signature */
135 X509_FLAG_NO_SIGNAME; /* Signature algorithms */
137 #ifdef X509_FLAG_NO_IDS
138 flags |= X509_FLAG_NO_IDS; /* Issuer/subject IDs */
141 if (X509_print_ex(in.get(), &x509, XN_FLAG_ONELINE, flags) > 0) {
142 char* bioData = nullptr;
143 size_t bioLen = BIO_get_mem_data(in.get(), &bioData);
144 return std::string(bioData, bioLen);
150 std::string OpenSSLCertUtils::getNotAfterTime(X509& x509) {
151 return getDateTimeStr(X509_get_notAfter(&x509));
154 std::string OpenSSLCertUtils::getNotBeforeTime(X509& x509) {
155 return getDateTimeStr(X509_get_notBefore(&x509));
158 std::string OpenSSLCertUtils::getDateTimeStr(const ASN1_TIME* time) {
163 auto bio = BioUniquePtr(BIO_new(BIO_s_mem()));
164 if (bio == nullptr) {
165 throw std::runtime_error("Cannot allocate bio");
168 if (ASN1_TIME_print(bio.get(), time) <= 0) {
169 throw std::runtime_error("Cannot print ASN1_TIME");
172 char* bioData = nullptr;
173 size_t bioLen = BIO_get_mem_data(bio.get(), &bioData);
174 return std::string(bioData, bioLen);
177 X509UniquePtr OpenSSLCertUtils::derDecode(ByteRange range) {
178 auto begin = range.data();
179 X509UniquePtr cert(d2i_X509(nullptr, &begin, range.size()));
181 throw std::runtime_error("could not read cert");
186 std::unique_ptr<IOBuf> OpenSSLCertUtils::derEncode(X509& x509) {
187 auto len = i2d_X509(&x509, nullptr);
189 throw std::runtime_error("Error computing length");
191 auto buf = IOBuf::create(len);
192 auto dataPtr = buf->writableData();
193 len = i2d_X509(&x509, &dataPtr);
195 throw std::runtime_error("Error converting cert to DER");
201 std::vector<X509UniquePtr> OpenSSLCertUtils::readCertsFromBuffer(
204 BIO_new_mem_buf(const_cast<unsigned char*>(range.data()), range.size()));
206 throw std::runtime_error("failed to create BIO");
208 std::vector<X509UniquePtr> certs;
210 X509UniquePtr x509(PEM_read_bio_X509(b.get(), nullptr, nullptr, nullptr));
214 certs.push_back(std::move(x509));
220 std::array<uint8_t, SHA_DIGEST_LENGTH> OpenSSLCertUtils::getDigestSha1(
223 std::array<uint8_t, SHA_DIGEST_LENGTH> md;
224 int rc = X509_digest(&x509, EVP_sha1(), md.data(), &len);
227 throw std::runtime_error("Could not calculate SHA1 digest for cert");
232 std::array<uint8_t, SHA256_DIGEST_LENGTH> OpenSSLCertUtils::getDigestSha256(
235 std::array<uint8_t, SHA256_DIGEST_LENGTH> md;
236 int rc = X509_digest(&x509, EVP_sha256(), md.data(), &len);
239 throw std::runtime_error("Could not calculate SHA256 digest for cert");
244 X509StoreUniquePtr OpenSSLCertUtils::readStoreFromFile(std::string caFile) {
245 std::string certData;
246 if (!folly::readFile(caFile.c_str(), certData)) {
247 throw std::runtime_error(
248 folly::to<std::string>("Could not read store file: ", caFile));
250 auto certRange = folly::ByteRange(folly::StringPiece(certData));
251 return readStoreFromBuffer(std::move(certRange));
254 X509StoreUniquePtr OpenSSLCertUtils::readStoreFromBuffer(ByteRange certRange) {
255 auto certs = readCertsFromBuffer(certRange);
257 folly::ssl::X509StoreUniquePtr store(X509_STORE_new());
258 for (auto& caCert : certs) {
259 if (X509_STORE_add_cert(store.get(), caCert.get()) != 1) {
260 auto err = ERR_get_error();
261 if (ERR_GET_LIB(err) != ERR_LIB_X509 ||
262 ERR_GET_REASON(err) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
263 std::array<char, 256> errBuff;
264 ERR_error_string_n(err, errBuff.data(), errBuff.size());
265 throw std::runtime_error(folly::to<std::string>(
266 "Could not insert CA certificate into store: ",
267 std::string(errBuff.data())));