2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 RCSID("$Id: print.c 22420 2008-01-13 09:42:35Z lha $");
38 * @page page_print Hx509 printing functions
40 * See the library functions here: @ref hx509_print
43 struct hx509_validate_ctx_data {
45 hx509_vprint_func vprint_func;
50 unsigned int selfsigned:1;
52 unsigned int isproxy:1;
53 unsigned int haveSAN:1;
54 unsigned int haveIAN:1;
55 unsigned int haveSKI:1;
56 unsigned int haveAKI:1;
57 unsigned int haveCRLDP:1;
66 Time2string(const Time *T, char **str)
73 t = _hx509_Time2time_t(T);
78 strftime(s, 30, "%Y-%m-%d %H:%M:%S", tm);
84 * Helper function to print on stdout for:
85 * - hx509_oid_print(),
86 * - hx509_bitstring_print(),
87 * - hx509_validate_ctx_set_print().
89 * @param ctx the context to the print function. If the ctx is NULL,
91 * @param fmt the printing format.
92 * @param va the argumet list.
94 * @ingroup hx509_print
98 hx509_print_stdout(void *ctx, const char *fmt, va_list va)
103 vfprintf(f, fmt, va);
107 print_func(hx509_vprint_func func, void *ctx, const char *fmt, ...)
111 (*func)(ctx, fmt, va);
116 * Print a oid to a string.
118 * @param oid oid to print
119 * @param str allocated string, free with hx509_xfree().
121 * @return An hx509 error code, see hx509_get_error_string().
123 * @ingroup hx509_print
127 hx509_oid_sprint(const heim_oid *oid, char **str)
129 return der_print_heim_oid(oid, '.', str);
133 * Print a oid using a hx509_vprint_func function. To print to stdout
134 * use hx509_print_stdout().
136 * @param oid oid to print
137 * @param func hx509_vprint_func to print with.
138 * @param ctx context variable to hx509_vprint_func function.
140 * @ingroup hx509_print
144 hx509_oid_print(const heim_oid *oid, hx509_vprint_func func, void *ctx)
147 hx509_oid_sprint(oid, &str);
148 print_func(func, ctx, "%s", str);
153 * Print a bitstring using a hx509_vprint_func function. To print to
154 * stdout use hx509_print_stdout().
156 * @param b bit string to print.
157 * @param func hx509_vprint_func to print with.
158 * @param ctx context variable to hx509_vprint_func function.
160 * @ingroup hx509_print
164 hx509_bitstring_print(const heim_bit_string *b,
165 hx509_vprint_func func, void *ctx)
168 print_func(func, ctx, "\tlength: %d\n\t", b->length);
169 for (i = 0; i < (b->length + 7) / 8; i++)
170 print_func(func, ctx, "%02x%s%s",
171 ((unsigned char *)b->data)[i],
172 i < (b->length - 7) / 8
173 && (i == 0 || (i % 16) != 15) ? ":" : "",
174 i != 0 && (i % 16) == 15 ?
175 (i <= ((b->length + 7) / 8 - 2) ? "\n\t" : "\n"):"");
179 * Print certificate usage for a certificate to a string.
181 * @param context A hx509 context.
182 * @param c a certificate print the keyusage for.
183 * @param s the return string with the keysage printed in to, free
184 * with hx509_xfree().
186 * @return An hx509 error code, see hx509_get_error_string().
188 * @ingroup hx509_print
192 hx509_cert_keyusage_print(hx509_context context, hx509_cert c, char **s)
200 ret = _hx509_cert_get_keyusage(context, c, &ku);
203 unparse_flags(KeyUsage2int(ku), asn1_KeyUsage_units(), buf, sizeof(buf));
206 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
218 validate_vprint(void *c, const char *fmt, va_list va)
220 hx509_validate_ctx ctx = c;
221 if (ctx->vprint_func == NULL)
223 (ctx->vprint_func)(ctx->ctx, fmt, va);
227 validate_print(hx509_validate_ctx ctx, int flags, const char *fmt, ...)
230 if ((ctx->flags & flags) == 0)
233 validate_vprint(ctx, fmt, va);
238 * Dont Care, SHOULD critical, SHOULD NOT critical, MUST critical,
241 enum critical_flag { D_C = 0, S_C, S_N_C, M_C, M_N_C };
244 check_Null(hx509_validate_ctx ctx,
245 struct cert_status *status,
246 enum critical_flag cf, const Extension *e)
253 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
254 "\tCritical not set on SHOULD\n");
258 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
259 "\tCritical set on SHOULD NOT\n");
263 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
264 "\tCritical not set on MUST\n");
268 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
269 "\tCritical set on MUST NOT\n");
272 _hx509_abort("internal check_Null state error");
278 check_subjectKeyIdentifier(hx509_validate_ctx ctx,
279 struct cert_status *status,
280 enum critical_flag cf,
283 SubjectKeyIdentifier si;
288 check_Null(ctx, status, cf, e);
290 ret = decode_SubjectKeyIdentifier(e->extnValue.data,
294 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
295 "Decoding SubjectKeyIdentifier failed: %d", ret);
298 if (size != e->extnValue.length) {
299 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
300 "Decoding SKI ahve extra bits on the end");
304 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
305 "SKI is too short (0 bytes)");
307 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
312 hex_encode(si.data, si.length, &id);
314 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
315 "\tsubject key id: %s\n", id);
320 free_SubjectKeyIdentifier(&si);
326 check_authorityKeyIdentifier(hx509_validate_ctx ctx,
327 struct cert_status *status,
328 enum critical_flag cf,
331 AuthorityKeyIdentifier ai;
336 check_Null(ctx, status, cf, e);
339 check_Null(ctx, status, cf, e);
341 ret = decode_AuthorityKeyIdentifier(e->extnValue.data,
345 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
346 "Decoding AuthorityKeyIdentifier failed: %d", ret);
349 if (size != e->extnValue.length) {
350 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
351 "Decoding SKI ahve extra bits on the end");
355 if (ai.keyIdentifier) {
357 hex_encode(ai.keyIdentifier->data, ai.keyIdentifier->length, &id);
359 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
360 "\tauthority key id: %s\n", id);
370 check_pkinit_san(hx509_validate_ctx ctx, heim_any *a)
372 KRB5PrincipalName kn;
377 ret = decode_KRB5PrincipalName(a->data, a->length, &kn, &size);
379 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
380 "Decoding kerberos name in SAN failed: %d", ret);
384 if (size != a->length) {
385 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
386 "Decoding kerberos name have extra bits on the end");
390 /* print kerberos principal, add code to quote / within components */
391 for (i = 0; i < kn.principalName.name_string.len; i++) {
392 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s",
393 kn.principalName.name_string.val[i]);
394 if (i + 1 < kn.principalName.name_string.len)
395 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "/");
397 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "@");
398 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", kn.realm);
400 free_KRB5PrincipalName(&kn);
405 check_utf8_string_san(hx509_validate_ctx ctx, heim_any *a)
411 ret = decode_PKIXXmppAddr(a->data, a->length, &jid, &size);
413 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
414 "Decoding JID in SAN failed: %d", ret);
418 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s", jid);
419 free_PKIXXmppAddr(&jid);
425 check_altnull(hx509_validate_ctx ctx, heim_any *a)
431 check_CRLDistributionPoints(hx509_validate_ctx ctx,
432 struct cert_status *status,
433 enum critical_flag cf,
436 CRLDistributionPoints dp;
440 check_Null(ctx, status, cf, e);
442 ret = decode_CRLDistributionPoints(e->extnValue.data,
446 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
447 "Decoding CRL Distribution Points failed: %d\n", ret);
451 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "CRL Distribution Points:\n");
452 for (i = 0 ; i < dp.len; i++) {
453 if (dp.val[i].distributionPoint) {
454 DistributionPointName dpname;
455 heim_any *data = dp.val[i].distributionPoint;
458 ret = decode_DistributionPointName(data->data, data->length,
461 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
462 "Failed to parse CRL Distribution Point Name: %d\n", ret);
466 switch (dpname.element) {
467 case choice_DistributionPointName_fullName:
468 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
470 for (j = 0 ; j < dpname.u.fullName.len; j++) {
472 GeneralName *name = &dpname.u.fullName.val[j];
474 ret = hx509_general_name_unparse(name, &s);
475 if (ret == 0 && s != NULL) {
476 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " %s\n", s);
481 case choice_DistributionPointName_nameRelativeToCRLIssuer:
482 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
483 "Unknown nameRelativeToCRLIssuer");
486 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
487 "Unknown DistributionPointName");
490 free_DistributionPointName(&dpname);
493 free_CRLDistributionPoints(&dp);
495 status->haveCRLDP = 1;
503 const heim_oid *(*oid)(void);
504 int (*func)(hx509_validate_ctx, heim_any *);
505 } check_altname[] = {
506 { "pk-init", oid_id_pkinit_san, check_pkinit_san },
507 { "jabber", oid_id_pkix_on_xmppAddr, check_utf8_string_san },
508 { "dns-srv", oid_id_pkix_on_dnsSRV, check_altnull },
509 { "card-id", oid_id_uspkicommon_card_id, check_altnull },
510 { "Microsoft NT-PRINCIPAL-NAME", oid_id_pkinit_ms_san, check_utf8_string_san }
514 check_altName(hx509_validate_ctx ctx,
515 struct cert_status *status,
517 enum critical_flag cf,
524 check_Null(ctx, status, cf, e);
526 if (e->extnValue.length == 0) {
527 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
528 "%sAltName empty, not allowed", name);
531 ret = decode_GeneralNames(e->extnValue.data, e->extnValue.length,
534 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
535 "\tret = %d while decoding %s GeneralNames\n",
540 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
541 "%sAltName generalName empty, not allowed\n", name);
545 for (i = 0; i < gn.len; i++) {
546 switch (gn.val[i].element) {
547 case choice_GeneralName_otherName: {
550 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
551 "%sAltName otherName ", name);
553 for (j = 0; j < sizeof(check_altname)/sizeof(check_altname[0]); j++) {
554 if (der_heim_oid_cmp((*check_altname[j].oid)(),
555 &gn.val[i].u.otherName.type_id) != 0)
558 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
559 check_altname[j].name);
560 (*check_altname[j].func)(ctx, &gn.val[i].u.otherName.value);
563 if (j == sizeof(check_altname)/sizeof(check_altname[0])) {
564 hx509_oid_print(&gn.val[i].u.otherName.type_id,
565 validate_vprint, ctx);
566 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, " unknown");
568 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\n");
573 ret = hx509_general_name_unparse(&gn.val[i], &s);
575 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
576 "ret = %d unparsing GeneralName\n", ret);
579 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s\n", s);
586 free_GeneralNames(&gn);
592 check_subjectAltName(hx509_validate_ctx ctx,
593 struct cert_status *status,
594 enum critical_flag cf,
598 return check_altName(ctx, status, "subject", cf, e);
602 check_issuerAltName(hx509_validate_ctx ctx,
603 struct cert_status *status,
604 enum critical_flag cf,
608 return check_altName(ctx, status, "issuer", cf, e);
613 check_basicConstraints(hx509_validate_ctx ctx,
614 struct cert_status *status,
615 enum critical_flag cf,
622 check_Null(ctx, status, cf, e);
624 ret = decode_BasicConstraints(e->extnValue.data, e->extnValue.length,
627 printf("\tret = %d while decoding BasicConstraints\n", ret);
630 if (size != e->extnValue.length)
631 printf("\tlength of der data isn't same as extension\n");
633 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
634 "\tis %sa CA\n", b.cA && *b.cA ? "" : "NOT ");
635 if (b.pathLenConstraint)
636 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
637 "\tpathLenConstraint: %d\n", *b.pathLenConstraint);
642 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
643 "Is a CA and not BasicConstraints CRITICAL\n");
647 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
648 "cA is FALSE, not allowed to be\n");
650 free_BasicConstraints(&b);
656 check_proxyCertInfo(hx509_validate_ctx ctx,
657 struct cert_status *status,
658 enum critical_flag cf,
661 check_Null(ctx, status, cf, e);
667 check_authorityInfoAccess(hx509_validate_ctx ctx,
668 struct cert_status *status,
669 enum critical_flag cf,
672 AuthorityInfoAccessSyntax aia;
676 check_Null(ctx, status, cf, e);
678 ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
682 printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
686 for (i = 0; i < aia.len; i++) {
688 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
690 hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
691 hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
692 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
693 "\n\tdirname: %s\n", str);
696 free_AuthorityInfoAccessSyntax(&aia);
707 const heim_oid *(*oid)(void);
708 int (*func)(hx509_validate_ctx ctx,
709 struct cert_status *status,
710 enum critical_flag cf,
712 enum critical_flag cf;
713 } check_extension[] = {
714 #define ext(name, checkname) #name, &oid_id_x509_ce_##name, check_##checkname
715 { ext(subjectDirectoryAttributes, Null), M_N_C },
716 { ext(subjectKeyIdentifier, subjectKeyIdentifier), M_N_C },
717 { ext(keyUsage, Null), S_C },
718 { ext(subjectAltName, subjectAltName), M_N_C },
719 { ext(issuerAltName, issuerAltName), S_N_C },
720 { ext(basicConstraints, basicConstraints), D_C },
721 { ext(cRLNumber, Null), M_N_C },
722 { ext(cRLReason, Null), M_N_C },
723 { ext(holdInstructionCode, Null), M_N_C },
724 { ext(invalidityDate, Null), M_N_C },
725 { ext(deltaCRLIndicator, Null), M_C },
726 { ext(issuingDistributionPoint, Null), M_C },
727 { ext(certificateIssuer, Null), M_C },
728 { ext(nameConstraints, Null), M_C },
729 { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
730 { ext(certificatePolicies, Null) },
731 { ext(policyMappings, Null), M_N_C },
732 { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
733 { ext(policyConstraints, Null), D_C },
734 { ext(extKeyUsage, Null), D_C },
735 { ext(freshestCRL, Null), M_N_C },
736 { ext(inhibitAnyPolicy, Null), M_C },
738 #define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname
739 { ext(proxyCertInfo, proxyCertInfo), M_C },
740 { ext(authorityInfoAccess, authorityInfoAccess), M_C },
742 { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim,
744 { "Netscape cert comment", oid_id_netscape_cert_comment,
750 * Allocate a hx509 validation/printing context.
752 * @param context A hx509 context.
753 * @param ctx a new allocated hx509 validation context, free with
754 * hx509_validate_ctx_free().
756 * @return An hx509 error code, see hx509_get_error_string().
758 * @ingroup hx509_print
762 hx509_validate_ctx_init(hx509_context context, hx509_validate_ctx *ctx)
764 *ctx = malloc(sizeof(**ctx));
767 memset(*ctx, 0, sizeof(**ctx));
772 * Set the printing functions for the validation context.
774 * @param ctx a hx509 valication context.
775 * @param func the printing function to usea.
776 * @param c the context variable to the printing function.
778 * @return An hx509 error code, see hx509_get_error_string().
780 * @ingroup hx509_print
784 hx509_validate_ctx_set_print(hx509_validate_ctx ctx,
785 hx509_vprint_func func,
788 ctx->vprint_func = func;
793 * Add flags to control the behaivor of the hx509_validate_cert()
796 * @param ctx A hx509 validation context.
797 * @param flags flags to add to the validation context.
799 * @return An hx509 error code, see hx509_get_error_string().
801 * @ingroup hx509_print
805 hx509_validate_ctx_add_flags(hx509_validate_ctx ctx, int flags)
811 * Free an hx509 validate context.
813 * @param ctx the hx509 validate context to free.
815 * @ingroup hx509_print
819 hx509_validate_ctx_free(hx509_validate_ctx ctx)
825 * Validate/Print the status of the certificate.
827 * @param context A hx509 context.
828 * @param ctx A hx509 validation context.
829 * @param cert the cerificate to validate/print.
831 * @return An hx509 error code, see hx509_get_error_string().
833 * @ingroup hx509_print
837 hx509_validate_cert(hx509_context context,
838 hx509_validate_ctx ctx,
841 Certificate *c = _hx509_get_cert(cert);
842 TBSCertificate *t = &c->tbsCertificate;
843 hx509_name issuer, subject;
845 struct cert_status status;
848 memset(&status, 0, sizeof(status));
850 if (_hx509_cert_get_version(c) != 3)
851 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
852 "Not version 3 certificate\n");
854 if ((t->version == NULL || *t->version < 2) && t->extensions)
855 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
856 "Not version 3 certificate with extensions\n");
858 if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
859 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
860 "Version 3 certificate without extensions\n");
862 ret = hx509_cert_get_subject(cert, &subject);
864 hx509_name_to_string(subject, &str);
865 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
866 "subject name: %s\n", str);
869 ret = hx509_cert_get_issuer(cert, &issuer);
871 hx509_name_to_string(issuer, &str);
872 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
873 "issuer name: %s\n", str);
876 if (hx509_name_cmp(subject, issuer) == 0) {
877 status.selfsigned = 1;
878 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
879 "\tis a self-signed certificate\n");
882 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
885 Time2string(&t->validity.notBefore, &str);
886 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotBefore %s\n", str);
888 Time2string(&t->validity.notAfter, &str);
889 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "\tnotAfter %s\n", str);
895 if (t->extensions->len == 0) {
897 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
898 "The empty extensions list is not "
899 "allowed by PKIX\n");
902 for (i = 0; i < t->extensions->len; i++) {
904 for (j = 0; check_extension[j].name; j++)
905 if (der_heim_oid_cmp((*check_extension[j].oid)(),
906 &t->extensions->val[i].extnID) == 0)
908 if (check_extension[j].name == NULL) {
909 int flags = HX509_VALIDATE_F_VERBOSE;
910 if (t->extensions->val[i].critical)
911 flags |= HX509_VALIDATE_F_VALIDATE;
912 validate_print(ctx, flags, "don't know what ");
913 if (t->extensions->val[i].critical)
914 validate_print(ctx, flags, "and is CRITICAL ");
915 if (ctx->flags & flags)
916 hx509_oid_print(&t->extensions->val[i].extnID,
917 validate_vprint, ctx);
918 validate_print(ctx, flags, " is\n");
922 HX509_VALIDATE_F_VALIDATE|HX509_VALIDATE_F_VERBOSE,
923 "checking extention: %s\n",
924 check_extension[j].name);
925 (*check_extension[j].func)(ctx,
927 check_extension[j].cf,
928 &t->extensions->val[i]);
931 validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
935 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
936 "CA certificate have no SubjectKeyIdentifier\n");
940 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
941 "Is not CA and doesn't have "
942 "AuthorityKeyIdentifier\n");
947 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
948 "Doesn't have SubjectKeyIdentifier\n");
950 if (status.isproxy && status.isca)
951 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
952 "Proxy and CA at the same time!\n");
954 if (status.isproxy) {
956 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
957 "Proxy and have SAN\n");
959 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
960 "Proxy and have IAN\n");
963 if (hx509_name_is_null_p(subject) && !status.haveSAN)
964 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
965 "NULL subject DN and doesn't have a SAN\n");
967 if (!status.selfsigned && !status.haveCRLDP)
968 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
969 "Not a CA nor PROXY and doesn't have"
972 if (status.selfsigned) {
973 ret = _hx509_verify_signature_bitstring(context,
975 &c->signatureAlgorithm,
976 &c->tbsCertificate._save,
979 validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
980 "Self-signed certificate was self-signed\n");
982 validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
983 "Self-signed certificate NOT really self-signed!\n");
986 hx509_name_free(&subject);
987 hx509_name_free(&issuer);