/src/FreeRDP/libfreerdp/crypto/certificate_data.c

Source
/**
 * FreeRDP: A Remote Desktop Protocol Implementation
 * Certificate Handling
 *
 * Copyright 2011 Jiten Pathy
 * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
 * Copyright 2023 Armin Novak <anovak@thincast.com>
 * Copyright 2023 Thincast Technologies GmbH
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <ctype.h>

#include <freerdp/config.h>

#include <winpr/assert.h>
#include <winpr/path.h>

#include <freerdp/settings.h>

#include <freerdp/crypto/crypto.h>
#include <freerdp/crypto/certificate_data.h>

#include "certificate.h"

struct rdp_certificate_data
{
  char* hostname;
  UINT16 port;
  rdpCertificate* cert;

  char cached_hash[MAX_PATH + 10];
  char* cached_subject;
  char* cached_issuer;
  char* cached_fingerprint;
  char* cached_pem;
  char* cached_pem_chain;
};

/* ensure our hostnames (and therefore filenames) always use the same capitalization.
 * the user might have input random case, but we always need to have a sane
 * baseline to compare against. */
static char* ensure_lowercase(char* str, size_t length)
{
  const size_t len = strnlen(str, length);
  for (size_t x = 0; x < len; x++)
    str[x] = (char)tolower(str[x]);
  return str;
}

static char* ensure_valid_charset(char* str, size_t length)
{
  const size_t len = strnlen(str, length);
  for (size_t x = 0; x < len; x++)
  {
    char cur = str[x];
    switch (cur)
    {
      case ':':
        str[x] = '.';
        break;
      case '/':
      case '\\':
        str[x] = '_';
        break;
      default:
        break;
    }
  }
  return str;
}

static const char* freerdp_certificate_data_hash_(const char* hostname, UINT16 port, char* name,
                                                  size_t length)
{
  (void)_snprintf(name, length, "%s_%" PRIu16 ".pem", hostname, port);
  return ensure_lowercase(ensure_valid_charset(name, length), length);
}

static BOOL freerdp_certificate_data_load_cache(rdpCertificateData* data)
{
  BOOL rc = FALSE;

  WINPR_ASSERT(data);

  freerdp_certificate_data_hash_(data->hostname, data->port, data->cached_hash,
                                 sizeof(data->cached_hash));
  if (strnlen(data->cached_hash, sizeof(data->cached_hash)) == 0)
    goto fail;

  data->cached_subject = freerdp_certificate_get_subject(data->cert);
  if (!data->cached_subject)
    data->cached_subject = calloc(1, 1);

  size_t pemlen = 0;
  data->cached_pem = freerdp_certificate_get_pem_ex(data->cert, &pemlen, FALSE);
  if (!data->cached_pem)
    goto fail;

  size_t pemchainlen = 0;
  data->cached_pem_chain = freerdp_certificate_get_pem_ex(data->cert, &pemchainlen, TRUE);
  if (!data->cached_pem_chain)
    goto fail;

  data->cached_fingerprint = freerdp_certificate_get_fingerprint(data->cert);
  if (!data->cached_fingerprint)
    goto fail;

  data->cached_issuer = freerdp_certificate_get_issuer(data->cert);
  if (!data->cached_issuer)
    data->cached_issuer = calloc(1, 1);

  rc = TRUE;
fail:
  return rc;
}

static rdpCertificateData* freerdp_certificate_data_new_nocopy(const char* hostname, UINT16 port,
                                                               rdpCertificate* xcert)
{
  rdpCertificateData* certdata = NULL;

  if (!hostname || !xcert)
    goto fail;

  certdata = (rdpCertificateData*)calloc(1, sizeof(rdpCertificateData));

  if (!certdata)
    goto fail;

  certdata->port = port;
  certdata->hostname = _strdup(hostname);
  if (!certdata->hostname)
    goto fail;
  ensure_lowercase(certdata->hostname, strlen(certdata->hostname));

  certdata->cert = xcert;
  if (!freerdp_certificate_data_load_cache(certdata))
  {
    certdata->cert = NULL;
    goto fail;
  }

  return certdata;
fail:
  freerdp_certificate_data_free(certdata);
  return NULL;
}

rdpCertificateData* freerdp_certificate_data_new(const char* hostname, UINT16 port,
                                                 const rdpCertificate* xcert)
{
  rdpCertificate* copy = freerdp_certificate_clone(xcert);
  rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, copy);
  if (!data)
    freerdp_certificate_free(copy);
  return data;
}

rdpCertificateData* freerdp_certificate_data_new_from_pem(const char* hostname, UINT16 port,
                                                          const char* pem, size_t length)
{
  if (!pem || (length == 0))
    return NULL;

  rdpCertificate* cert = freerdp_certificate_new_from_pem(pem);
  rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
  if (!data)
    freerdp_certificate_free(cert);
  return data;
}

rdpCertificateData* freerdp_certificate_data_new_from_file(const char* hostname, UINT16 port,
                                                           const char* file)
{
  if (!file)
    return NULL;

  rdpCertificate* cert = freerdp_certificate_new_from_file(file);
  rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
  if (!data)
    freerdp_certificate_free(cert);
  return data;
}

void freerdp_certificate_data_free(rdpCertificateData* data)
{
  if (data == NULL)
    return;

  free(data->hostname);
  freerdp_certificate_free(data->cert);
  free(data->cached_subject);
  free(data->cached_issuer);
  free(data->cached_fingerprint);
  free(data->cached_pem);
  free(data->cached_pem_chain);

  free(data);
}

const char* freerdp_certificate_data_get_host(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;
  return cert->hostname;
}

UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert)
{
  if (!cert)
    return 0;
  return cert->port;
}

const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert)
{
  return freerdp_certificate_data_get_pem_ex(cert, TRUE);
}

const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert, BOOL withFullChain)
{
  if (!cert)
    return NULL;
  if (withFullChain)
    return cert->cached_pem_chain;
  return cert->cached_pem;
}

const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;

  return cert->cached_subject;
}

const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;

  return cert->cached_issuer;
}
const char* freerdp_certificate_data_get_fingerprint(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;

  return cert->cached_fingerprint;
}

BOOL freerdp_certificate_data_equal(const rdpCertificateData* a, const rdpCertificateData* b)
{
  BOOL rc = FALSE;

  WINPR_ASSERT(a);
  WINPR_ASSERT(b);

  if (strcmp(a->hostname, b->hostname) != 0)
    return FALSE;
  if (a->port != b->port)
    return FALSE;

  const char* pem1 = freerdp_certificate_data_get_fingerprint(a);
  const char* pem2 = freerdp_certificate_data_get_fingerprint(b);
  if (pem1 && pem2)
    rc = strcmp(pem1, pem2) == 0;
  else
    rc = pem1 == pem2;

  return rc;
}

const char* freerdp_certificate_data_get_hash(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;

  return cert->cached_hash;
}

char* freerdp_certificate_data_hash(const char* hostname, UINT16 port)
{
  char name[MAX_PATH + 10] = { 0 };
  freerdp_certificate_data_hash_(hostname, port, name, sizeof(name));
  return _strdup(name);
}

Coverage Report

Created: 2025-12-14 07:01

Line	Count	Source
1		/**
2		* FreeRDP: A Remote Desktop Protocol Implementation
3		* Certificate Handling
4		*
5		* Copyright 2011 Jiten Pathy
6		* Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
7		* Copyright 2023 Armin Novak <anovak@thincast.com>
8		* Copyright 2023 Thincast Technologies GmbH
9		*
10		* Licensed under the Apache License, Version 2.0 (the "License");
11		* you may not use this file except in compliance with the License.
12		* You may obtain a copy of the License at
13		*
14		* http://www.apache.org/licenses/LICENSE-2.0
15		*
16		* Unless required by applicable law or agreed to in writing, software
17		* distributed under the License is distributed on an "AS IS" BASIS,
18		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19		* See the License for the specific language governing permissions and
20		* limitations under the License.
21		*/
22
23		#include <ctype.h>
24
25		#include <freerdp/config.h>
26
27		#include <winpr/assert.h>
28		#include <winpr/path.h>
29
30		#include <freerdp/settings.h>
31
32		#include <freerdp/crypto/crypto.h>
33		#include <freerdp/crypto/certificate_data.h>
34
35		#include "certificate.h"
36
37		struct rdp_certificate_data
38		{
39		char* hostname;
40		UINT16 port;
41		rdpCertificate* cert;
42
43		char cached_hash[MAX_PATH + 10];
44		char* cached_subject;
45		char* cached_issuer;
46		char* cached_fingerprint;
47		char* cached_pem;
48		char* cached_pem_chain;
49		};
50
51		/* ensure our hostnames (and therefore filenames) always use the same capitalization.
52		* the user might have input random case, but we always need to have a sane
53		* baseline to compare against. */
54		static char* ensure_lowercase(char* str, size_t length)
55	0	{
56	0	const size_t len = strnlen(str, length);
57	0	for (size_t x = 0; x < len; x++)
58	0	str[x] = (char)tolower(str[x]);
59	0	return str;
60	0	}
61
62		static char* ensure_valid_charset(char* str, size_t length)
63	0	{
64	0	const size_t len = strnlen(str, length);
65	0	for (size_t x = 0; x < len; x++)
66	0	{
67	0	char cur = str[x];
68	0	switch (cur)
69	0	{
70	0	case ':':
71	0	str[x] = '.';
72	0	break;
73	0	case '/':
74	0	case '\\':
75	0	str[x] = '_';
76	0	break;
77	0	default:
78	0	break;
79	0	}
80	0	}
81	0	return str;
82	0	}
83
84		static const char* freerdp_certificate_data_hash_(const char* hostname, UINT16 port, char* name,
85		size_t length)
86	0	{
87	0	(void)_snprintf(name, length, "%s_%" PRIu16 ".pem", hostname, port);
88	0	return ensure_lowercase(ensure_valid_charset(name, length), length);
89	0	}
90
91		static BOOL freerdp_certificate_data_load_cache(rdpCertificateData* data)
92	0	{
93	0	BOOL rc = FALSE;
94
95	0	WINPR_ASSERT(data);
96
97	0	freerdp_certificate_data_hash_(data->hostname, data->port, data->cached_hash,
98	0	sizeof(data->cached_hash));
99	0	if (strnlen(data->cached_hash, sizeof(data->cached_hash)) == 0)
100	0	goto fail;
101
102	0	data->cached_subject = freerdp_certificate_get_subject(data->cert);
103	0	if (!data->cached_subject)
104	0	data->cached_subject = calloc(1, 1);
105
106	0	size_t pemlen = 0;
107	0	data->cached_pem = freerdp_certificate_get_pem_ex(data->cert, &pemlen, FALSE);
108	0	if (!data->cached_pem)
109	0	goto fail;
110
111	0	size_t pemchainlen = 0;
112	0	data->cached_pem_chain = freerdp_certificate_get_pem_ex(data->cert, &pemchainlen, TRUE);
113	0	if (!data->cached_pem_chain)
114	0	goto fail;
115
116	0	data->cached_fingerprint = freerdp_certificate_get_fingerprint(data->cert);
117	0	if (!data->cached_fingerprint)
118	0	goto fail;
119
120	0	data->cached_issuer = freerdp_certificate_get_issuer(data->cert);
121	0	if (!data->cached_issuer)
122	0	data->cached_issuer = calloc(1, 1);
123
124	0	rc = TRUE;
125	0	fail:
126	0	return rc;
127	0	}
128
129		static rdpCertificateData* freerdp_certificate_data_new_nocopy(const char* hostname, UINT16 port,
130		rdpCertificate* xcert)
131	0	{
132	0	rdpCertificateData* certdata = NULL;
133
134	0	if (!hostname \|\| !xcert)
135	0	goto fail;
136
137	0	certdata = (rdpCertificateData*)calloc(1, sizeof(rdpCertificateData));
138
139	0	if (!certdata)
140	0	goto fail;
141
142	0	certdata->port = port;
143	0	certdata->hostname = _strdup(hostname);
144	0	if (!certdata->hostname)
145	0	goto fail;
146	0	ensure_lowercase(certdata->hostname, strlen(certdata->hostname));
147
148	0	certdata->cert = xcert;
149	0	if (!freerdp_certificate_data_load_cache(certdata))
150	0	{
151	0	certdata->cert = NULL;
152	0	goto fail;
153	0	}
154
155	0	return certdata;
156	0	fail:
157	0	freerdp_certificate_data_free(certdata);
158	0	return NULL;
159	0	}
160
161		rdpCertificateData* freerdp_certificate_data_new(const char* hostname, UINT16 port,
162		const rdpCertificate* xcert)
163	0	{
164	0	rdpCertificate* copy = freerdp_certificate_clone(xcert);
165	0	rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, copy);
166	0	if (!data)
167	0	freerdp_certificate_free(copy);
168	0	return data;
169	0	}
170
171		rdpCertificateData* freerdp_certificate_data_new_from_pem(const char* hostname, UINT16 port,
172		const char* pem, size_t length)
173	0	{
174	0	if (!pem \|\| (length == 0))
175	0	return NULL;
176
177	0	rdpCertificate* cert = freerdp_certificate_new_from_pem(pem);
178	0	rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
179	0	if (!data)
180	0	freerdp_certificate_free(cert);
181	0	return data;
182	0	}
183
184		rdpCertificateData* freerdp_certificate_data_new_from_file(const char* hostname, UINT16 port,
185		const char* file)
186	0	{
187	0	if (!file)
188	0	return NULL;
189
190	0	rdpCertificate* cert = freerdp_certificate_new_from_file(file);
191	0	rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
192	0	if (!data)
193	0	freerdp_certificate_free(cert);
194	0	return data;
195	0	}
196
197		void freerdp_certificate_data_free(rdpCertificateData* data)
198	0	{
199	0	if (data == NULL)
200	0	return;
201
202	0	free(data->hostname);
203	0	freerdp_certificate_free(data->cert);
204	0	free(data->cached_subject);
205	0	free(data->cached_issuer);
206	0	free(data->cached_fingerprint);
207	0	free(data->cached_pem);
208	0	free(data->cached_pem_chain);
209
210	0	free(data);
211	0	}
212
213		const char* freerdp_certificate_data_get_host(const rdpCertificateData* cert)
214	0	{
215	0	if (!cert)
216	0	return NULL;
217	0	return cert->hostname;
218	0	}
219
220		UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert)
221	0	{
222	0	if (!cert)
223	0	return 0;
224	0	return cert->port;
225	0	}
226
227		const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert)
228	0	{
229	0	return freerdp_certificate_data_get_pem_ex(cert, TRUE);
230	0	}
231
232		const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert, BOOL withFullChain)
233	0	{
234	0	if (!cert)
235	0	return NULL;
236	0	if (withFullChain)
237	0	return cert->cached_pem_chain;
238	0	return cert->cached_pem;
239	0	}
240
241		const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert)
242	0	{
243	0	if (!cert)
244	0	return NULL;
245
246	0	return cert->cached_subject;
247	0	}
248
249		const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert)
250	0	{
251	0	if (!cert)
252	0	return NULL;
253
254	0	return cert->cached_issuer;
255	0	}
256		const char* freerdp_certificate_data_get_fingerprint(const rdpCertificateData* cert)
257	0	{
258	0	if (!cert)
259	0	return NULL;
260
261	0	return cert->cached_fingerprint;
262	0	}
263
264		BOOL freerdp_certificate_data_equal(const rdpCertificateData* a, const rdpCertificateData* b)
265	0	{
266	0	BOOL rc = FALSE;
267
268	0	WINPR_ASSERT(a);
269	0	WINPR_ASSERT(b);
270
271	0	if (strcmp(a->hostname, b->hostname) != 0)
272	0	return FALSE;
273	0	if (a->port != b->port)
274	0	return FALSE;
275
276	0	const char* pem1 = freerdp_certificate_data_get_fingerprint(a);
277	0	const char* pem2 = freerdp_certificate_data_get_fingerprint(b);
278	0	if (pem1 && pem2)
279	0	rc = strcmp(pem1, pem2) == 0;
280	0	else
281	0	rc = pem1 == pem2;
282
283	0	return rc;
284	0	}
285
286		const char* freerdp_certificate_data_get_hash(const rdpCertificateData* cert)
287	0	{
288	0	if (!cert)
289	0	return NULL;
290
291	0	return cert->cached_hash;
292	0	}
293
294		char* freerdp_certificate_data_hash(const char* hostname, UINT16 port)
295	0	{
296	0	char name[MAX_PATH + 10] = { 0 };
297	0	freerdp_certificate_data_hash_(hostname, port, name, sizeof(name));
298	0	return _strdup(name);
299	0	}