/src/FreeRDP/libfreerdp/crypto/certificate_data.c

Source
/**
 * FreeRDP: A Remote Desktop Protocol Implementation
 * Certificate Handling
 *
 * Copyright 2011 Jiten Pathy
 * Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
 * Copyright 2023 Armin Novak <anovak@thincast.com>
 * Copyright 2023 Thincast Technologies GmbH
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <ctype.h>

#include <freerdp/config.h>

#include <winpr/assert.h>
#include <winpr/path.h>

#include <freerdp/settings.h>

#include <freerdp/crypto/crypto.h>
#include <freerdp/crypto/certificate_data.h>

#include "certificate.h"
#include <freerdp/log.h>
#define TAG FREERDP_TAG("crypto.certificate_data")

struct rdp_certificate_data
{
  char* hostname;
  UINT16 port;
  rdpCertificate* cert;

  char cached_hash[MAX_PATH + 10];
  char* cached_subject;
  char* cached_issuer;
  char* cached_fingerprint;
  char* cached_pem;
  char* cached_pem_chain;
};

/* ensure our hostnames (and therefore filenames) always use the same capitalization.
 * the user might have input random case, but we always need to have a sane
 * baseline to compare against. */
static char* ensure_lowercase(char* str, size_t length)
{
  const size_t len = strnlen(str, length);
  for (size_t x = 0; x < len; x++)
    str[x] = (char)tolower(str[x]);
  return str;
}

static char* ensure_valid_charset(char* str, size_t length)
{
  const size_t len = strnlen(str, length);
  for (size_t x = 0; x < len; x++)
  {
    char cur = str[x];
    switch (cur)
    {
      case ':':
        str[x] = '.';
        break;
      case '/':
      case '\\':
        str[x] = '_';
        break;
      default:
        break;
    }
  }
  return str;
}

static const char* freerdp_certificate_data_hash_(const char* hostname, UINT16 port, char* name,
                                                  size_t length)
{
  (void)_snprintf(name, length, "%s_%" PRIu16 ".pem", hostname, port);
  return ensure_lowercase(ensure_valid_charset(name, length), length);
}

static BOOL freerdp_certificate_data_load_cache(rdpCertificateData* data)
{
  BOOL rc = FALSE;

  WINPR_ASSERT(data);

  freerdp_certificate_data_hash_(data->hostname, data->port, data->cached_hash,
                                 sizeof(data->cached_hash) - 1);
  const size_t len = strnlen(data->cached_hash, sizeof(data->cached_hash));
  if ((len == 0) || (len >= sizeof(data->cached_hash)))
    goto fail;

  data->cached_subject = freerdp_certificate_get_subject(data->cert);
  if (!data->cached_subject)
    data->cached_subject = calloc(1, 1);

  {
    size_t pemlen = 0;
    data->cached_pem = freerdp_certificate_get_pem_ex(data->cert, &pemlen, FALSE);
  }
  if (!data->cached_pem)
    goto fail;

  {
    size_t pemchainlen = 0;
    data->cached_pem_chain = freerdp_certificate_get_pem_ex(data->cert, &pemchainlen, TRUE);
    if (!data->cached_pem_chain)
      goto fail;
  }

  data->cached_fingerprint = freerdp_certificate_get_fingerprint(data->cert);
  if (!data->cached_fingerprint)
    goto fail;

  data->cached_issuer = freerdp_certificate_get_issuer(data->cert);
  if (!data->cached_issuer)
    data->cached_issuer = calloc(1, 1);

  rc = TRUE;
fail:
  return rc;
}

static rdpCertificateData* freerdp_certificate_data_new_nocopy(const char* hostname, UINT16 port,
                                                               rdpCertificate* xcert)
{
  rdpCertificateData* certdata = NULL;

  if (!hostname || !xcert)
    goto fail;
  if (strnlen(hostname, MAX_PATH) >= MAX_PATH)
  {
    WLog_ERR(TAG, "hostname exceeds length limits");
    goto fail;
  }

  certdata = (rdpCertificateData*)calloc(1, sizeof(rdpCertificateData));

  if (!certdata)
    goto fail;

  certdata->port = port;
  certdata->hostname = _strdup(hostname);
  if (!certdata->hostname)
    goto fail;
  ensure_lowercase(certdata->hostname, strlen(certdata->hostname));

  certdata->cert = xcert;
  if (!freerdp_certificate_data_load_cache(certdata))
  {
    certdata->cert = NULL;
    goto fail;
  }

  return certdata;
fail:
  freerdp_certificate_data_free(certdata);
  return NULL;
}

rdpCertificateData* freerdp_certificate_data_new(const char* hostname, UINT16 port,
                                                 const rdpCertificate* xcert)
{
  rdpCertificate* copy = freerdp_certificate_clone(xcert);
  rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, copy);
  if (!data)
    freerdp_certificate_free(copy);
  return data;
}

rdpCertificateData* freerdp_certificate_data_new_from_pem(const char* hostname, UINT16 port,
                                                          const char* pem, size_t length)
{
  if (!pem || (length == 0))
    return NULL;

  rdpCertificate* cert = freerdp_certificate_new_from_pem(pem);
  rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
  if (!data)
    freerdp_certificate_free(cert);
  return data;
}

rdpCertificateData* freerdp_certificate_data_new_from_file(const char* hostname, UINT16 port,
                                                           const char* file)
{
  if (!file)
    return NULL;

  rdpCertificate* cert = freerdp_certificate_new_from_file(file);
  rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
  if (!data)
    freerdp_certificate_free(cert);
  return data;
}

void freerdp_certificate_data_free(rdpCertificateData* data)
{
  if (data == NULL)
    return;

  free(data->hostname);
  freerdp_certificate_free(data->cert);
  free(data->cached_subject);
  free(data->cached_issuer);
  free(data->cached_fingerprint);
  free(data->cached_pem);
  free(data->cached_pem_chain);

  free(data);
}

const char* freerdp_certificate_data_get_host(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;
  return cert->hostname;
}

UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert)
{
  if (!cert)
    return 0;
  return cert->port;
}

const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert)
{
  return freerdp_certificate_data_get_pem_ex(cert, TRUE);
}

const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert, BOOL withFullChain)
{
  if (!cert)
    return NULL;
  if (withFullChain)
    return cert->cached_pem_chain;
  return cert->cached_pem;
}

const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;

  return cert->cached_subject;
}

const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;

  return cert->cached_issuer;
}
const char* freerdp_certificate_data_get_fingerprint(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;

  return cert->cached_fingerprint;
}

BOOL freerdp_certificate_data_equal(const rdpCertificateData* a, const rdpCertificateData* b)
{
  BOOL rc = FALSE;

  WINPR_ASSERT(a);
  WINPR_ASSERT(b);

  if (strcmp(a->hostname, b->hostname) != 0)
    return FALSE;
  if (a->port != b->port)
    return FALSE;

  const char* pem1 = freerdp_certificate_data_get_fingerprint(a);
  const char* pem2 = freerdp_certificate_data_get_fingerprint(b);
  if (pem1 && pem2)
    rc = strcmp(pem1, pem2) == 0;
  else
    rc = pem1 == pem2;

  return rc;
}

const char* freerdp_certificate_data_get_hash(const rdpCertificateData* cert)
{
  if (!cert)
    return NULL;

  return cert->cached_hash;
}

char* freerdp_certificate_data_hash(const char* hostname, UINT16 port)
{
  char name[MAX_PATH + 10] = { 0 };
  freerdp_certificate_data_hash_(hostname, port, name, sizeof(name));
  return strndup(name, sizeof(name));
}

Coverage Report

Created: 2026-01-09 06:43

Line	Count	Source
1		/**
2		* FreeRDP: A Remote Desktop Protocol Implementation
3		* Certificate Handling
4		*
5		* Copyright 2011 Jiten Pathy
6		* Copyright 2011-2012 Marc-Andre Moreau <marcandre.moreau@gmail.com>
7		* Copyright 2023 Armin Novak <anovak@thincast.com>
8		* Copyright 2023 Thincast Technologies GmbH
9		*
10		* Licensed under the Apache License, Version 2.0 (the "License");
11		* you may not use this file except in compliance with the License.
12		* You may obtain a copy of the License at
13		*
14		* http://www.apache.org/licenses/LICENSE-2.0
15		*
16		* Unless required by applicable law or agreed to in writing, software
17		* distributed under the License is distributed on an "AS IS" BASIS,
18		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19		* See the License for the specific language governing permissions and
20		* limitations under the License.
21		*/
22
23		#include <ctype.h>
24
25		#include <freerdp/config.h>
26
27		#include <winpr/assert.h>
28		#include <winpr/path.h>
29
30		#include <freerdp/settings.h>
31
32		#include <freerdp/crypto/crypto.h>
33		#include <freerdp/crypto/certificate_data.h>
34
35		#include "certificate.h"
36		#include <freerdp/log.h>
37		#define TAG FREERDP_TAG("crypto.certificate_data")
38
39		struct rdp_certificate_data
40		{
41		char* hostname;
42		UINT16 port;
43		rdpCertificate* cert;
44
45		char cached_hash[MAX_PATH + 10];
46		char* cached_subject;
47		char* cached_issuer;
48		char* cached_fingerprint;
49		char* cached_pem;
50		char* cached_pem_chain;
51		};
52
53		/* ensure our hostnames (and therefore filenames) always use the same capitalization.
54		* the user might have input random case, but we always need to have a sane
55		* baseline to compare against. */
56		static char* ensure_lowercase(char* str, size_t length)
57	230	{
58	230	const size_t len = strnlen(str, length);
59	3.10k	for (size_t x = 0; x < len; x++)
60	2.87k	str[x] = (char)tolower(str[x]);
61	230	return str;
62	230	}
63
64		static char* ensure_valid_charset(char* str, size_t length)
65	115	{
66	115	const size_t len = strnlen(str, length);
67	2.07k	for (size_t x = 0; x < len; x++)
68	1.95k	{
69	1.95k	char cur = str[x];
70	1.95k	switch (cur)
71	1.95k	{
72	0	case ':':
73	0	str[x] = '.';
74	0	break;
75	0	case '/':
76	0	case '\\':
77	0	str[x] = '_';
78	0	break;
79	1.95k	default:
80	1.95k	break;
81	1.95k	}
82	1.95k	}
83	115	return str;
84	115	}
85
86		static const char* freerdp_certificate_data_hash_(const char* hostname, UINT16 port, char* name,
87		size_t length)
88	115	{
89	115	(void)_snprintf(name, length, "%s_%" PRIu16 ".pem", hostname, port);
90	115	return ensure_lowercase(ensure_valid_charset(name, length), length);
91	115	}
92
93		static BOOL freerdp_certificate_data_load_cache(rdpCertificateData* data)
94	115	{
95	115	BOOL rc = FALSE;
96
97	115	WINPR_ASSERT(data);
98
99	115	freerdp_certificate_data_hash_(data->hostname, data->port, data->cached_hash,
100	115	sizeof(data->cached_hash) - 1);
101	115	const size_t len = strnlen(data->cached_hash, sizeof(data->cached_hash));
102	115	if ((len == 0) \|\| (len >= sizeof(data->cached_hash)))
103	0	goto fail;
104
105	115	data->cached_subject = freerdp_certificate_get_subject(data->cert);
106	115	if (!data->cached_subject)
107	0	data->cached_subject = calloc(1, 1);
108
109	115	{
110	115	size_t pemlen = 0;
111	115	data->cached_pem = freerdp_certificate_get_pem_ex(data->cert, &pemlen, FALSE);
112	115	}
113	115	if (!data->cached_pem)
114	3	goto fail;
115
116	112	{
117	112	size_t pemchainlen = 0;
118	112	data->cached_pem_chain = freerdp_certificate_get_pem_ex(data->cert, &pemchainlen, TRUE);
119	112	if (!data->cached_pem_chain)
120	4	goto fail;
121	112	}
122
123	108	data->cached_fingerprint = freerdp_certificate_get_fingerprint(data->cert);
124	108	if (!data->cached_fingerprint)
125	0	goto fail;
126
127	108	data->cached_issuer = freerdp_certificate_get_issuer(data->cert);
128	108	if (!data->cached_issuer)
129	89	data->cached_issuer = calloc(1, 1);
130
131	108	rc = TRUE;
132	115	fail:
133	115	return rc;
134	108	}
135
136		static rdpCertificateData* freerdp_certificate_data_new_nocopy(const char* hostname, UINT16 port,
137		rdpCertificate* xcert)
138	1.04k	{
139	1.04k	rdpCertificateData* certdata = NULL;
140
141	1.04k	if (!hostname \|\| !xcert)
142	926	goto fail;
143	115	if (strnlen(hostname, MAX_PATH) >= MAX_PATH)
144	0	{
145	0	WLog_ERR(TAG, "hostname exceeds length limits");
146	0	goto fail;
147	0	}
148
149	115	certdata = (rdpCertificateData*)calloc(1, sizeof(rdpCertificateData));
150
151	115	if (!certdata)
152	0	goto fail;
153
154	115	certdata->port = port;
155	115	certdata->hostname = _strdup(hostname);
156	115	if (!certdata->hostname)
157	0	goto fail;
158	115	ensure_lowercase(certdata->hostname, strlen(certdata->hostname));
159
160	115	certdata->cert = xcert;
161	115	if (!freerdp_certificate_data_load_cache(certdata))
162	7	{
163	7	certdata->cert = NULL;
164	7	goto fail;
165	7	}
166
167	108	return certdata;
168	933	fail:
169	933	freerdp_certificate_data_free(certdata);
170	933	return NULL;
171	115	}
172
173		rdpCertificateData* freerdp_certificate_data_new(const char* hostname, UINT16 port,
174		const rdpCertificate* xcert)
175	0	{
176	0	rdpCertificate* copy = freerdp_certificate_clone(xcert);
177	0	rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, copy);
178	0	if (!data)
179	0	freerdp_certificate_free(copy);
180	0	return data;
181	0	}
182
183		rdpCertificateData* freerdp_certificate_data_new_from_pem(const char* hostname, UINT16 port,
184		const char* pem, size_t length)
185	1.04k	{
186	1.04k	if (!pem \|\| (length == 0))
187	0	return NULL;
188
189	1.04k	rdpCertificate* cert = freerdp_certificate_new_from_pem(pem);
190	1.04k	rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
191	1.04k	if (!data)
192	933	freerdp_certificate_free(cert);
193	1.04k	return data;
194	1.04k	}
195
196		rdpCertificateData* freerdp_certificate_data_new_from_file(const char* hostname, UINT16 port,
197		const char* file)
198	0	{
199	0	if (!file)
200	0	return NULL;
201
202	0	rdpCertificate* cert = freerdp_certificate_new_from_file(file);
203	0	rdpCertificateData* data = freerdp_certificate_data_new_nocopy(hostname, port, cert);
204	0	if (!data)
205	0	freerdp_certificate_free(cert);
206	0	return data;
207	0	}
208
209		void freerdp_certificate_data_free(rdpCertificateData* data)
210	1.97k	{
211	1.97k	if (data == NULL)
212	1.85k	return;
213
214	115	free(data->hostname);
215	115	freerdp_certificate_free(data->cert);
216	115	free(data->cached_subject);
217	115	free(data->cached_issuer);
218	115	free(data->cached_fingerprint);
219	115	free(data->cached_pem);
220	115	free(data->cached_pem_chain);
221
222	115	free(data);
223	115	}
224
225		const char* freerdp_certificate_data_get_host(const rdpCertificateData* cert)
226	0	{
227	0	if (!cert)
228	0	return NULL;
229	0	return cert->hostname;
230	0	}
231
232		UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert)
233	0	{
234	0	if (!cert)
235	0	return 0;
236	0	return cert->port;
237	0	}
238
239		const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert)
240	0	{
241	0	return freerdp_certificate_data_get_pem_ex(cert, TRUE);
242	0	}
243
244		const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert, BOOL withFullChain)
245	0	{
246	0	if (!cert)
247	0	return NULL;
248	0	if (withFullChain)
249	0	return cert->cached_pem_chain;
250	0	return cert->cached_pem;
251	0	}
252
253		const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert)
254	0	{
255	0	if (!cert)
256	0	return NULL;
257
258	0	return cert->cached_subject;
259	0	}
260
261		const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert)
262	0	{
263	0	if (!cert)
264	0	return NULL;
265
266	0	return cert->cached_issuer;
267	0	}
268		const char* freerdp_certificate_data_get_fingerprint(const rdpCertificateData* cert)
269	0	{
270	0	if (!cert)
271	0	return NULL;
272
273	0	return cert->cached_fingerprint;
274	0	}
275
276		BOOL freerdp_certificate_data_equal(const rdpCertificateData* a, const rdpCertificateData* b)
277	0	{
278	0	BOOL rc = FALSE;
279
280	0	WINPR_ASSERT(a);
281	0	WINPR_ASSERT(b);
282
283	0	if (strcmp(a->hostname, b->hostname) != 0)
284	0	return FALSE;
285	0	if (a->port != b->port)
286	0	return FALSE;
287
288	0	const char* pem1 = freerdp_certificate_data_get_fingerprint(a);
289	0	const char* pem2 = freerdp_certificate_data_get_fingerprint(b);
290	0	if (pem1 && pem2)
291	0	rc = strcmp(pem1, pem2) == 0;
292	0	else
293	0	rc = pem1 == pem2;
294
295	0	return rc;
296	0	}
297
298		const char* freerdp_certificate_data_get_hash(const rdpCertificateData* cert)
299	0	{
300	0	if (!cert)
301	0	return NULL;
302
303	0	return cert->cached_hash;
304	0	}
305
306		char* freerdp_certificate_data_hash(const char* hostname, UINT16 port)
307	0	{
308	0	char name[MAX_PATH + 10] = { 0 };
309	0	freerdp_certificate_data_hash_(hostname, port, name, sizeof(name));
310	0	return strndup(name, sizeof(name));
311	0	}