abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-06 16:36:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add CRLDistributionPoints and AuthorityInformationAccess ext

Browse Source
This commit is contained in:
Zhi Guan
2023-01-17 10:29:00 +08:00
parent dc80fea1f6
commit 0c061e24ae
5 changed files with 122 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
demos/certdemo.sh
View File

@@ -2,22 +2,25 @@
gmssl sm2keygen -pass 1234 -out rootcakey.pem
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
gmssl certparse -in rootcacert.pem
gmssl sm2keygen -pass 1234 -out cakey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem \
-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
gmssl certparse -in cacert.pem
gmssl sm2keygen -pass 1234 -out signkey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem \
-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
gmssl certparse -in signcert.pem
gmssl sm2keygen -pass 1234 -out enckey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem \
-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
gmssl certparse -in enccert.pem

9
include/gmssl/x509_ext.h
View File

@@ -64,11 +64,12 @@ int x509_exts_add_policy_constraints(uint8_t *exts, size_t *extslen, size_t maxl
int require_explicit_policy, int inhibit_policy_mapping);
int x509_exts_add_basic_constraints(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, int ca, int path_len_constraint);
int x509_exts_add_ext_key_usage(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const int *key_purposes, size_t key_purposes_cnt);
int x509_exts_add_crl_distribution_points(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
int x509_exts_add_crl_distribution_points(uint8_t *exts, size_t *extslen, size_t maxlen, int critical,
const char *http_uri, size_t http_urilen, const char *ldap_uri, size_t ldap_urilen);
int x509_exts_add_inhibit_any_policy(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, int skip_certs);
int x509_exts_add_freshest_crl(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen);
int x509_exts_add_authority_info_access(uint8_t *exts, size_t *extslen, size_t maxlen, int critical,
const char *crt_uri, size_t crt_urilen, // crt_uri is the URI (http://examaple.com/subCA.crt) of DER-encoded CA cert
const char *ca_issuers_uri, size_t ca_issuers_urilen, // ca_issuers_uri is the URI (http://examaple.com/subCA.crt) of DER-encoded CA cert
const char *ocsp_uri, size_t ocsp_urilen);
int x509_exts_add_sequence(uint8_t *exts, size_t *extslen, size_t maxlen,
@@ -575,11 +576,11 @@ int x509_access_description_from_der(int *oid, const char **uri, size_t *urilen,
int x509_access_description_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
int x509_authority_info_access_to_der(
const char *crt_uri, size_t crt_urilen,
const char *ca_issuers_uri, size_t ca_issuers_urilen,
const char *ocsp_uri, size_t ocsp_urilen,
uint8_t **out, size_t *outlen);
int x509_authority_info_access_from_der(
const char **crt_uri, size_t *crt_urilen,
const char **ca_issuers_uri, size_t *ca_issuers_urilen,
const char **ocsp_uri, size_t *ocsp_urilen,
const uint8_t **in, size_t *inlen);
int x509_authority_info_access_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

83
src/x509_ext.c
View File

@@ -285,17 +285,36 @@ int x509_exts_add_ext_key_usage(uint8_t *exts, size_t *extslen, size_t maxlen,
}
int x509_exts_add_crl_distribution_points(uint8_t *exts, size_t *extslen, size_t maxlen,
int critical, const uint8_t *d, size_t dlen)
int critical, const char *http_uri, size_t http_urilen, const char *ldap_uri, size_t ldap_urilen)
{
int oid = OID_ce_crl_distribution_points;
size_t curlen = *extslen;
uint8_t val[256];
uint8_t *p = val;
size_t vlen = 0;
size_t len = 0;
// The extension SHOULD be non-critical, but this profile
// RECOMMENDS support for this extension by CAs and applications.
if (critical) {
error_print();
//return -1;
}
if (x509_distribution_points_to_der(http_uri, http_urilen, ldap_uri, ldap_urilen, NULL, &len) != 1
|| asn1_length_le(len, sizeof(val)) != 1
|| x509_distribution_points_to_der(http_uri, http_urilen, ldap_uri, ldap_urilen, &p, &vlen) != 1) {
error_print();
return -1;
}
return x509_exts_add_sequence(exts, extslen, maxlen, oid, critical, d, dlen);
exts += *extslen;
if (x509_ext_to_der(oid, critical, val, vlen, NULL, &curlen) != 1
|| asn1_length_le(curlen, maxlen) != 1
|| x509_ext_to_der(oid, critical, val, vlen, &exts, extslen) != 1) {
error_print();
return -1;
}
return 1;
}
int x509_exts_add_inhibit_any_policy(uint8_t *exts, size_t *extslen, size_t maxlen,
@@ -447,20 +466,22 @@ err:
int x509_general_name_to_der(int choice, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen)
{
int ret;
switch (choice) {
case X509_gn_rfc822_name:
case X509_gn_dns_name:
case X509_gn_uniform_resource_identifier:
case X509_gn_ip_address:
if (asn1_implicit_to_der(choice, d, dlen, out, outlen) != 1) {
error_print();
return -1;
if ((ret = asn1_implicit_to_der(choice, d, dlen, out, outlen)) != 1) {
if (ret < 0) error_print();
return ret;
}
break;
default:
error_print();
return -1;
}
return 1;
}
@@ -1783,6 +1804,10 @@ int x509_uri_as_general_names_to_der_ex(int tag, const char *uri, size_t urilen,
{
int choice = X509_gn_uniform_resource_identifier;
size_t len = 0;
if (!uri || !urilen) {
return 0;
}
if (x509_general_name_to_der(choice, (uint8_t *)uri, urilen, NULL, &len) != 1
|| asn1_sequence_header_to_der_ex(tag, len, out, outlen) != 1
|| x509_general_name_to_der(choice, (uint8_t *)uri, urilen, out, outlen) != 1) {
@@ -1795,7 +1820,8 @@ int x509_uri_as_general_names_to_der_ex(int tag, const char *uri, size_t urilen,
int x509_uri_as_distribution_point_name_to_der(const char *uri, size_t urilen,
uint8_t **out, size_t *outlen)
{
if (x509_uri_as_general_names_to_der_ex(ASN1_TAG_EXPLICIT(0), uri, urilen, out, outlen) != 1) {
int ret;
if ((ret = x509_uri_as_general_names_to_der_ex(ASN1_TAG_EXPLICIT(0), uri, urilen, out, outlen)) != 1) {
error_print();
return -1;
}
@@ -1806,6 +1832,10 @@ int x509_uri_as_explicit_distribution_point_name_to_der(int index,
const char *uri, size_t urilen, uint8_t **out, size_t *outlen)
{
size_t len = 0;
if (!uri || !urilen) {
return 0;
}
if (x509_uri_as_distribution_point_name_to_der(uri, urilen, NULL, &len) != 1
|| asn1_explicit_header_to_der(index, len, out, outlen) != 1
|| x509_uri_as_distribution_point_name_to_der(uri, urilen, out, outlen) != 1) {
@@ -1818,6 +1848,10 @@ int x509_uri_as_explicit_distribution_point_name_to_der(int index,
int x509_uri_as_distribution_point_to_der(const char *uri, size_t urilen, uint8_t **out, size_t *outlen)
{
size_t len = 0;
if (!uri || !urilen) {
return 0;
}
if (x509_uri_as_explicit_distribution_point_name_to_der(0, uri, urilen, NULL, &len) != 1
|| asn1_sequence_header_to_der(len, out, outlen) != 1
|| x509_uri_as_explicit_distribution_point_name_to_der(0, uri, urilen, out, outlen) != 1) {
@@ -1831,6 +1865,10 @@ int x509_distribution_points_to_der(const char *http_uri, size_t http_urilen,
const char *ldap_uri, size_t ldap_urilen, uint8_t **out, size_t *outlen)
{
size_t len = 0;
if ((!http_uri || !http_urilen) && (!ldap_uri || !ldap_urilen)) {
return 0;
}
if (x509_uri_as_distribution_point_to_der(http_uri, http_urilen, NULL, &len) < 0
|| x509_uri_as_distribution_point_to_der(ldap_uri, ldap_urilen, NULL, &len) < 0
|| asn1_sequence_header_to_der(len, out, outlen) != 1
@@ -1884,6 +1922,7 @@ int x509_distribution_point_name_print(FILE *fp, int fmt, int ind, const char *l
return 1;
}
// 这个如何使用?如何准备完整的数据呢?
int x509_distribution_point_to_der(
int dist_point_choice, const uint8_t *dist_point, size_t dist_point_len,
int reasons, const uint8_t *crl_issuer, size_t crl_issuer_len,
@@ -2224,14 +2263,14 @@ int x509_access_description_print(FILE *fp, int fmt, int ind, const char *label,
}
int x509_authority_info_access_to_der(
const char *crt_uri, size_t crt_urilen,
const char *ca_issuers_uri, size_t ca_issuers_urilen,
const char *ocsp_uri, size_t ocsp_urilen,
uint8_t **out, size_t *outlen)
{
size_t len = 0;
if (crt_uri && crt_urilen) {
if (x509_access_description_to_der(OID_ad_ca_issuers, crt_uri, crt_urilen, NULL, &len) != 1) {
if (ca_issuers_uri && ca_issuers_urilen) {
if (x509_access_description_to_der(OID_ad_ca_issuers, ca_issuers_uri, ca_issuers_urilen, NULL, &len) != 1) {
error_print();
return -1;
}
@@ -2250,8 +2289,8 @@ int x509_authority_info_access_to_der(
error_print();
return -1;
}
if (crt_uri && crt_urilen) {
if (x509_access_description_to_der(OID_ad_ca_issuers, crt_uri, crt_urilen, out, outlen) != 1) {
if (ca_issuers_uri && ca_issuers_urilen) {
if (x509_access_description_to_der(OID_ad_ca_issuers, ca_issuers_uri, ca_issuers_urilen, out, outlen) != 1) {
error_print();
return -1;
}
@@ -2266,7 +2305,7 @@ int x509_authority_info_access_to_der(
}
int x509_authority_info_access_from_der(
const char **crt_uri, size_t *crt_urilen,
const char **ca_issuers_uri, size_t *ca_issuers_urilen,
const char **ocsp_uri, size_t *ocsp_urilen,
const uint8_t **in, size_t *inlen)
{
@@ -2276,13 +2315,13 @@ int x509_authority_info_access_from_der(
const uint8_t *ad;
size_t adlen;
if (!crt_uri || !crt_urilen || !ocsp_uri || !ocsp_urilen || !in || !(*in) || !inlen) {
if (!ca_issuers_uri || !ca_issuers_urilen || !ocsp_uri || !ocsp_urilen || !in || !(*in) || !inlen) {
error_print();
return -1;
}
*crt_uri = NULL;
*crt_urilen = 0;
*ca_issuers_uri = NULL;
*ca_issuers_urilen = 0;
*ocsp_uri = NULL;
*ocsp_urilen = 0;
@@ -2302,12 +2341,12 @@ int x509_authority_info_access_from_der(
}
switch (oid) {
case OID_ad_ca_issuers:
if (*crt_uri) {
if (*ca_issuers_uri) {
error_print();
return -1;
}
*crt_uri = uri;
*crt_urilen = urilen;
*ca_issuers_uri = uri;
*ca_issuers_urilen = urilen;
break;
case OID_ad_ocsp:
if (*ocsp_uri) {
@@ -2344,7 +2383,7 @@ int x509_authority_info_access_print(FILE *fp, int fmt, int ind, const char *lab
}
int x509_exts_add_authority_info_access(uint8_t *exts, size_t *extslen, size_t maxlen, int critical,
const char *crt_uri, size_t crt_urilen, const char *ocsp_uri, size_t ocsp_urilen)
const char *ca_issuers_uri, size_t ca_issuers_urilen, const char *ocsp_uri, size_t ocsp_urilen)
{
int oid = OID_pe_authority_info_access;
size_t curlen = *extslen;
@@ -2358,9 +2397,9 @@ int x509_exts_add_authority_info_access(uint8_t *exts, size_t *extslen, size_t m
error_print();
return -1;
}
if (x509_authority_info_access_to_der(crt_uri, crt_urilen, ocsp_uri, ocsp_urilen, NULL, &len) != 1
if (x509_authority_info_access_to_der(ca_issuers_uri, ca_issuers_urilen, ocsp_uri, ocsp_urilen, NULL, &len) != 1
|| asn1_length_le(len, sizeof(val)) != 1
|| x509_authority_info_access_to_der(crt_uri, crt_urilen, ocsp_uri, ocsp_urilen, &p, &vlen) != 1) {
|| x509_authority_info_access_to_der(ca_issuers_uri, ca_issuers_urilen, ocsp_uri, ocsp_urilen, &p, &vlen) != 1) {
error_print();
return -1;
}

30
tools/certgen.c
View File

@@ -23,7 +23,9 @@
static const char *options =
"[-C str] [-ST str] [-L str] [-O str] [-OU str] -CN str -days num "
"-key file [-pass pass] "
"[-key_usage str]* [-ocsp uri] [-crl uri] [-out file]";
"-crl_uri uri"
"-ca_issuers_uri uri -ocsp_uri uri"
"[-key_usage str]* [-ocsp uri] [-out file]";
static int ext_key_usage_set(int *usages, const char *usage_name)
@@ -50,7 +52,9 @@ int certgen_main(int argc, char **argv)
int days = 0;
int key_usage = 0;
char *ocsp = NULL;
char *crl = NULL;
char *crl_uri = NULL;
char *ca_issuers_uri = NULL;
char *ocsp_uri = NULL;
char *keyfile = NULL;
char *pass = NULL;
char *outfile = NULL;
@@ -114,12 +118,15 @@ int certgen_main(int argc, char **argv)
fprintf(stderr, "%s: invalid -key_usage value '%s'\n", prog, usage);
goto end;
}
} else if (!strcmp(*argv, "-ocsp")) {
} else if (!strcmp(*argv, "-crl_uri")) {
if (--argc < 1) goto bad;
ocsp = *(++argv);
} else if (!strcmp(*argv, "-crl")) {
crl_uri = *(++argv);
} else if (!strcmp(*argv, "-ca_issuers_uri")) {
if (--argc < 1) goto bad;
crl = *(++argv);
ca_issuers_uri = *(++argv);
} else if (!strcmp(*argv, "-ocsp_uri")) {
if (--argc < 1) goto bad;
ocsp_uri = *(++argv);
} else if (!strcmp(*argv, "-key")) {
if (--argc < 1) goto bad;
keyfile = *(++argv);
@@ -181,9 +188,16 @@ bad:
fprintf(stderr, "%s: inner error\n", prog);
goto end;
}
if (ocsp) {
if (crl_uri) {
if (x509_exts_add_crl_distribution_points(exts, &extslen, sizeof(exts), 0,
crl_uri, strlen(crl_uri), NULL, 0) != 1) {
error_print();
return -1;
}
}
if (ca_issuers_uri || ocsp_uri) {
if (x509_exts_add_authority_info_access(exts, &extslen, sizeof(exts), 0,
ocsp, strlen(ocsp), crl, strlen(crl)) != 1) {
ca_issuers_uri, strlen(ca_issuers_uri), ocsp_uri, strlen(ocsp_uri)) != 1) {
fprintf(stderr, "%s: error\n", prog);
goto end;
}

30
tools/reqsign.c
View File

@@ -20,7 +20,8 @@
static const char *options = "[-in pem] -days num -cacert pem -key pem [-pass str] [-out pem] "
"-key_usage oid -path_len_constraint num -crl_url url\n";
"-key_usage oid -path_len_constraint num -crl_uri uri "
"-ca_issuers_uri uri -ocsp_uri uri\n";
static int ext_key_usage_set(int *usages, const char *usage_name)
{
@@ -38,6 +39,9 @@ int reqsign_main(int argc, char **argv)
char *prog = argv[0];
char *infile = NULL;
int days = 0;
char *crl_uri = NULL;
char *ca_issuers_uri = NULL;
char *ocsp_uri = NULL;
char *cacertfile = NULL;
char *keyfile = NULL;
char *pass = NULL;
@@ -110,9 +114,15 @@ int reqsign_main(int argc, char **argv)
fprintf(stderr, "%s: invalid value for '-path_len_constraint'\n", prog);
goto end;
}
} else if (!strcmp(*argv, "-crl_url")) {
} else if (!strcmp(*argv, "-crl_uri")) {
if (--argc < 1) goto bad;
//crl_url = *(++argv);
crl_uri = *(++argv);
} else if (!strcmp(*argv, "-ca_issuers_uri")) {
if (--argc < 1) goto bad;
ca_issuers_uri = *(++argv);
} else if (!strcmp(*argv, "-ocsp_uri")) {
if (--argc < 1) goto bad;
ocsp_uri = *(++argv);
} else if (!strcmp(*argv, "-cacert")) {
if (--argc < 1) goto bad;
cacertfile = *(++argv);
@@ -212,6 +222,20 @@ bad:
fprintf(stderr, "%s: inner error\n", prog);
goto end;
}
if (crl_uri) {
if (x509_exts_add_crl_distribution_points(exts, &extslen, sizeof(exts), 0,
crl_uri, strlen(crl_uri), NULL, 0) != 1) {
fprintf(stderr, "%s: process -crl_uri error\n", prog);
return -1;
}
}
if (ca_issuers_uri || ocsp_uri) {
if (x509_exts_add_authority_info_access(exts, &extslen, sizeof(exts), 0,
ca_issuers_uri, strlen(ca_issuers_uri), ocsp_uri, strlen(ocsp_uri)) != 1) {
fprintf(stderr, "%s: process -ca_issuers_uri -ocsp_uri error\n", prog);
goto end;
}
}
if (x509_validity_add_days(&not_after, not_before, days) != 1
|| x509_cert_sign(