diff --git a/demos/certdemo.sh b/demos/certdemo.sh index 2c8337b3..f8320be6 100755 --- a/demos/certdemo.sh +++ b/demos/certdemo.sh @@ -2,22 +2,25 @@ gmssl sm2keygen -pass 1234 -out rootcakey.pem -gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign +gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn gmssl certparse -in rootcacert.pem gmssl sm2keygen -pass 1234 -out cakey.pem gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem -gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem +gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem \ + -crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn gmssl certparse -in cacert.pem gmssl sm2keygen -pass 1234 -out signkey.pem gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem -gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem +gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem \ + -crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn gmssl certparse -in signcert.pem gmssl sm2keygen -pass 1234 -out enckey.pem gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem -gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem +gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem \ + -crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn gmssl certparse -in enccert.pem diff --git a/include/gmssl/x509_ext.h b/include/gmssl/x509_ext.h index 144b47b9..db8a4c27 100644 --- a/include/gmssl/x509_ext.h +++ b/include/gmssl/x509_ext.h @@ -64,11 +64,12 @@ int x509_exts_add_policy_constraints(uint8_t *exts, size_t *extslen, size_t maxl int require_explicit_policy, int inhibit_policy_mapping); int x509_exts_add_basic_constraints(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, int ca, int path_len_constraint); int x509_exts_add_ext_key_usage(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const int *key_purposes, size_t key_purposes_cnt); -int x509_exts_add_crl_distribution_points(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen); +int x509_exts_add_crl_distribution_points(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, + const char *http_uri, size_t http_urilen, const char *ldap_uri, size_t ldap_urilen); int x509_exts_add_inhibit_any_policy(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, int skip_certs); int x509_exts_add_freshest_crl(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, const uint8_t *d, size_t dlen); int x509_exts_add_authority_info_access(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, - const char *crt_uri, size_t crt_urilen, // crt_uri is the URI (http://examaple.com/subCA.crt) of DER-encoded CA cert + const char *ca_issuers_uri, size_t ca_issuers_urilen, // ca_issuers_uri is the URI (http://examaple.com/subCA.crt) of DER-encoded CA cert const char *ocsp_uri, size_t ocsp_urilen); int x509_exts_add_sequence(uint8_t *exts, size_t *extslen, size_t maxlen, @@ -575,11 +576,11 @@ int x509_access_description_from_der(int *oid, const char **uri, size_t *urilen, int x509_access_description_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); int x509_authority_info_access_to_der( - const char *crt_uri, size_t crt_urilen, + const char *ca_issuers_uri, size_t ca_issuers_urilen, const char *ocsp_uri, size_t ocsp_urilen, uint8_t **out, size_t *outlen); int x509_authority_info_access_from_der( - const char **crt_uri, size_t *crt_urilen, + const char **ca_issuers_uri, size_t *ca_issuers_urilen, const char **ocsp_uri, size_t *ocsp_urilen, const uint8_t **in, size_t *inlen); int x509_authority_info_access_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); diff --git a/src/x509_ext.c b/src/x509_ext.c index 61dfeee4..17b1d1dc 100644 --- a/src/x509_ext.c +++ b/src/x509_ext.c @@ -285,17 +285,36 @@ int x509_exts_add_ext_key_usage(uint8_t *exts, size_t *extslen, size_t maxlen, } int x509_exts_add_crl_distribution_points(uint8_t *exts, size_t *extslen, size_t maxlen, - int critical, const uint8_t *d, size_t dlen) + int critical, const char *http_uri, size_t http_urilen, const char *ldap_uri, size_t ldap_urilen) { int oid = OID_ce_crl_distribution_points; + size_t curlen = *extslen; + uint8_t val[256]; + uint8_t *p = val; + size_t vlen = 0; + size_t len = 0; // The extension SHOULD be non-critical, but this profile // RECOMMENDS support for this extension by CAs and applications. if (critical) { + error_print(); + //return -1; + } + + if (x509_distribution_points_to_der(http_uri, http_urilen, ldap_uri, ldap_urilen, NULL, &len) != 1 + || asn1_length_le(len, sizeof(val)) != 1 + || x509_distribution_points_to_der(http_uri, http_urilen, ldap_uri, ldap_urilen, &p, &vlen) != 1) { error_print(); return -1; } - return x509_exts_add_sequence(exts, extslen, maxlen, oid, critical, d, dlen); + exts += *extslen; + if (x509_ext_to_der(oid, critical, val, vlen, NULL, &curlen) != 1 + || asn1_length_le(curlen, maxlen) != 1 + || x509_ext_to_der(oid, critical, val, vlen, &exts, extslen) != 1) { + error_print(); + return -1; + } + return 1; } int x509_exts_add_inhibit_any_policy(uint8_t *exts, size_t *extslen, size_t maxlen, @@ -447,20 +466,22 @@ err: int x509_general_name_to_der(int choice, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen) { + int ret; + switch (choice) { case X509_gn_rfc822_name: case X509_gn_dns_name: case X509_gn_uniform_resource_identifier: case X509_gn_ip_address: - if (asn1_implicit_to_der(choice, d, dlen, out, outlen) != 1) { - error_print(); - return -1; + if ((ret = asn1_implicit_to_der(choice, d, dlen, out, outlen)) != 1) { + if (ret < 0) error_print(); + return ret; } + break; default: error_print(); return -1; } - return 1; } @@ -1783,6 +1804,10 @@ int x509_uri_as_general_names_to_der_ex(int tag, const char *uri, size_t urilen, { int choice = X509_gn_uniform_resource_identifier; size_t len = 0; + + if (!uri || !urilen) { + return 0; + } if (x509_general_name_to_der(choice, (uint8_t *)uri, urilen, NULL, &len) != 1 || asn1_sequence_header_to_der_ex(tag, len, out, outlen) != 1 || x509_general_name_to_der(choice, (uint8_t *)uri, urilen, out, outlen) != 1) { @@ -1795,7 +1820,8 @@ int x509_uri_as_general_names_to_der_ex(int tag, const char *uri, size_t urilen, int x509_uri_as_distribution_point_name_to_der(const char *uri, size_t urilen, uint8_t **out, size_t *outlen) { - if (x509_uri_as_general_names_to_der_ex(ASN1_TAG_EXPLICIT(0), uri, urilen, out, outlen) != 1) { + int ret; + if ((ret = x509_uri_as_general_names_to_der_ex(ASN1_TAG_EXPLICIT(0), uri, urilen, out, outlen)) != 1) { error_print(); return -1; } @@ -1806,6 +1832,10 @@ int x509_uri_as_explicit_distribution_point_name_to_der(int index, const char *uri, size_t urilen, uint8_t **out, size_t *outlen) { size_t len = 0; + + if (!uri || !urilen) { + return 0; + } if (x509_uri_as_distribution_point_name_to_der(uri, urilen, NULL, &len) != 1 || asn1_explicit_header_to_der(index, len, out, outlen) != 1 || x509_uri_as_distribution_point_name_to_der(uri, urilen, out, outlen) != 1) { @@ -1818,6 +1848,10 @@ int x509_uri_as_explicit_distribution_point_name_to_der(int index, int x509_uri_as_distribution_point_to_der(const char *uri, size_t urilen, uint8_t **out, size_t *outlen) { size_t len = 0; + + if (!uri || !urilen) { + return 0; + } if (x509_uri_as_explicit_distribution_point_name_to_der(0, uri, urilen, NULL, &len) != 1 || asn1_sequence_header_to_der(len, out, outlen) != 1 || x509_uri_as_explicit_distribution_point_name_to_der(0, uri, urilen, out, outlen) != 1) { @@ -1831,6 +1865,10 @@ int x509_distribution_points_to_der(const char *http_uri, size_t http_urilen, const char *ldap_uri, size_t ldap_urilen, uint8_t **out, size_t *outlen) { size_t len = 0; + + if ((!http_uri || !http_urilen) && (!ldap_uri || !ldap_urilen)) { + return 0; + } if (x509_uri_as_distribution_point_to_der(http_uri, http_urilen, NULL, &len) < 0 || x509_uri_as_distribution_point_to_der(ldap_uri, ldap_urilen, NULL, &len) < 0 || asn1_sequence_header_to_der(len, out, outlen) != 1 @@ -1884,6 +1922,7 @@ int x509_distribution_point_name_print(FILE *fp, int fmt, int ind, const char *l return 1; } +// 这个如何使用?如何准备完整的数据呢? int x509_distribution_point_to_der( int dist_point_choice, const uint8_t *dist_point, size_t dist_point_len, int reasons, const uint8_t *crl_issuer, size_t crl_issuer_len, @@ -2224,14 +2263,14 @@ int x509_access_description_print(FILE *fp, int fmt, int ind, const char *label, } int x509_authority_info_access_to_der( - const char *crt_uri, size_t crt_urilen, + const char *ca_issuers_uri, size_t ca_issuers_urilen, const char *ocsp_uri, size_t ocsp_urilen, uint8_t **out, size_t *outlen) { size_t len = 0; - if (crt_uri && crt_urilen) { - if (x509_access_description_to_der(OID_ad_ca_issuers, crt_uri, crt_urilen, NULL, &len) != 1) { + if (ca_issuers_uri && ca_issuers_urilen) { + if (x509_access_description_to_der(OID_ad_ca_issuers, ca_issuers_uri, ca_issuers_urilen, NULL, &len) != 1) { error_print(); return -1; } @@ -2250,8 +2289,8 @@ int x509_authority_info_access_to_der( error_print(); return -1; } - if (crt_uri && crt_urilen) { - if (x509_access_description_to_der(OID_ad_ca_issuers, crt_uri, crt_urilen, out, outlen) != 1) { + if (ca_issuers_uri && ca_issuers_urilen) { + if (x509_access_description_to_der(OID_ad_ca_issuers, ca_issuers_uri, ca_issuers_urilen, out, outlen) != 1) { error_print(); return -1; } @@ -2266,7 +2305,7 @@ int x509_authority_info_access_to_der( } int x509_authority_info_access_from_der( - const char **crt_uri, size_t *crt_urilen, + const char **ca_issuers_uri, size_t *ca_issuers_urilen, const char **ocsp_uri, size_t *ocsp_urilen, const uint8_t **in, size_t *inlen) { @@ -2276,13 +2315,13 @@ int x509_authority_info_access_from_der( const uint8_t *ad; size_t adlen; - if (!crt_uri || !crt_urilen || !ocsp_uri || !ocsp_urilen || !in || !(*in) || !inlen) { + if (!ca_issuers_uri || !ca_issuers_urilen || !ocsp_uri || !ocsp_urilen || !in || !(*in) || !inlen) { error_print(); return -1; } - *crt_uri = NULL; - *crt_urilen = 0; + *ca_issuers_uri = NULL; + *ca_issuers_urilen = 0; *ocsp_uri = NULL; *ocsp_urilen = 0; @@ -2302,12 +2341,12 @@ int x509_authority_info_access_from_der( } switch (oid) { case OID_ad_ca_issuers: - if (*crt_uri) { + if (*ca_issuers_uri) { error_print(); return -1; } - *crt_uri = uri; - *crt_urilen = urilen; + *ca_issuers_uri = uri; + *ca_issuers_urilen = urilen; break; case OID_ad_ocsp: if (*ocsp_uri) { @@ -2344,7 +2383,7 @@ int x509_authority_info_access_print(FILE *fp, int fmt, int ind, const char *lab } int x509_exts_add_authority_info_access(uint8_t *exts, size_t *extslen, size_t maxlen, int critical, - const char *crt_uri, size_t crt_urilen, const char *ocsp_uri, size_t ocsp_urilen) + const char *ca_issuers_uri, size_t ca_issuers_urilen, const char *ocsp_uri, size_t ocsp_urilen) { int oid = OID_pe_authority_info_access; size_t curlen = *extslen; @@ -2358,9 +2397,9 @@ int x509_exts_add_authority_info_access(uint8_t *exts, size_t *extslen, size_t m error_print(); return -1; } - if (x509_authority_info_access_to_der(crt_uri, crt_urilen, ocsp_uri, ocsp_urilen, NULL, &len) != 1 + if (x509_authority_info_access_to_der(ca_issuers_uri, ca_issuers_urilen, ocsp_uri, ocsp_urilen, NULL, &len) != 1 || asn1_length_le(len, sizeof(val)) != 1 - || x509_authority_info_access_to_der(crt_uri, crt_urilen, ocsp_uri, ocsp_urilen, &p, &vlen) != 1) { + || x509_authority_info_access_to_der(ca_issuers_uri, ca_issuers_urilen, ocsp_uri, ocsp_urilen, &p, &vlen) != 1) { error_print(); return -1; } diff --git a/tools/certgen.c b/tools/certgen.c index 71bde5a6..c77f5844 100644 --- a/tools/certgen.c +++ b/tools/certgen.c @@ -23,7 +23,9 @@ static const char *options = "[-C str] [-ST str] [-L str] [-O str] [-OU str] -CN str -days num " "-key file [-pass pass] " - "[-key_usage str]* [-ocsp uri] [-crl uri] [-out file]"; + "-crl_uri uri" + "-ca_issuers_uri uri -ocsp_uri uri" + "[-key_usage str]* [-ocsp uri] [-out file]"; static int ext_key_usage_set(int *usages, const char *usage_name) @@ -50,7 +52,9 @@ int certgen_main(int argc, char **argv) int days = 0; int key_usage = 0; char *ocsp = NULL; - char *crl = NULL; + char *crl_uri = NULL; + char *ca_issuers_uri = NULL; + char *ocsp_uri = NULL; char *keyfile = NULL; char *pass = NULL; char *outfile = NULL; @@ -114,12 +118,15 @@ int certgen_main(int argc, char **argv) fprintf(stderr, "%s: invalid -key_usage value '%s'\n", prog, usage); goto end; } - } else if (!strcmp(*argv, "-ocsp")) { + } else if (!strcmp(*argv, "-crl_uri")) { if (--argc < 1) goto bad; - ocsp = *(++argv); - } else if (!strcmp(*argv, "-crl")) { + crl_uri = *(++argv); + } else if (!strcmp(*argv, "-ca_issuers_uri")) { if (--argc < 1) goto bad; - crl = *(++argv); + ca_issuers_uri = *(++argv); + } else if (!strcmp(*argv, "-ocsp_uri")) { + if (--argc < 1) goto bad; + ocsp_uri = *(++argv); } else if (!strcmp(*argv, "-key")) { if (--argc < 1) goto bad; keyfile = *(++argv); @@ -181,9 +188,16 @@ bad: fprintf(stderr, "%s: inner error\n", prog); goto end; } - if (ocsp) { + if (crl_uri) { + if (x509_exts_add_crl_distribution_points(exts, &extslen, sizeof(exts), 0, + crl_uri, strlen(crl_uri), NULL, 0) != 1) { + error_print(); + return -1; + } + } + if (ca_issuers_uri || ocsp_uri) { if (x509_exts_add_authority_info_access(exts, &extslen, sizeof(exts), 0, - ocsp, strlen(ocsp), crl, strlen(crl)) != 1) { + ca_issuers_uri, strlen(ca_issuers_uri), ocsp_uri, strlen(ocsp_uri)) != 1) { fprintf(stderr, "%s: error\n", prog); goto end; } diff --git a/tools/reqsign.c b/tools/reqsign.c index 793f372f..85be598d 100644 --- a/tools/reqsign.c +++ b/tools/reqsign.c @@ -20,7 +20,8 @@ static const char *options = "[-in pem] -days num -cacert pem -key pem [-pass str] [-out pem] " - "-key_usage oid -path_len_constraint num -crl_url url\n"; + "-key_usage oid -path_len_constraint num -crl_uri uri " + "-ca_issuers_uri uri -ocsp_uri uri\n"; static int ext_key_usage_set(int *usages, const char *usage_name) { @@ -38,6 +39,9 @@ int reqsign_main(int argc, char **argv) char *prog = argv[0]; char *infile = NULL; int days = 0; + char *crl_uri = NULL; + char *ca_issuers_uri = NULL; + char *ocsp_uri = NULL; char *cacertfile = NULL; char *keyfile = NULL; char *pass = NULL; @@ -110,9 +114,15 @@ int reqsign_main(int argc, char **argv) fprintf(stderr, "%s: invalid value for '-path_len_constraint'\n", prog); goto end; } - } else if (!strcmp(*argv, "-crl_url")) { + } else if (!strcmp(*argv, "-crl_uri")) { if (--argc < 1) goto bad; - //crl_url = *(++argv); + crl_uri = *(++argv); + } else if (!strcmp(*argv, "-ca_issuers_uri")) { + if (--argc < 1) goto bad; + ca_issuers_uri = *(++argv); + } else if (!strcmp(*argv, "-ocsp_uri")) { + if (--argc < 1) goto bad; + ocsp_uri = *(++argv); } else if (!strcmp(*argv, "-cacert")) { if (--argc < 1) goto bad; cacertfile = *(++argv); @@ -212,6 +222,20 @@ bad: fprintf(stderr, "%s: inner error\n", prog); goto end; } + if (crl_uri) { + if (x509_exts_add_crl_distribution_points(exts, &extslen, sizeof(exts), 0, + crl_uri, strlen(crl_uri), NULL, 0) != 1) { + fprintf(stderr, "%s: process -crl_uri error\n", prog); + return -1; + } + } + if (ca_issuers_uri || ocsp_uri) { + if (x509_exts_add_authority_info_access(exts, &extslen, sizeof(exts), 0, + ca_issuers_uri, strlen(ca_issuers_uri), ocsp_uri, strlen(ocsp_uri)) != 1) { + fprintf(stderr, "%s: process -ca_issuers_uri -ocsp_uri error\n", prog); + goto end; + } + } if (x509_validity_add_days(¬_after, not_before, days) != 1 || x509_cert_sign(