diff --git a/CMakeLists.txt b/CMakeLists.txt index beecf007..3a73fe44 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -841,7 +841,7 @@ endif() # set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_VENDOR "GmSSL develop team") -set(CPACK_PACKAGE_VERSION "3.2.0-dev.1122") +set(CPACK_PACKAGE_VERSION "3.2.0-dev.1123") set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_NSIS_MODIFY_PATH ON) include(CPack) diff --git a/include/gmssl/version.h b/include/gmssl/version.h index 481faff2..4f3ac4c4 100644 --- a/include/gmssl/version.h +++ b/include/gmssl/version.h @@ -18,7 +18,7 @@ extern "C" { #define GMSSL_VERSION_NUM 30200 -#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1122" +#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1123" int gmssl_version_num(void); const char *gmssl_version_str(void); diff --git a/include/gmssl/x509_ext.h b/include/gmssl/x509_ext.h index f888e6c3..32815a45 100644 --- a/include/gmssl/x509_ext.h +++ b/include/gmssl/x509_ext.h @@ -142,6 +142,8 @@ typedef enum { int x509_general_name_to_der(int choice, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen); int x509_general_name_from_der(int *choice, const uint8_t **d, size_t *dlen, const uint8_t **in, size_t *inlen); +int x509_general_name_normalized_equ(int a_choice, const uint8_t *a, size_t alen, + int b_choice, const uint8_t *b, size_t blen); int x509_general_names_get_first(const uint8_t *gns, size_t gns_len, const uint8_t **ptr, int choice, const uint8_t **d, size_t *dlen); int x509_general_names_get_next(const uint8_t *gns, size_t gns_len, const uint8_t **ptr, int choice, const uint8_t **d, size_t *dlen); int x509_general_name_print(FILE *fp, int fmt, int ind, const char *label, int choice, const uint8_t *d, size_t dlen); diff --git a/tools/certverify.c b/tools/certverify.c index db9fbe02..3dbb1fd3 100644 --- a/tools/certverify.c +++ b/tools/certverify.c @@ -1,5 +1,5 @@ /* - * Copyright 2014-2023 The GmSSL Project. All Rights Reserved. + * Copyright 2014-2026 The GmSSL Project. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the License); you may * not use this file except in compliance with the License. @@ -9,127 +9,163 @@ #include -#include #include #include -#include +#include #include -#include +#include #include -static const char *usage = - " -in pem [-double_certs]" - " [-check_crl]" - " -cacert pem" - " [-sm2_id str | -sm2_id_hex hex]" - "\n"; +enum { + TLS_cert_chain_tlcp_server = 1, + TLS_cert_chain_server, + TLS_cert_chain_client, +}; -static const char *options = +static const char *usage = + "-in pem [-tlcp_server|-server|-client] -cacert pem" + " [-crl der] [-ocsp der] [-hostname str]"; + +static const char *help = "Options\n" "\n" -" -in pem Input certificate chain file in PEM format\n" -" -double_certs The first two certificates are SM2 signing and encryption entity certificate\n" -" -check_crl If the entity certificate has CRLDistributionPoints extension, Download and check againt the CRL\n" -" -cacert pem CA certificate\n" -" -sm2_id str Signer's ID in SM2 signature algorithm\n" -" -sm2_id_hex hex Signer's ID in hex format\n" -" When `-sm2_id` or `-sm2_id_hex` is specified,\n" -" must use the same ID in other commands explicitly.\n" -" If neither `-sm2_id` nor `-sm2_id_hex` is specified,\n" -" the default string '1234567812345678' is used\n" +" -in pem Certificate chain in PEM format\n" +" -tlcp_server Verify TLCP server certificate chain, default\n" +" -server Verify TLS server certificate chain\n" +" -client Verify TLS client certificate chain\n" +" -cacert pem Trusted CA certificate(s) in PEM format\n" +" -crl der CRL in DER format\n" +" -ocsp der OCSPResponse in DER format\n" +" -hostname str Server hostname for certificate verification\n" +"\n" +"Examples\n" +"\n" +" gmssl certverify -tlcp_server -in certs.pem -cacert cacerts.pem -hostname localhost\n" "\n"; +static int cert_match_server_name_normalized(const uint8_t *cert, size_t certlen, + const char *hostname) +{ + int ret; + const uint8_t *dns_name; + size_t dns_name_len; + + if (!cert || !certlen || !hostname || !strlen(hostname)) { + error_print(); + return -1; + } + if ((ret = x509_cert_get_subject_alt_name_dns_name(cert, certlen, + &dns_name, &dns_name_len)) < 0) { + error_print(); + return -1; + } else if (ret == 0) { + return 0; + } + return x509_general_name_normalized_equ(X509_gn_dns_name, dns_name, dns_name_len, + X509_gn_dns_name, (const uint8_t *)hostname, strlen(hostname)); +} + +static const char *verify_result_name(int verify_result) +{ + switch (verify_result) { + case X509_verify_ok: + return "ok"; + case X509_verify_err_certificate: + return "certificate"; + case X509_verify_err_cert_chain: + return "cert_chain"; + case X509_verify_err_trust_anchor: + return "trust_anchor"; + case X509_verify_err_depth: + return "depth"; + case X509_verify_err_crl: + return "crl"; + case X509_verify_err_ocsp: + return "ocsp"; + case X509_verify_err_constraints: + return "constraints"; + case X509_verify_err_tls_extensions: + return "tls_extensions"; + case X509_verify_err_hostname: + return "hostname"; + } + return "unknown"; +} int certverify_main(int argc, char **argv) { int ret = 1; char *prog = argv[0]; - char *str; - char *infile = NULL; char *cacertfile = NULL; - FILE *infp = stdin; - FILE *cacertfp = NULL; - uint8_t cert[8192]; + char *crlfile = NULL; + char *ocspfile = NULL; + char *hostname = NULL; + int chain_type = TLS_cert_chain_tlcp_server; + uint8_t *certs = NULL; + size_t certslen = 0; + uint8_t *cacerts = NULL; + size_t cacertslen = 0; + uint8_t *crl = NULL; + size_t crl_len = 0; + uint8_t *ocsp = NULL; + size_t ocsp_len = 0; + int certs_type = X509_cert_chain_server; + int verify_result = X509_verify_ok; + const uint8_t *cert; size_t certlen; - uint8_t cacert[8192]; - size_t cacertlen; - char signer_id[SM2_MAX_ID_LENGTH + 1] = {0}; - size_t signer_id_len = 0; - - const uint8_t *serial; - size_t serial_len; - const uint8_t *issuer; - size_t issuer_len; - const uint8_t *subject; - size_t subject_len; - - const uint8_t *enc_serial; - size_t enc_serial_len; - const uint8_t *enc_issuer; - size_t enc_issuer_len; - const uint8_t *enc_subject; - size_t enc_subject_len; - - int double_certs = 0; - uint8_t enc_cert[8192]; - size_t enc_cert_len; int rv; - int check_crl = 0; - int crl_ret; - argc--; argv++; if (argc < 1) { - fprintf(stderr, "usage: %s %s\n", prog, usage); + fprintf(stderr, "usage: gmssl %s %s\n", prog, usage); return 1; } while (argc > 0) { if (!strcmp(*argv, "-help")) { - printf("usage: %s %s\n", prog, usage); - printf("%s\n", options); + printf("usage: gmssl %s %s\n\n", prog, usage); + printf("%s\n", help); ret = 0; goto end; } else if (!strcmp(*argv, "-in")) { if (--argc < 1) goto bad; infile = *(++argv); - if (!(infp = fopen(infile, "rb"))) { - fprintf(stderr, "%s: open '%s' failure : %s\n", prog, infile, strerror(errno)); + } else if (!strcmp(*argv, "-tlcp_server")) { + if (chain_type) { + fprintf(stderr, "%s: chain type option conflicts\n", prog); goto end; } - } else if (!strcmp(*argv, "-double_certs")) { - double_certs = 1; - } else if (!strcmp(*argv, "-check_crl")) { - check_crl = 1; + chain_type = TLS_cert_chain_tlcp_server; + } else if (!strcmp(*argv, "-server")) { + if (chain_type) { + fprintf(stderr, "%s: chain type option conflicts\n", prog); + goto end; + } + chain_type = TLS_cert_chain_server; + } else if (!strcmp(*argv, "-client")) { + if (chain_type) { + fprintf(stderr, "%s: chain type option conflicts\n", prog); + goto end; + } + chain_type = TLS_cert_chain_client; } else if (!strcmp(*argv, "-cacert")) { if (--argc < 1) goto bad; cacertfile = *(++argv); - if (!(cacertfp = fopen(cacertfile, "rb"))) { - fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno)); - goto end; - } - } else if (!strcmp(*argv, "-sm2_id")) { + } else if (!strcmp(*argv, "-crl")) { if (--argc < 1) goto bad; - str = *(++argv); - if (strlen(str) > sizeof(signer_id) - 1) { - fprintf(stderr, "%s: invalid `-sm2_id` length\n", prog); - goto end; - } - strncpy(signer_id, str, sizeof(signer_id)); - signer_id_len = strlen(str); - } else if (!strcmp(*argv, "-sm2_id_hex")) { + crlfile = *(++argv); + } else if (!strcmp(*argv, "-ocsp")) { if (--argc < 1) goto bad; - str = *(++argv); - if (strlen(str) > (sizeof(signer_id) - 1) * 2) { - fprintf(stderr, "%s: invalid `-sm2_id_hex` length\n", prog); - goto end; - } - if (hex_to_bytes(str, strlen(str), (uint8_t *)signer_id, &signer_id_len) != 1) { - fprintf(stderr, "%s: invalid `-sm2_id_hex` value\n", prog); + ocspfile = *(++argv); + } else if (!strcmp(*argv, "-hostname")) { + if (--argc < 1) goto bad; + hostname = *(++argv); + if (!strlen(hostname) || strchr(hostname, '\r') || strchr(hostname, '\n')) { + fprintf(stderr, "%s: invalid '-hostname' value\n", prog); goto end; } } else { @@ -144,7 +180,6 @@ bad: argv++; } - if (!infile) { fprintf(stderr, "%s: '-in' option required\n", prog); goto end; @@ -153,160 +188,83 @@ bad: fprintf(stderr, "%s: '-cacert' option required\n", prog); goto end; } - if (!signer_id_len) { - strcpy(signer_id, SM2_DEFAULT_ID); - signer_id_len = strlen(SM2_DEFAULT_ID); - } - - // read first to be verified certificate - if (x509_cert_from_pem(cert, &certlen, sizeof(cert), infp) != 1 - || x509_cert_get_issuer_and_serial_number(cert, certlen, - &issuer, &issuer_len, &serial, &serial_len) != 1 - || x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) { - fprintf(stderr, "%s: read certificate failure\n", prog); + if (hostname && chain_type == TLS_cert_chain_client) { + fprintf(stderr, "%s: '-hostname' only allowed with '-tlcp_server' or '-server'\n", prog); goto end; } - format_print(stdout, 0, 0, "Certificate\n"); - format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len); - x509_name_print(stdout, 0, 4, "subject", subject, subject_len); - - // read encryption cert in double certs - if (double_certs) { - if (x509_cert_from_pem(enc_cert, &enc_cert_len, sizeof(enc_cert), infp) != 1 - || x509_cert_get_issuer_and_serial_number(enc_cert, enc_cert_len, - &enc_issuer, &enc_issuer_len, &enc_serial, &enc_serial_len) != 1 - || x509_cert_get_subject(enc_cert, enc_cert_len, &enc_subject, &enc_subject_len) != 1) { - fprintf(stderr, "%s: read encryption certficate failure\n", prog); - goto end; - } - if (x509_name_equ(enc_subject, enc_subject_len, subject, subject_len) != 1 - || x509_name_equ(enc_issuer, enc_issuer_len, issuer, issuer_len) != 1) { - fprintf(stderr, "%s: double certificates not compatible\n", prog); - goto end; - } - } - - for (;;) { - if ((rv = x509_cert_from_pem(cacert, &cacertlen, sizeof(cacert), infp)) != 1) { - if (rv < 0) goto end; - goto final; - } - - if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen, - signer_id, signer_id_len)) != 1) { - fprintf(stderr, "%s: Verification failure\n", prog); - goto end; - } - format_print(stdout, 0, 4, "Verification success\n"); - - if (check_crl) { - if ((crl_ret = x509_cert_check_crl(cert, certlen, cacert, cacertlen, - signer_id, signer_id_len)) < 0) { - fprintf(stderr, "%s: Certificate has been revoked\n", prog); - goto end; - } - format_print(stdout, 0, 4, "Revocation status: %s\n", - crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate"); - } - - if (double_certs) { - if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen, - signer_id, signer_id_len)) < 0) { - fprintf(stderr, "%s: Verification failure\n", prog); - goto end; - } - format_print(stdout, 0, 0, "Certificate\n"); - format_bytes(stdout, 0, 4, "serialNumber", enc_serial, enc_serial_len); - x509_name_print(stdout, 0, 4, "subject", enc_subject, enc_subject_len); - format_print(stdout, 0, 4, "Verification success\n"); - if (check_crl) { - if ((crl_ret = x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen, - signer_id, signer_id_len)) < 0) { - fprintf(stderr, "%s: Certificate has been revoked\n", prog); - goto end; - } - format_print(stdout, 0, 4, "Revocation status: %s\n", - crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate"); - } - double_certs = 0; - - } - - // NOTE: make sure the buffer (issuer, issuer_len) not crashed - memcpy(cert, cacert, cacertlen); - certlen = cacertlen; - if (x509_cert_get_issuer_and_serial_number(cert, certlen, - &issuer, &issuer_len, &serial, &serial_len) != 1 - || x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) { - error_print(); - goto end; - } - format_print(stdout, 0, 0, "Signed by Certificate\n"); - format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len); - x509_name_print(stdout, 0, 4, "Certificate", subject, subject_len); - - check_crl = 0; // only check the entity CRL - - } - -final: - if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), issuer, issuer_len, cacertfp) != 1) { - fprintf(stderr, "%s: load CA certificate failure\n", prog); + if (x509_certs_new_from_file(&certs, &certslen, infile) != 1) { + fprintf(stderr, "%s: load '%s' failed\n", prog, infile); goto end; } - if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen, - signer_id, signer_id_len)) < 0) { - fprintf(stderr, "%s: inner error\n", prog); + if (x509_certs_new_from_file(&cacerts, &cacertslen, cacertfile) != 1) { + fprintf(stderr, "%s: load '%s' failed\n", prog, cacertfile); goto end; } - format_print(stdout, 0, 4, "Verification success\n"); - - if (check_crl) { - if ((crl_ret = x509_cert_check_crl(cert, certlen, cacert, cacertlen, - signer_id, signer_id_len)) < 0) { - fprintf(stderr, "%s: certificate has been revoked\n", prog); + if (crlfile) { + if (file_read_all(crlfile, &crl, &crl_len) != 1) { + fprintf(stderr, "%s: load '%s' failed\n", prog, crlfile); goto end; } - format_print(stdout, 0, 4, "Revocation status: %s\n", - crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate"); } - - if (double_certs) { - if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen, - signer_id, signer_id_len)) < 0) { - fprintf(stderr, "%s: inner error\n", prog); + if (ocspfile) { + if (file_read_all(ocspfile, &ocsp, &ocsp_len) != 1) { + fprintf(stderr, "%s: load '%s' failed\n", prog, ocspfile); goto end; } - format_print(stdout, 0, 0, "Certificate\n"); - format_bytes(stdout, 0, 4, "serialNumber", enc_serial, enc_serial_len); - x509_name_print(stdout, 0, 4, "subject", enc_subject, enc_subject_len); - format_print(stdout, 0, 4, "Verification success\n"); - - if (check_crl) { - if ((crl_ret = x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen, - signer_id, signer_id_len)) < 0) { - fprintf(stderr, "%s: certificate has been revoked\n", prog); - goto end; - } - format_print(stdout, 0, 4, "Revocation status: %s\n", - crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate"); - } } - if (x509_cert_get_issuer_and_serial_number(cacert, cacertlen, NULL, NULL, &serial, &serial_len) != 1 - || x509_cert_get_subject(cacert, cacertlen, &subject, &subject_len) != 1) { - fprintf(stderr, "%s: parse certificate error\n", prog); + switch (chain_type) { + case TLS_cert_chain_tlcp_server: + if (x509_certs_verify_tlcp(certs, certslen, X509_cert_chain_server, + cacerts, cacertslen, crl, crl_len, ocsp, ocsp_len, + X509_MAX_VERIFY_DEPTH, &verify_result) != 1) { + fprintf(stderr, "%s: Vcerification failure: %s\n", prog, verify_result_name(verify_result)); + goto end; + } + break; + case TLS_cert_chain_server: + if (x509_certs_verify(certs, certslen, X509_cert_chain_server, + cacerts, cacertslen, crl, crl_len, ocsp, ocsp_len, + X509_MAX_VERIFY_DEPTH, &verify_result) != 1) { + fprintf(stderr, "%s: Verification failure: %s\n", prog, verify_result_name(verify_result)); + goto end; + } + break; + case TLS_cert_chain_client: + if (x509_certs_verify(certs, certslen, X509_cert_chain_client, + cacerts, cacertslen, crl, crl_len, ocsp, ocsp_len, + X509_MAX_VERIFY_DEPTH, &verify_result) != 1) { + fprintf(stderr, "%s: Verification failure: %s\n", prog, verify_result_name(verify_result)); + goto end; + } + break; + default: + error_print(); goto end; } - format_print(stdout, 0, 0, "Signed by Certificate\n"); - format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len); - x509_name_print(stdout, 0, 4, "subject", subject, subject_len); - printf("\n"); + if (hostname) { + if (x509_certs_get_cert_by_index(certs, certslen, 0, &cert, &certlen) != 1) { + fprintf(stderr, "%s: read entity certificate failure\n", prog); + goto end; + } + if ((rv = cert_match_server_name_normalized(cert, certlen, hostname)) < 0) { + fprintf(stderr, "%s: hostname verification error\n", prog); + goto end; + } + if (rv == 0) { + fprintf(stderr, "%s: Verification failure: %s\n", prog, verify_result_name(X509_verify_err_hostname)); + goto end; + } + } + + printf("Verification success\n"); ret = 0; end: - if (infile && infp) fclose(infp); - if (cacertfp) fclose(cacertfp); + if (certs) free(certs); + if (cacerts) free(cacerts); + if (crl) free(crl); + if (ocsp) free(ocsp); return ret; }