abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-06 16:36:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update CRL related code

Browse Source
This commit is contained in:
Zhi Guan
2023-02-01 11:03:33 +08:00
parent 8397280779
commit 1fbdfeee59
9 changed files with 118 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -2,6 +2,7 @@
# generated file
/build*
/demos/*.pem
/demos/.private
# Object files
*.o

15
demos/certdemo.sh
View File

@@ -5,29 +5,28 @@ gmssl sm2keygen -pass 1234 -out rootcakey.pem
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \
-key rootcakey.pem -pass 1234 \
-out rootcacert.pem \
-ca -path_len_constraints 6 \
-ca -path_len_constraint 6 \
-key_usage keyCertSign -key_usage cRLSign \
-crl_http_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
gmssl certparse -in rootcacert.pem
gmssl sm2keygen -pass 1234 -out cakey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.pem
gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem \
-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
-crl_http_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
gmssl certparse -in cacert.pem
gmssl sm2keygen -pass 1234 -out signkey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem
gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem \
-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
-crl_http_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
gmssl certparse -in signcert.pem
gmssl sm2keygen -pass 1234 -out enckey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem
gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem \
-crl_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
-crl_http_uri http://pku.edu.cn/ca.crl -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn
gmssl certparse -in enccert.pem

BIN
demos/certs/SubCA-1.crl Normal file
View File

Binary file not shown.

34
src/x509_cer.c
View File

@@ -1669,7 +1669,7 @@ int x509_certs_get_cert_by_issuer_and_serial_number(
// 这里面需要validate的类型是两种一种直接得到了实际值因此可以直接对实际值做验证
// 另一种是SEQUENCE OF类型本质上是完整的a,alen因此这种类型实际上可以用from_der来解析
int x509_cert_validate(const uint8_t *cert, size_t certlen, int cert_type,
int *path_len_constraints)
int *path_len_constraint)
{
int version;
time_t now;
@@ -1740,7 +1740,7 @@ int x509_cert_validate(const uint8_t *cert, size_t certlen, int cert_type,
//return -1;
}
if (x509_exts_validate(exts, extslen, cert_type, path_len_constraints) != 1) {
if (x509_exts_validate(exts, extslen, cert_type, path_len_constraint) != 1) {
error_print();
return -1;
}
@@ -1765,7 +1765,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
size_t namelen;
int path_len = 0;
int path_len_constraints;
int path_len_constraint;
switch (certs_type) {
case X509_cert_chain_server:
@@ -1784,7 +1784,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
error_print();
return -1;
}
if (x509_cert_validate(cert, certlen, entity_cert_type, &path_len_constraints) != 1) {
if (x509_cert_validate(cert, certlen, entity_cert_type, &path_len_constraint) != 1) {
error_print();
return -1;
}
@@ -1795,18 +1795,18 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
error_print();
return -1;
}
if (x509_cert_validate(cert, certlen, X509_cert_ca, &path_len_constraints) != 1) {
if (x509_cert_validate(cert, certlen, X509_cert_ca, &path_len_constraint) != 1) {
error_print();
return -1;
}
if (path_len == 0) {
if (path_len_constraints != 0) {
if (path_len_constraint != 0) {
error_print();
return -1;
}
}
if ((path_len_constraints >= 0 && path_len > path_len_constraints)
if ((path_len_constraint >= 0 && path_len > path_len_constraint)
|| path_len > depth) {
error_print();
return -1;
@@ -1833,11 +1833,11 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
return -1;
}
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
error_print();
return -1;
}
if ((path_len_constraints >= 0 && path_len > path_len_constraints)
if ((path_len_constraint >= 0 && path_len > path_len_constraint)
|| path_len > depth) {
error_print();
return -1;
@@ -1866,7 +1866,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
size_t namelen;
int path_len = 0;
int path_len_constraints;
int path_len_constraint;
switch (certs_type) {
case X509_cert_chain_server:
@@ -1886,7 +1886,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
error_print();
return -1;
}
if (x509_cert_validate(cert, certlen, sign_cert_type, &path_len_constraints) != 1) {
if (x509_cert_validate(cert, certlen, sign_cert_type, &path_len_constraint) != 1) {
error_print();
return -1;
}
@@ -1896,7 +1896,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
error_print();
return -1;
}
if (x509_cert_validate(kenc_cert, kenc_certlen, kenc_cert_type, &path_len_constraints) != 1) {
if (x509_cert_validate(kenc_cert, kenc_certlen, kenc_cert_type, &path_len_constraint) != 1) {
error_print();
return -1;
}
@@ -1907,13 +1907,13 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
error_print();
return -1;
}
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
error_print();
return -1;
}
if (path_len == 0) {
if (path_len_constraints != 0) {
if (path_len_constraint != 0) {
error_print();
return -1;
}
@@ -1925,7 +1925,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
return -1;
}
}
if ((path_len_constraints >= 0 && path_len > path_len_constraints)
if ((path_len_constraint >= 0 && path_len > path_len_constraint)
|| path_len > depth) {
error_print();
return -1;
@@ -1951,11 +1951,11 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
error_print();
return -1;
}
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
error_print();
return -1;
}
if ((path_len_constraints >= 0 && path_len > path_len_constraints)
if ((path_len_constraint >= 0 && path_len > path_len_constraint)
|| path_len > depth) {
error_print();
return -1;

2
src/x509_crl.c
View File

@@ -529,7 +529,7 @@ int x509_revoked_cert_from_der(
}
if (asn1_integer_from_der(serial, serial_len, &d, &dlen) != 1
|| x509_time_from_der(revoke_date, &d, &dlen) != 1
|| asn1_sequence_from_der(crl_entry_exts, crl_entry_exts_len, &d, &dlen) != 1
|| asn1_sequence_from_der(crl_entry_exts, crl_entry_exts_len, &d, &dlen) < 0
|| asn1_length_is_zero(dlen) != 1) {
error_print();
return -1;

14
src/x509_ext.c
View File

@@ -1532,16 +1532,16 @@ int x509_basic_constraints_validate(int ca, int path_len_cons, int cert_type)
/*
entity_cert:
ca = -1 or 0
path_len_constraints = -1
path_len_constraint = -1
first_ca_cert:
ca = 1
path_len_constraints = 0
path_len_constraint = 0
middle_ca_cert:
ca = 1
path_len_constraints = -1 or > 0
path_len_constraint = -1 or > 0
root_ca_cert:
ca = 1
path_len_constraints = -1 or > 0 (=0 might be ok?)
path_len_constraint = -1 or > 0 (=0 might be ok?)
*/
if (cert_type == X509_cert_ca) {
if (ca != 1) {
@@ -2307,7 +2307,7 @@ int x509_netscape_cert_type_print(FILE *fp, int fmt, int ind, const char *label,
}
int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
int *path_len_constraints)
int *path_len_constraint)
{
int oid;
uint32_t nodes[32];
@@ -2322,7 +2322,7 @@ int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
int ext_key_usages[X509_MAX_KEY_PURPOSES];
size_t ext_key_usages_cnt;
*path_len_constraints = -1;
*path_len_constraint = -1;
while (extslen) {
if (x509_ext_from_der(&oid, nodes, &nodes_cnt, &critical, &val, &vlen, &exts, &extslen) != 1) {
@@ -2434,7 +2434,7 @@ int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
error_print();
return -1;
}
*path_len_constraints = path_len;
*path_len_constraint = path_len;
break;
}

20
tools/certgen.c
View File

@@ -33,7 +33,7 @@ static const char *options =
" [-key_usage str]*"
" [-subject_dns_name str]*"
" [-issuer_dns_name str]*"
" [-ca -path_len_constraints num]"
" [-ca -path_len_constraint num]"
" [-ext_key_usage str]*"
" [-crl_http_uri uri] [-crl_ldap_uri uri]"
" [-inhibit_any_policy num]"
@@ -85,7 +85,7 @@ static char *usage =
" -issuer_dns_name str Add DNS name to IssuerAltName extension\n"
" this option can be called multi-times\n"
" -ca Set cA of BasicConstaints extension\n"
" -path_len_constraints num Set pathLenConstaints of BasicConstaints extension\n"
" -path_len_constraint num Set pathLenConstraint of BasicConstaints extension\n"
" -ext_key_usage str Set ExtKeyUsage extension\n"
" this option can be called multi-times\n"
" avaiable values:\n"
@@ -108,7 +108,7 @@ static char *usage =
"\n"
" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
" -key rootcakey.pem -pass P@ssw0rd \\\n"
" -ca -path_len_constraints 6 \\\n"
" -ca -path_len_constraint 6 \\\n"
" -key_usage keyCertSign -key_usage cRLSign \\\n"
" -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
" -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -187,7 +187,7 @@ int certgen_main(int argc, char **argv)
// BasicConstraints
int ca = -1;
int path_len_constraints = -1;
int path_len_constraint = -1;
// ExtKeyUsageSyntax
int ext_key_usages[12];
@@ -316,11 +316,11 @@ int certgen_main(int argc, char **argv)
}
} else if (!strcmp(*argv, "-ca")) {
ca = 1;
} else if (!strcmp(*argv, "-path_len_constraints")) {
} else if (!strcmp(*argv, "-path_len_constraint")) {
if (--argc < 1) goto bad;
path_len_constraints = atoi(*(++argv));
if (path_len_constraints < 0) {
fprintf(stderr, "%s: invalid `-path_len_constraints` value\n", prog);
path_len_constraint = atoi(*(++argv));
if (path_len_constraint < 0) {
fprintf(stderr, "%s: invalid `-path_len_constraint` value\n", prog);
goto end;
}
} else if (!strcmp(*argv, "-ext_key_usage")) {
@@ -459,9 +459,9 @@ bad:
}
}
// no SubjectDirectoryAttributes
if (ca >= 0 || path_len_constraints >= 0) {
if (ca >= 0 || path_len_constraint >= 0) {
if (x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts),
X509_critical, ca, path_len_constraints) != 1) {
X509_critical, ca, path_len_constraint) != 1) {
fprintf(stderr, "%s: set BasicConstraints extension failure\n", prog);
goto end;
}

118
tools/crlverify.c
View File

@@ -12,30 +12,45 @@
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/hex.h>
#include <gmssl/file.h>
#include <gmssl/x509.h>
#include <gmssl/x509_crl.h>
static const char *options = "-in file -cacert file\n";
static const char *usage = " -in der -cacert pem [-req_sm2_id str | -req_sm2_id_hex hex]\n";
static const char *options =
"Options\n"
"\n"
" -in pem Input CSR file in PEM format\n"
" -cacert pem Issuer CA certificate\n"
" -sm2_id str Authority's ID in SM2 signature algorithm\n"
" -sm2_id_hex hex Authority's ID in hex format\n"
" When `-sm2_id` or `-sm2_id_hex` is specified,\n"
" must use the same ID in other commands explicitly.\n"
" If neither `-sm2_id` nor `-sm2_id_hex` is specified,\n"
" the default string '1234567812345678' is used\n"
"\n"
"Examples\n"
"\n"
" gmssl certverify -in crl.der -cacert cacert.pem\n"
"\n";
int crlverify_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *infile = NULL;
char *cacertfile = NULL;
FILE *infp = NULL;
FILE *cacertfp = NULL;
uint8_t *in = NULL;
size_t inlen;
const uint8_t *pin;
const uint8_t *crl = NULL;
size_t crllen;
char *str;
uint8_t *crl = NULL;
size_t crl_len;
uint8_t *cacert = NULL;
size_t cacertlen;
char signer_id[SM2_MAX_ID_LENGTH + 1] = SM2_DEFAULT_ID;
size_t signer_id_len = strlen(SM2_DEFAULT_ID);
const uint8_t *subject;
size_t subject_len;
uint8_t cacert[1024];
size_t cacertlen;
int rv;
argc--;
@@ -53,23 +68,43 @@ int crlverify_main(int argc, char **argv)
goto end;
} else if (!strcmp(*argv, "-in")) {
if (--argc < 1) goto bad;
infile = *(++argv);
if (!(infp = fopen(infile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, infile, strerror(errno));
str = *(++argv);
if (file_read_all(str, &crl, &crl_len) != 1) {
fprintf(stderr, "%s: read '%s' failure : %s\n", prog, str, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-cacert")) {
if (--argc < 1) goto bad;
cacertfile = *(++argv);
if (!(cacertfp = fopen(cacertfile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno));
str = *(++argv);
if (x509_cert_new_from_file(&cacert, &cacertlen, str) != 1) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, str, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-sm2_id")) {
if (--argc < 1) goto bad;
str = *(++argv);
if (strlen(str) > sizeof(signer_id) - 1) {
fprintf(stderr, "%s: invalid `-sm2_id` length\n", prog);
goto end;
}
strncpy(signer_id, str, sizeof(signer_id));
signer_id_len = strlen(str);
} else if (!strcmp(*argv, "-sm2_id_hex")) {
if (--argc < 1) goto bad;
str = *(++argv);
if (strlen(str) > (sizeof(signer_id) - 1) * 2) {
fprintf(stderr, "%s: invalid `-sm2_id_hex` length\n", prog);
goto end;
}
if (hex_to_bytes(str, strlen(str), (uint8_t *)signer_id, &signer_id_len) != 1) {
fprintf(stderr, "%s: invalid `-sm2_id_hex` value\n", prog);
goto end;
}
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
fprintf(stderr, "%s: illegal option `%s`\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
goto end;
}
@@ -77,46 +112,20 @@ bad:
argv++;
}
if (!infile) {
fprintf(stderr, "%s: '-in' option required\n", prog);
if (!crl) {
fprintf(stderr, "%s: `-in` option required\n", prog);
goto end;
}
if (!cacertfile) {
fprintf(stderr, "%s: '-cacert' option required\n", prog);
if (!cacert) {
fprintf(stderr, "%s: `-cacert` option required\n", prog);
goto end;
}
if (file_size(infp, &inlen) != 1) {
fprintf(stderr, "%s: get input length failed\n", prog);
goto end;
}
if (!(in = malloc(inlen))) {
fprintf(stderr, "%s: malloc failure\n", prog);
goto end;
}
if (fread(in, 1, inlen, infp) != inlen) {
fprintf(stderr, "%s: read file error : %s\n", prog, strerror(errno));
goto end;
}
pin = in;
if (x509_crl_from_der(&crl, &crllen, &pin, &inlen) != 1
|| asn1_length_is_zero(inlen) != 1) {
fprintf(stderr, "%s: read CRL failure\n", prog);
goto end;
}
if (x509_crl_get_issuer(crl, crllen, &subject, &subject_len) != 1) {
fprintf(stderr, "%s: inner error\n", prog);
goto end;
}
if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), subject, subject_len, cacertfp) != 1) {
fprintf(stderr, "%s: read certificate failure\n", prog);
goto end;
}
if (x509_crl_validate(crl, crllen, time(NULL)) != 1) {
if (x509_crl_validate(crl, crl_len, time(NULL)) != 1) {
fprintf(stderr, "%s: invalid CRL data or format\n", prog);
goto end;
}
if ((rv = x509_crl_verify_by_ca_cert(crl, crllen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
if ((rv = x509_crl_verify_by_ca_cert(crl, crl_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
fprintf(stderr, "%s: verification inner error\n", prog);
goto end;
}
@@ -125,8 +134,7 @@ bad:
if (rv == 1) ret = 0;
end:
if (infile && infp) fclose(infp);
if (cacertfp) fclose(cacertfp);
if (in) free(in);
if (crl) free(crl);
if (cacert) free(cacert);
return ret;
}

24
tools/reqsign.c
View File

@@ -33,7 +33,7 @@ static const char *options =
" [-key_usage str]*"
" [-subject_dns_name str]*"
" [-issuer_dns_name str]*"
" [-ca -path_len_constraints num]"
" [-ca -path_len_constraint num]"
" [-ext_key_usage str]*"
" [-crl_http_uri uri] [-crl_ldap_uri uri]"
" [-inhibit_any_policy num]"
@@ -43,7 +43,7 @@ static const char *options =
static char *usage =
"Options\n"
"\n"
" -in pem Input CSR file in PEM format\n"
" -in pem | stdin Input CSR file in PEM format\n"
" -req_sm2_id str CSR Owner's ID in SM2 signature algorithm\n"
" -req_sm2_id_hex hex CSR Owner's ID in hex format\n"
" When `-req_sm2_id` or `-req_sm2_id_hex` is specified,\n"
@@ -84,7 +84,7 @@ static char *usage =
" -issuer_dns_name str Add DNS name to IssuerAltName extension\n"
" this option can be called multi-times\n"
" -ca Set cA of BasicConstaints extension\n"
" -path_len_constraints num Set pathLenConstaints of BasicConstaints extension\n"
" -path_len_constraint num Set pathLenConstaint of BasicConstaints extension\n"
" -ext_key_usage str Set ExtKeyUsage extension\n"
" this option can be called multi-times\n"
" avaiable values:\n"
@@ -108,7 +108,7 @@ static char *usage =
" gmssl sm2keygen -pass P@ssw0rd -out rootcakey.pem\n"
" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
" -key rootcakey.pem -pass P@ssw0rd \\\n"
" -ca -path_len_constraints 6 \\\n"
" -ca -path_len_constraint 6 \\\n"
" -key_usage keyCertSign -key_usage cRLSign \\\n"
" -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
" -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -123,7 +123,7 @@ static char *usage =
"\n"
" gmssl reqsign -in careq.pem -serial_len 12 -days 365 \\\n"
" -cacert rootcacert.pem -key rootcakey.pem -pass P@ssw0rd \\\n"
" -ca -path_len_constraints 0 \\\n"
" -ca -path_len_constraint 0 \\\n"
" -key_usage keyCertSign -key_usage cRLSign \\\n"
" -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
" -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -211,7 +211,7 @@ int reqsign_main(int argc, char **argv)
// BasicConstraints
int ca = -1;
int path_len_constraints = -1;
int path_len_constraint = -1;
// ExtKeyUsageSyntax
int ext_key_usages[12];
@@ -361,11 +361,11 @@ int reqsign_main(int argc, char **argv)
}
} else if (!strcmp(*argv, "-ca")) {
ca = 1;
} else if (!strcmp(*argv, "-path_len_constraints")) {
} else if (!strcmp(*argv, "-path_len_constraint")) {
if (--argc < 1) goto bad;
path_len_constraints = atoi(*(++argv));
if (path_len_constraints < 0) {
fprintf(stderr, "%s: invalid `-path_len_constraints` value\n", prog);
path_len_constraint = atoi(*(++argv));
if (path_len_constraint < 0) {
fprintf(stderr, "%s: invalid `-path_len_constraint` value\n", prog);
goto end;
}
} else if (!strcmp(*argv, "-ext_key_usage")) {
@@ -518,9 +518,9 @@ bad:
}
}
// no SubjectDirectoryAttributes
if (ca >= 0 || path_len_constraints >= 0) {
if (ca >= 0 || path_len_constraint >= 0) {
if (x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts),
X509_critical, ca, path_len_constraints) != 1) {
X509_critical, ca, path_len_constraint) != 1) {
fprintf(stderr, "%s: set BasicConstraints extension failure\n", prog);
goto end;
}