Update CRL related code
@@ -1669,7 +1669,7 @@ int x509_certs_get_cert_by_issuer_and_serial_number(
|
||||
// 这里面需要validate的类型是两种,一种直接得到了实际值,因此可以直接对实际值做验证
|
||||
// 另一种是SEQUENCE OF类型,本质上是完整的a,alen,因此这种类型实际上可以用from_der来解析
|
||||
int x509_cert_validate(const uint8_t *cert, size_t certlen, int cert_type,
|
||||
int *path_len_constraints)
|
||||
int *path_len_constraint)
|
||||
{
|
||||
int version;
|
||||
time_t now;
|
||||
@@ -1740,7 +1740,7 @@ int x509_cert_validate(const uint8_t *cert, size_t certlen, int cert_type,
|
||||
//return -1;
|
||||
}
|
||||
|
||||
if (x509_exts_validate(exts, extslen, cert_type, path_len_constraints) != 1) {
|
||||
if (x509_exts_validate(exts, extslen, cert_type, path_len_constraint) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -1765,7 +1765,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
|
||||
size_t namelen;
|
||||
|
||||
int path_len = 0;
|
||||
int path_len_constraints;
|
||||
int path_len_constraint;
|
||||
|
||||
switch (certs_type) {
|
||||
case X509_cert_chain_server:
|
||||
@@ -1784,7 +1784,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (x509_cert_validate(cert, certlen, entity_cert_type, &path_len_constraints) != 1) {
|
||||
if (x509_cert_validate(cert, certlen, entity_cert_type, &path_len_constraint) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -1795,18 +1795,18 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (x509_cert_validate(cert, certlen, X509_cert_ca, &path_len_constraints) != 1) {
|
||||
if (x509_cert_validate(cert, certlen, X509_cert_ca, &path_len_constraint) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (path_len == 0) {
|
||||
if (path_len_constraints != 0) {
|
||||
if (path_len_constraint != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
if ((path_len_constraints >= 0 && path_len > path_len_constraints)
|
||||
if ((path_len_constraint >= 0 && path_len > path_len_constraint)
|
||||
|| path_len > depth) {
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -1833,11 +1833,11 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
|
||||
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if ((path_len_constraints >= 0 && path_len > path_len_constraints)
|
||||
if ((path_len_constraint >= 0 && path_len > path_len_constraint)
|
||||
|| path_len > depth) {
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -1866,7 +1866,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
|
||||
size_t namelen;
|
||||
|
||||
int path_len = 0;
|
||||
int path_len_constraints;
|
||||
int path_len_constraint;
|
||||
|
||||
switch (certs_type) {
|
||||
case X509_cert_chain_server:
|
||||
@@ -1886,7 +1886,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (x509_cert_validate(cert, certlen, sign_cert_type, &path_len_constraints) != 1) {
|
||||
if (x509_cert_validate(cert, certlen, sign_cert_type, &path_len_constraint) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -1896,7 +1896,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (x509_cert_validate(kenc_cert, kenc_certlen, kenc_cert_type, &path_len_constraints) != 1) {
|
||||
if (x509_cert_validate(kenc_cert, kenc_certlen, kenc_cert_type, &path_len_constraint) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -1907,13 +1907,13 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
|
||||
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (path_len == 0) {
|
||||
if (path_len_constraints != 0) {
|
||||
if (path_len_constraint != 0) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
@@ -1925,7 +1925,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
if ((path_len_constraints >= 0 && path_len > path_len_constraints)
|
||||
if ((path_len_constraint >= 0 && path_len > path_len_constraint)
|
||||
|| path_len > depth) {
|
||||
error_print();
|
||||
return -1;
|
||||
@@ -1951,11 +1951,11 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraints) != 1) {
|
||||
if (x509_cert_validate(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
if ((path_len_constraints >= 0 && path_len > path_len_constraints)
|
||||
if ((path_len_constraint >= 0 && path_len > path_len_constraint)
|
||||
|| path_len > depth) {
|
||||
error_print();
|
||||
return -1;
|
||||
|
||||
@@ -529,7 +529,7 @@ int x509_revoked_cert_from_der(
|
||||
}
|
||||
if (asn1_integer_from_der(serial, serial_len, &d, &dlen) != 1
|
||||
|| x509_time_from_der(revoke_date, &d, &dlen) != 1
|
||||
|| asn1_sequence_from_der(crl_entry_exts, crl_entry_exts_len, &d, &dlen) != 1
|
||||
|| asn1_sequence_from_der(crl_entry_exts, crl_entry_exts_len, &d, &dlen) < 0
|
||||
|| asn1_length_is_zero(dlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
|
||||
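Review bot: Relaxing the crlEntryExtensions parse from `!= 1` to `< 0` makes that element optional, but the outputs are only safe to read afterwards if `asn1_sequence_from_der` itself resets `*crl_entry_exts` and `*crl_entry_exts_len` on a 0 (absent) return; if it leaves them untouched, a caller that checks `crl_entry_exts_len` before printing or validating the entry extensions would read whatever those variables held before the call. Setting `*crl_entry_exts = NULL; *crl_entry_exts_len = 0;` ahead of the parse chain makes the function's contract explicit regardless of the helper's behaviour. The rationale for the asymmetry is also worth recording at the call site, e.g. `// crlEntryExtensions is Extensions OPTIONAL (RFC 5280 section 5.1.2.6); serial and revocationDate stay mandatory`, since the neighbouring `!= 1` checks otherwise look inconsistent. The trailing `asn1_length_is_zero(dlen)` check still rejects trailing bytes, so the relaxation does not open the entry to unparsed data. x509_revoked_cert_from_der starts before and ends after this hunk.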
@@ -1532,16 +1532,16 @@ int x509_basic_constraints_validate(int ca, int path_len_cons, int cert_type)
|
||||
/*
|
||||
entity_cert:
|
||||
ca = -1 or 0
|
||||
path_len_constraints = -1
|
||||
path_len_constraint = -1
|
||||
first_ca_cert:
|
||||
ca = 1
|
||||
path_len_constraints = 0
|
||||
path_len_constraint = 0
|
||||
middle_ca_cert:
|
||||
ca = 1
|
||||
path_len_constraints = -1 or > 0
|
||||
path_len_constraint = -1 or > 0
|
||||
root_ca_cert:
|
||||
ca = 1
|
||||
path_len_constraints = -1 or > 0 (=0 might be ok?)
|
||||
path_len_constraint = -1 or > 0 (=0 might be ok?)
|
||||
*/
|
||||
if (cert_type == X509_cert_ca) {
|
||||
if (ca != 1) {
|
||||
@@ -2307,7 +2307,7 @@ int x509_netscape_cert_type_print(FILE *fp, int fmt, int ind, const char *label,
|
||||
}
|
||||
|
||||
int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
|
||||
int *path_len_constraints)
|
||||
int *path_len_constraint)
|
||||
{
|
||||
int oid;
|
||||
uint32_t nodes[32];
|
||||
@@ -2322,7 +2322,7 @@ int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
|
||||
int ext_key_usages[X509_MAX_KEY_PURPOSES];
|
||||
size_t ext_key_usages_cnt;
|
||||
|
||||
*path_len_constraints = -1;
|
||||
*path_len_constraint = -1;
|
||||
|
||||
while (extslen) {
|
||||
if (x509_ext_from_der(&oid, nodes, &nodes_cnt, &critical, &val, &vlen, &exts, &extslen) != 1) {
|
||||
@@ -2434,7 +2434,7 @@ int x509_exts_validate(const uint8_t *exts, size_t extslen, int cert_type,
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
*path_len_constraints = path_len;
|
||||
*path_len_constraint = path_len;
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||