Update CRL related code

tools/certgen.c

@@ -33,7 +33,7 @@ static const char *options =
 	" [-key_usage str]*"
 	" [-subject_dns_name str]*"
 	" [-issuer_dns_name str]*"
-	" [-ca -path_len_constraints num]"
+	" [-ca -path_len_constraint num]"
 	" [-ext_key_usage str]*"
 	" [-crl_http_uri uri] [-crl_ldap_uri uri]"
 	" [-inhibit_any_policy num]"
@@ -85,7 +85,7 @@ static char *usage =
 "    -issuer_dns_name str         Add DNS name to IssuerAltName extension\n"
 "                                 this option can be called multi-times\n"
 "    -ca                          Set cA of BasicConstaints extension\n"
-"    -path_len_constraints num    Set pathLenConstaints of BasicConstaints extension\n"
+"    -path_len_constraint num     Set pathLenConstraint of BasicConstaints extension\n"
 "    -ext_key_usage str           Set ExtKeyUsage extension\n"
 "                                 this option can be called multi-times\n"
 "                                 avaiable values:\n"
@@ -108,7 +108,7 @@ static char *usage =
 "\n"
 "    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
 "          -key rootcakey.pem -pass P@ssw0rd \\\n"
-"          -ca -path_len_constraints 6 \\\n"
+"          -ca -path_len_constraint 6 \\\n"
 "          -key_usage keyCertSign -key_usage cRLSign \\\n"
 "          -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
 "          -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -187,7 +187,7 @@ int certgen_main(int argc, char **argv)
 
 	// BasicConstraints
 	int ca = -1;
-	int path_len_constraints = -1;
+	int path_len_constraint = -1;
 
 	// ExtKeyUsageSyntax
 	int ext_key_usages[12];
@@ -316,11 +316,11 @@ int certgen_main(int argc, char **argv)
 			}
 		} else if (!strcmp(*argv, "-ca")) {
 			ca = 1;
-		} else if (!strcmp(*argv, "-path_len_constraints")) {
+		} else if (!strcmp(*argv, "-path_len_constraint")) {
 			if (--argc < 1) goto bad;
-			path_len_constraints = atoi(*(++argv));
-			if (path_len_constraints < 0) {
-				fprintf(stderr, "%s: invalid `-path_len_constraints` value\n", prog);
+			path_len_constraint = atoi(*(++argv));
+			if (path_len_constraint < 0) {
+				fprintf(stderr, "%s: invalid `-path_len_constraint` value\n", prog);
 				goto end;
 			}
 		} else if (!strcmp(*argv, "-ext_key_usage")) {
@@ -459,9 +459,9 @@ bad:
 		}
 	}
 	// no SubjectDirectoryAttributes
-	if (ca >= 0 || path_len_constraints >= 0) {
+	if (ca >= 0 || path_len_constraint >= 0) {
 		if (x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts),
-			X509_critical, ca, path_len_constraints) != 1) {
+			X509_critical, ca, path_len_constraint) != 1) {
 			fprintf(stderr, "%s: set BasicConstraints extension failure\n", prog);
 			goto end;
 		}

tools/crlverify.c

@@ -12,30 +12,45 @@
 #include <errno.h>
 #include <string.h>
 #include <stdlib.h>
+#include <gmssl/hex.h>
 #include <gmssl/file.h>
 #include <gmssl/x509.h>
 #include <gmssl/x509_crl.h>
 
 
-static const char *options = "-in file -cacert file\n";
+static const char *usage = " -in der -cacert pem [-req_sm2_id str | -req_sm2_id_hex hex]\n";
+static const char *options =
+"Options\n"
+"\n"
+"    -in pem                      Input CSR file in PEM format\n"
+"    -cacert pem                  Issuer CA certificate\n"
+"    -sm2_id str                  Authority's ID in SM2 signature algorithm\n"
+"    -sm2_id_hex hex              Authority's ID in hex format\n"
+"                                 When `-sm2_id` or `-sm2_id_hex` is specified,\n"
+"                                   must use the same ID in other commands explicitly.\n"
+"                                 If neither `-sm2_id` nor `-sm2_id_hex` is specified,\n"
+"                                   the default string '1234567812345678' is used\n"
+"\n"
+"Examples\n"
+"\n"
+"    gmssl certverify -in crl.der -cacert cacert.pem\n"
+"\n";
 
 int crlverify_main(int argc, char **argv)
 {
 	int ret = 1;
 	char *prog = argv[0];
-	char *infile = NULL;
-	char *cacertfile = NULL;
-	FILE *infp = NULL;
-	FILE *cacertfp = NULL;
-	uint8_t *in = NULL;
-	size_t inlen;
-	const uint8_t *pin;
-	const uint8_t *crl = NULL;
-	size_t crllen;
+	char *str;
+
+	uint8_t *crl = NULL;
+	size_t crl_len;
+	uint8_t *cacert = NULL;
+	size_t cacertlen;
+	char signer_id[SM2_MAX_ID_LENGTH + 1] = SM2_DEFAULT_ID;
+	size_t signer_id_len = strlen(SM2_DEFAULT_ID);
+
 	const uint8_t *subject;
 	size_t subject_len;
-	uint8_t cacert[1024];
-	size_t cacertlen;
 	int rv;
 
 	argc--;
@@ -53,23 +68,43 @@ int crlverify_main(int argc, char **argv)
 			goto end;
 		} else if (!strcmp(*argv, "-in")) {
 			if (--argc < 1) goto bad;
-			infile = *(++argv);
-			if (!(infp = fopen(infile, "rb"))) {
-				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, infile, strerror(errno));
+			str = *(++argv);
+			if (file_read_all(str, &crl, &crl_len) != 1) {
+				fprintf(stderr, "%s: read '%s' failure : %s\n", prog, str, strerror(errno));
 				goto end;
 			}
 		} else if (!strcmp(*argv, "-cacert")) {
 			if (--argc < 1) goto bad;
-			cacertfile = *(++argv);
-			if (!(cacertfp = fopen(cacertfile, "rb"))) {
-				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno));
+			str = *(++argv);
+			if (x509_cert_new_from_file(&cacert, &cacertlen, str) != 1) {
+				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, str, strerror(errno));
+				goto end;
+			}
+		} else if (!strcmp(*argv, "-sm2_id")) {
+			if (--argc < 1) goto bad;
+			str = *(++argv);
+			if (strlen(str) > sizeof(signer_id) - 1) {
+				fprintf(stderr, "%s: invalid `-sm2_id` length\n", prog);
+				goto end;
+			}
+			strncpy(signer_id, str, sizeof(signer_id));
+			signer_id_len = strlen(str);
+		} else if (!strcmp(*argv, "-sm2_id_hex")) {
+			if (--argc < 1) goto bad;
+			str = *(++argv);
+			if (strlen(str) > (sizeof(signer_id) - 1) * 2) {
+				fprintf(stderr, "%s: invalid `-sm2_id_hex` length\n", prog);
+				goto end;
+			}
+			if (hex_to_bytes(str, strlen(str), (uint8_t *)signer_id, &signer_id_len) != 1) {
+				fprintf(stderr, "%s: invalid `-sm2_id_hex` value\n", prog);
 				goto end;
 			}
 		} else {
-			fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
+			fprintf(stderr, "%s: illegal option `%s`\n", prog, *argv);
 			goto end;
 bad:
-			fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
+			fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
 			goto end;
 		}
 
@@ -77,46 +112,20 @@ bad:
 		argv++;
 	}
 
-	if (!infile) {
-		fprintf(stderr, "%s: '-in' option required\n", prog);
+	if (!crl) {
+		fprintf(stderr, "%s: `-in` option required\n", prog);
 		goto end;
 	}
-	if (!cacertfile) {
-		fprintf(stderr, "%s: '-cacert' option required\n", prog);
+	if (!cacert) {
+		fprintf(stderr, "%s: `-cacert` option required\n", prog);
 		goto end;
 	}
 
-	if (file_size(infp, &inlen) != 1) {
-		fprintf(stderr, "%s: get input length failed\n", prog);
-		goto end;
-	}
-	if (!(in = malloc(inlen))) {
-		fprintf(stderr, "%s: malloc failure\n", prog);
-		goto end;
-	}
-	if (fread(in, 1, inlen, infp) != inlen) {
-		fprintf(stderr, "%s: read file error : %s\n",  prog, strerror(errno));
-		goto end;
-	}
-	pin = in;
-	if (x509_crl_from_der(&crl, &crllen, &pin, &inlen) != 1
-		|| asn1_length_is_zero(inlen) != 1) {
-		fprintf(stderr, "%s: read CRL failure\n", prog);
-		goto end;
-	}
-	if (x509_crl_get_issuer(crl, crllen, &subject, &subject_len) != 1) {
-		fprintf(stderr, "%s: inner error\n", prog);
-		goto end;
-	}
-	if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), subject, subject_len, cacertfp) != 1) {
-		fprintf(stderr, "%s: read certificate failure\n", prog);
-		goto end;
-	}
-	if (x509_crl_validate(crl, crllen, time(NULL)) != 1) {
+	if (x509_crl_validate(crl, crl_len, time(NULL)) != 1) {
 		fprintf(stderr, "%s: invalid CRL data or format\n", prog);
 		goto end;
 	}
-	if ((rv = x509_crl_verify_by_ca_cert(crl, crllen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
+	if ((rv = x509_crl_verify_by_ca_cert(crl, crl_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
 		fprintf(stderr, "%s: verification inner error\n", prog);
 		goto end;
 	}
@@ -125,8 +134,7 @@ bad:
 	if (rv == 1) ret = 0;
 
 end:
-	if (infile && infp) fclose(infp);
-	if (cacertfp) fclose(cacertfp);
-	if (in) free(in);
+	if (crl) free(crl);
+	if (cacert) free(cacert);
 	return ret;
 }

tools/reqsign.c

@@ -33,7 +33,7 @@ static const char *options =
 	" [-key_usage str]*"
 	" [-subject_dns_name str]*"
 	" [-issuer_dns_name str]*"
-	" [-ca -path_len_constraints num]"
+	" [-ca -path_len_constraint num]"
 	" [-ext_key_usage str]*"
 	" [-crl_http_uri uri] [-crl_ldap_uri uri]"
 	" [-inhibit_any_policy num]"
@@ -43,7 +43,7 @@ static const char *options =
 static char *usage =
 "Options\n"
 "\n"
-"    -in pem                      Input CSR file in PEM format\n"
+"    -in pem | stdin              Input CSR file in PEM format\n"
 "    -req_sm2_id str              CSR Owner's ID in SM2 signature algorithm\n"
 "    -req_sm2_id_hex hex          CSR Owner's ID in hex format\n"
 "                                 When `-req_sm2_id` or `-req_sm2_id_hex` is specified,\n"
@@ -84,7 +84,7 @@ static char *usage =
 "    -issuer_dns_name str         Add DNS name to IssuerAltName extension\n"
 "                                 this option can be called multi-times\n"
 "    -ca                          Set cA of BasicConstaints extension\n"
-"    -path_len_constraints num    Set pathLenConstaints of BasicConstaints extension\n"
+"    -path_len_constraint num    Set pathLenConstaint of BasicConstaints extension\n"
 "    -ext_key_usage str           Set ExtKeyUsage extension\n"
 "                                 this option can be called multi-times\n"
 "                                 avaiable values:\n"
@@ -108,7 +108,7 @@ static char *usage =
 "    gmssl sm2keygen -pass P@ssw0rd -out rootcakey.pem\n"
 "    gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 \\\n"
 "          -key rootcakey.pem -pass P@ssw0rd \\\n"
-"          -ca -path_len_constraints 6 \\\n"
+"          -ca -path_len_constraint 6 \\\n"
 "          -key_usage keyCertSign -key_usage cRLSign \\\n"
 "          -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
 "          -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -123,7 +123,7 @@ static char *usage =
 "\n"
 "    gmssl reqsign -in careq.pem -serial_len 12 -days 365 \\\n"
 "          -cacert rootcacert.pem -key rootcakey.pem -pass P@ssw0rd \\\n"
-"          -ca -path_len_constraints 0 \\\n"
+"          -ca -path_len_constraint 0 \\\n"
 "          -key_usage keyCertSign -key_usage cRLSign \\\n"
 "          -crl_http_uri http://pku.edu.cn/ca.crl \\\n"
 "          -ca_issuers_uri http://pku.edu.cn/ca.crt -ocsp_uri http://ocsp.pku.edu.cn \\\n"
@@ -211,7 +211,7 @@ int reqsign_main(int argc, char **argv)
 
 	// BasicConstraints
 	int ca = -1;
-	int path_len_constraints = -1;
+	int path_len_constraint = -1;
 
 	// ExtKeyUsageSyntax
 	int ext_key_usages[12];
@@ -361,11 +361,11 @@ int reqsign_main(int argc, char **argv)
 			}
 		} else if (!strcmp(*argv, "-ca")) {
 			ca = 1;
-		} else if (!strcmp(*argv, "-path_len_constraints")) {
+		} else if (!strcmp(*argv, "-path_len_constraint")) {
 			if (--argc < 1) goto bad;
-			path_len_constraints = atoi(*(++argv));
-			if (path_len_constraints < 0) {
-				fprintf(stderr, "%s: invalid `-path_len_constraints` value\n", prog);
+			path_len_constraint = atoi(*(++argv));
+			if (path_len_constraint < 0) {
+				fprintf(stderr, "%s: invalid `-path_len_constraint` value\n", prog);
 				goto end;
 			}
 		} else if (!strcmp(*argv, "-ext_key_usage")) {
@@ -518,9 +518,9 @@ bad:
 		}
 	}
 	// no SubjectDirectoryAttributes
-	if (ca >= 0 || path_len_constraints >= 0) {
+	if (ca >= 0 || path_len_constraint >= 0) {
 		if (x509_exts_add_basic_constraints(exts, &extslen, sizeof(exts),
-			X509_critical, ca, path_len_constraints) != 1) {
+			X509_critical, ca, path_len_constraint) != 1) {
 			fprintf(stderr, "%s: set BasicConstraints extension failure\n", prog);
 			goto end;
 		}