abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-06-27 15:43:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update x509_cer.c

Browse Source
This commit is contained in:
Zhi Guan
2026-06-19 10:27:20 +08:00
parent f48af14b2b
commit 2a943e6d16
3 changed files with 33 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CMakeLists.txt
View File

@@ -820,7 +820,7 @@ endif()
# #
set(CPACK_PACKAGE_NAME "GmSSL") set(CPACK_PACKAGE_NAME "GmSSL")
set(CPACK_PACKAGE_VENDOR "GmSSL develop team") set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
set(CPACK_PACKAGE_VERSION "3.2.0-dev.1098") set(CPACK_PACKAGE_VERSION "3.2.0-dev.1099")
set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md) set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
set(CPACK_NSIS_MODIFY_PATH ON) set(CPACK_NSIS_MODIFY_PATH ON)
include(CPack) include(CPack)

2
include/gmssl/version.h
View File

@@ -18,7 +18,7 @@ extern "C" {
#define GMSSL_VERSION_NUM 30200 #define GMSSL_VERSION_NUM 30200
#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1098" #define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1099"
int gmssl_version_num(void); int gmssl_version_num(void);
const char *gmssl_version_str(void); const char *gmssl_version_str(void);

39
src/x509_cer.c
View File

@@ -1898,11 +1898,12 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
const uint8_t *rootcerts, size_t rootcertslen, int depth, int *verify_result) const uint8_t *rootcerts, size_t rootcertslen, int depth, int *verify_result)
{ {
int entity_cert_type; int entity_cert_type;
const uint8_t *cert_chain = certs;
size_t cert_chain_len = certslen;
const uint8_t *cert; const uint8_t *cert;
size_t certlen; size_t certlen;
const uint8_t *cacert; const uint8_t *cacert;
size_t cacertlen; size_t cacertlen;
int matched_root = 0;
int ret; int ret;
int path_len = 0; int path_len = 0;
@@ -1943,8 +1944,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
return -1; return -1;
} }
if ((path_len_constraint >= 0 && path_len > path_len_constraint) if (path_len > depth) {
|| path_len > depth) {
error_print(); error_print();
return -1; return -1;
} }
@@ -1961,37 +1961,36 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
path_len++; path_len++;
} }
// 函数提供了一组根证书,我们要从根证书中找到和被验证的证书链匹配的那个根证书 if ((ret = x509_cert_chain_find_root_ca_cert(cert_chain, cert_chain_len,
// 如果没有找到对应的根证书,那么就会出错 rootcerts, rootcertslen, &cacert, &cacertlen,
// 但是这个错误隐藏在这个函数中并不合适!这说明这个函数的接口有问题
//
while (rootcertslen) {
if (x509_cert_from_der(&cacert, &cacertlen, &rootcerts, &rootcertslen) != 1) {
error_print();
return -1;
}
if ((ret = x509_cert_is_signed_by_root_ca_cert(cert, certlen, cacert, cacertlen,
SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH)) < 0) { SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH)) < 0) {
error_print(); error_print();
return -1; return -1;
} }
if (ret == 0) { if (ret == 0) {
continue; error_print();
return -1;
} }
if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) { if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
error_print(); error_print();
return -1; return -1;
} }
if ((path_len_constraint >= 0 && path_len > path_len_constraint) if (path_len > depth) {
|| path_len > depth) {
error_print(); error_print();
return -1; return -1;
} }
matched_root = 1;
break;
}
if (!matched_root) { if (x509_certs_check_basic_constraints(cert_chain, cert_chain_len,
cacert, cacertlen) != 1) {
error_print();
return -1;
}
if ((ret = x509_certs_check_name_constraints(cert_chain, cert_chain_len,
cacert, cacertlen)) < 0) {
error_print();
return -1;
}
if (ret == 0) {
error_print(); error_print();
return -1; return -1;
} }