Update certverify tool

See `demos/scripts/certverify.sh`
2026-05-06 16:36:16 +08:00 · 2023-02-07 23:34:53 +08:00
parent c0a0622c13
commit 46f0be87dc
3 changed files with 263 additions and 40 deletions
--- a/tools/certverify.c
+++ b/tools/certverify.c
@@ -12,6 +12,7 @@
 #include <errno.h>
 #include <string.h>
 #include <stdlib.h>
+#include <gmssl/hex.h>
 #include <gmssl/x509.h>
 #include <gmssl/x509_crl.h>
 #include <gmssl/error.h>
@@ -21,6 +22,7 @@ static const char *usage =
 	" -in pem [-double_certs]"
 	" [-check_crl]"
 	" -cacert pem"
+	" [-sm2_id str | -sm2_id_hex hex]"
 	"\n";

 static const char *options =
@@ -30,6 +32,12 @@ static const char *options =
 "    -double_certs       The first two certificates are SM2 signing and encryption entity certificate\n"
 "    -check_crl          If the entity certificate has CRLDistributionPoints extension, Download and check againt the CRL\n"
 "    -cacert pem         CA certificate\n"
+"    -sm2_id str         Signer's ID in SM2 signature algorithm\n"
+"    -sm2_id_hex hex     Signer's ID in hex format\n"
+"                        When `-sm2_id` or `-sm2_id_hex` is specified,\n"
+"                          must use the same ID in other commands explicitly.\n"
+"                        If neither `-sm2_id` nor `-sm2_id_hex` is specified,\n"
+"                          the default string '1234567812345678' is used\n"
 "\n";


@@ -37,6 +45,8 @@ int certverify_main(int argc, char **argv)
 {
 	int ret = 1;
 	char *prog = argv[0];
+	char *str;
+
 	char *infile = NULL;
 	char *cacertfile = NULL;
 	FILE *infp = stdin;
@@ -45,10 +55,22 @@ int certverify_main(int argc, char **argv)
 	size_t certlen;
 	uint8_t cacert[1024];
 	size_t cacertlen;
+	char signer_id[SM2_MAX_ID_LENGTH + 1] = {0};
+	size_t signer_id_len = 0;
+
+	const uint8_t *serial;
+	size_t serial_len;
+	const uint8_t *issuer;
+	size_t issuer_len;
 	const uint8_t *subject;
 	size_t subject_len;
-	const uint8_t *subj;
-	size_t subj_len;
+
+	const uint8_t *enc_serial;
+	size_t enc_serial_len;
+	const uint8_t *enc_issuer;
+	size_t enc_issuer_len;
+	const uint8_t *enc_subject;
+	size_t enc_subject_len;

 	int double_certs = 0;
 	uint8_t enc_cert[1024];
@@ -56,6 +78,7 @@ int certverify_main(int argc, char **argv)
 	int rv;

 	int check_crl = 0;
+	int crl_ret;

 	argc--;
 	argv++;
@@ -89,6 +112,26 @@ int certverify_main(int argc, char **argv)
 				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno));
 				goto end;
 			}
+		} else if (!strcmp(*argv, "-sm2_id")) {
+			if (--argc < 1) goto bad;
+			str = *(++argv);
+			if (strlen(str) > sizeof(signer_id) - 1) {
+				fprintf(stderr, "%s: invalid `-sm2_id` length\n", prog);
+				goto end;
+			}
+			strncpy(signer_id, str, sizeof(signer_id));
+			signer_id_len = strlen(str);
+		} else if (!strcmp(*argv, "-sm2_id_hex")) {
+			if (--argc < 1) goto bad;
+			str = *(++argv);
+			if (strlen(str) > (sizeof(signer_id) - 1) * 2) {
+				fprintf(stderr, "%s: invalid `-sm2_id_hex` length\n", prog);
+				goto end;
+			}
+			if (hex_to_bytes(str, strlen(str), (uint8_t *)signer_id, &signer_id_len) != 1) {
+				fprintf(stderr, "%s: invalid `-sm2_id_hex` value\n", prog);
+				goto end;
+			}
 		} else {
 			fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
 			goto end;
@@ -110,24 +153,34 @@ bad:
 		fprintf(stderr, "%s: '-cacert' option required\n", prog);
 		goto end;
 	}
+	if (!signer_id_len) {
+		strcpy(signer_id, SM2_DEFAULT_ID);
+		signer_id_len = strlen(SM2_DEFAULT_ID);
+	}

+	// read first to be verified certificate
 	if (x509_cert_from_pem(cert, &certlen, sizeof(cert), infp) != 1
+		|| x509_cert_get_issuer_and_serial_number(cert, certlen,
+			&issuer, &issuer_len, &serial, &serial_len) != 1
 		|| x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) {
 		fprintf(stderr, "%s: read certificate failure\n", prog);
 		goto end;
 	}
-	x509_name_print(stdout, 0, 0, "Certificate", subject, subject_len);
+	format_print(stdout, 0, 0, "Certificate\n");
+	format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
+	x509_name_print(stdout, 0, 4, "subject", subject, subject_len);

+	// read encryption cert in double certs
 	if (double_certs) {
-
 		if (x509_cert_from_pem(enc_cert, &enc_cert_len, sizeof(enc_cert), infp) != 1
-			|| x509_cert_get_subject(enc_cert, enc_cert_len, &subj, &subj_len) != 1) {
+			|| x509_cert_get_issuer_and_serial_number(enc_cert, enc_cert_len,
+				&enc_issuer, &enc_issuer_len, &enc_serial, &enc_serial_len) != 1
+			|| x509_cert_get_subject(enc_cert, enc_cert_len, &enc_subject, &enc_subject_len) != 1) {
 			fprintf(stderr, "%s: read encryption certficate failure\n", prog);
 			goto end;
 		}
-
-		if (subj_len != subject_len
-			|| memcmp(subject, subj, subj_len) != 0) {
+		if (x509_name_equ(enc_subject, enc_subject_len, subject, subject_len) != 1
+			|| x509_name_equ(enc_issuer, enc_issuer_len, issuer, issuer_len) != 1) {
 			fprintf(stderr, "%s: double certificates not compatible\n", prog);
 			goto end;
 		}
@@ -138,73 +191,117 @@ bad:
 			if (rv < 0) goto end;
 			goto final;
 		}
-		if (x509_cert_get_subject(cacert, cacertlen, &subject, &subject_len) != 1) {
-			goto end;
-		}

-		if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
-			fprintf(stderr, "%s: inner error\n", prog);
+		if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen,
+			signer_id, signer_id_len)) != 1) {
+			fprintf(stderr, "%s: Verification failure\n", prog);
 			goto end;
 		}
-		printf("Verification %s\n", rv ? "success" : "failure");
+		format_print(stdout, 0, 4, "Verification success\n");

 		if (check_crl) {
-			if (x509_cert_check_crl(cert, certlen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID)) < 0) {
-				fprintf(stderr, "%s: certificate has been revoked\n", prog);
+			if ((crl_ret = x509_cert_check_crl(cert, certlen, cacert, cacertlen,
+				signer_id, signer_id_len)) < 0) {
+				fprintf(stderr, "%s: Certificate has been revoked\n", prog);
 				goto end;
 			}
+			format_print(stdout, 0, 4, "Revocation status: %s\n",
+				crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
 		}
-		if (double_certs) {
-			x509_name_print(stdout, 0, 0, "Certificate", subj, subj_len);

-			if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
-				fprintf(stderr, "%s: inner error\n", prog);
+		if (double_certs) {
+			if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen,
+				signer_id, signer_id_len)) < 0) {
+				fprintf(stderr, "%s: Verification failure\n", prog);
 				goto end;
 			}
-			printf("Verification %s\n", rv ? "success" : "failure");
-			double_certs = 0;
-
+			format_print(stdout, 0, 0, "Certificate\n");
+			format_bytes(stdout, 0, 4, "serialNumber", enc_serial, enc_serial_len);
+			x509_name_print(stdout, 0, 4, "subject", enc_subject, enc_subject_len);
+			format_print(stdout, 0, 4, "Verification success\n");
 			if (check_crl) {
-				if (x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID)) < 0) {
-					fprintf(stderr, "%s: certificate has been revoked\n", prog);
+				if ((crl_ret = x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen,
+					signer_id, signer_id_len)) < 0) {
+					fprintf(stderr, "%s: Certificate has been revoked\n", prog);
 					goto end;
 				}
+				format_print(stdout, 0, 4, "Revocation status: %s\n",
+					crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
 			}
+			double_certs = 0;

 		}
-		format_print(stdout, 0, 0, "Signed by\n");
-		x509_name_print(stdout, 0, 0, "Certificate", subject, subject_len);
+
+		// NOTE: make sure the buffer (issuer, issuer_len) not crashed
+		memcpy(cert, cacert, cacertlen);
+		certlen = cacertlen;
+		if (x509_cert_get_issuer_and_serial_number(cert, certlen,
+				&issuer, &issuer_len, &serial, &serial_len) != 1
+			|| x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) {
+			error_print();
+			goto end;
+		}
+		format_print(stdout, 0, 0, "Signed by Certificate\n");
+		format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
+		x509_name_print(stdout, 0, 4, "Certificate", subject, subject_len);

 		check_crl = 0; // only check the entity CRL

-		memcpy(cert, cacert, cacertlen);
-		certlen = cacertlen;
 	}

 final:
-	if (x509_cert_get_issuer(cert, certlen, &subject, &subject_len) != 1) {
-		fprintf(stderr, "%s: parse certificate error\n", prog);
-		goto end;
-	}
-	if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), subject, subject_len, cacertfp) != 1) {
+	if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), issuer, issuer_len, cacertfp) != 1) {
 		fprintf(stderr, "%s: load CA certificate failure\n", prog);
 		goto end;
 	}
-	if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
+	if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen,
+		signer_id, signer_id_len)) < 0) {
 		fprintf(stderr, "%s: inner error\n", prog);
 		goto end;
 	}
-	printf("Verification %s\n", rv ? "success" : "failure");
-	format_print(stdout, 0, 0, "Signed by\n");
-	x509_name_print(stdout, 0, 0, "Certificate", subject, subject_len);
+	format_print(stdout, 0, 4, "Verification success\n");
+
+	if (check_crl) {
+		if ((crl_ret = x509_cert_check_crl(cert, certlen, cacert, cacertlen,
+			signer_id, signer_id_len)) < 0) {
+			fprintf(stderr, "%s: certificate has been revoked\n", prog);
+			goto end;
+		}
+		format_print(stdout, 0, 4, "Revocation status: %s\n",
+			crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
+	}

 	if (double_certs) {
-		if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) {
+		if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen,
+			signer_id, signer_id_len)) < 0) {
 			fprintf(stderr, "%s: inner error\n", prog);
 			goto end;
 		}
-		printf("Verification %s\n", rv ? "success" : "failure");
+		format_print(stdout, 0, 0, "Certificate\n");
+		format_bytes(stdout, 0, 4, "serialNumber", enc_serial, enc_serial_len);
+		x509_name_print(stdout, 0, 4, "subject", enc_subject, enc_subject_len);
+		format_print(stdout, 0, 4, "Verification success\n");
+
+		if (check_crl) {
+			if ((crl_ret = x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen,
+				signer_id, signer_id_len)) < 0) {
+				fprintf(stderr, "%s: certificate has been revoked\n", prog);
+				goto end;
+			}
+			format_print(stdout, 0, 4, "Revocation status: %s\n",
+				crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
+		}
 	}
+
+	if (x509_cert_get_issuer_and_serial_number(cacert, cacertlen, NULL, NULL, &serial, &serial_len) != 1
+		|| x509_cert_get_subject(cacert, cacertlen, &subject, &subject_len) != 1) {
+		fprintf(stderr, "%s: parse certificate error\n", prog);
+		goto end;
+	}
+	format_print(stdout, 0, 0, "Signed by Certificate\n");
+	format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
+	x509_name_print(stdout, 0, 4, "subject", subject, subject_len);
+
 	printf("\n");

 	ret = 0;