abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-06 16:36:16 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update certverify tool

Browse Source 
See `demos/scripts/certverify.sh`
This commit is contained in:
Zhi Guan
2023-02-07 23:34:53 +08:00
parent c0a0622c13
commit 46f0be87dc
3 changed files with 263 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -3,6 +3,11 @@
/build* /build*
/demos/*.pem /demos/*.pem
/demos/.private /demos/.private
/demos/scripts/*.pem
/demos/scripts/*.der
/demos/scripts/*.txt
/demos/scripts/*.bin
/demos/scripts/*.sig
# Object files # Object files
*.o *.o

121
demos/scripts/certverify.sh Executable file
View File

@@ -0,0 +1,121 @@
#!/bin/bash
signcert=ebssec.boc.cn-sign.pem
enccert=ebssec.boc.cn-enc.pem
crl=CFCA_SM2_OCA1.crl
cacert=CFCA_SM2_OCA1.pem
rootcacert=CFCA_CS_SM2_CA.pem
cat << EOF > $signcert
-----BEGIN CERTIFICATE-----
MIICzzCCAnKgAwIBAgIFEzY5M3AwDAYIKoEcz1UBg3UFADAlMQswCQYDVQQGEwJD
TjEWMBQGA1UECgwNQ0ZDQSBTTTIgT0NBMTAeFw0yMTA2MTEwOTA1MjBaFw0yNjA2
MTkwODE2NTZaMIGRMQswCQYDVQQGEwJDTjEPMA0GA1UECAwG5YyX5LqsMQ8wDQYD
VQQHDAbljJfkuqwxJzAlBgNVBAoMHuS4reWbvemTtuihjOiCoeS7veaciemZkOWF
rOWPuDERMA8GA1UECwwITG9jYWwgUkExDDAKBgNVBAsMA1NTTDEWMBQGA1UEAwwN
ZWJzc2VjLmJvYy5jbjBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABPsNUnoZQM9C
SnvC57TbvdfyOTCuPOSlZmPAyxBKFj+Y1QH/xlubHdVf5XqHrO1jCDRi7aN5IKGX
QF1492c803OjggEeMIIBGjAfBgNVHSMEGDAWgBRck1ggWiRzVhAbZFAQ7OmnygdB
ETAMBgNVHRMBAf8EAjAAMEgGA1UdIARBMD8wPQYIYIEchu8qAQEwMTAvBggrBgEF
BQcCARYjaHR0cDovL3d3dy5jZmNhLmNvbS5jbi91cy91cy0xNC5odG0wNwYDVR0f
BDAwLjAsoCqgKIYmaHR0cDovL2NybC5jZmNhLmNvbS5jbi9TTTIvY3JsNTYxOC5j
cmwwGAYDVR0RBBEwD4INZWJzc2VjLmJvYy5jbjAOBgNVHQ8BAf8EBAMCBsAwHQYD
VR0OBBYEFJ6oFo/OrKgDhHFORpaq04kX7T1KMB0GA1UdJQQWMBQGCCsGAQUFBwMC
BggrBgEFBQcDATAMBggqgRzPVQGDdQUAA0kAMEYCIQCvhSvbv5h6ERl1YcCLg+fz
9UleQbaPfBYwUjUD2dAHVQIhAMRC4k9S/mSC0UpUvCqh/DQC2Ui8Tccd5G2IgYSs
cnUN
-----END CERTIFICATE-----
EOF
cat << EOF > $enccert
-----BEGIN CERTIFICATE-----
MIICzjCCAnKgAwIBAgIFEzY5M3EwDAYIKoEcz1UBg3UFADAlMQswCQYDVQQGEwJD
TjEWMBQGA1UECgwNQ0ZDQSBTTTIgT0NBMTAeFw0yMTA2MTEwOTA1MjBaFw0yNjA2
MTkwODE2NTZaMIGRMQswCQYDVQQGEwJDTjEPMA0GA1UECAwG5YyX5LqsMQ8wDQYD
VQQHDAbljJfkuqwxJzAlBgNVBAoMHuS4reWbvemTtuihjOiCoeS7veaciemZkOWF
rOWPuDERMA8GA1UECwwITG9jYWwgUkExDDAKBgNVBAsMA1NTTDEWMBQGA1UEAwwN
ZWJzc2VjLmJvYy5jbjBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABMn1q+hbV0i1
qnKAy7QeZ3ZfAD+gqHX4F5MqIhsarODlWsavf/dcprC0F277zc44aYBB/3ucy4PF
qXaRHQp8PEyjggEeMIIBGjAfBgNVHSMEGDAWgBRck1ggWiRzVhAbZFAQ7OmnygdB
ETAMBgNVHRMBAf8EAjAAMEgGA1UdIARBMD8wPQYIYIEchu8qAQEwMTAvBggrBgEF
BQcCARYjaHR0cDovL3d3dy5jZmNhLmNvbS5jbi91cy91cy0xNC5odG0wNwYDVR0f
BDAwLjAsoCqgKIYmaHR0cDovL2NybC5jZmNhLmNvbS5jbi9TTTIvY3JsNTYxOC5j
cmwwGAYDVR0RBBEwD4INZWJzc2VjLmJvYy5jbjAOBgNVHQ8BAf8EBAMCAzgwHQYD
VR0OBBYEFF/a1JHvzLzbpFbBljX7hNxRpj/2MB0GA1UdJQQWMBQGCCsGAQUFBwMC
BggrBgEFBQcDATAMBggqgRzPVQGDdQUAA0gAMEUCIQDCOFi1eZcgiN6t+h6lxLwS
grAh3Jall+ZyA2ePw6xcjwIgNyDvo761dpwJhcyWfyVCAnaTf0Vf4DLWI1K+S7po
Ur8=
-----END CERTIFICATE-----
EOF
cat << EOF > $cacert
-----BEGIN CERTIFICATE-----
MIICNTCCAdmgAwIBAgIFEAAAAAgwDAYIKoEcz1UBg3UFADBYMQswCQYDVQQGEwJD
TjEwMC4GA1UECgwnQ2hpbmEgRmluYW5jaWFsIENlcnRpZmljYXRpb24gQXV0aG9y
aXR5MRcwFQYDVQQDDA5DRkNBIENTIFNNMiBDQTAeFw0xMzAxMjQwODQ2NDBaFw0z
MzAxMTkwODQ2NDBaMCUxCzAJBgNVBAYTAkNOMRYwFAYDVQQKDA1DRkNBIFNNMiBP
Q0ExMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEfJqQoo0+JoyCRy0msS2Ym076
8nV1pSLuK9utS1ij38obWDymq0oMRRwUzDMEQI19Cajo3JUoGFxOvsA+YWu3XKOB
wDCBvTAfBgNVHSMEGDAWgBTkjt3Uo+e2D+4dJ5bNddwlJXJp3TAMBgNVHRMEBTAD
AQH/MGAGA1UdHwRZMFcwVaBToFGkTzBNMQswCQYDVQQGEwJDTjETMBEGA1UECgwK
Q0ZDQSBDUyBDQTEMMAoGA1UECwwDQ1JMMQwwCgYDVQQLDANTTTIxDTALBgNVBAMM
BGNybDEwCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBRck1ggWiRzVhAbZFAQ7OmnygdB
ETAMBggqgRzPVQGDdQUAA0gAMEUCIBVscoZJhUy4eToK4C//LjvhjKK2qpBFac/h
Pr6yYTLzAiEAiyqrqsGUU5vGkDo5bEpmF1EbnY8xovsM9vCx98yBrVM=
-----END CERTIFICATE-----
EOF
cat << EOF > $rootcacert
-----BEGIN CERTIFICATE-----
MIICAzCCAaegAwIBAgIEFy9CWTAMBggqgRzPVQGDdQUAMFgxCzAJBgNVBAYTAkNO
MTAwLgYDVQQKDCdDaGluYSBGaW5hbmNpYWwgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
dHkxFzAVBgNVBAMMDkNGQ0EgQ1MgU00yIENBMB4XDTEyMDgzMTAyMDY1OVoXDTQy
MDgyNDAyMDY1OVowWDELMAkGA1UEBhMCQ04xMDAuBgNVBAoMJ0NoaW5hIEZpbmFu
Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEXMBUGA1UEAwwOQ0ZDQSBDUyBT
TTIgQ0EwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAATuRh26wmtyKNMz+Pmneo3a
Sme+BCjRon8SvAxZBgLSuIxNUewq4kNujeb1I4A0yg7xNcjuOgXglAoQv+Tc+P0V
o10wWzAfBgNVHSMEGDAWgBTkjt3Uo+e2D+4dJ5bNddwlJXJp3TAMBgNVHRMEBTAD
AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU5I7d1KPntg/uHSeWzXXcJSVyad0w
DAYIKoEcz1UBg3UFAANIADBFAiBhP/rmIvles3RK1FfcmmEeS9RZdu+5lCzxF0nk
cof2QAIhAPVRpqOuceEQHsR77FBe/DgVPqF6lOyoZs0TzTDHrN8c
-----END CERTIFICATE-----
EOF
gmssl certverify -in $signcert -cacert $cacert
gmssl certverify -in $enccert -cacert $cacert
gmssl certverify -in $cacert -cacert $rootcacert
chain=chain.pem
cat $signcert > $chain
cat $cacert >> $chain
gmssl certverify -in $chain -cacert $rootcacert
double_certs=double_certs.pem
cat $signcert > $double_certs
cat $enccert >> $double_certs
gmssl certverify -in $double_certs -cacert $cacert -double_certs
double_chain=double_chain.pem
cat $double_certs > $double_chain
cat $cacert >> $double_chain
gmssl certverify -in $double_chain -cacert $rootcacert -double_certs
gmssl certparse -in $double_chain
#gmssl certverify -in $double_chain -cacert $rootcacert -double_certs -check_crl
#gmssl crlget -cert $signcert -out $crl
#gmssl crlparse -in $crl
rm -fr $signcert
rm -fr $enccert
rm -fr $crl
rm -fr $cacert
rm -fr $rootcacert
rm -fr $chain
rm -fr $double_certs
rm -fr $double_chain

179
tools/certverify.c
View File

@@ -12,6 +12,7 @@
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
#include <stdlib.h> #include <stdlib.h>
#include <gmssl/hex.h>
#include <gmssl/x509.h> #include <gmssl/x509.h>
#include <gmssl/x509_crl.h> #include <gmssl/x509_crl.h>
#include <gmssl/error.h> #include <gmssl/error.h>
@@ -21,6 +22,7 @@ static const char *usage =
" -in pem [-double_certs]" " -in pem [-double_certs]"
" [-check_crl]" " [-check_crl]"
" -cacert pem" " -cacert pem"
" [-sm2_id str | -sm2_id_hex hex]"
"\n"; "\n";
static const char *options = static const char *options =
@@ -30,6 +32,12 @@ static const char *options =
" -double_certs The first two certificates are SM2 signing and encryption entity certificate\n" " -double_certs The first two certificates are SM2 signing and encryption entity certificate\n"
" -check_crl If the entity certificate has CRLDistributionPoints extension, Download and check againt the CRL\n" " -check_crl If the entity certificate has CRLDistributionPoints extension, Download and check againt the CRL\n"
" -cacert pem CA certificate\n" " -cacert pem CA certificate\n"
" -sm2_id str Signer's ID in SM2 signature algorithm\n"
" -sm2_id_hex hex Signer's ID in hex format\n"
" When `-sm2_id` or `-sm2_id_hex` is specified,\n"
" must use the same ID in other commands explicitly.\n"
" If neither `-sm2_id` nor `-sm2_id_hex` is specified,\n"
" the default string '1234567812345678' is used\n"
"\n"; "\n";
@@ -37,6 +45,8 @@ int certverify_main(int argc, char **argv)
{ {
int ret = 1; int ret = 1;
char *prog = argv[0]; char *prog = argv[0];
char *str;
char *infile = NULL; char *infile = NULL;
char *cacertfile = NULL; char *cacertfile = NULL;
FILE *infp = stdin; FILE *infp = stdin;
@@ -45,10 +55,22 @@ int certverify_main(int argc, char **argv)
size_t certlen; size_t certlen;
uint8_t cacert[1024]; uint8_t cacert[1024];
size_t cacertlen; size_t cacertlen;
char signer_id[SM2_MAX_ID_LENGTH + 1] = {0};
size_t signer_id_len = 0;
const uint8_t *serial;
size_t serial_len;
const uint8_t *issuer;
size_t issuer_len;
const uint8_t *subject; const uint8_t *subject;
size_t subject_len; size_t subject_len;
const uint8_t *subj;
size_t subj_len; const uint8_t *enc_serial;
size_t enc_serial_len;
const uint8_t *enc_issuer;
size_t enc_issuer_len;
const uint8_t *enc_subject;
size_t enc_subject_len;
int double_certs = 0; int double_certs = 0;
uint8_t enc_cert[1024]; uint8_t enc_cert[1024];
@@ -56,6 +78,7 @@ int certverify_main(int argc, char **argv)
int rv; int rv;
int check_crl = 0; int check_crl = 0;
int crl_ret;
argc--; argc--;
argv++; argv++;
@@ -89,6 +112,26 @@ int certverify_main(int argc, char **argv)
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno)); fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno));
goto end; goto end;
} }
} else if (!strcmp(*argv, "-sm2_id")) {
if (--argc < 1) goto bad;
str = *(++argv);
if (strlen(str) > sizeof(signer_id) - 1) {
fprintf(stderr, "%s: invalid `-sm2_id` length\n", prog);
goto end;
}
strncpy(signer_id, str, sizeof(signer_id));
signer_id_len = strlen(str);
} else if (!strcmp(*argv, "-sm2_id_hex")) {
if (--argc < 1) goto bad;
str = *(++argv);
if (strlen(str) > (sizeof(signer_id) - 1) * 2) {
fprintf(stderr, "%s: invalid `-sm2_id_hex` length\n", prog);
goto end;
}
if (hex_to_bytes(str, strlen(str), (uint8_t *)signer_id, &signer_id_len) != 1) {
fprintf(stderr, "%s: invalid `-sm2_id_hex` value\n", prog);
goto end;
}
} else { } else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv); fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end; goto end;
@@ -110,24 +153,34 @@ bad:
fprintf(stderr, "%s: '-cacert' option required\n", prog); fprintf(stderr, "%s: '-cacert' option required\n", prog);
goto end; goto end;
} }
if (!signer_id_len) {
strcpy(signer_id, SM2_DEFAULT_ID);
signer_id_len = strlen(SM2_DEFAULT_ID);
}
// read first to be verified certificate
if (x509_cert_from_pem(cert, &certlen, sizeof(cert), infp) != 1 if (x509_cert_from_pem(cert, &certlen, sizeof(cert), infp) != 1
|| x509_cert_get_issuer_and_serial_number(cert, certlen,
&issuer, &issuer_len, &serial, &serial_len) != 1
|| x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) { || x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) {
fprintf(stderr, "%s: read certificate failure\n", prog); fprintf(stderr, "%s: read certificate failure\n", prog);
goto end; goto end;
} }
x509_name_print(stdout, 0, 0, "Certificate", subject, subject_len); format_print(stdout, 0, 0, "Certificate\n");
format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
x509_name_print(stdout, 0, 4, "subject", subject, subject_len);
// read encryption cert in double certs
if (double_certs) { if (double_certs) {
if (x509_cert_from_pem(enc_cert, &enc_cert_len, sizeof(enc_cert), infp) != 1 if (x509_cert_from_pem(enc_cert, &enc_cert_len, sizeof(enc_cert), infp) != 1
|| x509_cert_get_subject(enc_cert, enc_cert_len, &subj, &subj_len) != 1) { || x509_cert_get_issuer_and_serial_number(enc_cert, enc_cert_len,
&enc_issuer, &enc_issuer_len, &enc_serial, &enc_serial_len) != 1
|| x509_cert_get_subject(enc_cert, enc_cert_len, &enc_subject, &enc_subject_len) != 1) {
fprintf(stderr, "%s: read encryption certficate failure\n", prog); fprintf(stderr, "%s: read encryption certficate failure\n", prog);
goto end; goto end;
} }
if (x509_name_equ(enc_subject, enc_subject_len, subject, subject_len) != 1
if (subj_len != subject_len || x509_name_equ(enc_issuer, enc_issuer_len, issuer, issuer_len) != 1) {
|| memcmp(subject, subj, subj_len) != 0) {
fprintf(stderr, "%s: double certificates not compatible\n", prog); fprintf(stderr, "%s: double certificates not compatible\n", prog);
goto end; goto end;
} }
@@ -138,73 +191,117 @@ bad:
if (rv < 0) goto end; if (rv < 0) goto end;
goto final; goto final;
} }
if (x509_cert_get_subject(cacert, cacertlen, &subject, &subject_len) != 1) {
goto end;
}
if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) { if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen,
fprintf(stderr, "%s: inner error\n", prog); signer_id, signer_id_len)) != 1) {
fprintf(stderr, "%s: Verification failure\n", prog);
goto end; goto end;
} }
printf("Verification %s\n", rv ? "success" : "failure"); format_print(stdout, 0, 4, "Verification success\n");
if (check_crl) { if (check_crl) {
if (x509_cert_check_crl(cert, certlen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID)) < 0) { if ((crl_ret = x509_cert_check_crl(cert, certlen, cacert, cacertlen,
fprintf(stderr, "%s: certificate has been revoked\n", prog); signer_id, signer_id_len)) < 0) {
fprintf(stderr, "%s: Certificate has been revoked\n", prog);
goto end; goto end;
} }
format_print(stdout, 0, 4, "Revocation status: %s\n",
crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
} }
if (double_certs) {
x509_name_print(stdout, 0, 0, "Certificate", subj, subj_len);
if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) { if (double_certs) {
fprintf(stderr, "%s: inner error\n", prog); if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen,
signer_id, signer_id_len)) < 0) {
fprintf(stderr, "%s: Verification failure\n", prog);
goto end; goto end;
} }
printf("Verification %s\n", rv ? "success" : "failure"); format_print(stdout, 0, 0, "Certificate\n");
format_bytes(stdout, 0, 4, "serialNumber", enc_serial, enc_serial_len);
x509_name_print(stdout, 0, 4, "subject", enc_subject, enc_subject_len);
format_print(stdout, 0, 4, "Verification success\n");
if (check_crl) {
if ((crl_ret = x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen,
signer_id, signer_id_len)) < 0) {
fprintf(stderr, "%s: Certificate has been revoked\n", prog);
goto end;
}
format_print(stdout, 0, 4, "Revocation status: %s\n",
crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
}
double_certs = 0; double_certs = 0;
if (check_crl) {
if (x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID)) < 0) {
fprintf(stderr, "%s: certificate has been revoked\n", prog);
goto end;
}
} }
// NOTE: make sure the buffer (issuer, issuer_len) not crashed
memcpy(cert, cacert, cacertlen);
certlen = cacertlen;
if (x509_cert_get_issuer_and_serial_number(cert, certlen,
&issuer, &issuer_len, &serial, &serial_len) != 1
|| x509_cert_get_subject(cert, certlen, &subject, &subject_len) != 1) {
error_print();
goto end;
} }
format_print(stdout, 0, 0, "Signed by\n"); format_print(stdout, 0, 0, "Signed by Certificate\n");
x509_name_print(stdout, 0, 0, "Certificate", subject, subject_len); format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
x509_name_print(stdout, 0, 4, "Certificate", subject, subject_len);
check_crl = 0; // only check the entity CRL check_crl = 0; // only check the entity CRL
memcpy(cert, cacert, cacertlen);
certlen = cacertlen;
} }
final: final:
if (x509_cert_get_issuer(cert, certlen, &subject, &subject_len) != 1) { if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), issuer, issuer_len, cacertfp) != 1) {
fprintf(stderr, "%s: parse certificate error\n", prog);
goto end;
}
if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), subject, subject_len, cacertfp) != 1) {
fprintf(stderr, "%s: load CA certificate failure\n", prog); fprintf(stderr, "%s: load CA certificate failure\n", prog);
goto end; goto end;
} }
if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) { if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen,
signer_id, signer_id_len)) < 0) {
fprintf(stderr, "%s: inner error\n", prog); fprintf(stderr, "%s: inner error\n", prog);
goto end; goto end;
} }
printf("Verification %s\n", rv ? "success" : "failure"); format_print(stdout, 0, 4, "Verification success\n");
format_print(stdout, 0, 0, "Signed by\n");
x509_name_print(stdout, 0, 0, "Certificate", subject, subject_len); if (check_crl) {
if ((crl_ret = x509_cert_check_crl(cert, certlen, cacert, cacertlen,
signer_id, signer_id_len)) < 0) {
fprintf(stderr, "%s: certificate has been revoked\n", prog);
goto end;
}
format_print(stdout, 0, 4, "Revocation status: %s\n",
crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
}
if (double_certs) { if (double_certs) {
if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID))) < 0) { if ((rv = x509_cert_verify_by_ca_cert(enc_cert, enc_cert_len, cacert, cacertlen,
signer_id, signer_id_len)) < 0) {
fprintf(stderr, "%s: inner error\n", prog); fprintf(stderr, "%s: inner error\n", prog);
goto end; goto end;
} }
printf("Verification %s\n", rv ? "success" : "failure"); format_print(stdout, 0, 0, "Certificate\n");
format_bytes(stdout, 0, 4, "serialNumber", enc_serial, enc_serial_len);
x509_name_print(stdout, 0, 4, "subject", enc_subject, enc_subject_len);
format_print(stdout, 0, 4, "Verification success\n");
if (check_crl) {
if ((crl_ret = x509_cert_check_crl(enc_cert, enc_cert_len, cacert, cacertlen,
signer_id, signer_id_len)) < 0) {
fprintf(stderr, "%s: certificate has been revoked\n", prog);
goto end;
} }
format_print(stdout, 0, 4, "Revocation status: %s\n",
crl_ret ? "Not revoked by CRL" : "No CRL URI found in certificate");
}
}
if (x509_cert_get_issuer_and_serial_number(cacert, cacertlen, NULL, NULL, &serial, &serial_len) != 1
|| x509_cert_get_subject(cacert, cacertlen, &subject, &subject_len) != 1) {
fprintf(stderr, "%s: parse certificate error\n", prog);
goto end;
}
format_print(stdout, 0, 0, "Signed by Certificate\n");
format_bytes(stdout, 0, 4, "serialNumber", serial, serial_len);
x509_name_print(stdout, 0, 4, "subject", subject, subject_len);
printf("\n"); printf("\n");
ret = 0; ret = 0;