diff --git a/CMakeLists.txt b/CMakeLists.txt
index 59cd2a14..1cc54614 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -820,7 +820,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1100")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1101")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index f4e864bf..213a129c 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1100"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1101"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/include/gmssl/x509_cer.h b/include/gmssl/x509_cer.h
index 021d1e48..e97a9639 100644
--- a/include/gmssl/x509_cer.h
+++ b/include/gmssl/x509_cer.h
@@ -331,7 +331,7 @@ typedef enum {
 X509_cert_crl_sign,
 } X509_CERT_TYPE;
-int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type, int *path_len_constraint);
+int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type);
 int x509_cert_check_subject(const uint8_t *cert, size_t certlen, int is_cacert);
 int x509_cert_check_name_constraints(const uint8_t *cert, size_t certlen, const uint8_t *name_constraints, size_t name_constraints_len);
diff --git a/include/gmssl/x509_ext.h b/include/gmssl/x509_ext.h
index 15907467..f888e6c3 100644
--- a/include/gmssl/x509_ext.h
+++ b/include/gmssl/x509_ext.h
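Review bot: Dropping the `int *path_len_constraint` out-parameter from x509_cert_check in include/gmssl/x509_cer.h removes the only channel visible in this commit through which a CA certificate's basicConstraints pathLenConstraint reached the chain-verification code; the same removal is made in src/x509_cer.c (@@ -1907 and @@ -2014, where the local is deleted while `int path_len = 0;` is kept) and in src/x509_ext.c (@@ -3050, where `*path_len_constraint = path_len;` is dropped right after the value has been range-checked). None of the hunks show x509_certs_verify or x509_certs_verify_tlcp comparing the path_len they track against that constraint, before or after the change, so the constraint appears to be parsed and syntax-checked but never enforced during path building, which is what RFC 5280 §6.1.4 steps (l)/(m) require of it. Unless the callers re-parse basicConstraints somewhere not shown here, the value should stay reachable — for example by keeping the old prototype and documenting `-1` as "no constraint" — or the header should at least state that pathLenConstraint is not enforced by x509_cert_check. Since this is a public prototype, the change is also source-incompatible for existing callers while `GMSSL_VERSION_NUM 30200` is left unchanged in the version.h hunk, so dependents cannot detect it at compile time.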
@@ -606,8 +606,7 @@ NetscapeCertComment ::= IA5String
 int x509_netscape_cert_type_print(FILE *fp, int fmt, int ind, const char *label, int bits);
 int x509_ext_check_critical(int oid, int is_ca, int critical);
-int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
- int *path_len_constraints);
+int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type);
 /*
 AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
diff --git a/src/x509_cer.c b/src/x509_cer.c
index 7274af64..141a7948 100644
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -1815,8 +1815,7 @@ int x509_certs_get_cert_by_issuer_and_serial_number(const uint8_t *d, size_t dle
 return 0;
 }
-int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type,
- int *path_len_constraint)
+int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type)
 {
 int version;
 const uint8_t *serial;
@@ -1880,7 +1879,7 @@ int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type,
 return -1;
 }
- if (x509_exts_check(exts, extslen, cert_type, path_len_constraint) != 1) {
+ if (x509_exts_check(exts, extslen, cert_type) != 1) {
 error_print();
 return -1;
 }
@@ -1907,7 +1906,6 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 int ret;
 int path_len = 0;
- int path_len_constraint;
 switch (certs_type) {
 case X509_cert_chain_server:
@@ -1926,7 +1924,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 error_print();
 return -1;
 }
- if (x509_cert_check(cert, certlen, entity_cert_type, &path_len_constraint) != 1) {
+ if (x509_cert_check(cert, certlen, entity_cert_type) != 1) {
 error_print();
 x509_cert_print(stderr, 0, 10, "Invalid Entity Certificate", cert, certlen);
 return -1;
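Review bot: The new prototype `int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type);` in include/gmssl/x509_ext.h carries no description of what the function rejects, and this commit changes that policy (critical certificatePolicies, and policyMappings, policyConstraints and inhibitAnyPolicy in any form, now fail the check in src/x509_ext.c) without any header-level note. A block comment above the declaration would let callers interpret a -1 result, along the lines of `/* Check the extensions of a certificate of cert_type. Returns 1 if acceptable, -1 if an extension is malformed, has a criticality the profile forbids, or is a recognized critical extension whose path-validation processing is not implemented. */`. The same applies to `x509_cert_check` in include/gmssl/x509_cer.h, which forwards to this function (@@ -1880) and so inherits the new rejection behaviour.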
@@ -1938,7 +1936,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 error_print();
 return -1;
 }
- if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
+ if (x509_cert_check(cacert, cacertlen, X509_cert_ca) != 1) {
 error_print();
 x509_cert_print(stderr, 0, 10, "Invalid CA Certificate", cacert, cacertlen);
 return -1;
@@ -1971,7 +1969,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 error_print();
 return -1;
 }
- if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
+ if (x509_cert_check(cacert, cacertlen, X509_cert_ca) != 1) {
 error_print();
 return -1;
 }
@@ -2014,7 +2012,6 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 int ret;
 int path_len = 0;
- int path_len_constraint;
 switch (certs_type) {
 case X509_cert_chain_server:
@@ -2034,7 +2031,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 error_print();
 return -1;
 }
- if (x509_cert_check(cert, certlen, sign_cert_type, &path_len_constraint) != 1) {
+ if (x509_cert_check(cert, certlen, sign_cert_type) != 1) {
 error_print();
 return -1;
 }
@@ -2044,7 +2041,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 error_print();
 return -1;
 }
- if (x509_cert_check(kenc_cert, kenc_certlen, kenc_cert_type, &path_len_constraint) != 1) {
+ if (x509_cert_check(kenc_cert, kenc_certlen, kenc_cert_type) != 1) {
 error_print();
 return -1;
 }
@@ -2064,7 +2061,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 error_print();
 return -1;
 }
- if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
+ if (x509_cert_check(cacert, cacertlen, X509_cert_ca) != 1) {
 error_print();
 return -1;
 }
@@ -2103,7 +2100,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 error_print();
 return -1;
 }
- if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
+ if (x509_cert_check(cacert, cacertlen, X509_cert_ca) != 1) {
 error_print();
 return -1;
 }
diff --git a/src/x509_ext.c b/src/x509_ext.c
index 2eda7aff..c5125341 100644
--- a/src/x509_ext.c
+++ b/src/x509_ext.c
@@ -2951,8 +2951,7 @@ int x509_netscape_cert_type_print(FILE *fp, int fmt, int ind, const char *label,
 sizeof(netscape_cert_types)/sizeof(netscape_cert_types[0]), bits);
 }
-int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
- int *path_len_constraint)
+int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type)
 {
 int oid;
 uint32_t nodes[32];
@@ -2968,8 +2967,6 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
 size_t ext_key_usages_cnt;
 int is_ca = (cert_type == X509_cert_ca || cert_type == X509_cert_root_ca) ? 1 : 0;
- *path_len_constraint = -1;
-
 while (extslen) {
 if (x509_ext_from_der(&oid, nodes, &nodes_cnt, &critical, &val, &vlen, &exts, &extslen) != 1) {
 error_print();
@@ -3022,13 +3019,21 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
 }
 break;
 case OID_ce_certificate_policies:
+ if (critical == X509_critical) {
+ error_print();
+ return -1;
+ }
 break;
 case OID_ce_policy_mappings:
 if (critical != X509_critical) {
 error_print();
 return -1;
 }
- break;
+ /*
+ 已识别但证书路径验证尚未实现的 critical 扩展不能被忽略。
+ */
+ error_print();
+ return -1;
 case OID_ce_subject_alt_name:
 break;
 case OID_ce_issuer_alt_name:
@@ -3050,7 +3055,6 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
 error_print();
 return -1;
 }
- *path_len_constraint = path_len;
 break;
 case OID_ce_ext_key_usage:
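Review bot: In the `case OID_ce_policy_mappings:` arm of the @@ -3022 hunk the new unconditional `error_print(); return -1;` makes the preceding `if (critical != X509_critical)` test redundant — both paths now fail — so the two-step shape reads as if a correctly critical policyMappings were still accepted; collapsing it to a single rejection, or adding a one-line comment saying the criticality test is kept only to give the malformed case its own error site, would make the intent clear. The added comment is in Chinese while the other comments visible in this commit's hunks are in English; an English equivalent would be `/* Recognized, but certification-path processing for this extension is not implemented; a critical extension that cannot be processed must not be ignored (RFC 5280 section 4.2). */`, and the same comment is repeated verbatim in the @@ -3063 hunk, so one shared comment above the switch would avoid the duplication. None of the new rejection paths (critical certificatePolicies and policyMappings here, policyConstraints and inhibitAnyPolicy in @@ -3063) gets a test: tests/x509_vrftest.c is only adapted to the new prototype, so a later change that silently accepts these again would go unnoticed. The enclosing switch and x509_exts_check continue outside these hunks.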
@@ -3063,10 +3067,20 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
 break;
 case OID_ce_name_constraints:
+ break;
 case OID_ce_policy_constraints:
- case OID_ce_crl_distribution_points:
 case OID_ce_inhibit_any_policy:
+ /*
+ 已识别但证书路径验证尚未实现的 critical 扩展不能被忽略。
+ */
+ error_print();
+ return -1;
+ case OID_ce_crl_distribution_points:
 case OID_ce_freshest_crl:
+ if (critical == X509_critical) {
+ error_print();
+ return -1;
+ }
 break;
 default:
 if (critical == X509_critical) {
diff --git a/tests/x509_vrftest.c b/tests/x509_vrftest.c
index f043b5cb..e89459d8 100644
--- a/tests/x509_vrftest.c
+++ b/tests/x509_vrftest.c
@@ -63,7 +63,6 @@ static int test_x509_cert_check_subject(void)
 uint8_t cert[1024];
 uint8_t *p;
 size_t certlen;
- int path_len_constraint;
 set_x509_name(issuer, &issuer_len, sizeof(issuer));
 time(¬_before);
@@ -95,7 +94,7 @@ static int test_x509_cert_check_subject(void)
 &x509_key, SM2_DEFAULT_ID, strlen(SM2_DEFAULT_ID), &p, &certlen) != 1
 || x509_cert_check_subject(cert, certlen, 0) != 1
- || x509_cert_check(cert, certlen, X509_cert_server_auth, &path_len_constraint) != 1) {
+ || x509_cert_check(cert, certlen, X509_cert_server_auth) != 1) {
 error_print();
 return -1;
 }
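Review bot: `case OID_ce_name_constraints:` now ends in its own `break;` and so accepts the extension whatever its criticality, while policyConstraints and inhibitAnyPolicy in the same switch are rejected as recognized-but-unprocessed; nameConstraints must be critical under RFC 5280 §4.2.1.10 and must be applied to every subordinate name in the path, so silently accepting it is only safe if the chain verifier calls x509_cert_check_name_constraints (declared in the include/gmssl/x509_cer.h hunk) for each CA that carries it. That call is not visible in this commit, so it is worth confirming it exists on both the x509_certs_verify and x509_certs_verify_tlcp paths; if it does not, this arm should fail like the two below it, or at minimum when `critical == X509_critical`, for the same reason the added comment gives. If it does, a one-line comment at the `break;` naming the function that enforces it would document the dependency that makes the early acceptance correct. The enclosing switch and x509_exts_check start and end outside this hunk.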