Clean code

This commit is contained in:
Zhi Guan
2026-06-19 11:09:25 +08:00
parent 2d98b5afae
commit 61f621d404
7 changed files with 35 additions and 26 deletions


@@ -1815,8 +1815,7 @@ int x509_certs_get_cert_by_issuer_and_serial_number(const uint8_t *d, size_t dle
return 0;
}
int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type,
int *path_len_constraint)
int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type)
{
int version;
const uint8_t *serial;
@@ -1880,7 +1879,7 @@ int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type,
return -1;
}
if (x509_exts_check(exts, extslen, cert_type, path_len_constraint) != 1) {
if (x509_exts_check(exts, extslen, cert_type) != 1) {
error_print();
return -1;
}
@@ -1907,7 +1906,6 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
int ret;
int path_len = 0;
int path_len_constraint;
switch (certs_type) {
case X509_cert_chain_server:
@@ -1926,7 +1924,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
error_print();
return -1;
}
if (x509_cert_check(cert, certlen, entity_cert_type, &path_len_constraint) != 1) {
if (x509_cert_check(cert, certlen, entity_cert_type) != 1) {
error_print();
x509_cert_print(stderr, 0, 10, "Invalid Entity Certificate", cert, certlen);
return -1;
@@ -1938,7 +1936,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
error_print();
return -1;
}
if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
if (x509_cert_check(cacert, cacertlen, X509_cert_ca) != 1) {
error_print();
x509_cert_print(stderr, 0, 10, "Invalid CA Certificate", cacert, cacertlen);
return -1;
@@ -1971,7 +1969,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
error_print();
return -1;
}
if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
if (x509_cert_check(cacert, cacertlen, X509_cert_ca) != 1) {
error_print();
return -1;
}
@@ -2014,7 +2012,6 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
int ret;
int path_len = 0;
int path_len_constraint;
switch (certs_type) {
case X509_cert_chain_server:
@@ -2034,7 +2031,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
error_print();
return -1;
}
if (x509_cert_check(cert, certlen, sign_cert_type, &path_len_constraint) != 1) {
if (x509_cert_check(cert, certlen, sign_cert_type) != 1) {
error_print();
return -1;
}
@@ -2044,7 +2041,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
error_print();
return -1;
}
if (x509_cert_check(kenc_cert, kenc_certlen, kenc_cert_type, &path_len_constraint) != 1) {
if (x509_cert_check(kenc_cert, kenc_certlen, kenc_cert_type) != 1) {
error_print();
return -1;
}
@@ -2064,7 +2061,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
error_print();
return -1;
}
if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
if (x509_cert_check(cacert, cacertlen, X509_cert_ca) != 1) {
error_print();
return -1;
}
@@ -2103,7 +2100,7 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
error_print();
return -1;
}
if (x509_cert_check(cacert, cacertlen, X509_cert_ca, &path_len_constraint) != 1) {
if (x509_cert_check(cacert, cacertlen, X509_cert_ca) != 1) {
error_print();
return -1;
}
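Review bot: After this change nothing in `x509_certs_verify` or `x509_certs_verify_tlcp` can enforce a CA certificate's basicConstraints pathLenConstraint, because `x509_cert_check` no longer hands back the value that `x509_exts_check` still parses and range-checks (the hunks at -1907 and -2014 drop the local, the hunks at -1926, -1938, -1971, -2034, -2044, -2064 and -2103 drop the out-argument). If the removed `int path_len_constraint;` was never read, this only deletes a dead local, but it also removes the only hook for the RFC 5280 §6.1.4 (l) check, so a chain exceeding a CA's path length limit would presumably still verify against the `path_len` depth counter alone. Worth making the gap visible next to the surviving declaration, e.g. `int path_len = 0; /* TODO: pathLenConstraint from CA basicConstraints is parsed in x509_exts_check but not enforced here */`. The bodies of both verify functions extend outside these hunks.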


@@ -2951,8 +2951,7 @@ int x509_netscape_cert_type_print(FILE *fp, int fmt, int ind, const char *label,
sizeof(netscape_cert_types)/sizeof(netscape_cert_types[0]), bits);
}
int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
int *path_len_constraint)
int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type)
{
int oid;
uint32_t nodes[32];
@@ -2968,8 +2967,6 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
size_t ext_key_usages_cnt;
int is_ca = (cert_type == X509_cert_ca || cert_type == X509_cert_root_ca) ? 1 : 0;
*path_len_constraint = -1;
while (extslen) {
if (x509_ext_from_der(&oid, nodes, &nodes_cnt, &critical, &val, &vlen, &exts, &extslen) != 1) {
error_print();
@@ -3022,13 +3019,21 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
}
break;
case OID_ce_certificate_policies:
if (critical == X509_critical) {
error_print();
return -1;
}
break;
case OID_ce_policy_mappings:
if (critical != X509_critical) {
error_print();
return -1;
}
break;
/*
已识别但证书路径验证尚未实现的 critical 扩展不能被忽略。
*/
error_print();
return -1;
case OID_ce_subject_alt_name:
break;
case OID_ce_issuer_alt_name:
@@ -3050,7 +3055,6 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
error_print();
return -1;
}
*path_len_constraint = path_len;
break;
case OID_ce_ext_key_usage:
@@ -3063,10 +3067,20 @@ int x509_exts_check(const uint8_t *exts, size_t extslen, int cert_type,
break;
case OID_ce_name_constraints:
break;
case OID_ce_policy_constraints:
case OID_ce_crl_distribution_points:
case OID_ce_inhibit_any_policy:
/*
已识别但证书路径验证尚未实现的 critical 扩展不能被忽略。
*/
error_print();
return -1;
case OID_ce_crl_distribution_points:
case OID_ce_freshest_crl:
if (critical == X509_critical) {
error_print();
return -1;
}
break;
default:
if (critical == X509_critical) {