Update Tools

tools/certverify.c

@@ -47,94 +47,98 @@
  */
 
 #include <stdio.h>
+#include <errno.h>
 #include <string.h>
 #include <stdlib.h>
-#include <gmssl/pem.h>
 #include <gmssl/x509.h>
-#include <gmssl/pkcs8.h>
-#include <gmssl/rand.h>
-#include <gmssl/error.h>
 
-// 验证证书链是一个重量级的功能，应准备相应的文档，列举所有验证项目
-// 比如最基本的是证书中的签名、有效期、各个扩展等
-// 外部相关的：证书链、CRL等
+
+static const char *options = "[-in pem] -cacert pem (-id str)\n";
 
 int certverify_main(int argc, char **argv)
 {
-	int ret = 0;
+	int ret = 1;
 	char *prog = argv[0];
-	char *certfile = NULL;
-	FILE *certfp = NULL;
-
+	char *infile = NULL;
 	char *cacertfile = NULL;
+	FILE *infp = stdin;
 	FILE *cacertfp = NULL;
-
 	uint8_t cert[1024];
 	size_t certlen;
+	const uint8_t *issuer;
+	size_t issuer_len;
 	uint8_t cacert[1024];
 	size_t cacertlen;
 	char *signer_id = SM2_DEFAULT_ID;
-
-	SM2_KEY ca_pubkey;
+	int rv;
 
 	argc--;
 	argv++;
-	while (argc >= 1) {
-		if (!strcmp(*argv, "-help")) {
-			printf("Usage: %s [-cert pem] -cacert pem\n", prog);
-			return 0;
 
+	if (argc < 1) {
+		fprintf(stderr, "usage: %s %s\n", prog, options);
+		return 1;
+	}
+
+	while (argc > 0) {
+		if (!strcmp(*argv, "-help")) {
+			printf("usage: %s %s\n", prog, options);
+			ret = 0;
+			goto end;
 		} else if (!strcmp(*argv, "-cert")) {
 			if (--argc < 1) goto bad;
-			certfile = *(++argv);
-			if (!(certfp = fopen(certfile, "r"))) {
-				error_print();
-				return -1;
+			infile = *(++argv);
+			if (!(infp = fopen(infile, "r"))) {
+				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, infile, strerror(errno));
+				goto end;
 			}
 		} else if (!strcmp(*argv, "-cacert")) {
 			if (--argc < 1) goto bad;
 			cacertfile = *(++argv);
 			if (!(cacertfp = fopen(cacertfile, "r"))) {
-				error_print();
-				return -1;
+				fprintf(stderr, "%s: open '%s' failure : %s\n", prog, cacertfile, strerror(errno));
+				goto end;
 			}
+		} else if (!strcmp(*argv, "-id")) {
+			if (--argc < 1) goto bad;
+			signer_id = *(++argv);
 		} else {
-			printf("Usage: %s [-cert pem] -cacert pem\n", prog);
-			return 0;
-			break;
+			fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
+			goto end;
+bad:
+			fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
+			goto end;
 		}
 
 		argc--;
 		argv++;
 	}
 
-	if (!certfp || !cacertfp) {
-		error_print();
-		return -1;
+	if (!cacertfile) {
+		fprintf(stderr, "%s: '-cacert' option required\n", prog);
+		goto end;
 	}
 
-
-	if (x509_cert_from_pem(cert, &certlen, sizeof(cert), certfp) != 1) {
-		error_print();
-		return -1;
+	if (x509_cert_from_pem(cert, &certlen, sizeof(cert), infp) != 1) {
+		fprintf(stderr, "%s: read certificate failure\n", prog);
+		goto end;
 	}
-	if (x509_cert_from_pem(cacert, &cacertlen, sizeof(cacert), cacertfp) != 1) {
-		error_print();
-		return -1;
+	if (x509_cert_get_subject(cert, certlen, &issuer, &issuer_len) != 1) {
+		fprintf(stderr, "%s: parse certificate error\n", prog);
+		goto end;
 	}
-	if (x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen, signer_id, strlen(signer_id)) != 1) {
-		error_print();
-		return -1;
+	if (x509_cert_from_pem_by_subject(cacert, &cacertlen, sizeof(cacert), issuer, issuer_len, cacertfp) != 1) {
+		fprintf(stderr, "%s: load CA certificate failure\n", prog);
+		goto end;
 	}
-	ret = 1;
-	printf("Verification %s\n", ret ? "success" : "failure");
-
+	if ((rv = x509_cert_verify_by_ca_cert(cert, certlen, cacert, cacertlen, signer_id, strlen(signer_id))) < 0) {
+		fprintf(stderr, "%s: inner error\n", prog);
+		goto end;
+	}
+	printf("Verification %s\n", rv ? "success" : "failure");
 	ret = 0;
-	goto end;
-
-bad:
-	fprintf(stderr, "%s: commands should not be used together\n", prog);
-
 end:
+	if (infile && infp) fclose(infp);
+	if (cacertfp) fclose(cacertfp);
 	return ret;
 }