diff --git a/include/gmssl/x509_crl.h b/include/gmssl/x509_crl.h index 6b1675e7..3aaed1be 100644 --- a/include/gmssl/x509_crl.h +++ b/include/gmssl/x509_crl.h @@ -57,12 +57,15 @@ int x509_crl_entry_ext_id_from_name(const char *name); int x509_crl_entry_ext_id_to_der(int oid, uint8_t **out, size_t *outlen); int x509_crl_entry_ext_id_from_der(int *oid, const uint8_t **in, size_t *inlen); -int x509_crl_entry_ext_critical_validate(int oid, int critical); +int x509_crl_entry_ext_critical_check(int oid, int critical); + +int x509_crl_entry_ext_to_der(int oid, int critical, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen); int x509_crl_reason_ext_to_der(int critical, int reason, uint8_t **out, size_t *outlen); int x509_invalidity_date_ext_to_der(int critical, time_t date, uint8_t **out, size_t *outlen); int x509_cert_issuer_ext_to_der(int critical, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen); -int x509_crl_entry_ext_from_der(int *oid, int *critical, +int x509_crl_entry_ext_from_der(int *oid, int *critical, const uint8_t **val, size_t *vlen, const uint8_t **in, size_t *inlen); +int x509_crl_entry_ext_from_der_ex(int *oid, int *critical, int *reason, time_t *invalid_date, const uint8_t **cert_issuer, size_t *cert_issuer_len, const uint8_t **in, size_t *inlen); int x509_crl_entry_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); @@ -75,7 +78,7 @@ int x509_crl_entry_exts_from_der( const uint8_t **in, size_t *inlen); int x509_crl_entry_exts_get(const uint8_t *d, size_t dlen, int *reason, time_t *invalid_date, const uint8_t **cert_issuer, size_t *cert_issuer_len); -int x509_crl_entry_exts_validate(const uint8_t *d, size_t dlen); +int x509_crl_entry_exts_check(const uint8_t *d, size_t dlen); int x509_crl_entry_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); @@ -159,7 +162,7 @@ int x509_issuing_distribution_point_from_der( const uint8_t **in, size_t *inlen); int x509_issuing_distribution_point_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); -int x509_crl_ext_critical_validate(int oid, int critical); +int x509_crl_ext_critical_check(int oid, int critical); int x509_crl_ext_to_der(int oid, int critical, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen); int x509_crl_ext_from_der_ex(int *oid, uint32_t *nodes, size_t *nodes_cnt, int *critical, const uint8_t **val, size_t *vlen, @@ -208,7 +211,7 @@ int x509_crl_exts_add_authority_info_acess( const char *ca_issuers_uri, size_t ca_issuers_urilen, const char *ocsp_uri, size_t ocsp_urilen); -int x509_crl_exts_validate(const uint8_t *d, size_t dlen); +int x509_crl_exts_check(const uint8_t *d, size_t dlen); #define x509_crl_exts_to_der(d,dlen,out,outlen) x509_explicit_exts_to_der(0,d,dlen,out,outlen) #define x509_crl_exts_from_der(d,dlen,in,inlen) x509_explicit_exts_from_der(0,d,dlen,in,inlen) int x509_crl_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); @@ -250,9 +253,6 @@ CertificateList ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } */ -#define x509_cert_list_to_der(tbs,tbslen,sig_alg,sig,siglen,out,outlen) x509_signed_to_der(tbs,tbslen,sig_alg,sig,siglen,out,outlen) -#define x509_cert_list_from_der(tbs,tbslen,sig_alg,sig,siglen,in,inlen) x509_signed_from_der(tbs,tbslen,sig_alg,sig,siglen,in,inlen) -int x509_cert_list_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); // x509_crl_ functions int x509_crl_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen); @@ -279,7 +279,7 @@ int x509_crl_from_der_ex( const uint8_t **exts, size_t *exts_len, int *sig_alg, const uint8_t **sig, size_t *siglen, const uint8_t **in, size_t *inlen); -int x509_crl_validate(const uint8_t *a, size_t alen, time_t now); +int x509_crl_check(const uint8_t *a, size_t alen, time_t now); int x509_crl_verify(const uint8_t *a, size_t alen, const SM2_KEY *sign_pub_key, const char *signer_id, size_t signer_id_len); int x509_crl_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen, diff --git a/src/x509_cer.c b/src/x509_cer.c index c7d71e80..fbb49990 100644 --- a/src/x509_cer.c +++ b/src/x509_cer.c @@ -912,8 +912,8 @@ int x509_tbs_cert_from_der( size_t dlen; if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) { - error_print(); - return -1; + if (ret < 0) error_print(); + return ret; } if (x509_explicit_version_from_der(0, version, &d, &dlen) < 0 || asn1_integer_from_der(serial, serial_len, &d, &dlen) != 1 @@ -1142,6 +1142,10 @@ int x509_cert_verify_by_ca_cert(const uint8_t *a, size_t alen, int x509_cert_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen) { int ret; + if (x509_cert_get_subject(a, alen, NULL, NULL) != 1) { + error_print(); + return -1; + } if ((ret = asn1_any_to_der(a, alen, out, outlen)) != 1) { if (ret < 0) error_print(); return ret; diff --git a/src/x509_crl.c b/src/x509_crl.c index cc14e0f8..6358cb3c 100644 --- a/src/x509_crl.c +++ b/src/x509_crl.c @@ -40,7 +40,6 @@ static const char *x509_crl_reason_names[] = { static const size_t x509_crl_reason_names_count = sizeof(x509_crl_reason_names)/sizeof(x509_crl_reason_names[0]); -// 这个函数也不应该有错误的输入值 const char *x509_crl_reason_name(int reason) { if (reason < 0 || reason >= x509_crl_reason_names_count) { @@ -50,8 +49,6 @@ const char *x509_crl_reason_name(int reason) return x509_crl_reason_names[reason]; } -// 这个函数由于需要用在判断中,最好不要打印错误值。并且有可能这个name是一个我们不识别的值,因此返回0? -// 不识别的name还是应该返回-1更合适 int x509_crl_reason_from_name(int *reason, const char *name) { int i; @@ -61,7 +58,8 @@ int x509_crl_reason_from_name(int *reason, const char *name) return 1; } } - return 0; + error_print(); + return -1; } int x509_crl_reason_to_der(int reason, uint8_t **out, size_t *outlen) @@ -94,6 +92,7 @@ int x509_crl_reason_from_der(int *reason, const uint8_t **in, size_t *inlen) return 1; } +/* int x509_implicit_crl_reason_from_der(int index, int *reason, const uint8_t **in, size_t *inlen) { int ret; @@ -107,7 +106,7 @@ int x509_implicit_crl_reason_from_der(int index, int *reason, const uint8_t **in } return 1; } - +*/ static uint32_t oid_ce_crl_reasons[] = { oid_ce,21 }; static uint32_t oid_ce_invalidity_date[] = { oid_ce,24 }; @@ -170,7 +169,7 @@ int x509_crl_entry_ext_id_from_der(int *oid, const uint8_t **in, size_t *inlen) return 1; } -int x509_crl_entry_ext_critical_validate(int oid, int critical) +int x509_crl_entry_ext_critical_check(int oid, int critical) { switch (oid) { case OID_ce_crl_reasons: @@ -193,6 +192,47 @@ int x509_crl_entry_ext_critical_validate(int oid, int critical) return 1; } +int x509_crl_entry_ext_to_der(int oid, int critical, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen) +{ + size_t len = 0; + + if (vlen == 0) { + return 0; + } + if (x509_crl_entry_ext_id_to_der(oid, NULL, &len) != 1 + || asn1_boolean_to_der(critical, NULL, &len) < 0 + || asn1_octet_string_to_der(val, vlen, NULL, &len) != 1 + || asn1_sequence_header_to_der(len, out, outlen) != 1 + || x509_crl_entry_ext_id_to_der(oid, out, outlen) != 1 + || asn1_boolean_to_der(critical, out, outlen) < 0 + || asn1_octet_string_to_der(val, vlen, out, outlen) != 1) { + error_print(); + return -1; + } + return 1; +} + +int x509_crl_entry_ext_from_der(int *oid, int *critical, const uint8_t **val, size_t *vlen, + const uint8_t **in, size_t *inlen) +{ + int ret; + const uint8_t *d; + size_t dlen; + + if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) { + if (ret < 0) error_print(); + return ret; + } + if (x509_crl_entry_ext_id_from_der(oid, &d, &dlen) != 1 + || asn1_boolean_from_der(critical, &d, &dlen) < 0 + || asn1_octet_string_from_der(val, vlen, &d, &dlen) != 1 + || asn1_length_is_zero(dlen) != 1) { + error_print(); + return -1; + } + return 1; +} + int x509_crl_reason_ext_to_der(int critical, int reason, uint8_t **out, size_t *outlen) { int oid = OID_ce_crl_reasons; @@ -205,7 +245,7 @@ int x509_crl_reason_ext_to_der(int critical, int reason, uint8_t **out, size_t * } if (x509_crl_reason_to_der(reason, &p, &vlen) != 1 || asn1_length_le(vlen, sizeof(val)) != 1 - || x509_ext_to_der(oid, critical, val, vlen, out, outlen) != 1) { + || x509_crl_entry_ext_to_der(oid, critical, val, vlen, out, outlen) != 1) { error_print(); return -1; } @@ -224,7 +264,7 @@ int x509_invalidity_date_ext_to_der(int critical, time_t date, uint8_t **out, si } if (asn1_generalized_time_to_der(date, &p, &vlen) != 1 || asn1_length_le(vlen, sizeof(val)) != 1 - || x509_ext_to_der(oid, critical, val, vlen, out, outlen) != 1) { + || x509_crl_entry_ext_to_der(oid, critical, val, vlen, out, outlen) != 1) { error_print(); return -1; } @@ -248,34 +288,31 @@ int x509_cert_issuer_ext_to_der(int critical, const uint8_t *d, size_t dlen, uin } vlen = 0; if (asn1_sequence_to_der(d, dlen, &p, &vlen) != 1 - || x509_ext_to_der(oid, critical, val, vlen, out, outlen) != 1) { + || x509_crl_entry_ext_to_der(oid, critical, val, vlen, out, outlen) != 1) { error_print(); return -1; } return 1; } -int x509_crl_entry_ext_from_der(int *oid, int *critical, +int x509_crl_entry_ext_from_der_ex(int *oid, int *critical, int *reason, time_t *invalid_date, const uint8_t **cert_issuer, size_t *cert_issuer_len, const uint8_t **in, size_t *inlen) { int ret; - const uint8_t *d; - size_t dlen; const uint8_t *val; size_t vlen; - if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) { + if ((ret = x509_crl_entry_ext_from_der(oid, critical, &val, &vlen, in, inlen)) != 1) { if (ret < 0) error_print(); + else { + *reason = -1; + *invalid_date = -1; + *cert_issuer = NULL; + *cert_issuer_len = 0; + } return ret; } - if (x509_crl_entry_ext_id_from_der(oid, &d, &dlen) != 1 - || asn1_boolean_from_der(critical, &d, &dlen) < 0 - || asn1_octet_string_from_der(&val, &vlen, &d, &dlen) != 1 - || asn1_length_is_zero(dlen) != 1) { - error_print(); - return -1; - } switch (*oid) { case OID_ce_crl_reasons: if (*reason != -1) { @@ -399,11 +436,11 @@ int x509_crl_entry_exts_get(const uint8_t *d, size_t dlen, *cert_issuer_len = 0; while (dlen) { - if (x509_crl_entry_ext_from_der(&oid, &critical, reason, invalid_date, cert_issuer, cert_issuer_len, &d, &dlen) != 1) { + if (x509_crl_entry_ext_from_der_ex(&oid, &critical, reason, invalid_date, cert_issuer, cert_issuer_len, &d, &dlen) != 1) { error_print(); return -1; } - if (x509_crl_entry_ext_critical_validate(oid, critical) != 1) { + if (x509_crl_entry_ext_critical_check(oid, critical) != 1) { error_print(); return -1; } @@ -434,7 +471,7 @@ int x509_crl_entry_exts_from_der( return 1; } -int x509_crl_entry_exts_validate(const uint8_t *d, size_t dlen) +int x509_crl_entry_exts_check(const uint8_t *d, size_t dlen) { int oid; int critical; @@ -444,12 +481,12 @@ int x509_crl_entry_exts_validate(const uint8_t *d, size_t dlen) size_t cert_issuer_len = 0; while (dlen) { - if (x509_crl_entry_ext_from_der(&oid, &critical, + if (x509_crl_entry_ext_from_der_ex(&oid, &critical, &reason, &invalid_date, &cert_issuer, &cert_issuer_len, &d, &dlen) != 1) { error_print(); return -1; } - if (x509_crl_entry_ext_critical_validate(oid, critical) != 1) { + if (x509_crl_entry_ext_critical_check(oid, critical) != 1) { error_print(); return -1; } @@ -850,7 +887,7 @@ end: return -1; } -int x509_crl_ext_critical_validate(int oid, int critical) +int x509_crl_ext_critical_check(int oid, int critical) { switch (oid) { // MUST be critical @@ -992,6 +1029,7 @@ err: return -1; } +// 这类函数应该支持返回0,也就是没有加入数据,这样就不用检查输入是否为空了 int x509_crl_exts_add_authority_key_identifier( uint8_t *exts, size_t *extslen, size_t maxlen, int critical, @@ -1156,7 +1194,7 @@ int x509_crl_exts_add_authority_info_acess( return 1; } -int x509_crl_exts_validate(const uint8_t *d, size_t dlen) +int x509_crl_exts_check(const uint8_t *d, size_t dlen) { int oid; uint32_t nodes[32]; @@ -1173,7 +1211,7 @@ int x509_crl_exts_validate(const uint8_t *d, size_t dlen) error_print(); return -1; } - if (x509_crl_ext_critical_validate(oid, critical) != 1) { + if (x509_crl_ext_critical_check(oid, critical) != 1) { error_print(); return -1; } @@ -1250,7 +1288,6 @@ int x509_tbs_crl_from_der( if ((ret = asn1_sequence_from_der(&d, &dlen, in, inlen)) != 1) { if (ret < 0) error_print(); - else error_print(); return ret; } if (asn1_int_from_der(version, &d, &dlen) < 0 @@ -1313,7 +1350,7 @@ err: return -1; } -int x509_cert_list_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen) +static int x509_cert_list_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen) { int val; const uint8_t *p; @@ -1334,10 +1371,13 @@ err: int x509_crl_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen) { - int ret; - if ((ret = asn1_any_to_der(a, alen, out, outlen)) != 1) { - if (ret < 0) error_print(); - return ret; + if (x509_crl_get_issuer(a, alen, NULL, NULL) != 1) { + error_print(); + return -1; + } + if (asn1_any_to_der(a, alen, out, outlen) != 1) { + error_print(); + return -1; } return 1; } @@ -1349,67 +1389,13 @@ int x509_crl_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_ if (ret < 0) error_print(); return ret; } - return 1; -} - -int x509_crl_to_pem(const uint8_t *a, size_t alen, FILE *fp) -{ - if (pem_write(fp, "X509 CRL", a, alen) != 1) { + if (x509_crl_get_issuer(*a, *alen, NULL, NULL) != 1) { error_print(); return -1; } return 1; } -int x509_crl_from_pem(uint8_t *a, size_t *alen, size_t maxlen, FILE *fp) -{ - int ret; - if ((ret = pem_read(fp, "X509 CRL", a, alen, maxlen)) != 1) { - if (ret < 0) error_print(); - return ret; - } - return 1; -} - -/* -int x509_crl_to_fp(const uint8_t *a, size_t alen, FILE *fp) -{ - if (fwrite(a, 1, alen, fp) != alen) { - error_print(); - return -1; - } - return 1; -} - -int x509_crl_from_fp(uint8_t *a, size_t *alen, size_t maxlen, FILE *fp) -{ - size_t len; - const uint8_t *d = a; - size_t dlen; - const uint8_t *crl; - size_t crl_len; - - if (!(len = fread(a, 1, maxlen, fp))) { - if (feof(fp)) { - return 0; - } else { - error_print(); - return -1; - } - } - - dlen = len; - if (x509_crl_from_der(&crl, &crl_len, &d, &dlen) != 1 - || asn1_length_is_zero(dlen) != 1) { - error_print(); - return -1; - } - - *alen = len; - return 1; -} -*/ - int x509_crl_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen) { const uint8_t *d; @@ -1583,7 +1569,7 @@ int x509_crl_get_details(const uint8_t *a, size_t alen, return 1; } -int x509_crl_validate(const uint8_t *a, size_t alen, time_t now) +int x509_crl_check(const uint8_t *a, size_t alen, time_t now) { int version; int inner_sig_alg; @@ -1620,7 +1606,7 @@ int x509_crl_validate(const uint8_t *a, size_t alen, time_t now) return -1; } } - if (x509_crl_exts_validate(exts, exts_len) != 1) { + if (x509_crl_exts_check(exts, exts_len) != 1) { error_print(); return -1; } @@ -1807,7 +1793,7 @@ int x509_cert_check_crl(const uint8_t *cert, size_t certlen, const uint8_t *cace error_print(); return -1; } - if (x509_crl_validate(crl, crl_len, time(NULL)) != 1) { + if (x509_crl_check(crl, crl_len, time(NULL)) != 1) { error_print(); goto end; } diff --git a/src/x509_req.c b/src/x509_req.c index 996df3bf..e39aad53 100644 --- a/src/x509_req.c +++ b/src/x509_req.c @@ -208,23 +208,23 @@ int x509_req_sign_to_der( return 1; } -int x509_req_verify(const uint8_t *req, size_t reqlen, const char *signer_id, size_t signer_id_len) +int x509_req_verify(const uint8_t *a, size_t alen, const char *signer_id, size_t signer_id_len) { SM2_KEY public_key; - if (x509_req_get_details(req, reqlen, + if (x509_req_get_details(a, alen, NULL, NULL, NULL, &public_key, NULL, NULL, NULL, NULL, NULL) != 1) { error_print(); return -1; } - if (x509_signed_verify(req, reqlen, &public_key, signer_id, signer_id_len) != 1) { + if (x509_signed_verify(a, alen, &public_key, signer_id, signer_id_len) != 1) { error_print(); return -1; } return 1; } -int x509_req_get_details(const uint8_t *req, size_t reqlen, +int x509_req_get_details(const uint8_t *a, size_t alen, int *version, const uint8_t **subject, size_t *subject_len, SM2_KEY *subject_public_key, @@ -243,8 +243,8 @@ int x509_req_get_details(const uint8_t *req, size_t reqlen, size_t siglen; if (x509_request_from_der(&ver, &subj, &subj_len, &pub_key, &attrs, &attrs_len, - &sig_alg, &sig, &siglen, &req, &reqlen) != 1 - || asn1_length_is_zero(reqlen) != 1) { + &sig_alg, &sig, &siglen, &a, &alen) != 1 + || asn1_length_is_zero(alen) != 1) { error_print(); return -1; } @@ -263,6 +263,11 @@ int x509_req_get_details(const uint8_t *req, size_t reqlen, int x509_req_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen) { int ret; + if (x509_req_get_details(a, alen, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL) != 1) { + error_print(); + return -1; + } if ((ret = asn1_any_to_der(a, alen, out, outlen)) != 1) { if (ret < 0) error_print(); return ret; @@ -285,13 +290,13 @@ int x509_req_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_ return 1; } -int x509_req_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *req, size_t reqlen) +int x509_req_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen) { const uint8_t *d; size_t dlen; - if (asn1_sequence_from_der(&d, &dlen, &req, &reqlen) != 1 - || asn1_length_is_zero(reqlen) != 1) { + if (asn1_sequence_from_der(&d, &dlen, &a, &alen) != 1 + || asn1_length_is_zero(alen) != 1) { error_print(); return -1; } @@ -299,18 +304,28 @@ int x509_req_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t return 1; } -int x509_req_to_pem(const uint8_t *req, size_t reqlen, FILE *fp) +int x509_req_to_pem(const uint8_t *a, size_t alen, FILE *fp) { - if (pem_write(fp, "CERTIFICATE REQUEST", req, reqlen) <= 0) { + if (x509_req_get_details(a, alen, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL) != 1) { + error_print(); + return -1; + } + if (pem_write(fp, "CERTIFICATE REQUEST", a, alen) <= 0) { error_print(); return -1; } return 1; } -int x509_req_from_pem(uint8_t *req, size_t *reqlen, size_t maxlen, FILE *fp) +int x509_req_from_pem(uint8_t *a, size_t *alen, size_t maxlen, FILE *fp) { - if (pem_read(fp, "CERTIFICATE REQUEST", req, reqlen, maxlen) != 1) { + if (pem_read(fp, "CERTIFICATE REQUEST", a, alen, maxlen) != 1) { + error_print(); + return -1; + } + if (x509_req_get_details(a, *alen, + NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL) != 1) { error_print(); return -1; } diff --git a/tests/x509_crltest.c b/tests/x509_crltest.c index 98e14b96..c7f3d372 100644 --- a/tests/x509_crltest.c +++ b/tests/x509_crltest.c @@ -179,7 +179,7 @@ static int test_x509_crl_entry_exts(void) } x509_crl_entry_exts_print(stderr, 0, 0, "CRLEntryExtensions", d, dlen); - if (x509_crl_entry_exts_validate(d, dlen) != 1) { + if (x509_crl_entry_exts_check(d, dlen) != 1) { error_print(); return -1; } diff --git a/tools/crlverify.c b/tools/crlverify.c index 981c8a1e..f22989b2 100644 --- a/tools/crlverify.c +++ b/tools/crlverify.c @@ -121,7 +121,7 @@ bad: goto end; } - if (x509_crl_validate(crl, crl_len, time(NULL)) != 1) { + if (x509_crl_check(crl, crl_len, time(NULL)) != 1) { fprintf(stderr, "%s: invalid CRL data or format\n", prog); goto end; }