abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-05-07 08:56:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update CRL functions and tools

Browse Source
This commit is contained in:
Zhi Guan
2023-01-25 22:39:12 +08:00
parent c6ca4dd37b
commit c4c11ffe6b
21 changed files with 1854 additions and 527 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
tools/certrevoke.c Normal file
View File

@@ -0,0 +1,139 @@
/*
* Copyright 2014-2023 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/pem.h>
#include <gmssl/x509.h>
#include <gmssl/x509_crl.h>
// 20220105Z
static const char *options = "-in cert.pem [-reason str] [-invalid_date timestamp] [-out RevokedCertificate.der]";
static void print_options(FILE *fp, const char *prog)
{
int i;
fprintf(fp, "Options:\n");
fprintf(fp, " -in cert.pem Certificate in PEM format to be revoked\n");
fprintf(fp, " -reason code Revocation reason code, avaiable codes:\n");
for (i = 0; i <= X509_cr_aa_compromise; i++) {
fprintf(fp, " %s (%d)\n", x509_crl_reason_name(i), i);
}
fprintf(fp, " -invalid_date time Revocation timestamp in YYYYMMDDHHMMSSZ format\n");
fprintf(fp, " Example: -invalid_date 20221231000000Z\n");
fprintf(fp, " -out file.der Output ASN.1 RevokedCertificate in DER format\n");
fprintf(fp, "Examples:\n");
fprintf(fp, " %s -in cert1.pem -reason keyCompromise -invalid_date 20221230000000Z -out revoked_certs.der\n", prog);
fprintf(fp, " %s -in cert2.pem -reason keyCompromise -invalid_date 20221231000000Z >> revoked_certs.der\n", prog);
}
int certrevoke_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *infile = NULL;
char *outfile = NULL;
int reason = -1;
time_t invalid_date = -1;
uint8_t *cert = NULL;
size_t certlen;
uint8_t *outbuf = NULL;
uint8_t *out;
size_t outlen;
FILE *outfp = stdout;
argc--;
argv++;
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: %s %s\n", prog, options);
print_options(stdout, prog);
goto end;
} else if (!strcmp(*argv, "-in")) {
if (--argc < 1) goto bad;
infile = *(++argv);
if (x509_cert_new_from_file(&cert, &certlen, infile) != 1) {
fprintf(stderr, "%s: open cert file %s failure\n", prog, infile);
goto end;
}
} else if (!strcmp(*argv, "-out")) {
if (--argc < 1) goto bad;
outfile = *(++argv);
if (!(outfp = fopen(outfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-reason")) {
char *name;
int i;
if (--argc < 1) goto bad;
name = *(++argv);
if (x509_crl_reason_from_name(&reason, name) != 1) {
fprintf(stderr, "%s: invalid reason '%s'\n", prog, name);
fprintf(stderr, "-reason values:\n");
for (i = 0; i <= X509_cr_aa_compromise; i++) {
fprintf(stderr, " %s\n", x509_crl_reason_name(i));
}
}
} else if (!strcmp(*argv, "-invalid_date")) {
char *time_str;
if (--argc < 1) goto bad;
time_str =*(++argv);
if (asn1_time_from_str(0, &invalid_date, time_str) != 1) {
fprintf(stderr, "%s: invalid time '%s', should provide 'YYYYMMDDHHMMSSZ'\n", prog, time_str);
goto bad;
}
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
if (!infile) {
fprintf(stderr, "usage: %s %s\n", prog, options);
goto end;
}
if (x509_cert_revoke_to_der(cert, certlen, time(NULL), reason, invalid_date, NULL, 0, NULL, &outlen) != 1) {
fprintf(stderr, "%s: inner error\n", prog);
goto end;
}
if (!(outbuf = malloc(outlen))) {
fprintf(stderr, "%s: malloc failure\n", prog);
goto end;
}
out = outbuf;
outlen = 0;
if (x509_cert_revoke_to_der(cert, certlen, time(NULL), reason, invalid_date, NULL, 0, &out, &outlen) != 1) {
fprintf(stderr, "%s: inner error\n", prog);
goto end;
}
if (fwrite(outbuf, 1, outlen, outfp) != outlen) {
fprintf(stderr, "%s: output failure\n", prog);
goto end;
}
ret = 0;
end:
if (cert) free(cert);
if (outfile && outfp) fclose(outfp);
if (outbuf) free(outbuf);
return ret;
}

161
tools/crlgen.c Normal file
View File

@@ -0,0 +1,161 @@
/*
* Copyright 2014-2023 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/pem.h>
#include <gmssl/x509.h>
#include <gmssl/x509_crl.h>
#include <gmssl/file.h>
static const char *options =
"-in RevokedCertificate.der"
" -key pem -pass str -cert pem"
" [-next_update timestamp] "
" [-out crl.der]";
int crlgen_main(int argc, char **argv)
{
int ret = 1;
char *prog = argv[0];
char *infile = NULL;
uint8_t *revoked_certs = NULL;
size_t revoked_certs_len = 0;
char *outfile = NULL;
FILE *outfp = stdout;
char *keyfile = NULL;
char *pass = NULL;
FILE *keyfp = NULL;
SM2_KEY sign_key;
char *cacertfile = NULL;
uint8_t *cacert = NULL;
size_t cacert_len = 0;
const uint8_t *issuer;
size_t issuer_len;
time_t next_update = -1;
uint8_t outbuf[64 * 1024];
uint8_t *out = outbuf;
size_t outlen = 0;
argc--;
argv++;
while (argc > 0) {
if (!strcmp(*argv, "-help")) {
printf("usage: %s %s\n", prog, options);
goto end;
} else if (!strcmp(*argv, "-in")) {
if (--argc < 1) goto bad;
infile = *(++argv);
if (file_read_all(infile, &revoked_certs, &revoked_certs_len) != 1) {
fprintf(stderr, "%s: read input file failed\n", prog);
goto end;
}
} else if (!strcmp(*argv, "-out")) {
if (--argc < 1) goto bad;
outfile = *(++argv);
if (!(outfp = fopen(outfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-key")) {
if (--argc < 1) goto bad;
keyfile = *(++argv);
if (!(keyfp = fopen(keyfile, "rb"))) {
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, keyfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-pass")) {
if (--argc < 1) goto bad;
} else if (!strcmp(*argv, "-cacert")) {
if (--argc < 1) goto bad;
cacertfile = *(++argv);
if (x509_cert_new_from_file(&cacert, &cacert_len, cacertfile) != 1) {
goto end;
}
} else if (!strcmp(*argv, "-next_update")) {
if (--argc < 1) goto bad;
next_update = atoi(*(++argv));
} else {
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
goto end;
bad:
fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
goto end;
}
argc--;
argv++;
}
if (!infile) {
fprintf(stderr, "%s: '-in' option required\n", prog);
goto end;
}
if (!cacertfile) {
fprintf(stderr, "%s: '-cacert' option required\n", prog);
goto end;
}
if (!keyfile) {
fprintf(stderr, "%s: '-key' option required\n", prog);
goto end;
}
if (!pass) {
fprintf(stderr, "%s: '-pass' option required\n", prog);
goto end;
}
if (!revoked_certs || !revoked_certs_len) {
fprintf(stderr, "usage: %s %s\n", prog, options);
goto end;
}
if (x509_cert_get_subject(cacert, cacert_len, &issuer, &issuer_len) != 1) {
fprintf(stderr, "%s: parse CA certificate failure\n", prog);
goto end;
}
if (sm2_private_key_info_decrypt_from_pem(&sign_key, pass, keyfp) != 1) {
fprintf(stderr, "%s: load private key failure\n", prog);
goto end;
}
if (x509_crl_sign_to_der(
X509_version_v2,
OID_sm2sign_with_sm3,
issuer, issuer_len,
time(NULL), next_update,
revoked_certs, revoked_certs_len,
NULL, 0,
&sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH,
&out, &outlen) != 1) {
// error_print();
return -1;
}
if (fwrite(outbuf, 1, outlen, outfp) != outlen) {
fprintf(stderr, "%s: output failure\n", prog);
return -1;
}
ret = 0;
end:
//if (cert) free(cert);
if (outfile && outfp) fclose(outfp);
return ret;
}

10
tools/gmssl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
* Copyright 2014-2023 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
@@ -18,6 +18,8 @@ extern int rand_main(int argc, char **argv);
extern int certgen_main(int argc, char **argv);
extern int certparse_main(int argc, char **argv);
extern int certverify_main(int argc, char **argv);
extern int certrevoke_main(int argc, char **argv);
extern int crlgen_main(int argc, char **argv);
extern int crlparse_main(int argc, char **argv);
extern int crlverify_main(int argc, char **argv);
extern int pbkdf2_main(int argc, char **argv);
@@ -80,11 +82,13 @@ static const char *options =
" reqgen Generate certificate signing request (CSR)\n"
" reqsign Generate certificate from CSR\n"
" reqparse Parse and print a CSR\n"
" crlgen Sign a CRL with CA certificate and private key\n"
" crlparse Verify a CRL with certificate\n"
" crlverify Parse and print CRL\n"
" certgen Generate a self-signed certificate\n"
" certparse Parse and print certificates\n"
" certverify Verify certificate chain\n"
" certrevoke Revoke certificate and output RevokedCertificate in DER\n"
" cmsparse Parse cryptographic message syntax (CMS)\n"
" cmsencrypt Generate CMS EnvelopedData\n"
" cmsdecrypt Decrypt CMS EnvelopedData\n"
@@ -128,6 +132,10 @@ int main(int argc, char **argv)
return certparse_main(argc, argv);
} else if (!strcmp(*argv, "certverify")) {
return certverify_main(argc, argv);
} else if (!strcmp(*argv, "certrevoke")) {
return certrevoke_main(argc, argv);
} else if (!strcmp(*argv, "crlgen")) {
return crlgen_main(argc, argv);
} else if (!strcmp(*argv, "crlparse")) {
return crlparse_main(argc, argv);
} else if (!strcmp(*argv, "crlverify")) {