diff --git a/CMakeLists.txt b/CMakeLists.txt index 135aa932..1605b0ec 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -47,13 +47,12 @@ set(src src/hex.c src/base64.c src/pem.c - src/x509_oid.c src/x509_alg.c - src/x509_str.c src/x509_cer.c src/x509_ext.c src/x509_req.c src/x509_crl.c + src/x509_new.c src/cms.c src/sdf/sdf.c src/sdf/sdf_lib.c @@ -159,6 +158,35 @@ set(tests tls13 ) +set(demos + demo_sm2_encrypt + demo_sm2_keygen + demo_sm2_keyparse + demo_sm2_private_key + demo_sm2_private_key_parse + demo_sm2_public_key + demo_sm2_sign + demo_sm2_sign_ctx + demo_sm3 + demo_sm3_hmac + demo_sm3_kdf + demo_sm4 + demo_sm4_cbc + demo_sm4_cbc_decrypt_update + demo_sm4_cbc_encrypt_update + demo_sm4_cbc_padding + demo_sm4_ctr + demo_sm4_ctr_encrypt_update + demo_sm4_gcm + demo_sm9_encrypt + demo_sm9_keygen + demo_sm9_sign +# demo_tlcp_get +# demo_tlcp_post +# demo_wget + demo_zuc +) + option(ENABLE_TLS_DEBUG "Enable TLS and TLCP print debug message" OFF) if (ENABLE_TLS_DEBUG) @@ -283,6 +311,10 @@ if (NOT ${CMAKE_SYSTEM_NAME} STREQUAL "iOS") target_link_libraries (${name}test LINK_PUBLIC gmssl) endforeach() + foreach(name ${demos}) + add_executable(${name} demos/src/${name}.c) + target_link_libraries(${name} LINK_PUBLIC gmssl) + endforeach() install(TARGETS gmssl-bin RUNTIME DESTINATION bin) endif() diff --git a/demos/cademo.sh b/demos/scripts/cademo.sh similarity index 86% rename from demos/cademo.sh rename to demos/scripts/cademo.sh index 6ccd5db3..80bda978 100755 --- a/demos/cademo.sh +++ b/demos/scripts/cademo.sh 
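Review bot: The `foreach(name ${demos})` loop in the third hunk can only build single-file demos, which is why `demo_tlcp_get`, `demo_tlcp_post` and `demo_wget` are left commented out in the `demos` list added by the second hunk; the deleted demos/tlcp/Makefile on this page compiled `tlcp_get.c url_parser.c` together, and url_parser.c is renamed into demos/src next to them, so the two TLCP demos can get explicit targets with the extra source instead of silently dropping out of the build (whether demo_wget has the same dependency is not visible here). `LINK_PUBLIC` is the legacy keyword form; the demos are leaf executables, so `PRIVATE` is the appropriate visibility, even though the existing test loop above uses the same legacy spelling. The enclosing `if (NOT ${CMAKE_SYSTEM_NAME} STREQUAL "iOS")` block starts outside the hunk.
```cmake
foreach(name ${demos})
  add_executable(${name} demos/src/${name}.c)
  target_link_libraries(${name} PRIVATE gmssl)
endforeach()
# the TLCP demos share the URL parser, so they take a second source file
foreach(name demo_tlcp_get demo_tlcp_post)
  add_executable(${name} demos/src/${name}.c demos/src/url_parser.c)
  target_link_libraries(${name} PRIVATE gmssl)
endforeach()
```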
@@ -6,17 +6,17 @@ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 - gmssl certparse -in rootcacert.pem gmssl sm2keygen -pass 1234 -out cakey.pem -gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.pem gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem gmssl certparse -in cacert.pem gmssl sm2keygen -pass 1234 -out signkey.pem -gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem gmssl certparse -in signcert.pem gmssl sm2keygen -pass 1234 -out enckey.pem -gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem gmssl certparse -in enccert.pem diff --git a/demos/certdemo.sh b/demos/scripts/certdemo.sh similarity index 100% rename from demos/certdemo.sh rename to demos/scripts/certdemo.sh diff --git a/demos/cmsdemo.sh b/demos/scripts/cmsdemo.sh similarity index 100% rename from demos/cmsdemo.sh rename to demos/scripts/cmsdemo.sh diff --git a/demos/pbkdf2demo.sh b/demos/scripts/pbkdf2demo.sh similarity index 100% rename from demos/pbkdf2demo.sh rename to demos/scripts/pbkdf2demo.sh 
diff --git a/demos/reqdemo.sh b/demos/scripts/reqdemo.sh similarity index 89% rename from demos/reqdemo.sh rename to demos/scripts/reqdemo.sh index 3b8217a2..d178f498 100755 --- a/demos/reqdemo.sh +++ b/demos/scripts/reqdemo.sh @@ -7,13 +7,13 @@ gmssl certparse -in cacert.pem # generate a req and sign by CA certificate gmssl sm2keygen -pass 1234 -out signkey.pem -pubout pubkey.pem -gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key signkey.pem -pass 1234 -out signreq.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -key signkey.pem -pass 1234 -out signreq.pem gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem gmssl certparse -in signcert.pem # sign a encryption certificate with the same DN, different KeyUsage extension gmssl sm2keygen -pass 1234 -out enckey.pem -pubout pubkey.pem -gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key enckey.pem -pass 1234 -out encreq.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -key enckey.pem -pass 1234 -out encreq.pem gmssl reqsign -in encreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem gmssl certparse -in enccert.pem diff --git a/demos/sm2demo.sh b/demos/scripts/sm2demo.sh similarity index 100% rename from demos/sm2demo.sh rename to demos/scripts/sm2demo.sh diff --git a/demos/sm3demo.sh b/demos/scripts/sm3demo.sh similarity index 100% rename from demos/sm3demo.sh rename to demos/scripts/sm3demo.sh diff --git a/demos/sm4demo.sh b/demos/scripts/sm4demo.sh similarity index 100% rename from demos/sm4demo.sh rename to demos/scripts/sm4demo.sh diff --git a/demos/sm9demo.sh b/demos/scripts/sm9demo.sh similarity index 100% rename from demos/sm9demo.sh rename to demos/scripts/sm9demo.sh 
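Review bot: The `gmssl reqsign -in encreq.pem ...` line directly below the changed `gmssl reqgen ... -out encreq.pem` still signs the encryption certificate with `-key_usage digitalSignature`, although the comment two lines above promises "a different KeyUsage extension" and cademo.sh in this same commit uses `-key_usage keyEncipherment` for its enccert.pem. As written the demo produces two certificates that differ only in key, not in usage, so it no longer demonstrates what the comment says. Suggest `gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem`.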
diff --git a/demos/tlcp_client.sh b/demos/scripts/tlcp_client.sh similarity index 100% rename from demos/tlcp_client.sh rename to demos/scripts/tlcp_client.sh diff --git a/demos/tlcp_server.sh b/demos/scripts/tlcp_server.sh similarity index 100% rename from demos/tlcp_server.sh rename to demos/scripts/tlcp_server.sh diff --git a/demos/tlcpdemo.sh b/demos/scripts/tlcpdemo.sh similarity index 100% rename from demos/tlcpdemo.sh rename to demos/scripts/tlcpdemo.sh diff --git a/demos/tls12demo.sh b/demos/scripts/tls12demo.sh similarity index 100% rename from demos/tls12demo.sh rename to demos/scripts/tls12demo.sh diff --git a/demos/tls13demo.sh b/demos/scripts/tls13demo.sh similarity index 100% rename from demos/tls13demo.sh rename to demos/scripts/tls13demo.sh diff --git a/demos/zucdemo.sh b/demos/scripts/zucdemo.sh similarity index 100% rename from demos/zucdemo.sh rename to demos/scripts/zucdemo.sh diff --git a/demos/sm2/Makefile b/demos/sm2/Makefile deleted file mode 100644 index 851b0cc9..00000000 --- a/demos/sm2/Makefile +++ /dev/null @@ -1,18 +0,0 @@ -all: - cc sm2_keygen_demo.c -lgmssl -o sm2_keygen_demo - cc sm2_private_key_demo.c -lgmssl -o sm2_private_key_demo - cc sm2_private_key_parse_demo.c -lgmssl -o sm2_private_key_parse_demo - cc sm2_public_key_demo.c -lgmssl -o sm2_public_key_demo - cc sm2_sign_demo.c -lgmssl -o sm2_sign_demo - cc sm2_sign_ctx_demo.c -lgmssl -o sm2_sign_ctx_demo - cc sm2_encrypt_demo.c -lgmssl -o sm2_encrypt_demo - -clear: - rm -fr sm2_keygen_demo - rm -fr sm2_private_key_demo - rm -fr sm2_private_key_parse_demo - rm -fr sm2_public_key_demo - rm -fr sm2_sign_demo - rm -fr sm2_sign_ctx_demo - rm -fr sm2_encrypt_demo - diff --git a/demos/sm3/CMakeLists.txt b/demos/sm3/CMakeLists.txt deleted file mode 100644 index 27daa262..00000000 --- a/demos/sm3/CMakeLists.txt +++ /dev/null 
@@ -1,12 +0,0 @@ -cmake_minimum_required(VERSION 3.0) -project(sm3demo) - -include_directories(/usr/local/include) -link_directories(/usr/local/lib) - -add_executable(sm3_demo sm3_demo.c) -add_executable(sm3_hmac_demo sm3_hmac_demo.c) -add_executable(sm3_kdf_demo sm3_kdf_demo.c) -target_link_libraries(sm3_demo gmssl) -target_link_libraries(sm3_hmac_demo gmssl) -target_link_libraries(sm3_kdf_demo gmssl) diff --git a/demos/sm3/Makefile b/demos/sm3/Makefile deleted file mode 100644 index 1c31e1ce..00000000 --- a/demos/sm3/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -all: - cc sm3_demo.c -lgmssl -o sm3_demo - cc sm3_hmac_demo.c -lgmssl -o sm3_hmac_demo - cc sm3_kdf_demo.c -lgmssl -o sm3_kdf_demo -clean: - rm -fr sm3_demo - rm -fr sm3_hmac_demo - rm -fr sm3_kdf_demo - diff --git a/demos/sm4/Makefile b/demos/sm4/Makefile deleted file mode 100644 index f3adb612..00000000 --- a/demos/sm4/Makefile +++ /dev/null @@ -1,22 +0,0 @@ -all: - cc sm4_demo.c -lgmssl -o sm4_demo - cc sm4_cbc_demo.c -lgmssl -o sm4_cbc_demo - cc sm4_cbc_padding_demo.c -lgmssl -o sm4_cbc_padding_demo - cc sm4_ctr_demo.c -lgmssl -o sm4_ctr_demo - cc sm4_gcm_demo.c -lgmssl -o sm4_gcm_demo - cc sm4_cbc_encrypt_update_demo.c -lgmssl -o sm4_cbc_encrypt_update_demo - cc sm4_cbc_decrypt_update_demo.c -lgmssl -o sm4_cbc_decrypt_update_demo - cc sm4_ctr_encrypt_update_demo.c -lgmssl -o sm4_ctr_encrypt_update_demo - cc sm4_ctr_encrypt_update_demo.c -lgmssl -o sm4_ctr_decrypt_update_demo - -clean: - rm -fr sm4_demo - rm -fr sm4_cbc_demo - rm -fr sm4_cbc_padding_demo - rm -fr sm4_ctr_demo - rm -fr sm4_gcm_demo - rm -fr sm4_cbc_encrypt_update_demo - rm -fr sm4_cbc_decrypt_update_demo - rm -fr sm4_ctr_encrypt_update_demo - rm -fr sm4_ctr_decrypt_update_demo - diff --git a/demos/sm9/Makefile b/demos/sm9/Makefile deleted file mode 100644 index 96e469f3..00000000 --- a/demos/sm9/Makefile +++ /dev/null 
@@ -1,10 +0,0 @@ -all: - cc sm9_keygen_demo.c -lgmssl -o sm9_keygen_demo - cc sm9_sign_demo.c -lgmssl -o sm9_sign_demo - cc sm9_encrypt_demo.c -lgmssl -o sm9_encrypt_demo - -clean: - rm -fr sm9_keygen_demo - rm -fr sm9_sign_demo - rm -fr sm9_encrypt_demo - diff --git a/demos/sm2/sm2_encrypt_demo.c b/demos/src/demo_sm2_encrypt.c similarity index 100% rename from demos/sm2/sm2_encrypt_demo.c rename to demos/src/demo_sm2_encrypt.c diff --git a/demos/sm2/sm2_keygen_demo.c b/demos/src/demo_sm2_keygen.c similarity index 100% rename from demos/sm2/sm2_keygen_demo.c rename to demos/src/demo_sm2_keygen.c diff --git a/demos/sm2/sm2keyparse.c b/demos/src/demo_sm2_keyparse.c similarity index 100% rename from demos/sm2/sm2keyparse.c rename to demos/src/demo_sm2_keyparse.c diff --git a/demos/sm2/sm2_private_key_demo.c b/demos/src/demo_sm2_private_key.c similarity index 100% rename from demos/sm2/sm2_private_key_demo.c rename to demos/src/demo_sm2_private_key.c diff --git a/demos/sm2/sm2_private_key_parse_demo.c b/demos/src/demo_sm2_private_key_parse.c similarity index 100% rename from demos/sm2/sm2_private_key_parse_demo.c rename to demos/src/demo_sm2_private_key_parse.c diff --git a/demos/sm2/sm2_public_key_demo.c b/demos/src/demo_sm2_public_key.c similarity index 100% rename from demos/sm2/sm2_public_key_demo.c rename to demos/src/demo_sm2_public_key.c diff --git a/demos/sm2/sm2_sign_demo.c b/demos/src/demo_sm2_sign.c similarity index 100% rename from demos/sm2/sm2_sign_demo.c rename to demos/src/demo_sm2_sign.c diff --git a/demos/sm2/sm2_sign_ctx_demo.c b/demos/src/demo_sm2_sign_ctx.c similarity index 100% rename from demos/sm2/sm2_sign_ctx_demo.c rename to demos/src/demo_sm2_sign_ctx.c diff --git a/demos/sm3/sm3_demo.c b/demos/src/demo_sm3.c similarity index 100% rename from demos/sm3/sm3_demo.c rename to demos/src/demo_sm3.c 
diff --git a/demos/sm3/sm3_hmac_demo.c b/demos/src/demo_sm3_hmac.c similarity index 100% rename from demos/sm3/sm3_hmac_demo.c rename to demos/src/demo_sm3_hmac.c diff --git a/demos/sm3/sm3_kdf_demo.c b/demos/src/demo_sm3_kdf.c similarity index 100% rename from demos/sm3/sm3_kdf_demo.c rename to demos/src/demo_sm3_kdf.c diff --git a/demos/sm4/sm4_demo.c b/demos/src/demo_sm4.c similarity index 100% rename from demos/sm4/sm4_demo.c rename to demos/src/demo_sm4.c diff --git a/demos/sm4/sm4_cbc_demo.c b/demos/src/demo_sm4_cbc.c similarity index 100% rename from demos/sm4/sm4_cbc_demo.c rename to demos/src/demo_sm4_cbc.c diff --git a/demos/sm4/sm4_cbc_decrypt_update_demo.c b/demos/src/demo_sm4_cbc_decrypt_update.c similarity index 100% rename from demos/sm4/sm4_cbc_decrypt_update_demo.c rename to demos/src/demo_sm4_cbc_decrypt_update.c diff --git a/demos/sm4/sm4_cbc_encrypt_update_demo.c b/demos/src/demo_sm4_cbc_encrypt_update.c similarity index 100% rename from demos/sm4/sm4_cbc_encrypt_update_demo.c rename to demos/src/demo_sm4_cbc_encrypt_update.c diff --git a/demos/sm4/sm4_cbc_padding_demo.c b/demos/src/demo_sm4_cbc_padding.c similarity index 100% rename from demos/sm4/sm4_cbc_padding_demo.c rename to demos/src/demo_sm4_cbc_padding.c diff --git a/demos/sm4/sm4_ctr_demo.c b/demos/src/demo_sm4_ctr.c similarity index 100% rename from demos/sm4/sm4_ctr_demo.c rename to demos/src/demo_sm4_ctr.c diff --git a/demos/sm4/sm4_ctr_encrypt_update_demo.c b/demos/src/demo_sm4_ctr_encrypt_update.c similarity index 100% rename from demos/sm4/sm4_ctr_encrypt_update_demo.c rename to demos/src/demo_sm4_ctr_encrypt_update.c diff --git a/demos/sm4/sm4_gcm_demo.c b/demos/src/demo_sm4_gcm.c similarity index 100% rename from demos/sm4/sm4_gcm_demo.c rename to demos/src/demo_sm4_gcm.c diff --git a/demos/sm9/sm9_encrypt_demo.c b/demos/src/demo_sm9_encrypt.c similarity index 100% rename from demos/sm9/sm9_encrypt_demo.c rename to demos/src/demo_sm9_encrypt.c 
diff --git a/demos/sm9/sm9_keygen_demo.c b/demos/src/demo_sm9_keygen.c similarity index 100% rename from demos/sm9/sm9_keygen_demo.c rename to demos/src/demo_sm9_keygen.c diff --git a/demos/sm9/sm9_sign_demo.c b/demos/src/demo_sm9_sign.c similarity index 100% rename from demos/sm9/sm9_sign_demo.c rename to demos/src/demo_sm9_sign.c diff --git a/demos/tlcp/tlcp_get.c b/demos/src/demo_tlcp_get.c similarity index 100% rename from demos/tlcp/tlcp_get.c rename to demos/src/demo_tlcp_get.c diff --git a/demos/tlcp/tlcp_post.c b/demos/src/demo_tlcp_post.c similarity index 100% rename from demos/tlcp/tlcp_post.c rename to demos/src/demo_tlcp_post.c diff --git a/demos/wget.c b/demos/src/demo_wget.c similarity index 100% rename from demos/wget.c rename to demos/src/demo_wget.c diff --git a/demos/zuc/zuc_demo.c b/demos/src/demo_zuc.c similarity index 100% rename from demos/zuc/zuc_demo.c rename to demos/src/demo_zuc.c diff --git a/demos/tlcp/url_parser.c b/demos/src/url_parser.c similarity index 100% rename from demos/tlcp/url_parser.c rename to demos/src/url_parser.c diff --git a/demos/tlcp/url_parser.h b/demos/src/url_parser.h similarity index 100% rename from demos/tlcp/url_parser.h rename to demos/src/url_parser.h diff --git a/demos/tlcp/Makefile b/demos/tlcp/Makefile deleted file mode 100644 index 44462eec..00000000 --- a/demos/tlcp/Makefile +++ /dev/null @@ -1,8 +0,0 @@ -all: - cc tlcp_get.c url_parser.c -lgmssl -o tlcp_get - cc tlcp_post.c url_parser.c -lgmssl -o tlcp_post - -clean: - rm -fr tlcp_get - rm -fr tlcp_post - diff --git a/demos/zuc/Makefile b/demos/zuc/Makefile deleted file mode 100644 index 18e178f8..00000000 --- a/demos/zuc/Makefile +++ /dev/null @@ -1,8 +0,0 @@ -all: - cc zuc_demo.c -lgmssl -o zuc_encrypt_demo - cc zuc_demo.c -lgmssl -o zuc_decrypt_demo - -clean: - rm -fr zuc_encrypt_demo - rm -fr zuc_decrypt_demo - diff --git a/include/gmssl/x509.h b/include/gmssl/x509.h index d9e34726..0ba72cd8 100644 --- a/include/gmssl/x509.h 
+++ b/include/gmssl/x509.h @@ -24,36 +24,6 @@ extern "C" { #endif -/* -X509 Public API - - x509_name_add_rdn - x509_name_add_country_name - x509_name_add_state_or_province_name - x509_name_add_locality_name - x509_name_add_organization_name - x509_name_add_organizational_unit_name - x509_name_add_common_name - x509_name_add_domain_component - x509_name_to_der - x509_name_from_der - x509_name_print - x509_name_get_value_by_type - x509_name_get_common_name - - x509_cert_sign - x509_cert_verify - x509_cert_verify_by_ca_cert - x509_cert_get_issuer_and_serial_number - x509_cert_get_issuer - x509_cert_get_subject - x509_cert_get_subject_public_key - x509_cert_to_der - x509_cert_from_der - x509_cert_to_pem - x509_cert_from_pem - x509_cert_print -*/ enum X509_Version { X509_version_v1 = 0, 
@@ -114,23 +84,28 @@ AttributeTypeAndValue ::= SEQUENCE { value ANY -- DEFINED BY AttributeType } id-at - name DirectoryName 1..ub-name - surname DirectoryName 1..ub-name - givenName DirectoryName 1..ub-name - initials DirectoryName 1..ub-name - generationQualifier DirectoryName 1..ub-name - commonName DirectoryName 1..ub-common-name - localityName DirectoryName 1..ub-locality-name - stateOrProvinceName DirectoryName 1..ub-state-name - organizationName DirectoryName 1..ub-organization-name - organizationalUnitName DirectoryName 1..ub-organizational-unit-name - title DirectoryName 1..ub-title - dnQualifier PrintableString N/A - countryName PrintableString 2..2 - serialNumber PrintableString 1..ub-serial-number - pseudonym DirectoryName 1..ub-pseudonym - domainComponent IA5String N/A + OID_at_name name DirectoryName 1..ub-name + OID_at_surname surname DirectoryName 1..ub-name + OID_at_given_name givenName DirectoryName 1..ub-name + OID_at_initials initials DirectoryName 1..ub-name + OID_at_generation_qualifier generationQualifier DirectoryName 1..ub-name + OID_at_common_name commonName DirectoryName 1..ub-common-name + OID_at_locality_name localityName DirectoryName 1..ub-locality-name + OID_at_state_or_province_name stateOrProvinceName DirectoryName 1..ub-state-name + OID_at_organization_name organizationName DirectoryName 1..ub-organization-name + OID_at_organizational_unit_name organizationalUnitName DirectoryName 1..ub-organizational-unit-name + OID_at_title title DirectoryName 1..ub-title + OID_at_dn_qualifier dnQualifier PrintableString N/A + OID_at_country_name countryName PrintableString 2..2 + OID_at_serial_number serialNumber PrintableString 1..ub-serial-number + OID_at_pseudonym pseudonym DirectoryName 1..ub-pseudonym + OID_domain_component domainComponent IA5String N/A */ +const char *x509_name_type_name(int oid); +int x509_name_type_from_name(const char *name); +int x509_name_type_from_der(int *oid, const uint8_t **in, size_t *inlen); +int 
x509_name_type_to_der(int oid, uint8_t **out, size_t *outlen); + #define X509_ub_name 32768 #define X509_ub_common_name 64 #define X509_ub_locality_name 128 @@ -156,16 +131,6 @@ int x509_rdn_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t /* Name ::= SEQUENCE OF RelativeDistinguishedName - -Example: - SEQUENCE LEN - SET LEN - SEQUENCE LEN OID=countryName, String=CN - SET LEN - SEQUENCE LEN OID=stateName, String=CN - SEQUENCE LEN OID=unknown, String=ABC - SET LEN - SEQUENCE LEN OID=commonNmame, String=ABC */ int x509_name_add_rdn(uint8_t *d, size_t *dlen, size_t maxlen, int oid, int tag, const uint8_t *val, size_t vlen, const uint8_t *more, size_t mlen); int x509_name_add_country_name(uint8_t *d, size_t *dlen, size_t maxlen, const char val[2] ); // val: PrintableString SIZE(2) 
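Review bot: The four `x509_name_type_*` prototypes added at the end of this hunk come from include/gmssl/x509_oid.h, which the commit deletes outright; every declaration that header held reappears in x509.h or x509_ext.h on this page, but any consumer that includes `<gmssl/x509_oid.h>` stops compiling, so a one-line compatibility header that includes x509.h and x509_ext.h, or at least a release-note entry, would make the move non-breaking. The prototypes carry no comment on what `int oid` holds, while the table above now lists the `OID_at_*` names; a line such as `// oid is one of the OID_at_* / OID_domain_component values listed above; *_from_der returns the parsed value through *oid` above them would tie the two together. What `x509_name_type_from_der` does with an OID outside that table is not visible here.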
@@ -208,7 +173,30 @@ Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING -- contains the DER encoding of an ASN.1 value + +id-ce: + OID_ce_authority_key_identifier + OID_ce_subject_key_identifier + OID_ce_key_usage + OID_ce_certificate_policies + OID_ce_policy_mappings + OID_ce_subject_alt_name + OID_ce_issuer_alt_name + OID_ce_subject_directory_attributes + OID_ce_basic_constraints + OID_ce_name_constraints + OID_ce_policy_constraints + OID_ce_ext_key_usage + OID_ce_crl_distribution_points + OID_ce_inhibit_any_policy + OID_ce_freshest_crl + OID_netscape_cert_comment */ +const char *x509_ext_id_name(int oid); +int x509_ext_id_from_name(const char *name); +int x509_ext_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_count, const uint8_t **in, size_t *inlen); +int x509_ext_id_to_der(int oid, uint8_t **out, size_t *outlen); + int x509_ext_to_der(int oid, int critical, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen); int x509_ext_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, int *critical, const uint8_t **val, size_t *vlen, const uint8_t **in, size_t *inlen); int x509_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); @@ -286,11 +274,6 @@ int x509_certificate_from_der( const uint8_t **sig, size_t *siglen, const uint8_t **in, size_t *inlen); -int x509_signed_to_der( - const uint8_t *tbs, size_t tbslen, - int signature_algor, - const uint8_t *sig, size_t siglen, - uint8_t **out, size_t *outlen); int x509_signed_from_der( const uint8_t **tbs, size_t *tbslen, int *signature_algor, 
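Review bot: `x509_ext_id_from_der` in this hunk returns both `int *oid` and a `uint32_t *nodes, size_t *nodes_count` pair, while `x509_ext_id_to_der` takes only `int oid`, so an extension identifier outside the `OID_ce_*` list above presumably comes back as raw nodes that cannot be re-encoded through the same pair of functions; a comment stating what `*oid` and `*nodes` hold for an unrecognised id, and what a caller is expected to do with it, would stop callers from assuming round-trip symmetry. The parameter is spelled `nodes_count` here but `nodes_cnt` in `x509_ext_from_der` two lines below; one spelling keeps the header greppable. Whether unknown extension OIDs are accepted or rejected by the implementation is not visible in this diff.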
@@ -301,8 +284,6 @@ int x509_signed_verify(const uint8_t *a, size_t alen, const SM2_KEY *pub_key, int x509_signed_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen, const char *signer_id, size_t signer_id_len); -//int x509_certificate_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); - // x509_cert functions int x509_cert_sign_to_der( int version, @@ -317,22 +298,6 @@ int x509_cert_sign_to_der( const uint8_t *exts, size_t exts_len, const SM2_KEY *sign_key, const char *signer_id, size_t signer_id_len, uint8_t **out, size_t *outlen); -/* -int x509_cert_sign( - uint8_t *cert, size_t *certlen, size_t maxlen, - int version, - const uint8_t *serial, size_t serial_len, - int signature_algor, - const uint8_t *issuer, size_t issuer_len, - time_t not_before, time_t not_after, - const uint8_t *subject, size_t subject_len, - const SM2_KEY *subject_public_key, - const uint8_t *issuer_unique_id, size_t issuer_unique_id_len, - const uint8_t *subject_unique_id, size_t subject_unique_id_len, - const uint8_t *exts, size_t exts_len, - const SM2_KEY *sign_key, - const char *signer_id, size_t signer_id_len); -*/ int x509_cert_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen); int x509_cert_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_t *inlen); 
@@ -357,9 +322,20 @@ int x509_cert_get_details(const uint8_t *a, size_t alen, const uint8_t **extensions, size_t *extensions_len, int *signature_algor, const uint8_t **signature, size_t *signature_len); -int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type, int *path_len_constraints); +typedef enum { + X509_cert_server_auth, + X509_cert_client_auth, + X509_cert_server_key_encipher, + X509_cert_client_key_encipher, + X509_cert_ca, + X509_cert_root_ca, + X509_cert_crl_sign, +} X509_CERT_TYPE; + +int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type, int *path_len_constraints); + /* IssuerAndSerialNumber ::= SEQUENCE { isser Name, @@ -390,20 +366,12 @@ int x509_certs_get_cert_by_issuer_and_serial_number( const uint8_t *serial, size_t serial_len, const uint8_t **cert, size_t *cert_len); - -typedef enum { - X509_verify_err_cert_revoked = -2, - X509_verify_err_cert_not_yet_valid = -3, - X509_verify_err_cert_has_expired = -4, - X509_verify_err_cert_chain_too_long = -5, -} X509_VERIFY_ERR; - typedef enum { X509_cert_chain_server, X509_cert_chain_client, } X509_CERT_CHAIN_TYPE; -#define X509_MAX_VERIFY_DEPTH 6 // TODO: any requirement from CA/B or OpenSSL? +#define X509_MAX_VERIFY_DEPTH 6 int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type, const uint8_t *rootcerts, size_t rootcertslen, int depth, int *verify_result); int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type, @@ -416,18 +384,6 @@ int x509_cert_new_from_file(uint8_t **out, size_t *outlen, const char *file); int x509_certs_new_from_file(uint8_t **out, size_t *outlen, const char *file); -typedef enum { - X509_cert_server_auth, - X509_cert_client_auth, - X509_cert_server_key_encipher, - X509_cert_client_key_encipher, - X509_cert_ca, - X509_cert_root_ca, - X509_cert_crl_sign, -} X509_CERT_TYPE; - - - #ifdef __cplusplus } #endif diff --git a/include/gmssl/x509_crl.h b/include/gmssl/x509_crl.h index 3aaed1be..76a9e941 100644 
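Review bot: The `X509_VERIFY_ERR` enum (`X509_verify_err_cert_revoked`, `X509_verify_err_cert_not_yet_valid`, `X509_verify_err_cert_has_expired`, `X509_verify_err_cert_chain_too_long`) is deleted in the `@@ -390,20 +366,12 @@` hunk, yet `x509_certs_verify` and `x509_certs_verify_tlcp` keep their `int *verify_result` out-parameter, so users of the public header now have no named values to compare the result against; unless the enum moved to a header not shown here, it should stay, or `verify_result` should be documented with the values it can take. The same hunk also drops the `// TODO: any requirement from CA/B or OpenSSL?` note on `X509_MAX_VERIFY_DEPTH 6` without recording an answer; a short comment stating what the constant bounds (presumably the `depth` argument of `x509_certs_verify`) would preserve the intent. In the first hunk, `x509_cert_check` still takes `int cert_type` even though `X509_CERT_TYPE` is now declared immediately above it; using the enum type in the prototype documents the accepted values for free.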
--- a/include/gmssl/x509_crl.h +++ b/include/gmssl/x509_crl.h @@ -57,18 +57,17 @@ int x509_crl_entry_ext_id_from_name(const char *name); int x509_crl_entry_ext_id_to_der(int oid, uint8_t **out, size_t *outlen); int x509_crl_entry_ext_id_from_der(int *oid, const uint8_t **in, size_t *inlen); -int x509_crl_entry_ext_critical_check(int oid, int critical); - - int x509_crl_entry_ext_to_der(int oid, int critical, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen); +int x509_crl_entry_ext_from_der(int *oid, int *critical, const uint8_t **val, size_t *vlen, const uint8_t **in, size_t *inlen); +int x509_crl_entry_ext_critical_check(int oid, int critical); +int x509_crl_entry_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); + int x509_crl_reason_ext_to_der(int critical, int reason, uint8_t **out, size_t *outlen); int x509_invalidity_date_ext_to_der(int critical, time_t date, uint8_t **out, size_t *outlen); int x509_cert_issuer_ext_to_der(int critical, const uint8_t *d, size_t dlen, uint8_t **out, size_t *outlen); -int x509_crl_entry_ext_from_der(int *oid, int *critical, const uint8_t **val, size_t *vlen, const uint8_t **in, size_t *inlen); int x509_crl_entry_ext_from_der_ex(int *oid, int *critical, int *reason, time_t *invalid_date, const uint8_t **cert_issuer, size_t *cert_issuer_len, const uint8_t **in, size_t *inlen); -int x509_crl_entry_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); int x509_crl_entry_exts_to_der( int reason, time_t invalid_date, const uint8_t *cert_issuer, size_t cert_issuer_len, @@ -81,7 +80,6 @@ int x509_crl_entry_exts_get(const uint8_t *d, size_t dlen, int x509_crl_entry_exts_check(const uint8_t *d, size_t dlen); int x509_crl_entry_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); - /* RevokedCertificate ::= SEQUENCE { userCertificate CertificateSerialNumber, 
@@ -143,7 +141,6 @@ IssuingDistributionPoint ::= SEQUENCE { indirectCRL [4] IMPLICIT BOOLEAN DEFAULT FALSE, onlyContainsAttributeCerts [5] IMPLICIT BOOLEAN DEFAULT FALSE } */ - int x509_issuing_distribution_point_to_der( const char *dist_point_uri, size_t dist_point_uri_len, int only_contains_user_certs, @@ -162,11 +159,11 @@ int x509_issuing_distribution_point_from_der( const uint8_t **in, size_t *inlen); int x509_issuing_distribution_point_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); -int x509_crl_ext_critical_check(int oid, int critical); int x509_crl_ext_to_der(int oid, int critical, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen); int x509_crl_ext_from_der_ex(int *oid, uint32_t *nodes, size_t *nodes_cnt, int *critical, const uint8_t **val, size_t *vlen, const uint8_t **in, size_t *inlen); +int x509_crl_ext_critical_check(int oid, int critical); int x509_crl_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); @@ -211,12 +208,11 @@ int x509_crl_exts_add_authority_info_acess( const char *ca_issuers_uri, size_t ca_issuers_urilen, const char *ocsp_uri, size_t ocsp_urilen); -int x509_crl_exts_check(const uint8_t *d, size_t dlen); #define x509_crl_exts_to_der(d,dlen,out,outlen) x509_explicit_exts_to_der(0,d,dlen,out,outlen) #define x509_crl_exts_from_der(d,dlen,in,inlen) x509_explicit_exts_from_der(0,d,dlen,in,inlen) +int x509_crl_exts_check(const uint8_t *d, size_t dlen); int x509_crl_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); - /* TBSCertList ::= SEQUENCE { version INTEGER OPTIONAL, -- if present, MUST be v2 
@@ -253,8 +249,6 @@ CertificateList ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } */ - -// x509_crl_ functions int x509_crl_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen); int x509_crl_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_t *inlen); int x509_crl_to_pem(const uint8_t *a, size_t alen, FILE *fp); @@ -300,8 +294,8 @@ int x509_crl_get_revoked_certs(const uint8_t *a, size_t alen, const uint8_t **d, int x509_crl_find_revoked_cert_by_serial_number(const uint8_t *a, size_t alen, const uint8_t *serial, size_t serial_len, time_t *revoke_date, const uint8_t **entry_exts, size_t *entry_exts_len); -int x509_crls_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); +int x509_crls_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); int x509_crl_new_from_uri(uint8_t **crl, size_t *crl_len, const char *uri, size_t urilen); int x509_crl_new_from_cert(uint8_t **crl, size_t *crl_len, const uint8_t *cert, size_t certlen); diff --git a/include/gmssl/x509_ext.h b/include/gmssl/x509_ext.h index 6f04ca1a..0765fd89 100644 --- a/include/gmssl/x509_ext.h +++ b/include/gmssl/x509_ext.h @@ -116,12 +116,12 @@ int x509_edi_party_name_print(FILE *fp, int fmt, int ind, const char *label, con /* GeneralName ::= CHOICE { - otherName [0] IMPLICIT OtherName, -- 只在GeneralName中出现 + otherName [0] IMPLICIT OtherName, -- Only in GeneralName rfc822Name [1] IMPLICIT IA5String, dNSName [2] IMPLICIT IA5String, x400Address [3] IMPLICIT ORAddress, - directoryName [4] IMPLICIT Name, -- SEQENCE OF,因此是d,dlen - ediPartyName [5] IMPLICIT EDIPartyName, -- 只在GeneralName中出现 + directoryName [4] IMPLICIT Name, -- SEQENCE OF + ediPartyName [5] IMPLICIT EDIPartyName, -- Only in GeneralName uniformResourceIdentifier [6] IMPLICIT IA5String, iPAddress [7] IMPLICIT OCTET STRING, -- 4 bytes or string? registeredID [8] IMPLICIT OBJECT IDENTIFIER } 
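Review bot: The rewritten `directoryName [4] IMPLICIT Name, -- SEQENCE OF` line in the x509_ext.h hunk keeps the `SEQENCE` typo and drops the second half of the original note, which said the value is passed as a (d, dlen) pair; suggest `directoryName [4] IMPLICIT Name, -- SEQUENCE OF, passed as (d, dlen)`. The `iPAddress [7] IMPLICIT OCTET STRING, -- 4 bytes or string?` question on the unchanged line below is left open; if the answer is known, this comment rewrite is the place to record it. The translations of the `otherName` and `ediPartyName` notes read fine.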
@@ -276,10 +276,19 @@ PolicyQualifierInfo ::= SEQUENCE { policyQualifierId PolicyQualifierId, qualifier ANY DEFINED BY policyQualifierId } +id-qt + OID_qt_cps + OID_qt_unotice + switch(policyQualifierId) case id-qt-cps : qualifier ::= IA5String case id-qt-unotice : qualifier ::= UserNotice */ +const char *x509_qualifier_id_name(int oid); +int x509_qualifier_id_from_name(const char *name); +int x509_qualifier_id_from_der(int *oid, const uint8_t **in, size_t *inlen); +int x509_qualifier_id_to_der(int oid, uint8_t **out, size_t *outlen); + int x509_policy_qualifier_info_to_der( int oid, const uint8_t *qualifier, size_t qualifier_len, @@ -300,7 +309,13 @@ PolicyInformation ::= SEQUENCE { policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL } CertPolicyId ::= OBJECT IDENTIFIER -- undefined + + OID_any_policy */ +char *x509_cert_policy_id_name(int oid); +int x509_cert_policy_id_from_name(const char *name); +int x509_cert_policy_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen); +int x509_cert_policy_id_to_der(int oid, const uint32_t *nodes, size_t nodes_cnt, uint8_t **out, size_t *outlen); int x509_policy_information_to_der( int policy_oid, const uint32_t *policy_nodes, size_t policy_nodes_cnt, @@ -413,8 +428,7 @@ int x509_general_subtree_print(FILE *fp, int fmt, int ind, const char *label, co /* GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree */ -// 应该参考general_names_add_xxx来改写这个函数,只是不知道这个函数用的多不多 -int x509_general_subtrees_add_general_subtree(uint8_t *d, size_t *dlen, size_t maxlen, // 这个功能和general_names很类似,只是多了一点点内容 +int x509_general_subtrees_add_general_subtree(uint8_t *d, size_t *dlen, size_t maxlen, int base_choice, const uint8_t *base, size_t base_len, int minimum, int maximum); int x509_general_subtrees_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen); 
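Review bot: `char *x509_cert_policy_id_name(int oid)` in the second hunk is the only `*_name` accessor on this page that returns a non-const pointer; its siblings `x509_qualifier_id_name`, `x509_ext_id_name` and `x509_key_purpose_name` all return `const char *`, and a name looked up from an OID table should not be writable through the returned pointer. Suggest `const char *x509_cert_policy_id_name(int oid);`; the declaration was already `char *` in the deleted x509_oid.h, so this is carried over rather than introduced, but the move is the natural place to fix it. The third hunk removes the note that `x509_general_subtrees_add_general_subtree` should be reworked along the lines of `general_names_add_*` without doing the rework; if that is still intended, keep an English TODO rather than dropping it.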
@@ -453,6 +467,7 @@ ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId KeyPurposeId: OID_any_extended_key_usage + id-kp OID_kp_server_auth OID_kp_client_auth OID_kp_code_signing @@ -461,6 +476,12 @@ KeyPurposeId: OID_kp_ocsp_signing */ #define X509_MAX_KEY_PURPOSES 7 +const char *x509_key_purpose_name(int oid); +const char *x509_key_purpose_text(int oid); +int x509_key_purpose_from_name(const char *name); +int x509_key_purpose_from_der(int *oid, const uint8_t **in, size_t *inlen); +int x509_key_purpose_to_der(int oid, uint8_t **out, size_t *outlen); + int x509_ext_key_usage_to_der(const int *oids, size_t oids_cnt, uint8_t **out, size_t *outlen); int x509_ext_key_usage_from_der(int *oids, size_t *oids_cnt, size_t max_cnt, const uint8_t **in, size_t *inlen); int x509_ext_key_usage_check(const int *oids, size_t oids_cnt, int cert_type); diff --git a/include/gmssl/x509_oid.h b/include/gmssl/x509_oid.h deleted file mode 100644 index 9140699a..00000000 --- a/include/gmssl/x509_oid.h +++ /dev/null 
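Review bot: `x509_key_purpose_name` and `x509_key_purpose_text` are declared side by side with nothing saying how their two strings differ, and the implementation is not in this diff; a one-line comment above each stating what is returned (an identifier versus descriptive text, if that is the split — confirm against the .c file) would spare readers a trip into the source. `#define X509_MAX_KEY_PURPOSES 7` now sits directly above the new block and the comment above lists exactly seven KeyPurposeId values (`OID_any_extended_key_usage` plus six `OID_kp_*`); a note such as `// number of entries in the KeyPurposeId list above; keep in step with the table` would make clear the two must grow together.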
@@ -1,112 +0,0 @@ -/* - * Copyright 2014-2022 The GmSSL Project. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the License); you may - * not use this file except in compliance with the License. - * - * http://www.apache.org/licenses/LICENSE-2.0 - */ - - -#ifndef GMSSL_X509_OID_H -#define GMSSL_X509_OID_H - - -#include -#include -#include -#include -#include -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/* -id-at: - OID_at_name - OID_at_surname - OID_at_given_name - OID_at_initials - OID_at_generation_qualifier - OID_at_common_name - OID_at_locality_name - OID_at_state_or_province_name - OID_at_organization_name - OID_at_organizational_unit_name - OID_at_title - OID_at_dn_qualifier - OID_at_country_name - OID_at_serial_number - OID_at_pseudonym - OID_domain_component -*/ -const char *x509_name_type_name(int oid); -int x509_name_type_from_name(const char *name); -int x509_name_type_from_der(int *oid, const uint8_t **in, size_t *inlen); -int x509_name_type_to_der(int oid, uint8_t **out, size_t *outlen); - -/* -id-ce: - OID_ce_authority_key_identifier - OID_ce_subject_key_identifier - OID_ce_key_usage - OID_ce_certificate_policies - OID_ce_policy_mappings - OID_ce_subject_alt_name - OID_ce_issuer_alt_name - OID_ce_subject_directory_attributes - OID_ce_basic_constraints - OID_ce_name_constraints - OID_ce_policy_constraints - OID_ce_ext_key_usage - OID_ce_crl_distribution_points - OID_ce_inhibit_any_policy - OID_ce_freshest_crl - OID_netscape_cert_comment -*/ -const char *x509_ext_id_name(int oid); -int x509_ext_id_from_name(const char *name); -int x509_ext_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_count, const uint8_t **in, size_t *inlen); -int x509_ext_id_to_der(int oid, uint8_t **out, size_t *outlen); - -/* -id-qt - OID_qt_cps - OID_qt_unotice -*/ -const char *x509_qualifier_id_name(int oid); -int x509_qualifier_id_from_name(const char *name); -int x509_qualifier_id_from_der(int *oid, const uint8_t **in, 
size_t *inlen); -int x509_qualifier_id_to_der(int oid, uint8_t **out, size_t *outlen); - -/* - OID_any_policy -*/ -char *x509_cert_policy_id_name(int oid); -int x509_cert_policy_id_from_name(const char *name); -int x509_cert_policy_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen); -int x509_cert_policy_id_to_der(int oid, const uint32_t *nodes, size_t nodes_cnt, uint8_t **out, size_t *outlen); - -/* - OID_any_extended_key_usage -id-kp - OID_kp_server_auth - OID_kp_client_auth - OID_kp_code_signing - OID_kp_email_protection - OID_kp_time_stamping - OID_kp_ocsp_signing -*/ -const char *x509_key_purpose_name(int oid); -const char *x509_key_purpose_text(int oid); -int x509_key_purpose_from_name(const char *name); -int x509_key_purpose_from_der(int *oid, const uint8_t **in, size_t *inlen); -int x509_key_purpose_to_der(int oid, uint8_t **out, size_t *outlen); - -#ifdef __cplusplus -} -#endif -#endif diff --git a/include/gmssl/x509_req.h b/include/gmssl/x509_req.h index e2e81d8f..43536ae5 100644 --- a/include/gmssl/x509_req.h +++ b/include/gmssl/x509_req.h @@ -67,9 +67,10 @@ int x509_req_get_details(const uint8_t *req, size_t reqlen, const uint8_t **signature, size_t *signature_len); int x509_req_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen); int x509_req_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_t *inlen); -int x509_req_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *req, size_t reqlen); int x509_req_to_pem(const uint8_t *req, size_t reqlen, FILE *fp); int x509_req_from_pem(uint8_t *req, size_t *reqlen, size_t maxlen, FILE *fp); +int x509_req_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *req, size_t reqlen); + int x509_req_new_from_pem(uint8_t **req, size_t *reqlen, FILE *fp); int x509_req_new_from_file(uint8_t **req, size_t *reqlen, const char *file); diff --git a/src/x509_cer.c b/src/x509_cer.c index b3790764..51688f46 100644 
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -20,7 +20,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -217,6 +216,98 @@ err: return -1; } + +static uint32_t oid_at_name[] = { oid_at,41 }; +static uint32_t oid_at_surname[] = { oid_at,4 }; +static uint32_t oid_at_given_name[] = { oid_at,42 }; +static uint32_t oid_at_initials[] = { oid_at,43 }; +static uint32_t oid_at_generation_qualifier[] = { oid_at,44 }; +static uint32_t oid_at_common_name[] = { oid_at,3 }; +static uint32_t oid_at_locality_name[] = { oid_at,7 }; +static uint32_t oid_at_state_or_province_name[] = { oid_at,8 }; +static uint32_t oid_at_organization_name[] = { oid_at,10 }; +static uint32_t oid_at_organizational_unit_name[] = { oid_at,11 }; +static uint32_t oid_at_title[] = { oid_at,12 }; +static uint32_t oid_at_dn_qualifier[] = { oid_at,46 }; +static uint32_t oid_at_country_name[] = { oid_at,6 }; +static uint32_t oid_at_serial_number[] = { oid_at,5 }; +static uint32_t oid_at_pseudonym[] = { oid_at,65 }; +static uint32_t oid_domain_component[] = { 0,9,2342,19200300,100,1,25 }; +static uint32_t oid_email_address[] = { 1,2,840,113549,1,9,1 }; + +#define OID_AT_CNT (sizeof(oid_at_name)/sizeof(int)) + +static const ASN1_OID_INFO x509_name_types[] = { + { OID_at_name, "name", oid_at_name, OID_AT_CNT }, + { OID_at_surname, "surname", oid_at_surname, OID_AT_CNT }, + { OID_at_given_name, "givenName", oid_at_given_name, OID_AT_CNT }, + { OID_at_initials, "initials", oid_at_initials, OID_AT_CNT }, + { OID_at_generation_qualifier, "generationQualifier", oid_at_generation_qualifier, OID_AT_CNT }, + { OID_at_common_name, "commonName", oid_at_common_name, OID_AT_CNT }, + { OID_at_locality_name, "localityName", oid_at_locality_name, OID_AT_CNT }, + { OID_at_state_or_province_name, "stateOrProvinceName", oid_at_state_or_province_name, OID_AT_CNT }, + { OID_at_organization_name, "organizationName", oid_at_organization_name, OID_AT_CNT }, + { OID_at_organizational_unit_name, "organizationalUnitName", oid_at_organizational_unit_name, OID_AT_CNT }, + { OID_at_title, "title", oid_at_title, OID_AT_CNT }, + { 
OID_at_dn_qualifier, "dnQualifier", oid_at_dn_qualifier, OID_AT_CNT }, + { OID_at_country_name, "countryName", oid_at_country_name, OID_AT_CNT }, + { OID_at_serial_number, "serialNumber", oid_at_serial_number, OID_AT_CNT }, + { OID_at_pseudonym, "pseudonym", oid_at_pseudonym, OID_AT_CNT }, + { OID_domain_component, "domainComponent", oid_domain_component, sizeof(oid_domain_component)/sizeof(int) }, + { OID_email_address, "emailAddress", oid_email_address, sizeof(oid_email_address)/sizeof(int) }, +}; + +static const int x509_name_types_count + = sizeof(x509_name_types)/sizeof(x509_name_types[0]); + +const char *x509_name_type_name(int oid) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_oid(x509_name_types, x509_name_types_count, oid))) { + error_print(); + return NULL; + } + return info->name; +} + +int x509_name_type_from_name(const char *name) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_name(x509_name_types, x509_name_types_count, name))) { + error_print(); + return OID_undef; + } + return info->oid; +} + +int x509_name_type_to_der(int oid, uint8_t **out, size_t *outlen) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_oid(x509_name_types, x509_name_types_count, oid))) { + error_print(); + return -1; + } + if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) { + error_print(); + return -1; + } + return 1; +} + +int x509_name_type_from_der(int *oid, const uint8_t **in, size_t *inlen) +{ + int ret; + const ASN1_OID_INFO *info; + + if ((ret = asn1_oid_info_from_der(&info, x509_name_types, x509_name_types_count, in, inlen)) != 1) { + if (ret < 0) error_print(); + else *oid = -1; + return ret; + } + *oid = info->oid; + return 1; +} + int x509_directory_name_check(int tag, const uint8_t *d, size_t dlen) { if (dlen == 0) { 
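Review bot: `#define OID_AT_CNT (sizeof(oid_at_name)/sizeof(int))` divides the byte size of a `uint32_t` array by `sizeof(int)`, so the element count is only correct on targets where `int` is 32 bits; the same pattern is used for `oid_domain_component`/`oid_email_address` here, for `OID_CE_CNT` and the `oid_netscape_*`/`oid_pe_*`/`oid_ct_*` entries in the src/x509_ext.c hunk at `@@ -18`, for `x509_qt_ids` at `@@ -1433`, for the `OID_any_policy` case at `@@ -1513` and for `OID_KP_CNT` at `@@ -2105`, while the `anyExtendedKeyUsage` entry in that last hunk uses `sizeof(uint32_t)` and `x509_cert_policy_id_from_der` uses `oid_cnt(oid_any_policy)`. The code was moved from x509_oid.c as-is, but the move is the moment to settle on one form: `#define OID_AT_CNT (sizeof(oid_at_name)/sizeof(oid_at_name[0]))`, and likewise for `OID_CE_CNT` and `OID_KP_CNT`, which additionally expand without enclosing parentheses. If `oid_cnt()` is a sizeof-based macro usable in initialisers, using it everywhere would be simplest. The trailing context opens `x509_directory_name_check`, whose body lies outside the hunk.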
@@ -355,7 +446,7 @@ static const struct { int is_printable_string_only; int minlen; int maxlen; -} x509_name_types[] = { +} x509_name_types_info[] = { { OID_at_country_name, 1, 2, 2 }, { OID_at_state_or_province_name, 0, 1, X509_ub_state_name }, { OID_at_locality_name, 0, 1, X509_ub_locality_name }, @@ -372,21 +463,21 @@ static const struct { { OID_at_pseudonym, 0, 1, X509_ub_pseudonym }, }; -static const int x509_name_types_count - = sizeof(x509_name_types)/sizeof(x509_name_types[0]); +static const int x509_name_types_info_count + = sizeof(x509_name_types_info)/sizeof(x509_name_types_info[0]); int x509_attr_type_and_value_check(int oid, int tag, const uint8_t *val, size_t vlen) { int i; - for (i = 0; i < x509_name_types_count; i++) { - if (oid == x509_name_types[i].oid) { - if (x509_name_types[i].is_printable_string_only + for (i = 0; i < x509_name_types_info_count; i++) { + if (oid == x509_name_types_info[i].oid) { + if (x509_name_types_info[i].is_printable_string_only && tag != ASN1_TAG_PrintableString) { error_print(); return -1; } if (x509_directory_name_check_ex(tag, val, vlen, - x509_name_types[i].minlen, x509_name_types[i].maxlen) != 1) { + x509_name_types_info[i].minlen, x509_name_types_info[i].maxlen) != 1) { error_print(); return -1; } diff --git a/src/x509_ext.c b/src/x509_ext.c index f2e1476c..f1097471 100644 --- a/src/x509_ext.c +++ b/src/x509_ext.c 
@@ -18,11 +18,115 @@ #include #include #include -#include #include #include + +static uint32_t oid_ce_subject_directory_attributes[] = { oid_ce,9 }; +static uint32_t oid_ce_subject_key_identifier[] = { oid_ce,14 }; +static uint32_t oid_ce_key_usage[] = { oid_ce,15 }; +static uint32_t oid_ce_subject_alt_name[] = { oid_ce,17 }; +static uint32_t oid_ce_issuer_alt_name[] = { oid_ce,18 }; +static uint32_t oid_ce_basic_constraints[] = { oid_ce,19 }; +static uint32_t oid_ce_name_constraints[] = { oid_ce,30 }; +static uint32_t oid_ce_crl_distribution_points[] = { oid_ce,31 }; +static uint32_t oid_ce_certificate_policies[] = { oid_ce,32 }; +static uint32_t oid_ce_policy_mappings[] = { oid_ce,33 }; +static uint32_t oid_ce_authority_key_identifier[] = { oid_ce,35 }; +static uint32_t oid_ce_policy_constraints[] = { oid_ce,36 }; +static uint32_t oid_ce_ext_key_usage[] = { oid_ce,37 }; +static uint32_t oid_ce_freshest_crl[] = { oid_ce,46 }; +static uint32_t oid_ce_inhibit_any_policy[] = { oid_ce,54 }; +static uint32_t oid_ce_crl_reasons[] = { oid_ce,21 }; // crl_entry_ext +static uint32_t oid_ce_invalidity_date[] = { oid_ce,24 }; // crl_entry_ext +static uint32_t oid_ce_certificate_issuer[] = { oid_ce,29 }; // crl_entry_ext +#define OID_CE_CNT sizeof(oid_ce_subject_directory_attributes)/sizeof(int) +static uint32_t oid_netscape_cert_type[] = { 2,16,840,1,113730,1,1 }; +static uint32_t oid_netscape_cert_comment[] = { 2,16,840,1,113730,1,13 }; +static uint32_t oid_pe_authority_info_access[] = { 1,3,6,1,5,5,7,1,1 }; +static uint32_t oid_ct_precertificate_scts[] = { 1,3,6,1,4,1,11129,2,4,2 }; + +static const ASN1_OID_INFO x509_ext_ids[] = { + { OID_ce_authority_key_identifier, "AuthorityKeyIdentifier", oid_ce_authority_key_identifier, OID_CE_CNT }, + { OID_ce_subject_key_identifier, "SubjectKeyIdentifier", oid_ce_subject_key_identifier, OID_CE_CNT }, + { OID_ce_key_usage, "KeyUsage", oid_ce_key_usage, OID_CE_CNT }, + { OID_ce_certificate_policies, "CertificatePolicies", 
oid_ce_certificate_policies, OID_CE_CNT }, + { OID_ce_policy_mappings, "PolicyMappings", oid_ce_policy_mappings, OID_CE_CNT }, + { OID_ce_subject_alt_name, "SubjectAltName", oid_ce_subject_alt_name, OID_CE_CNT }, + { OID_ce_issuer_alt_name, "IssuerAltName", oid_ce_issuer_alt_name, OID_CE_CNT }, + { OID_ce_subject_directory_attributes, "SubjectDirectoryAttributes", oid_ce_subject_directory_attributes, OID_CE_CNT }, + { OID_ce_basic_constraints, "BasicConstraints", oid_ce_basic_constraints, OID_CE_CNT }, + { OID_ce_name_constraints, "NameConstraints", oid_ce_name_constraints, OID_CE_CNT }, + { OID_ce_policy_constraints, "PolicyConstraints", oid_ce_policy_constraints, OID_CE_CNT }, + { OID_ce_ext_key_usage, "ExtKeyUsage", oid_ce_ext_key_usage, OID_CE_CNT }, + { OID_ce_crl_distribution_points, "CRLDistributionPoints", oid_ce_crl_distribution_points, OID_CE_CNT }, + { OID_ce_inhibit_any_policy, "InhibitAnyPolicy", oid_ce_inhibit_any_policy, OID_CE_CNT }, + { OID_ce_freshest_crl, "FreshestCRL", oid_ce_freshest_crl, OID_CE_CNT }, + { OID_ce_crl_reasons, "CRLReasons", oid_ce_crl_reasons, OID_CE_CNT }, + { OID_ce_invalidity_date, "InvalidityDate", oid_ce_invalidity_date, OID_CE_CNT }, + { OID_ce_certificate_issuer, "CertificateIssuer", oid_ce_certificate_issuer, OID_CE_CNT }, + { OID_netscape_cert_type, "NetscapeCertType", oid_netscape_cert_type, sizeof(oid_netscape_cert_type)/sizeof(int) }, + { OID_netscape_cert_comment, "NetscapeCertComment", oid_netscape_cert_comment, sizeof(oid_netscape_cert_comment)/sizeof(int) }, + { OID_pe_authority_info_access, "AuthorityInformationAccess", oid_pe_authority_info_access, sizeof(oid_pe_authority_info_access)/sizeof(int) }, + { OID_ct_precertificate_scts, "CT-PrecertificateSCTs", oid_ct_precertificate_scts, sizeof(oid_ct_precertificate_scts)/sizeof(int) }, +}; + +static const int x509_ext_ids_count = + sizeof(x509_ext_ids)/sizeof(x509_ext_ids[0]); + +const char *x509_ext_id_name(int oid) +{ + const ASN1_OID_INFO *info; + if (oid == 0) 
{ + return NULL; + } + if (!(info = asn1_oid_info_from_oid(x509_ext_ids, x509_ext_ids_count, oid))) { + error_print(); + return NULL; + } + return info->name; +} + +int x509_ext_id_from_name(const char *name) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_name(x509_ext_ids, x509_ext_ids_count, name))) { + error_print(); + return OID_undef; + } + return info->oid; +} + +int x509_ext_id_to_der(int oid, uint8_t **out, size_t *outlen) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_oid(x509_ext_ids, x509_ext_ids_count, oid))) { + error_print(); + return -1; + } + if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) { + error_print(); + return -1; + } + return 1; +} + +// 如果要支持未知的ext_id,应该提供一个callback +int x509_ext_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen) +{ + int ret; + const ASN1_OID_INFO *info; + + if ((ret = asn1_oid_info_from_der_ex(&info, nodes, nodes_cnt, x509_ext_ids, x509_ext_ids_count, in, inlen)) != 1) { + if (ret < 0) error_print(); + else *oid = -1; + return ret; + } + *oid = info ? info->oid : 0; + return 1; +} + int x509_ext_to_der(int oid, int critical, const uint8_t *val, size_t vlen, uint8_t **out, size_t *outlen) { size_t len = 0; 
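Review bot: `x509_ext_id_from_der` returns 1 with `*oid = 0` when the decoded OID is not in `x509_ext_ids` (assuming `asn1_oid_info_from_der_ex` yields `info == NULL` in that case, which the `info ? info->oid : 0` expression implies), so an unrecognised extension is accepted silently at this layer and only the raw arcs in `nodes`/`nodes_cnt` tell the caller what it was. That is a reasonable contract, but it puts the burden on callers to still reject extensions they do not understand when the `critical` flag is set (RFC 5280 §4.2); whether the callers do that is outside this hunk. Replace the Chinese comment above the function with an English statement of the contract, e.g. `// Unknown extension OIDs are accepted: *oid is set to 0 and the raw arcs are left in nodes/nodes_cnt; callers must still reject unrecognised extensions marked critical. A callback could be added to support unknown extensions.` The trailing context opens `x509_ext_to_der`, whose body lies outside the hunk.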
@@ -1433,6 +1537,68 @@ err: return -1; } + + + +static uint32_t oid_qt_cps[] = { oid_qt,1 }; +static uint32_t oid_qt_unotice[] = {oid_qt,2 }; + +static const ASN1_OID_INFO x509_qt_ids[] = { + { OID_qt_cps, "CPS", oid_qt_cps, sizeof(oid_qt_cps)/sizeof(int) }, + { OID_qt_unotice, "userNotice", oid_qt_unotice, sizeof(oid_qt_unotice)/sizeof(int) } +}; + +static const int x509_qt_ids_count = + sizeof(x509_qt_ids)/sizeof(x509_qt_ids[0]); + +int x509_qualifier_id_from_name(const char *name) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_name(x509_qt_ids, x509_qt_ids_count, name))) { + error_print(); + return OID_undef; + } + return info->oid; +} + +const char *x509_qualifier_id_name(int oid) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_oid(x509_qt_ids, x509_qt_ids_count, oid))) { + error_print(); + return NULL; + } + return info->name; +} + +int x509_qualifier_id_to_der(int oid, uint8_t **out, size_t *outlen) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_oid(x509_qt_ids, x509_qt_ids_count, oid))) { + error_print(); + return -1; + } + if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) { + error_print(); + return -1; + } + return 1; +} + +int x509_qualifier_id_from_der(int *oid, const uint8_t **in, size_t *inlen) +{ + int ret; + const ASN1_OID_INFO *info; + if ((ret = asn1_oid_info_from_der(&info, x509_qt_ids, x509_qt_ids_count, in, inlen)) != 1) { + if (ret < 0) error_print(); + else *oid = -1; + return ret; + } + *oid = info->oid; + return 1; +} + + int x509_policy_qualifier_info_to_der( int oid, const uint8_t *qualifier, size_t qualifier_len, 
@@ -1513,6 +1679,61 @@ int x509_policy_qualifier_infos_print(FILE *fp, int fmt, int ind, const char *la return 1; } + +int x509_cert_policy_id_from_name(const char *name) +{ + if (strcmp(name, "anyPolicy") == 0) { + return OID_any_policy; + } + return OID_undef; +} + +char *x509_cert_policy_id_name(int oid) +{ + switch (oid) { + case OID_any_policy: return "anyPolicy"; + } + return NULL; +} + +static uint32_t oid_any_policy[] = { oid_ce,32,0 }; + +int x509_cert_policy_id_to_der(int oid, const uint32_t *nodes, size_t nodes_cnt, uint8_t **out, size_t *outlen) +{ + switch (oid) { + case OID_any_policy: + if (asn1_object_identifier_to_der(oid_any_policy, sizeof(oid_any_policy)/sizeof(int), out, outlen) != 1) { + error_print(); + return -1; + } + break; + case OID_undef: + if (asn1_object_identifier_to_der(nodes, nodes_cnt, out, outlen) != 1) { + error_print(); + return -1; + } + break; + default: + error_print(); + return -1; + } + return 1; +} + +int x509_cert_policy_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen) +{ + int ret; + if ((ret = asn1_object_identifier_from_der(nodes, nodes_cnt, in, inlen)) != 1) { + if (ret < 0) error_print(); + else *oid = -1; + return ret; + } + if (asn1_object_identifier_equ(nodes, *nodes_cnt, oid_any_policy, oid_cnt(oid_any_policy))) + *oid = OID_any_policy; + else *oid = 0; + return 1; +} + int x509_policy_information_to_der( int oid, const uint32_t *nodes, size_t nodes_cnt, const uint8_t *qualifiers, size_t qualifiers_len, 
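Review bot: `x509_cert_policy_id_from_der` sets `*oid = 0` for any policy other than anyPolicy, while `x509_cert_policy_id_to_der` three lines above only encodes caller-supplied `nodes` under `case OID_undef:` and hits the `default:` error branch for anything else; a from_der/to_der round trip of an ordinary policy OID therefore depends on `OID_undef` being 0, which the hunk does not show. If it is 0, write `else *oid = OID_undef;` so the dependency is explicit; if it is not, the `else` branch is a bug. In the same function the `to_der` path sizes the array with `sizeof(oid_any_policy)/sizeof(int)` while `from_der` uses `oid_cnt(oid_any_policy)` for the same array two functions later; use `oid_cnt(oid_any_policy)` in both.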
@@ -2105,6 +2326,90 @@ err: return -1; } + +static uint32_t oid_any_extended_key_usage[] = { oid_ce,37,0 }; + +#define oid_kp oid_pkix,3 + +static uint32_t oid_kp_server_auth[] = { oid_kp,1 }; +static uint32_t oid_kp_client_auth[] = { oid_kp,2 }; +static uint32_t oid_kp_code_signing[] = { oid_kp,3 }; +static uint32_t oid_kp_email_protection[] = { oid_kp,4 }; +static uint32_t oid_kp_time_stamping[] = { oid_kp,8 }; +static uint32_t oid_kp_ocsp_signing[] = { oid_kp,9 }; +#define OID_KP_CNT sizeof(oid_kp_server_auth)/sizeof(int) + +static const ASN1_OID_INFO x509_key_purposes[] = { + { OID_any_extended_key_usage, "anyExtendedKeyUsage", oid_any_extended_key_usage, sizeof(oid_any_extended_key_usage)/sizeof(uint32_t), 0, "Any Extended Key Usage" }, + { OID_kp_server_auth, "serverAuth", oid_kp_server_auth, OID_KP_CNT, 0, "TLS WWW server authentication" }, + { OID_kp_client_auth, "clientAuth", oid_kp_client_auth, OID_KP_CNT, 0, "TLS WWW client authentication" }, + { OID_kp_code_signing, "codeSigning", oid_kp_code_signing, OID_KP_CNT, 0, "Signing of downloadable executable code" }, + { OID_kp_email_protection, "emailProtection", oid_kp_email_protection, OID_KP_CNT, 0, "Email protection" }, + { OID_kp_time_stamping, "timeStamping", oid_kp_time_stamping, OID_KP_CNT, 0, "Binding the hash of an object to a time" }, + { OID_kp_ocsp_signing, "OCSPSigning", oid_kp_ocsp_signing, OID_KP_CNT, 0, "Signing OCSP responses" }, +}; + +static const int x509_key_purposes_count = + sizeof(x509_key_purposes)/sizeof(x509_key_purposes[0]); + +int x509_key_purpose_from_name(const char *name) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_name(x509_key_purposes, x509_key_purposes_count, name))) { + error_print(); + return OID_undef; + } + return info->oid; +} + +const char *x509_key_purpose_name(int oid) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) { + error_print(); + return NULL; + } + return 
info->name; +} + +const char *x509_key_purpose_text(int oid) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) { + error_print(); + return NULL; + } + return info->description; +} + +int x509_key_purpose_to_der(int oid, uint8_t **out, size_t *outlen) +{ + const ASN1_OID_INFO *info; + if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) { + error_print(); + return -1; + } + if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) { + error_print(); + return -1; + } + return 1; +} + +int x509_key_purpose_from_der(int *oid, const uint8_t **in, size_t *inlen) +{ + int ret; + const ASN1_OID_INFO *info; + if ((ret = asn1_oid_info_from_der(&info, x509_key_purposes, x509_key_purposes_count, in, inlen)) != 1) { + if (ret < 0) error_print(); + else *oid = -1; + return ret; + } + *oid = info->oid; + return 1; +} + + int x509_ext_key_usage_to_der(const int *oids, size_t oids_cnt, uint8_t **out, size_t *outlen) { size_t len = 0; diff --git a/src/x509_str.c b/src/x509_new.c similarity index 100% rename from src/x509_str.c rename to src/x509_new.c diff --git a/src/x509_oid.c b/src/x509_oid.c deleted file mode 100644 index 868b2524..00000000 --- a/src/x509_oid.c +++ /dev/null 
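Review bot: `#define oid_kp oid_pkix,3` is introduced at file scope roughly 2300 lines into src/x509_ext.c and is never `#undef`'d, so it remains visible to everything that follows in the file; the other arc macros used in these tables (`oid_at`, `oid_ce`, `oid_qt`, `oid_pkix`) all come from outside the hunk, presumably a shared header. Either move `oid_kp` next to them or add `#undef oid_kp` immediately after the `oid_kp_ocsp_signing` definition, so the macro's scope matches its single use. The trailing context opens `x509_ext_key_usage_to_der`, whose body lies outside the hunk.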
@@ -1,415 +0,0 @@ -/* - * Copyright 2014-2022 The GmSSL Project. All Rights Reserved. - * - * Licensed under the Apache License, Version 2.0 (the License); you may - * not use this file except in compliance with the License. - * - * http://www.apache.org/licenses/LICENSE-2.0 - */ - - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - - -static uint32_t oid_at_name[] = { oid_at,41 }; -static uint32_t oid_at_surname[] = { oid_at,4 }; -static uint32_t oid_at_given_name[] = { oid_at,42 }; -static uint32_t oid_at_initials[] = { oid_at,43 }; -static uint32_t oid_at_generation_qualifier[] = { oid_at,44 }; -static uint32_t oid_at_common_name[] = { oid_at,3 }; -static uint32_t oid_at_locality_name[] = { oid_at,7 }; -static uint32_t oid_at_state_or_province_name[] = { oid_at,8 }; -static uint32_t oid_at_organization_name[] = { oid_at,10 }; -static uint32_t oid_at_organizational_unit_name[] = { oid_at,11 }; -static uint32_t oid_at_title[] = { oid_at,12 }; -static uint32_t oid_at_dn_qualifier[] = { oid_at,46 }; -static uint32_t oid_at_country_name[] = { oid_at,6 }; -static uint32_t oid_at_serial_number[] = { oid_at,5 }; -static uint32_t oid_at_pseudonym[] = { oid_at,65 }; -static uint32_t oid_domain_component[] = { 0,9,2342,19200300,100,1,25 }; -static uint32_t oid_email_address[] = { 1,2,840,113549,1,9,1 }; - -#define OID_AT_CNT (sizeof(oid_at_name)/sizeof(int)) - -static const ASN1_OID_INFO x509_name_types[] = { - { OID_at_name, "name", oid_at_name, OID_AT_CNT }, - { OID_at_surname, "surname", oid_at_surname, OID_AT_CNT }, - { OID_at_given_name, "givenName", oid_at_given_name, OID_AT_CNT }, - { OID_at_initials, "initials", oid_at_initials, OID_AT_CNT }, - { OID_at_generation_qualifier, "generationQualifier", oid_at_generation_qualifier, OID_AT_CNT }, - { OID_at_common_name, "commonName", oid_at_common_name, OID_AT_CNT }, - { OID_at_locality_name, "localityName", oid_at_locality_name, OID_AT_CNT }, - { 
OID_at_state_or_province_name, "stateOrProvinceName", oid_at_state_or_province_name, OID_AT_CNT }, - { OID_at_organization_name, "organizationName", oid_at_organization_name, OID_AT_CNT }, - { OID_at_organizational_unit_name, "organizationalUnitName", oid_at_organizational_unit_name, OID_AT_CNT }, - { OID_at_title, "title", oid_at_title, OID_AT_CNT }, - { OID_at_dn_qualifier, "dnQualifier", oid_at_dn_qualifier, OID_AT_CNT }, - { OID_at_country_name, "countryName", oid_at_country_name, OID_AT_CNT }, - { OID_at_serial_number, "serialNumber", oid_at_serial_number, OID_AT_CNT }, - { OID_at_pseudonym, "pseudonym", oid_at_pseudonym, OID_AT_CNT }, - { OID_domain_component, "domainComponent", oid_domain_component, sizeof(oid_domain_component)/sizeof(int) }, - { OID_email_address, "emailAddress", oid_email_address, sizeof(oid_email_address)/sizeof(int) }, -}; - -static const int x509_name_types_count - = sizeof(x509_name_types)/sizeof(x509_name_types[0]); - -const char *x509_name_type_name(int oid) -{ - const ASN1_OID_INFO *info; - if (!(info = asn1_oid_info_from_oid(x509_name_types, x509_name_types_count, oid))) { - error_print(); - return NULL; - } - return info->name; -} - -int x509_name_type_from_name(const char *name) -{ - const ASN1_OID_INFO *info; - if (!(info = asn1_oid_info_from_name(x509_name_types, x509_name_types_count, name))) { - error_print(); - return OID_undef; - } - return info->oid; -} - -int x509_name_type_to_der(int oid, uint8_t **out, size_t *outlen) -{ - const ASN1_OID_INFO *info; - if (!(info = asn1_oid_info_from_oid(x509_name_types, x509_name_types_count, oid))) { - error_print(); - return -1; - } - if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) { - error_print(); - return -1; - } - return 1; -} - -int x509_name_type_from_der(int *oid, const uint8_t **in, size_t *inlen) -{ - int ret; - const ASN1_OID_INFO *info; - - if ((ret = asn1_oid_info_from_der(&info, x509_name_types, x509_name_types_count, in, inlen)) != 1) 
{ - if (ret < 0) error_print(); - else *oid = -1; - return ret; - } - *oid = info->oid; - return 1; -} - - -static uint32_t oid_ce_subject_directory_attributes[] = { oid_ce,9 }; -static uint32_t oid_ce_subject_key_identifier[] = { oid_ce,14 }; -static uint32_t oid_ce_key_usage[] = { oid_ce,15 }; -static uint32_t oid_ce_subject_alt_name[] = { oid_ce,17 }; -static uint32_t oid_ce_issuer_alt_name[] = { oid_ce,18 }; -static uint32_t oid_ce_basic_constraints[] = { oid_ce,19 }; -static uint32_t oid_ce_name_constraints[] = { oid_ce,30 }; -static uint32_t oid_ce_crl_distribution_points[] = { oid_ce,31 }; -static uint32_t oid_ce_certificate_policies[] = { oid_ce,32 }; -static uint32_t oid_ce_policy_mappings[] = { oid_ce,33 }; -static uint32_t oid_ce_authority_key_identifier[] = { oid_ce,35 }; -static uint32_t oid_ce_policy_constraints[] = { oid_ce,36 }; -static uint32_t oid_ce_ext_key_usage[] = { oid_ce,37 }; -static uint32_t oid_ce_freshest_crl[] = { oid_ce,46 }; -static uint32_t oid_ce_inhibit_any_policy[] = { oid_ce,54 }; -static uint32_t oid_ce_crl_reasons[] = { oid_ce,21 }; // crl_entry_ext -static uint32_t oid_ce_invalidity_date[] = { oid_ce,24 }; // crl_entry_ext -static uint32_t oid_ce_certificate_issuer[] = { oid_ce,29 }; // crl_entry_ext -#define OID_CE_CNT sizeof(oid_ce_subject_directory_attributes)/sizeof(int) -static uint32_t oid_netscape_cert_type[] = { 2,16,840,1,113730,1,1 }; -static uint32_t oid_netscape_cert_comment[] = { 2,16,840,1,113730,1,13 }; -static uint32_t oid_pe_authority_info_access[] = { 1,3,6,1,5,5,7,1,1 }; -static uint32_t oid_ct_precertificate_scts[] = { 1,3,6,1,4,1,11129,2,4,2 }; - -static const ASN1_OID_INFO x509_ext_ids[] = { - { OID_ce_authority_key_identifier, "AuthorityKeyIdentifier", oid_ce_authority_key_identifier, OID_CE_CNT }, - { OID_ce_subject_key_identifier, "SubjectKeyIdentifier", oid_ce_subject_key_identifier, OID_CE_CNT }, - { OID_ce_key_usage, "KeyUsage", oid_ce_key_usage, OID_CE_CNT }, - { OID_ce_certificate_policies, 
"CertificatePolicies", oid_ce_certificate_policies, OID_CE_CNT }, - { OID_ce_policy_mappings, "PolicyMappings", oid_ce_policy_mappings, OID_CE_CNT }, - { OID_ce_subject_alt_name, "SubjectAltName", oid_ce_subject_alt_name, OID_CE_CNT }, - { OID_ce_issuer_alt_name, "IssuerAltName", oid_ce_issuer_alt_name, OID_CE_CNT }, - { OID_ce_subject_directory_attributes, "SubjectDirectoryAttributes", oid_ce_subject_directory_attributes, OID_CE_CNT }, - { OID_ce_basic_constraints, "BasicConstraints", oid_ce_basic_constraints, OID_CE_CNT }, - { OID_ce_name_constraints, "NameConstraints", oid_ce_name_constraints, OID_CE_CNT }, - { OID_ce_policy_constraints, "PolicyConstraints", oid_ce_policy_constraints, OID_CE_CNT }, - { OID_ce_ext_key_usage, "ExtKeyUsage", oid_ce_ext_key_usage, OID_CE_CNT }, - { OID_ce_crl_distribution_points, "CRLDistributionPoints", oid_ce_crl_distribution_points, OID_CE_CNT }, - { OID_ce_inhibit_any_policy, "InhibitAnyPolicy", oid_ce_inhibit_any_policy, OID_CE_CNT }, - { OID_ce_freshest_crl, "FreshestCRL", oid_ce_freshest_crl, OID_CE_CNT }, - { OID_ce_crl_reasons, "CRLReasons", oid_ce_crl_reasons, OID_CE_CNT }, - { OID_ce_invalidity_date, "InvalidityDate", oid_ce_invalidity_date, OID_CE_CNT }, - { OID_ce_certificate_issuer, "CertificateIssuer", oid_ce_certificate_issuer, OID_CE_CNT }, - { OID_netscape_cert_type, "NetscapeCertType", oid_netscape_cert_type, sizeof(oid_netscape_cert_type)/sizeof(int) }, - { OID_netscape_cert_comment, "NetscapeCertComment", oid_netscape_cert_comment, sizeof(oid_netscape_cert_comment)/sizeof(int) }, - { OID_pe_authority_info_access, "AuthorityInformationAccess", oid_pe_authority_info_access, sizeof(oid_pe_authority_info_access)/sizeof(int) }, - { OID_ct_precertificate_scts, "CT-PrecertificateSCTs", oid_ct_precertificate_scts, sizeof(oid_ct_precertificate_scts)/sizeof(int) }, -}; - -static const int x509_ext_ids_count = - sizeof(x509_ext_ids)/sizeof(x509_ext_ids[0]); - -const char *x509_ext_id_name(int oid) -{ - const ASN1_OID_INFO 
*info;
- if (oid == 0) {
- return NULL;
- }
- if (!(info = asn1_oid_info_from_oid(x509_ext_ids, x509_ext_ids_count, oid))) {
- error_print();
- return NULL;
- }
- return info->name;
-}
-
-int x509_ext_id_from_name(const char *name)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_name(x509_ext_ids, x509_ext_ids_count, name))) {
- error_print();
- return OID_undef;
- }
- return info->oid;
-}
-
-int x509_ext_id_to_der(int oid, uint8_t **out, size_t *outlen)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_oid(x509_ext_ids, x509_ext_ids_count, oid))) {
- error_print();
- return -1;
- }
- if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) {
- error_print();
- return -1;
- }
- return 1;
-}
-
-// 如果要支持未知的ext_id,应该提供一个callback
-int x509_ext_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen)
-{
- int ret;
- const ASN1_OID_INFO *info;
-
- if ((ret = asn1_oid_info_from_der_ex(&info, nodes, nodes_cnt, x509_ext_ids, x509_ext_ids_count, in, inlen)) != 1) {
- if (ret < 0) error_print();
- else *oid = -1;
- return ret;
- }
- *oid = info ? info->oid : 0;
- return 1;
-}
-
-
-static uint32_t oid_qt_cps[] = { oid_qt,1 };
-static uint32_t oid_qt_unotice[] = {oid_qt,2 };
-
-static const ASN1_OID_INFO x509_qt_ids[] = {
- { OID_qt_cps, "CPS", oid_qt_cps, sizeof(oid_qt_cps)/sizeof(int) },
- { OID_qt_unotice, "userNotice", oid_qt_unotice, sizeof(oid_qt_unotice)/sizeof(int) }
-};
-
-static const int x509_qt_ids_count =
- sizeof(x509_qt_ids)/sizeof(x509_qt_ids[0]);
-
-int x509_qualifier_id_from_name(const char *name)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_name(x509_qt_ids, x509_qt_ids_count, name))) {
- error_print();
- return OID_undef;
- }
- return info->oid;
-}
-
-const char *x509_qualifier_id_name(int oid)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_oid(x509_qt_ids, x509_qt_ids_count, oid))) {
- error_print();
- return NULL;
- }
- return info->name;
-}
-
-int x509_qualifier_id_to_der(int oid, uint8_t **out, size_t *outlen)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_oid(x509_qt_ids, x509_qt_ids_count, oid))) {
- error_print();
- return -1;
- }
- if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) {
- error_print();
- return -1;
- }
- return 1;
-}
-
-int x509_qualifier_id_from_der(int *oid, const uint8_t **in, size_t *inlen)
-{
- int ret;
- const ASN1_OID_INFO *info;
- if ((ret = asn1_oid_info_from_der(&info, x509_qt_ids, x509_qt_ids_count, in, inlen)) != 1) {
- if (ret < 0) error_print();
- else *oid = -1;
- return ret;
- }
- *oid = info->oid;
- return 1;
-}
-
-
-int x509_cert_policy_id_from_name(const char *name)
-{
- if (strcmp(name, "anyPolicy") == 0) {
- return OID_any_policy;
- }
- return OID_undef;
-}
-
-char *x509_cert_policy_id_name(int oid)
-{
- switch (oid) {
- case OID_any_policy: return "anyPolicy";
- }
- return NULL;
-}
-
-static uint32_t oid_any_policy[] = { oid_ce,32,0 };
-
-int x509_cert_policy_id_to_der(int oid, const uint32_t *nodes, size_t nodes_cnt, uint8_t **out, size_t *outlen)
-{
- switch (oid) {
- case OID_any_policy:
- if (asn1_object_identifier_to_der(oid_any_policy, sizeof(oid_any_policy)/sizeof(int), out, outlen) != 1) {
- error_print();
- return -1;
- }
- break;
- case OID_undef:
- if (asn1_object_identifier_to_der(nodes, nodes_cnt, out, outlen) != 1) {
- error_print();
- return -1;
- }
- break;
- default:
- error_print();
- return -1;
- }
- return 1;
-}
-
-int x509_cert_policy_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen)
-{
- int ret;
- if ((ret = asn1_object_identifier_from_der(nodes, nodes_cnt, in, inlen)) != 1) {
- if (ret < 0) error_print();
- else *oid = -1;
- return ret;
- }
- if (asn1_object_identifier_equ(nodes, *nodes_cnt, oid_any_policy, oid_cnt(oid_any_policy)))
- *oid = OID_any_policy;
- else *oid = 0;
- return 1;
-}
-
-
-static uint32_t oid_any_extended_key_usage[] = { oid_ce,37,0 };
-
-#define oid_kp oid_pkix,3
-
-static uint32_t oid_kp_server_auth[] = { oid_kp,1 };
-static uint32_t oid_kp_client_auth[] = { oid_kp,2 };
-static uint32_t oid_kp_code_signing[] = { oid_kp,3 };
-static uint32_t oid_kp_email_protection[] = { oid_kp,4 };
-static uint32_t oid_kp_time_stamping[] = { oid_kp,8 };
-static uint32_t oid_kp_ocsp_signing[] = { oid_kp,9 };
-#define OID_KP_CNT sizeof(oid_kp_server_auth)/sizeof(int)
-
-static const ASN1_OID_INFO x509_key_purposes[] = {
- { OID_any_extended_key_usage, "anyExtendedKeyUsage", oid_any_extended_key_usage, sizeof(oid_any_extended_key_usage)/sizeof(uint32_t), 0, "Any Extended Key Usage" },
- { OID_kp_server_auth, "serverAuth", oid_kp_server_auth, OID_KP_CNT, 0, "TLS WWW server authentication" },
- { OID_kp_client_auth, "clientAuth", oid_kp_client_auth, OID_KP_CNT, 0, "TLS WWW client authentication" },
- { OID_kp_code_signing, "codeSigning", oid_kp_code_signing, OID_KP_CNT, 0, "Signing of downloadable executable code" },
- { OID_kp_email_protection, "emailProtection", oid_kp_email_protection, OID_KP_CNT, 0, "Email protection" },
- { OID_kp_time_stamping, "timeStamping", oid_kp_time_stamping, OID_KP_CNT, 0, "Binding the hash of an object to a time" },
- { OID_kp_ocsp_signing, "OCSPSigning", oid_kp_ocsp_signing, OID_KP_CNT, 0, "Signing OCSP responses" },
-};
-
-static const int x509_key_purposes_count =
- sizeof(x509_key_purposes)/sizeof(x509_key_purposes[0]);
-
-int x509_key_purpose_from_name(const char *name)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_name(x509_key_purposes, x509_key_purposes_count, name))) {
- error_print();
- return OID_undef;
- }
- return info->oid;
-}
-
-const char *x509_key_purpose_name(int oid)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) {
- error_print();
- return NULL;
- }
- return info->name;
-}
-
-const char *x509_key_purpose_text(int oid)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) {
- error_print();
- return NULL;
- }
- return info->description;
-}
-
-int x509_key_purpose_to_der(int oid, uint8_t **out, size_t *outlen)
-{
- const ASN1_OID_INFO *info;
- if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) {
- error_print();
- return -1;
- }
- if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) {
- error_print();
- return -1;
- }
- return 1;
-}
-
-int x509_key_purpose_from_der(int *oid, const uint8_t **in, size_t *inlen)
-{
- int ret;
- const ASN1_OID_INFO *info;
- if ((ret = asn1_oid_info_from_der(&info, x509_key_purposes, x509_key_purposes_count, in, inlen)) != 1) {
- if (ret < 0) error_print();
- else *oid = -1;
- return ret;
- }
- *oid = info->oid;
- return 1;
-}
diff --git a/tests/http_crltest.c b/tests/http_crltest.c
index 0f67d5fa..3c156eca 100644
--- a/tests/http_crltest.c
+++ b/tests/http_crltest.c
@@ -13,7 +13,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
diff --git a/tests/x509_crltest.c b/tests/x509_crltest.c
index c7f3d372..217b2fb1 100644
--- a/tests/x509_crltest.c
+++ b/tests/x509_crltest.c
@@ -13,7 +13,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
diff --git a/tests/x509_exttest.c b/tests/x509_exttest.c
index 47d6188b..1b2ca6c9 100644
--- a/tests/x509_exttest.c
+++ b/tests/x509_exttest.c
@@ -13,7 +13,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
diff --git a/tests/x509_oidtest.c b/tests/x509_oidtest.c
index 1f15f1e4..85041402 100644
--- a/tests/x509_oidtest.c
+++ b/tests/x509_oidtest.c
@@ -12,8 +12,8 @@
 #include
 #include
 #include
-#include
 #include
+#include
 #include
 #include
diff --git a/tests/x509_reqtest.c b/tests/x509_reqtest.c
index 666b5caa..8dd04706 100644
--- a/tests/x509_reqtest.c
+++ b/tests/x509_reqtest.c
@@ -13,7 +13,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
diff --git a/tests/x509test.c b/tests/x509test.c
index e8df4fa5..ddc2977b 100644
--- a/tests/x509test.c
+++ b/tests/x509test.c
@@ -13,7 +13,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
diff --git a/tools/certgen.c b/tools/certgen.c
index 38830658..6c8301f2 100644
--- a/tools/certgen.c
+++ b/tools/certgen.c
@@ -18,7 +18,6 @@
 #include
 #include
 #include
-#include
 #include
diff --git a/tools/reqsign.c b/tools/reqsign.c
index 34c4a911..31f74b74 100644
--- a/tools/reqsign.c
+++ b/tools/reqsign.c
@@ -18,7 +18,6 @@
 #include
 #include
 #include
-#include
 static const char *options =