/* * Copyright 2014-2023 The GmSSL Project. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the License); you may * not use this file except in compliance with the License. * * http://www.apache.org/licenses/LICENSE-2.0 */ #include #include #include #include #include #include #include #include #include static const char *usage = "-in revoked_certs.der -key pem -pass str -cacert pem [-next_update time] " "[-gen_authority_key_id] [-crl_num num] [-delta_crl_indicator num] [-ca_issuers_uri uri] [-ocsp_uri uri] [-out crl.der]"; static void print_options(const char *prog) { printf("Options\n"); printf("\n"); printf(" -in revoked_certs.der To be revoked certificate list\n"); printf(" This input file format is DER-encoding of SEQUENCE OF RevokedCertificate\n"); printf(" revoked_certs.der can be generated by `gmssl certrevoke`\n"); printf("\n"); printf(" -key pkcs8.pem The issuer private key.\n"); printf("\n"); printf(" -cacert cert.pem The issuer certificate.\n"); printf("\n"); printf(" -next_update time Optional CRL attribute.\n"); printf("\n"); printf(" -out crl.der Output CRL in DER-encoding\n"); } int crlgen_main(int argc, char **argv) { int ret = 1; char *prog = argv[0]; char *infile = NULL; uint8_t *revoked_certs = NULL; size_t revoked_certs_len = 0; char *outfile = NULL; FILE *outfp = stdout; char *keyfile = NULL; char *pass = NULL; FILE *keyfp = NULL; SM2_KEY sign_key; char *cacertfile = NULL; uint8_t *cacert = NULL; size_t cacert_len = 0; const uint8_t *issuer; size_t issuer_len; time_t next_update = -1; uint8_t exts[512]; size_t extslen = 0; int gen_authority_key_id = 0; int crl_num = -1; int delta_crl_indicator = -1; char *http_uri = NULL; char *ldap_uri = NULL; char *ca_issuers_uri = NULL; char *ocsp_uri = NULL; uint8_t outbuf[64 * 1024]; uint8_t *out = outbuf; size_t outlen = 0; argc--; argv++; while (argc > 0) { if (!strcmp(*argv, "-help")) { printf("usage: %s %s\n", prog, usage); printf("\n"); print_options(prog); goto end; } else if (!strcmp(*argv, "-in")) { if (--argc < 1) goto bad; infile = *(++argv); if (file_read_all(infile, &revoked_certs, &revoked_certs_len) != 1) { fprintf(stderr, "%s: read input file failed\n", prog); goto end; } } else if (!strcmp(*argv, "-out")) { if (--argc < 1) goto bad; outfile = *(++argv); if (!(outfp = fopen(outfile, "wb"))) { fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno)); goto end; } } else if (!strcmp(*argv, "-key")) { if (--argc < 1) goto bad; keyfile = *(++argv); if (!(keyfp = fopen(keyfile, "rb"))) { fprintf(stderr, "%s: open '%s' failure : %s\n", prog, keyfile, strerror(errno)); goto end; } } else if (!strcmp(*argv, "-pass")) { if (--argc < 1) goto bad; } else if (!strcmp(*argv, "-cacert")) { if (--argc < 1) goto bad; cacertfile = *(++argv); if (x509_cert_new_from_file(&cacert, &cacert_len, cacertfile) != 1) { goto end; } } else if (!strcmp(*argv, "-next_update")) { if (--argc < 1) goto bad; if (asn1_time_from_str(0, &next_update, *(++argv)) != 1) { fprintf(stderr, "%s: invalid time format for '-next_update', should be 'YYYYMMDDHHMMSSZ'\n", prog); goto bad; } } else if (!strcmp(*argv, "-gen_authority_key_id")) { gen_authority_key_id = 1; } else if (!strcmp(*argv, "-crl_num")) { if (--argc < 1) goto bad; crl_num = atoi(*(++argv)); } else if (!strcmp(*argv, "-delta_crl_indicator")) { if (--argc < 1) goto bad; delta_crl_indicator = atoi(*(++argv)); } else if (!strcmp(*argv, "-http_uri")) { if (--argc < 1) goto bad; http_uri = *(++argv); } else if (!strcmp(*argv, "-ldap_uri")) { if (--argc < 1) goto bad; ldap_uri = *(++argv); } else if (!strcmp(*argv, "-ca_issuers_uri")) { ca_issuers_uri = *(++argv); } else if (!strcmp(*argv, "-ocsp_uri")) { if (--argc < 1) goto bad; ocsp_uri = *(++argv); } else { fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv); goto end; bad: fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv); goto end; } argc--; argv++; } if (!infile) { fprintf(stderr, "%s: '-in' option required\n", prog); goto end; } if (!cacertfile) { fprintf(stderr, "%s: '-cacert' option required\n", prog); goto end; } if (!keyfile) { fprintf(stderr, "%s: '-key' option required\n", prog); goto end; } if (!pass) { fprintf(stderr, "%s: '-pass' option required\n", prog); goto end; } if (!revoked_certs || !revoked_certs_len) { fprintf(stderr, "usage: %s %s\n", prog, usage); goto end; } if (x509_cert_get_subject(cacert, cacert_len, &issuer, &issuer_len) != 1) { fprintf(stderr, "%s: parse CA certificate failure\n", prog); goto end; } if (sm2_private_key_info_decrypt_from_pem(&sign_key, pass, keyfp) != 1) { fprintf(stderr, "%s: load private key failure\n", prog); goto end; } if (gen_authority_key_id) { if (x509_crl_exts_add_default_authority_key_identifier(exts, &extslen, sizeof(exts), &sign_key) != 1) { fprintf(stderr, "%s: inner error\n", prog); goto end; } } if (x509_crl_exts_add_crl_number(exts, &extslen, sizeof(exts), -1, crl_num) < 0 || x509_crl_exts_add_delta_crl_indicator(exts, &extslen, sizeof(exts), X509_critical, delta_crl_indicator) < 0) { fprintf(stderr, "%s: inner error\n", prog); goto end; } if (ca_issuers_uri || ocsp_uri) { if (x509_crl_exts_add_authority_info_acess(exts, &extslen, sizeof(exts), -1, ca_issuers_uri, ca_issuers_uri ? strlen(ca_issuers_uri) : 0, ocsp_uri, ocsp_uri ? strlen(ocsp_uri) : 0) != 1) { fprintf(stderr, "%s: inner error\n", prog); goto end; } } if (http_uri || ldap_uri) { if (x509_crl_exts_add_freshest_crl(exts, &extslen, sizeof(exts), -1, http_uri, http_uri ? strlen(http_uri) : 0, ldap_uri, ldap_uri ? strlen(ldap_uri) : 0) != 1) { fprintf(stderr, "%s: inner error\n", prog); goto end; } } if (x509_crl_sign_to_der( X509_version_v2, OID_sm2sign_with_sm3, issuer, issuer_len, time(NULL), next_update, revoked_certs, revoked_certs_len, extslen ? exts : NULL, extslen, &sign_key, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH, &out, &outlen) != 1) { // error_print(); return -1; } if (fwrite(outbuf, 1, outlen, outfp) != outlen) { fprintf(stderr, "%s: output failure\n", prog); return -1; } ret = 0; end: //if (cert) free(cert); if (outfile && outfp) fclose(outfp); return ret; }