mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-05-06 16:36:16 +08:00
464 lines
12 KiB
C
464 lines
12 KiB
C
/*
|
|
* Copyright 2014-2023 The GmSSL Project. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the License); you may
|
|
* not use this file except in compliance with the License.
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <gmssl/oid.h>
|
|
#include <gmssl/x509_alg.h>
|
|
#include <gmssl/x509_oid.h>
|
|
#include <gmssl/x509_crl.h>
|
|
#include <gmssl/x509_ext.h>
|
|
#include <gmssl/x509.h>
|
|
#include <gmssl/rand.h>
|
|
#include <gmssl/error.h>
|
|
|
|
|
|
static int test_x509_crl_reason(void)
|
|
{
|
|
uint8_t buf[256];
|
|
uint8_t *p = buf;
|
|
const uint8_t *cp = buf;
|
|
size_t len = 0;
|
|
int reason;
|
|
int i;
|
|
|
|
for (i = 0; i < 11; i++) {
|
|
if (x509_crl_reason_to_der(i, &p, &len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
format_bytes(stderr, 0, 4, "", buf, len);
|
|
}
|
|
for (i = 0; i < 11; i++) {
|
|
if (x509_crl_reason_from_der(&reason, &cp, &len) != 1
|
|
|| asn1_check(reason == i) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
format_print(stderr, 0, 4, "%s (%d)\n", x509_crl_reason_name(reason), reason);
|
|
}
|
|
(void)asn1_length_is_zero(len);
|
|
printf("%s() ok\n", __FUNCTION__);
|
|
return 1;
|
|
}
|
|
|
|
static int test_x509_crl_entry_ext(void)
|
|
{
|
|
int exts[] = {
|
|
OID_ce_crl_reasons,
|
|
OID_ce_invalidity_date,
|
|
OID_ce_certificate_issuer,
|
|
};
|
|
uint8_t buf[256];
|
|
uint8_t *p = buf;
|
|
const uint8_t *cp = buf;
|
|
size_t len = 0;
|
|
int oid;
|
|
int i;
|
|
|
|
for (i = 0; i < sizeof(exts)/sizeof(exts[0]); i++) {
|
|
if (x509_crl_entry_ext_id_to_der(exts[i], &p, &len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
format_bytes(stderr, 0, 4, "", buf, len);
|
|
}
|
|
for (i = 0; i < sizeof(exts)/sizeof(exts[0]); i++) {
|
|
if (x509_crl_entry_ext_id_from_der(&oid, &cp, &len) != 1
|
|
|| asn1_check(oid == exts[i]) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
format_print(stderr, 0, 4, "%s\n", x509_crl_entry_ext_id_name(oid));
|
|
}
|
|
(void)asn1_length_is_zero(len);
|
|
printf("%s() ok\n", __FUNCTION__);
|
|
return 1;
|
|
}
|
|
|
|
static int test_vector_gen_uri_as_general_names(void)
|
|
{
|
|
const char *uri = "http://www.example.com/path";
|
|
uint8_t buf[256];
|
|
uint8_t *p;
|
|
const uint8_t *cp;
|
|
size_t len;
|
|
const uint8_t *d;
|
|
size_t dlen;
|
|
size_t i;
|
|
|
|
cp = p = buf; len = 0;
|
|
if (x509_uri_as_general_names_to_der(uri, strlen(uri), &p, &len) != 1
|
|
|| asn1_sequence_from_der(&d, &dlen, &cp, &len) != 1
|
|
|| asn1_length_is_zero(len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
printf("// generated by %s()\n", __FUNCTION__);
|
|
printf("const uint8_t cert_issuer[] = {\n\t");
|
|
for (i = 0; i < dlen; i++) {
|
|
printf("0x%02x,", d[i]);
|
|
if ((i + 1) % 8 == 0) printf("\n\t");
|
|
}
|
|
printf("\n};\n");
|
|
return 1;
|
|
}
|
|
|
|
|
|
static int test_x509_crl_entry_exts(void)
|
|
{
|
|
// generated by test_vector_gen_uri_as_general_names()
|
|
const uint8_t cert_issuer[] = {
|
|
0x86,0x1b,0x68,0x74,0x74,0x70,0x3a,0x2f,
|
|
0x2f,0x77,0x77,0x77,0x2e,0x65,0x78,0x61,
|
|
0x6d,0x70,0x6c,0x65,0x2e,0x63,0x6f,0x6d,
|
|
0x2f,0x70,0x61,0x74,0x68,
|
|
};
|
|
struct {
|
|
int reason;
|
|
time_t invalid_date;
|
|
const uint8_t *cert_issuer;
|
|
size_t cert_issuer_len;
|
|
} tests[] = {
|
|
{ X509_cr_key_compromise, -1, NULL, 0 },
|
|
{ -1, time(NULL), NULL, 0 },
|
|
{ -1, -1, cert_issuer, sizeof(cert_issuer) },
|
|
{ X509_cr_key_compromise, time(NULL), NULL, 0 },
|
|
{ X509_cr_key_compromise, time(NULL), cert_issuer, sizeof(cert_issuer) },
|
|
};
|
|
|
|
uint8_t buf[1024];
|
|
uint8_t *p;
|
|
const uint8_t *cp;
|
|
size_t len;
|
|
size_t i;
|
|
|
|
int reason;
|
|
time_t invalid_date;
|
|
const uint8_t *issuer;
|
|
size_t issuer_len;
|
|
|
|
cp = p = buf; len = 0;
|
|
if (x509_crl_entry_exts_to_der(-1, -1, NULL, 0, &p, &len) != 0) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
|
|
if (x509_crl_entry_exts_to_der(
|
|
tests[i].reason,
|
|
tests[i].invalid_date,
|
|
tests[i].cert_issuer,
|
|
tests[i].cert_issuer_len, &p, &len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
//printf("%s %d: test %zu passed\n", __FILE__, __LINE__, i);
|
|
if (len > sizeof(buf)) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
{
|
|
size_t left = len;
|
|
const uint8_t *d;
|
|
size_t dlen;
|
|
cp = buf;
|
|
while (left) {
|
|
if (asn1_sequence_from_der(&d, &dlen, &cp, &left) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
x509_crl_entry_exts_print(stderr, 0, 0, "CRLEntryExtensions", d, dlen);
|
|
|
|
if (x509_crl_entry_exts_check(d, dlen) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
}
|
|
}
|
|
|
|
cp = p = buf;
|
|
for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
|
|
if (x509_crl_entry_exts_from_der(&reason, &invalid_date, &issuer, &issuer_len, &cp, &len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
if (reason != tests[i].reason) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
if (invalid_date != tests[i].invalid_date) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
if (issuer_len != tests[i].cert_issuer_len || memcmp(issuer, tests[i].cert_issuer, issuer_len) != 0) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
//printf("%s %d: test %zu passed\n", __FILE__, __LINE__, i);
|
|
}
|
|
if (len != 0) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
|
|
printf("%s() ok\n", __FUNCTION__);
|
|
return 1;
|
|
}
|
|
|
|
static int test_x509_revoked_cert(void)
|
|
{
|
|
uint8_t serial_buf[16] = { 0x01,0x02,0x00 };
|
|
time_t revoke_date = time(NULL);
|
|
int reason = X509_cr_key_compromise;
|
|
time_t invalid_date = revoke_date;
|
|
// generated by test_vector_gen_uri_as_general_names()
|
|
const uint8_t cert_issuer_buf[] = {
|
|
0x86,0x1b,0x68,0x74,0x74,0x70,0x3a,0x2f,
|
|
0x2f,0x77,0x77,0x77,0x2e,0x65,0x78,0x61,
|
|
0x6d,0x70,0x6c,0x65,0x2e,0x63,0x6f,0x6d,
|
|
0x2f,0x70,0x61,0x74,0x68,
|
|
};
|
|
const uint8_t *serial;
|
|
size_t serial_len;
|
|
const uint8_t *cert_issuer;
|
|
size_t cert_issuer_len;
|
|
|
|
uint8_t buf[512];
|
|
uint8_t *p;
|
|
const uint8_t *cp;
|
|
size_t len = 0;
|
|
const uint8_t *d;
|
|
size_t dlen;
|
|
|
|
cp = p = buf; len = 0;
|
|
if (x509_revoked_cert_to_der_ex(serial_buf, sizeof(serial_buf), revoke_date,
|
|
reason, invalid_date, cert_issuer_buf, sizeof(cert_issuer_buf), &p, &len) != 1
|
|
|| asn1_sequence_from_der(&d, &dlen, &cp, &len) != 1
|
|
|| asn1_length_is_zero(len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
x509_revoked_cert_print(stderr, 0, 0, "RevokedCertificate", d, dlen);
|
|
|
|
cp = p = buf; len = 0;
|
|
if (x509_revoked_cert_to_der_ex(serial_buf, sizeof(serial_buf), revoke_date,
|
|
reason, invalid_date, cert_issuer_buf, sizeof(cert_issuer_buf), &p, &len) != 1
|
|
|| x509_revoked_cert_from_der_ex(&serial, &serial_len, &revoke_date,
|
|
&reason, &invalid_date, &cert_issuer, &cert_issuer_len, &cp, &len) != 1
|
|
|| asn1_length_is_zero(len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
|
|
printf("%s() ok\n", __FUNCTION__);
|
|
return 1;
|
|
}
|
|
|
|
static int test_x509_crl_ext_id(void)
|
|
{
|
|
int crl_ext_oids[] = {
|
|
OID_ce_authority_key_identifier,
|
|
OID_ce_issuer_alt_name,
|
|
OID_ce_crl_number,
|
|
OID_ce_delta_crl_indicator,
|
|
OID_ce_issuing_distribution_point,
|
|
OID_ce_freshest_crl,
|
|
OID_pe_authority_info_access,
|
|
};
|
|
int oid;
|
|
|
|
uint8_t buf[512];
|
|
uint8_t *p;
|
|
const uint8_t *cp;
|
|
size_t len;
|
|
size_t i;
|
|
|
|
cp = p = buf; len = 0;
|
|
for (i = 0; i < sizeof(crl_ext_oids)/sizeof(crl_ext_oids[0]); i++) {
|
|
if (x509_crl_ext_id_to_der(crl_ext_oids[i], &p, &len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
format_bytes(stderr, 0, 0, "", buf, len);
|
|
}
|
|
for (i = 0; i < sizeof(crl_ext_oids)/sizeof(crl_ext_oids[0]); i++) {
|
|
if (x509_crl_ext_id_from_der(&oid, &cp, &len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
printf(" %s\n", x509_crl_ext_id_name(oid));
|
|
}
|
|
if (len) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
|
|
printf("%s() ok\n", __FUNCTION__);
|
|
return 1;
|
|
}
|
|
|
|
static int test_x509_issuing_distribution_point(void)
|
|
{
|
|
char *dist_point_uri = "http://www.example.com/crl.crl";
|
|
int reason_flags = X509_RF_KEY_COMPROMISE|X509_RF_CA_COMPROMISE;
|
|
|
|
uint8_t buf[512];
|
|
uint8_t *p = buf;
|
|
const uint8_t *cp = buf;
|
|
size_t len = 0;
|
|
const uint8_t *d;
|
|
size_t dlen;
|
|
|
|
if (x509_issuing_distribution_point_to_der(
|
|
dist_point_uri, strlen(dist_point_uri),
|
|
ASN1_TRUE,
|
|
ASN1_TRUE,
|
|
reason_flags,
|
|
ASN1_TRUE,
|
|
ASN1_TRUE, &p, &len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
if (asn1_sequence_from_der(&d, &dlen, &cp, &len) != 1
|
|
|| asn1_length_is_zero(len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
x509_issuing_distribution_point_print(stderr, 0, 0, "IssuingDistributionPoint", d, dlen);
|
|
|
|
printf("%s() ok\n", __FUNCTION__);
|
|
return 1;
|
|
}
|
|
|
|
static int test_x509_issuing_distribution_point_from_der(void)
|
|
{
|
|
char *uri = "http://www.example.com/crl.crl";
|
|
int flags = X509_RF_KEY_COMPROMISE|X509_RF_CA_COMPROMISE;
|
|
|
|
uint8_t buf[512];
|
|
uint8_t *p = buf;
|
|
const uint8_t *cp = buf;
|
|
size_t len = 0;
|
|
|
|
int dist_point_choice;
|
|
const uint8_t *dist_point;
|
|
size_t dist_point_len;
|
|
int only_contains_user_certs;
|
|
int only_contains_ca_certs;
|
|
int only_some_reasons;
|
|
int indirect_crl;
|
|
int only_contains_attr_certs;
|
|
|
|
if (x509_issuing_distribution_point_to_der(
|
|
uri, strlen(uri),
|
|
ASN1_TRUE,
|
|
ASN1_FALSE,
|
|
flags,
|
|
-1,
|
|
ASN1_FALSE, &p, &len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
if (x509_issuing_distribution_point_from_der(
|
|
&dist_point_choice, &dist_point, &dist_point_len,
|
|
&only_contains_user_certs,
|
|
&only_contains_ca_certs,
|
|
&only_some_reasons,
|
|
&indirect_crl,
|
|
&only_contains_attr_certs, &cp, &len) != 1
|
|
|| asn1_length_is_zero(len) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
|
|
printf("%s() ok\n", __FUNCTION__);
|
|
return 1;
|
|
}
|
|
|
|
static int test_x509_crl_exts(void)
|
|
{
|
|
uint8_t exts[1024];
|
|
size_t extslen = 0;
|
|
uint8_t key_id[32];
|
|
uint8_t issuer[128];
|
|
size_t issuer_len = 0;
|
|
uint8_t serial[20];
|
|
char *http_uri = "http://www.example.com/crl.crl";
|
|
char *ldap_uri = "ldap://www.example.com/ldap";
|
|
char *ca_issuers_uri = "http://www.example.com/ca.crt";
|
|
char *ocsp_uri = "http://www.example.com/ocsp";
|
|
char *dist_point_uri = "http://www.example.com/crl.crl";
|
|
int reason_flags = X509_RF_KEY_COMPROMISE|X509_RF_CA_COMPROMISE;
|
|
|
|
if (rand_bytes(key_id, sizeof(key_id)) != 1
|
|
|| x509_general_names_add_uniform_resource_identifier(issuer, &issuer_len, sizeof(issuer), "http://www.example.com") != 1
|
|
|| rand_bytes(serial, sizeof(serial)) != 1) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
|
|
if (x509_crl_exts_add_authority_key_identifier(exts, &extslen, sizeof(exts),
|
|
-1, key_id, sizeof(key_id), issuer, issuer_len, serial, sizeof(serial)) != 1
|
|
|| x509_crl_exts_add_issuer_alt_name(exts, &extslen, sizeof(exts),
|
|
X509_non_critical, issuer, issuer_len) != 1
|
|
|| x509_crl_exts_add_crl_number(exts, &extslen, sizeof(exts),
|
|
X509_non_critical, 112) != 1
|
|
|| x509_crl_exts_add_delta_crl_indicator(exts, &extslen, sizeof(exts),
|
|
X509_critical, 113) != 1
|
|
|| x509_crl_exts_add_issuing_distribution_point(exts, &extslen, sizeof(exts),
|
|
X509_critical, dist_point_uri, strlen(dist_point_uri),
|
|
ASN1_FALSE, ASN1_FALSE, reason_flags, ASN1_FALSE, ASN1_FALSE) != 1
|
|
|| x509_crl_exts_add_freshest_crl(exts, &extslen, sizeof(exts),
|
|
X509_non_critical, http_uri, strlen(http_uri), ldap_uri, strlen(ldap_uri)) != 1
|
|
|| x509_crl_exts_add_authority_info_acess(exts, &extslen, sizeof(exts),
|
|
X509_non_critical, ca_issuers_uri, strlen(ca_issuers_uri), ocsp_uri, strlen(ocsp_uri)) != 1
|
|
) {
|
|
error_print();
|
|
return -1;
|
|
}
|
|
|
|
x509_crl_exts_print(stderr, 0, 0, "CRLExtensions", exts, extslen);
|
|
|
|
return 1;
|
|
}
|
|
|
|
static int test_x509_cert_revoke(void)
|
|
{
|
|
printf("%s() ok\n", __FUNCTION__);
|
|
return 1;
|
|
}
|
|
|
|
/*
|
|
http://mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20RSA%20TLS%20CA%2002.crl
|
|
http://crl.microsoft.com/pki/mscorp/crl/Microsoft%20RSA%20TLS%20CA%2002.crl
|
|
http://crl3.digicert.com/Omniroot2025.crl
|
|
*/
|
|
|
|
int main(void)
|
|
{
|
|
if (test_x509_crl_reason() != 1) goto err;
|
|
if (test_x509_crl_entry_ext() != 1) goto err;
|
|
if (test_x509_crl_entry_exts() != 1) goto err;
|
|
if (test_x509_revoked_cert() != 1) goto err;
|
|
if (test_vector_gen_uri_as_general_names() != 1) goto err;
|
|
if (test_x509_crl_ext_id() != 1) goto err;
|
|
if (test_x509_issuing_distribution_point() != 1) goto err;
|
|
if (test_x509_issuing_distribution_point_from_der() != 1) goto err;
|
|
if (test_x509_crl_exts() != 1) goto err;
|
|
printf("%s all tests passed\n", __FILE__);
|
|
return 0;
|
|
err:
|
|
error_print();
|
|
return 1;
|
|
}
|