mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-06-20 03:44:15 +08:00
250 lines
6.9 KiB
C
250 lines
6.9 KiB
C
/*
|
|
* Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the License); you may
|
|
* not use this file except in compliance with the License.
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <errno.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <gmssl/hex.h>
|
|
#include <gmssl/x509.h>
|
|
#include <gmssl/sct.h>
|
|
#include <gmssl/error.h>
|
|
|
|
|
|
#define SCTVERIFY_MAX_SCT_LIST_SIZE 65536
|
|
#define SCTVERIFY_MAX_ENTRY_SIZE 65536
|
|
#define SCTVERIFY_MAX_CT_LOGS 16
|
|
|
|
|
|
static const char *options =
|
|
"-in file [-cert pem | -precert der] [-issuer_key_hash hex]"
|
|
" -log_key pem [-log_key pem ...] [-at_least num] [-digest name]"
|
|
" [-verbose]";
|
|
|
|
static const char *help =
|
|
"Options\n"
|
|
"\n"
|
|
" -in file Input SignedCertificateTimestampList in binary format\n"
|
|
" -cert pem Input certificate and verify SCTs over an x509_entry\n"
|
|
" -precert der Input TBSCertificate DER and verify SCTs over a precert_entry\n"
|
|
" -issuer_key_hash hex\n"
|
|
" 32-byte issuer key hash, required with -precert\n"
|
|
" -log_key pem CT Log public key in SubjectPublicKeyInfo PEM format\n"
|
|
" This option can be repeated\n"
|
|
" -at_least num Required number of successful SCT verifications, default 1\n"
|
|
" -digest name Digest for CT Log ID, default sha256\n"
|
|
" -verbose Print verification result to stderr\n"
|
|
"\n"
|
|
"Examples\n"
|
|
"\n"
|
|
" gmssl sctverify -in sctlist.bin -cert cert.pem -log_key ctlog.pem -at_least 1\n"
|
|
" gmssl sctverify -in sctlist.bin -precert tbs.der -issuer_key_hash HEX -log_key ctlog.pem\n"
|
|
"\n";
|
|
|
|
static int read_file(const char *file, uint8_t *buf, size_t *buflen, size_t maxlen)
|
|
{
|
|
FILE *fp;
|
|
size_t len;
|
|
|
|
if (!(fp = fopen(file, "rb"))) {
|
|
return -1;
|
|
}
|
|
len = fread(buf, 1, maxlen, fp);
|
|
if (ferror(fp) || (len == maxlen && fgetc(fp) != EOF)) {
|
|
fclose(fp);
|
|
return -1;
|
|
}
|
|
fclose(fp);
|
|
*buflen = len;
|
|
return 1;
|
|
}
|
|
|
|
int sctverify_main(int argc, char **argv)
|
|
{
|
|
int ret = 1;
|
|
char *prog = argv[0];
|
|
char *infile = NULL;
|
|
char *certfile = NULL;
|
|
char *precertfile = NULL;
|
|
char *digest_name = "sha256";
|
|
char *str;
|
|
FILE *certfp = NULL;
|
|
FILE *logkeyfp = NULL;
|
|
int entry_type = -1;
|
|
int verbose = 0;
|
|
size_t at_least = 1;
|
|
size_t i;
|
|
|
|
uint8_t sct_list[SCTVERIFY_MAX_SCT_LIST_SIZE];
|
|
size_t sct_list_len = 0;
|
|
uint8_t entry[SCTVERIFY_MAX_ENTRY_SIZE];
|
|
size_t entry_len = 0;
|
|
uint8_t issuer_key_hash[SCT_ISSUER_KEY_HASH_SIZE];
|
|
size_t issuer_key_hash_len = 0;
|
|
CT_LOG_INFO ct_logs[SCTVERIFY_MAX_CT_LOGS];
|
|
size_t ct_logs_cnt = 0;
|
|
const DIGEST *digest;
|
|
|
|
argc--;
|
|
argv++;
|
|
|
|
while (argc > 0) {
|
|
if (!strcmp(*argv, "-help")) {
|
|
printf("usage: %s %s\n\n", prog, options);
|
|
printf("%s\n", help);
|
|
ret = 0;
|
|
goto end;
|
|
} else if (!strcmp(*argv, "-in")) {
|
|
if (--argc < 1) goto bad;
|
|
infile = *(++argv);
|
|
} else if (!strcmp(*argv, "-cert")) {
|
|
if (--argc < 1) goto bad;
|
|
certfile = *(++argv);
|
|
entry_type = SCT_log_entry_type_x509_entry;
|
|
} else if (!strcmp(*argv, "-precert")) {
|
|
if (--argc < 1) goto bad;
|
|
precertfile = *(++argv);
|
|
entry_type = SCT_log_entry_type_precert_entry;
|
|
} else if (!strcmp(*argv, "-issuer_key_hash")) {
|
|
if (--argc < 1) goto bad;
|
|
str = *(++argv);
|
|
if (hex_to_bytes(str, strlen(str), issuer_key_hash,
|
|
&issuer_key_hash_len) != 1
|
|
|| issuer_key_hash_len != sizeof(issuer_key_hash)) {
|
|
fprintf(stderr, "%s: invalid `-issuer_key_hash` value\n", prog);
|
|
goto end;
|
|
}
|
|
} else if (!strcmp(*argv, "-log_key")) {
|
|
if (--argc < 1) goto bad;
|
|
if (ct_logs_cnt >= SCTVERIFY_MAX_CT_LOGS) {
|
|
fprintf(stderr, "%s: too many `-log_key` options\n", prog);
|
|
goto end;
|
|
}
|
|
str = *(++argv);
|
|
if (!(logkeyfp = fopen(str, "rb"))) {
|
|
fprintf(stderr, "%s: open '%s' failure : %s\n",
|
|
prog, str, strerror(errno));
|
|
goto end;
|
|
}
|
|
memset(&ct_logs[ct_logs_cnt], 0, sizeof(CT_LOG_INFO));
|
|
if (x509_public_key_info_from_pem(&ct_logs[ct_logs_cnt].log_key,
|
|
logkeyfp) != 1) {
|
|
fprintf(stderr, "%s: parse CT log public key failure\n", prog);
|
|
goto end;
|
|
}
|
|
fclose(logkeyfp);
|
|
logkeyfp = NULL;
|
|
ct_logs[ct_logs_cnt].log_name = str;
|
|
ct_logs_cnt++;
|
|
} else if (!strcmp(*argv, "-at_least")) {
|
|
if (--argc < 1) goto bad;
|
|
str = *(++argv);
|
|
at_least = (size_t)atoi(str);
|
|
if (!at_least) {
|
|
fprintf(stderr, "%s: invalid `-at_least` value\n", prog);
|
|
goto end;
|
|
}
|
|
} else if (!strcmp(*argv, "-digest")) {
|
|
if (--argc < 1) goto bad;
|
|
digest_name = *(++argv);
|
|
} else if (!strcmp(*argv, "-verbose")) {
|
|
verbose = 1;
|
|
} else {
|
|
fprintf(stderr, "%s: illegal option '%s'\n", prog, *argv);
|
|
goto end;
|
|
bad:
|
|
fprintf(stderr, "%s: '%s' option value missing\n", prog, *argv);
|
|
goto end;
|
|
}
|
|
|
|
argc--;
|
|
argv++;
|
|
}
|
|
|
|
if (!infile) {
|
|
fprintf(stderr, "%s: '-in' option required\n", prog);
|
|
goto end;
|
|
}
|
|
if ((certfile && precertfile) || (!certfile && !precertfile)) {
|
|
fprintf(stderr, "%s: exactly one of '-cert' or '-precert' required\n", prog);
|
|
goto end;
|
|
}
|
|
if (!ct_logs_cnt) {
|
|
fprintf(stderr, "%s: '-log_key' option required\n", prog);
|
|
goto end;
|
|
}
|
|
if (at_least > ct_logs_cnt) {
|
|
fprintf(stderr, "%s: `-at_least` must be <= number of CT log keys\n", prog);
|
|
goto end;
|
|
}
|
|
if (!(digest = digest_from_name(digest_name))) {
|
|
fprintf(stderr, "%s: invalid `-digest` value\n", prog);
|
|
goto end;
|
|
}
|
|
if (read_file(infile, sct_list, &sct_list_len, sizeof(sct_list)) != 1) {
|
|
fprintf(stderr, "%s: read SCT list failure\n", prog);
|
|
goto end;
|
|
}
|
|
|
|
switch (entry_type) {
|
|
case SCT_log_entry_type_x509_entry:
|
|
if (!(certfp = fopen(certfile, "rb"))) {
|
|
fprintf(stderr, "%s: open '%s' failure : %s\n",
|
|
prog, certfile, strerror(errno));
|
|
goto end;
|
|
}
|
|
if (x509_cert_from_pem(entry, &entry_len, sizeof(entry), certfp) != 1) {
|
|
fprintf(stderr, "%s: read certificate failure\n", prog);
|
|
goto end;
|
|
}
|
|
break;
|
|
case SCT_log_entry_type_precert_entry:
|
|
if (issuer_key_hash_len != SCT_ISSUER_KEY_HASH_SIZE) {
|
|
fprintf(stderr, "%s: '-issuer_key_hash' option required with '-precert'\n", prog);
|
|
goto end;
|
|
}
|
|
if (read_file(precertfile, entry, &entry_len, sizeof(entry)) != 1) {
|
|
fprintf(stderr, "%s: read TBSCertificate failure\n", prog);
|
|
goto end;
|
|
}
|
|
break;
|
|
}
|
|
|
|
for (i = 0; i < ct_logs_cnt; i++) {
|
|
size_t dgstlen;
|
|
|
|
if (x509_public_key_digest_ex(&ct_logs[i].log_key, digest,
|
|
ct_logs[i].log_id, &dgstlen) != 1
|
|
|| dgstlen != SCT_LOG_ID_SIZE) {
|
|
fprintf(stderr, "%s: compute CT log id failure\n", prog);
|
|
goto end;
|
|
}
|
|
}
|
|
|
|
if (sct_list_verify(sct_list, sct_list_len, entry_type,
|
|
issuer_key_hash_len ? issuer_key_hash : NULL,
|
|
entry, entry_len, ct_logs, ct_logs_cnt, at_least) != 1) {
|
|
fprintf(stderr, "%s: SCT list verification failure\n", prog);
|
|
goto end;
|
|
}
|
|
|
|
if (verbose) {
|
|
fprintf(stderr, "%s: SCT list verification success\n", prog);
|
|
fprintf(stderr, "%s: verified at least %zu SCT(s) with %zu CT log key(s)\n",
|
|
prog, at_least, ct_logs_cnt);
|
|
}
|
|
ret = 0;
|
|
|
|
end:
|
|
if (certfp) fclose(certfp);
|
|
if (logkeyfp) fclose(logkeyfp);
|
|
return ret;
|
|
}
|