1 /*
2 * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the License); you may
5 * not use this file except in compliance with the License.
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 */
9
10
11 #include <stdio.h>
12 #include <string.h>
13 #include <stdlib.h>
14 #include <gmssl/asn1.h>
15 #include <gmssl/oid.h>
16 #include <gmssl/x509.h>
17 #include <gmssl/x509_crl.h>
18 #include <gmssl/x509_alg.h>
19 #include <gmssl/x509_ext.h>
20 #include <gmssl/pem.h>
21 #include <gmssl/error.h>
22
/*
 * Display names of the CRLReason ENUMERATED values, indexed by the
 * enumeration value itself (0 = "unspecified" ... 10 = "aACompromise").
 * Entry 7 is a placeholder ("notAssigned") so that the remaining names keep
 * their numeric index.  Used by x509_crl_reason_name() and
 * x509_crl_reason_from_name() below.
 */
static const char *x509_crl_reason_names[] = {
	"unspecified",
	"keyCompromise",
	"cACompromise",
	"affiliationChanged",
	"superseded",
	"cessationOfOperation",
	"certificateHold",
	"notAssigned",
	"removeFromCRL",
	"privilegeWithdrawn",
	"aACompromise",
};

/* Number of entries in x509_crl_reason_names (upper bound for a valid reason). */
static const size_t x509_crl_reason_names_count =
	sizeof(x509_crl_reason_names)/sizeof(x509_crl_reason_names[0]);
39
/*
 * Map a CRLReason enumeration value to its display name.
 *
 * @param reason  enumeration value (0 .. x509_crl_reason_names_count - 1)
 * @return the name, or NULL (after error_print()) when reason is outside
 *         the table.
 */
const char *x509_crl_reason_name(int reason)
{
	size_t idx;

	/* Reject negatives before converting to the unsigned table index. */
	if (reason < 0) {
		error_print();
		return NULL;
	}
	idx = (size_t)reason;
	if (idx >= x509_crl_reason_names_count) {
		error_print();
		return NULL;
	}
	return x509_crl_reason_names[idx];
}
48
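/*
 * Look up a CRLReason enumeration value by its display name.
 *
 * @param reason  receives the enumeration value on success; untouched otherwise
 * @param name    NUL-terminated name to look up (exact, case-sensitive match)
 * @return 1 when found, 0 when the name is unknown, -1 (after error_print())
 *         when reason or name is NULL.
 *
 * The NULL check replaces an unconditional strcmp(name, ...) whose behaviour
 * is undefined for a NULL argument; the loop index is size_t to match the
 * size_t table count instead of mixing signed and unsigned comparison.
 */
int x509_crl_reason_from_name(int *reason, const char *name)
{
	size_t i;

	if (!reason || !name) {
		error_print();
		return -1;
	}
	for (i = 0; i < x509_crl_reason_names_count; i++) {
		if (strcmp(name, x509_crl_reason_names[i]) == 0) {
			*reason = (int)i;
			return 1;
		}
	}
	return 0;
}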
60
/*
 * DER-encode a CRLReason as an ASN.1 ENUMERATED.
 *
 * A non-negative reason must be one of the named values, otherwise -1 is
 * returned after error_print().  Negative values are handed straight to
 * asn1_enumerated_to_der() (presumably the "OPTIONAL field absent"
 * convention of the ASN.1 layer -- not visible here).
 * Returns whatever asn1_enumerated_to_der() returns.
 */
int x509_crl_reason_to_der(int reason, uint8_t **out, size_t *outlen)
{
	if (reason >= 0) {
		if (x509_crl_reason_name(reason) == NULL) {
			error_print();
			return -1;
		}
	}
	return asn1_enumerated_to_der(reason, out, outlen);
}
69
/*
 * Decode a CRLReason from a DER ENUMERATED.
 * Thin wrapper: the result code of asn1_enumerated_from_der() is returned
 * unchanged and *reason is whatever that function stored.
 */
int x509_crl_reason_from_der(int *reason, const uint8_t **in, size_t *inlen)
{
	int ret;

	ret = asn1_enumerated_from_der(reason, in, inlen);
	return ret;
}
74
/*
 * Decode a CRLReason carried in an IMPLICIT [index] tagged ENUMERATED.
 * Thin wrapper around asn1_implicit_enumerated_from_der(); its return code
 * is passed through unchanged.
 */
int x509_implicit_crl_reason_from_der(int index, int *reason, const uint8_t **in, size_t *inlen)
{
	int ret;

	ret = asn1_implicit_enumerated_from_der(index, reason, in, inlen);
	return ret;
}
79
80
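/*
 * OID node arrays for the CRL entry extensions (id-ce arc, see RFC 5280).
 * Left non-const because ASN1_OID_INFO.nodes is assumed to be a non-const
 * pointer (not visible here).
 */
static uint32_t oid_ce_crl_reasons[] = { oid_ce,21 };
static uint32_t oid_ce_invalidity_date[] = { oid_ce,24 };
static uint32_t oid_ce_certificate_issuer[] = { oid_ce,29 };

/*
 * Lookup table: numeric OID id, display name, node array and node count.
 * The node count is derived from the element size of the array itself
 * (uint32_t) rather than sizeof(int), which only happened to agree on
 * platforms where int is 32 bits wide.
 */
static const ASN1_OID_INFO x509_crl_entry_exts[] = {
	{ OID_ce_crl_reasons, "CRLReasons", oid_ce_crl_reasons, sizeof(oid_ce_crl_reasons)/sizeof(oid_ce_crl_reasons[0]) },
	{ OID_ce_invalidity_date, "InvalidityDate", oid_ce_invalidity_date, sizeof(oid_ce_invalidity_date)/sizeof(oid_ce_invalidity_date[0]) },
	{ OID_ce_certificate_issuer, "CertificateIssuer", oid_ce_certificate_issuer, sizeof(oid_ce_certificate_issuer)/sizeof(oid_ce_certificate_issuer[0]) },
};

/* Number of entries in x509_crl_entry_exts. */
static const int x509_crl_entry_exts_count =
	sizeof(x509_crl_entry_exts)/sizeof(x509_crl_entry_exts[0]);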
93
/*
 * Display name of a CRL entry extension OID.
 * Returns NULL (after error_print()) when oid is not in x509_crl_entry_exts.
 */
const char *x509_crl_entry_ext_id_name(int oid)
{
	const ASN1_OID_INFO *entry = asn1_oid_info_from_oid(x509_crl_entry_exts,
		x509_crl_entry_exts_count, oid);

	if (entry == NULL) {
		error_print();
		return NULL;
	}
	return entry->name;
}
103
/*
 * Numeric OID id of a CRL entry extension given its display name.
 * Returns OID_undef (after error_print()) when the name is unknown.
 */
int x509_crl_entry_ext_id_from_name(const char *name)
{
	const ASN1_OID_INFO *entry = asn1_oid_info_from_name(x509_crl_entry_exts,
		x509_crl_entry_exts_count, name);

	if (entry == NULL) {
		error_print();
		return OID_undef;
	}
	return entry->oid;
}
113
/*
 * DER-encode the extnID OBJECT IDENTIFIER of a CRL entry extension.
 *
 * @return 1 on success, -1 (after error_print()) when oid is unknown or the
 *         OID encoder fails.
 */
int x509_crl_entry_ext_id_to_der(int oid, uint8_t **out, size_t *outlen)
{
	const ASN1_OID_INFO *entry;

	entry = asn1_oid_info_from_oid(x509_crl_entry_exts, x509_crl_entry_exts_count, oid);
	if (entry == NULL) {
		goto err;
	}
	if (asn1_object_identifier_to_der(entry->nodes, entry->nodes_cnt, out, outlen) != 1) {
		goto err;
	}
	return 1;
err:
	error_print();
	return -1;
}
127
/*
 * Decode the extnID of a CRL entry extension and map it to its numeric id.
 *
 * @return 1 and *oid set when a known OID was decoded; 0 and *oid = -1 when
 *         asn1_oid_info_from_der() reports 0 (presumably "no element
 *         present"); a negative code (after error_print()) on a decode error.
 */
int x509_crl_entry_ext_id_from_der(int *oid, const uint8_t **in, size_t *inlen)
{
	const ASN1_OID_INFO *entry;
	int ret = asn1_oid_info_from_der(&entry, x509_crl_entry_exts,
		x509_crl_entry_exts_count, in, inlen);

	if (ret == 1) {
		*oid = entry->oid;
		return 1;
	}
	if (ret == 0) {
		*oid = -1;
		return 0;
	}
	error_print();
	return ret;
}
141
/*
 * Append a CRLReasons extension to a DER-encoded extension list.
 *
 * @param exts     buffer holding the already encoded extensions
 * @param extslen  in: bytes currently used; out: bytes used after the append
 * @param maxlen   capacity of exts, checked via asn1_length_le() before writing
 * @param critical extension criticality flag
 * @param reason   CRLReason enumeration value
 * @return 1 on success, -1 (after error_print()) on any failure; on failure
 *         *extslen is left at its input value.
 */
int x509_crl_entry_exts_add_reason(uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical, int reason)
{
	const int oid = OID_ce_crl_reasons;
	size_t projected = *extslen;
	uint8_t value[16];
	uint8_t *vp = value;
	size_t value_len = 0;

	exts += *extslen;
	if (x509_crl_reason_to_der(reason, &vp, &value_len) != 1) goto err;
	/* Dry run (NULL output) to learn the encoded size before bounds checking. */
	if (x509_ext_to_der(oid, critical, value, value_len, NULL, &projected) != 1) goto err;
	if (asn1_length_le(projected, maxlen) != 1) goto err;
	if (x509_ext_to_der(oid, critical, value, value_len, &exts, extslen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
161
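/*
 * Append an InvalidityDate extension (a GeneralizedTime) to a DER-encoded
 * extension list.
 *
 * @param exts     buffer holding the already encoded extensions
 * @param extslen  in: bytes currently used; out: bytes used after the append
 * @param maxlen   capacity of exts, checked via asn1_length_le() before writing
 * @param critical extension criticality flag
 * @param tv       invalidity date
 * @return 1 on success, -1 (after error_print()) on any failure.
 *
 * The scratch buffer used to be 16 bytes, but a DER GeneralizedTime in the
 * fixed "YYYYMMDDHHMMSSZ" form needs 17 bytes (tag, length, 15 characters),
 * so asn1_generalized_time_to_der() wrote one byte past the end of the stack
 * buffer.  32 bytes leaves headroom for any fractional-seconds variant.
 */
int x509_crl_entry_exts_add_invalidity_date(uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical, time_t tv)
{
	int oid = OID_ce_invalidity_date;
	size_t curlen = *extslen;
	uint8_t val[32];
	uint8_t *p = val;
	size_t vlen = 0;

	exts += *extslen;
	if (asn1_generalized_time_to_der(tv, &p, &vlen) != 1
		/* size-only pass (NULL output) so the bound check sees the final length */
		|| x509_ext_to_der(oid, critical, val, vlen, NULL, &curlen) != 1
		|| asn1_length_le(curlen, maxlen) != 1
		|| x509_ext_to_der(oid, critical, val, vlen, &exts, extslen) != 1) {
		error_print();
		return -1;
	}
	return 1;
}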
181
/*
 * Append a CertificateIssuer extension whose value is the DER content of a
 * GeneralNames SEQUENCE (d, dlen).  Delegates to x509_exts_add_sequence()
 * and returns its result unchanged.
 */
int x509_crl_entry_exts_add_certificate_issuer(uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical, const uint8_t *d, size_t dlen)
{
	return x509_exts_add_sequence(exts, extslen, maxlen,
		OID_ce_certificate_issuer, critical, d, dlen);
}
188
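/*
 * Print one CRL entry extension (the content of an Extension SEQUENCE).
 *
 * @param fp, fmt, ind  output stream, format flags and indentation
 * @param label         heading printed before the fields
 * @param d, dlen       DER content: extnID, optional critical, extnValue
 * @return 1 on success, -1 (after error_print()) on a decode error, an
 *         unknown extnID, or trailing bytes after extnValue or inside it.
 *
 * Changes from the previous version: the error label no longer sits inside
 * the final else-branch (a goto into a block), and leftover bytes inside the
 * extnValue or after it are now rejected, matching x509_crl_ext_print().
 */
int x509_crl_entry_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	int ret, oid, critical;
	const uint8_t *v;
	size_t vlen;

	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	/* x509_crl_entry_ext_id_from_der() returns 0 for an unknown OID, which is an error here. */
	if (x509_crl_entry_ext_id_from_der(&oid, &d, &dlen) != 1) goto err;
	format_print(fp, fmt, ind, "extnID: %s\n", x509_crl_entry_ext_id_name(oid));
	if ((ret = asn1_boolean_from_der(&critical, &d, &dlen)) < 0) goto err;
	if (ret) format_print(fp, fmt, ind, "critical: %s\n", asn1_boolean_name(critical));
	if (asn1_octet_string_from_der(&v, &vlen, &d, &dlen) != 1) goto err;

	switch (oid) {
	case OID_ce_crl_reasons: {
		int reason;
		if (x509_crl_reason_from_der(&reason, &v, &vlen) != 1) goto err;
		format_print(fp, fmt, ind, "reasonCode: %s\n", x509_crl_reason_name(reason));
		break;
	}
	case OID_ce_invalidity_date: {
		time_t invalidity_date;
		if (asn1_generalized_time_from_der(&invalidity_date, &v, &vlen) != 1) goto err;
		/* ctime() output already ends with a newline */
		format_print(fp, fmt, ind, "invalidityDate: %s", ctime(&invalidity_date));
		break;
	}
	case OID_ce_certificate_issuer: {
		const uint8_t *gns;
		size_t gnslen;
		if (asn1_sequence_from_der(&gns, &gnslen, &v, &vlen) != 1) goto err;
		x509_general_names_print(fp, fmt, ind, "certificateIssuer", gns, gnslen);
		break;
	}
	default:
		goto err;
	}

	/* No bytes may remain inside extnValue or after it. */
	if (asn1_length_is_zero(vlen) != 1) goto err;
	if (asn1_length_is_zero(dlen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}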
237
/*
 * Print every extension in a CRL entry extension list.
 * Each element must be a SEQUENCE; a malformed element yields -1 after
 * error_print().  The result of x509_crl_entry_ext_print() is not checked,
 * so a bad extension body is reported by that function but does not stop
 * the loop.  Returns 1 once dlen reaches zero.
 */
int x509_crl_entry_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	for (;;) {
		const uint8_t *ext;
		size_t ext_len;

		if (dlen == 0) {
			break;
		}
		if (asn1_sequence_from_der(&ext, &ext_len, &d, &dlen) != 1) {
			error_print();
			return -1;
		}
		x509_crl_entry_ext_print(fp, fmt, ind, "Extension", ext, ext_len);
	}
	return 1;
}
255
/*
 * DER-encode one RevokedCertificate entry:
 *   SEQUENCE { userCertificate INTEGER, revocationDate Time,
 *              crlEntryExtensions Extensions OPTIONAL }
 *
 * The body is measured with a NULL output first so the SEQUENCE header can
 * carry the right length.  entry_exts may be absent; asn1_sequence_to_der()
 * is only treated as failed when it returns a negative code.
 * @return 1 on success, -1 (after error_print()) otherwise.
 */
int x509_revoked_cert_to_der(
	const uint8_t *serial, size_t serial_len,
	time_t revoke_date,
	const uint8_t *entry_exts, size_t entry_exts_len,
	uint8_t **out, size_t *outlen)
{
	size_t body_len = 0;

	/* pass 1: size only */
	if (asn1_integer_to_der(serial, serial_len, NULL, &body_len) != 1) goto err;
	if (x509_time_to_der(revoke_date, NULL, &body_len) != 1) goto err;
	if (asn1_sequence_to_der(entry_exts, entry_exts_len, NULL, &body_len) < 0) goto err;
	/* pass 2: header then fields */
	if (asn1_sequence_header_to_der(body_len, out, outlen) != 1) goto err;
	if (asn1_integer_to_der(serial, serial_len, out, outlen) != 1) goto err;
	if (x509_time_to_der(revoke_date, out, outlen) != 1) goto err;
	if (asn1_sequence_to_der(entry_exts, entry_exts_len, out, outlen) < 0) goto err;
	return 1;
err:
	error_print();
	return -1;
}
275
/*
 * Decode one RevokedCertificate SEQUENCE.
 *
 * @return 1 on success; 0 when asn1_sequence_from_der() reports no element
 *         (passed through unchanged, no error printed); -1 after
 *         error_print() on a malformed body or trailing bytes.
 * Output pointers alias the input buffer (no copies are made).
 */
int x509_revoked_cert_from_der(
	const uint8_t **serial, size_t *serial_len,
	time_t *revoke_date,
	const uint8_t **entry_exts, size_t *entry_exts_len,
	const uint8_t **in, size_t *inlen)
{
	const uint8_t *body;
	size_t body_len;
	int ret = asn1_sequence_from_der(&body, &body_len, in, inlen);

	if (ret != 1) {
		if (ret < 0) {
			error_print();
		}
		return ret;
	}
	if (asn1_integer_from_der(serial, serial_len, &body, &body_len) != 1) goto err;
	if (x509_time_from_der(revoke_date, &body, &body_len) != 1) goto err;
	/* crlEntryExtensions is OPTIONAL: only a negative code is a failure */
	if (asn1_sequence_from_der(entry_exts, entry_exts_len, &body, &body_len) < 0) goto err;
	if (asn1_length_is_zero(body_len) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
299
/*
 * Print the fields of one RevokedCertificate SEQUENCE body.
 * @return 1 on success, -1 (after error_print()) on a decode error or
 *         trailing bytes.
 */
int x509_revoked_cert_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	const uint8_t *field;
	size_t field_len;
	time_t when;
	int has_exts;

	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	if (asn1_integer_from_der(&field, &field_len, &d, &dlen) != 1) {
		goto err;
	}
	format_bytes(fp, fmt, ind, "userCertificate", field, field_len);

	if (x509_time_from_der(&when, &d, &dlen) != 1) {
		goto err;
	}
	/* ctime() output already ends with a newline */
	format_print(fp, fmt, ind, "revocationDate: %s", ctime(&when));

	has_exts = asn1_sequence_from_der(&field, &field_len, &d, &dlen);
	if (has_exts < 0) {
		goto err;
	}
	if (has_exts) {
		x509_crl_entry_exts_print(fp, fmt, ind, "crlEntryExtensions", field, field_len);
	}
	if (asn1_length_is_zero(dlen) != 1) {
		goto err;
	}
	return 1;
err:
	error_print();
	return -1;
}
322
/*
 * Not implemented: unconditionally calls error_print() and returns -1.
 * None of the parameters are read and nothing is appended to d, so callers
 * must check the return value and must not assume the entry was added.
 */
int x509_revoked_certs_add_revoked_cert(uint8_t *d, size_t *dlen, size_t maxlen,
	const uint8_t *serial, size_t serial_len,
	time_t revoke_date,
	const uint8_t *entry_exts, size_t entry_exts_len)
{
	error_print();
	return -1;
}
331
/*
 * Not implemented: unconditionally calls error_print() and returns -1.
 * The output parameters are never written, so a caller that treats "not
 * found" and "error" differently cannot rely on this function yet.
 */
int x509_revoked_certs_get_revoked_cert_by_serial_number(const uint8_t *d, size_t dlen,
	const uint8_t *serial, size_t serial_len,
	time_t *revoke_date,
	const uint8_t **entry_exts, size_t *entry_exts_len)
{
	error_print();
	return -1;
}
340
/*
 * Print every RevokedCertificate in a revokedCertificates list.
 * A non-SEQUENCE element yields -1 after error_print(); the result of
 * x509_revoked_cert_print() is not checked.  Returns 1 when dlen is used up.
 */
int x509_revoked_certs_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	for (;;) {
		const uint8_t *entry;
		size_t entry_len;

		if (dlen == 0) {
			break;
		}
		if (asn1_sequence_from_der(&entry, &entry_len, &d, &dlen) != 1) {
			error_print();
			return -1;
		}
		x509_revoked_cert_print(fp, fmt, ind, "RevokedCertificate", entry, entry_len);
	}
	return 1;
}
358
359
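/*
 * OID node arrays for the CRL extensions (id-ce and id-pe arcs, RFC 5280).
 * Left non-const because ASN1_OID_INFO.nodes is assumed to be a non-const
 * pointer (not visible here).
 */
static uint32_t oid_ce_authority_key_identifier[] = { oid_ce,35 };
static uint32_t oid_ce_issuer_alt_name[] = { oid_ce,18 };
static uint32_t oid_ce_crl_number[] = { oid_ce,20 };
static uint32_t oid_ce_delta_crl_indicator[] = { oid_ce,27 };
static uint32_t oid_ce_issuing_distribution_point[] = { oid_ce,28 };
static uint32_t oid_ce_freshest_crl[] = { oid_ce,46 };
static uint32_t oid_pe_authority_info_access[] = { oid_pe,1 };

/*
 * Lookup table: numeric OID id, display name, node array and node count.
 * The node count is derived from the element size of each array (uint32_t)
 * rather than sizeof(int), which only happened to agree where int is 32 bits.
 */
static const ASN1_OID_INFO x509_crl_exts[] = {
	{ OID_ce_authority_key_identifier, "AuthorityKeyIdentifier", oid_ce_authority_key_identifier, sizeof(oid_ce_authority_key_identifier)/sizeof(oid_ce_authority_key_identifier[0]) },
	{ OID_ce_issuer_alt_name, "IssuerAltName", oid_ce_issuer_alt_name, sizeof(oid_ce_issuer_alt_name)/sizeof(oid_ce_issuer_alt_name[0]) },
	{ OID_ce_crl_number, "CRLNumber", oid_ce_crl_number, sizeof(oid_ce_crl_number)/sizeof(oid_ce_crl_number[0]) },
	{ OID_ce_delta_crl_indicator, "DeltaCRLIndicator", oid_ce_delta_crl_indicator, sizeof(oid_ce_delta_crl_indicator)/sizeof(oid_ce_delta_crl_indicator[0]) },
	{ OID_ce_issuing_distribution_point, "IssuingDistributionPoint", oid_ce_issuing_distribution_point, sizeof(oid_ce_issuing_distribution_point)/sizeof(oid_ce_issuing_distribution_point[0]) },
	{ OID_ce_freshest_crl, "FreshestCRL", oid_ce_freshest_crl, sizeof(oid_ce_freshest_crl)/sizeof(oid_ce_freshest_crl[0]) },
	{ OID_pe_authority_info_access, "AuthorityInfoAccess", oid_pe_authority_info_access, sizeof(oid_pe_authority_info_access)/sizeof(oid_pe_authority_info_access[0]) },
};

/* Number of entries in x509_crl_exts. */
static const int x509_crl_exts_count =
	sizeof(x509_crl_exts)/sizeof(x509_crl_exts[0]);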
381
/*
 * Display name of a CRL extension OID, or NULL when oid is not in
 * x509_crl_exts.  Unlike the entry-extension variant this does not call
 * error_print(): the print routines pass unknown OIDs through here.
 */
const char *x509_crl_ext_id_name(int oid)
{
	const ASN1_OID_INFO *entry = asn1_oid_info_from_oid(x509_crl_exts,
		x509_crl_exts_count, oid);

	return entry ? entry->name : NULL;
}
390
/*
 * Numeric OID id of a CRL extension given its display name.
 * Returns OID_undef (after error_print()) when the name is unknown.
 */
int x509_crl_ext_id_from_name(const char *name)
{
	const ASN1_OID_INFO *entry = asn1_oid_info_from_name(x509_crl_exts,
		x509_crl_exts_count, name);

	if (entry == NULL) {
		error_print();
		return OID_undef;
	}
	return entry->oid;
}
400
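/*
 * DER-encode the extnID OBJECT IDENTIFIER of a CRL extension.
 *
 * @return 1 on success, -1 (after error_print()) when oid is unknown or the
 *         OID encoder fails.
 *
 * The previous version emitted a SEQUENCE header in front of the OID.  An
 * extnID is a bare OBJECT IDENTIFIER: x509_crl_entry_ext_id_to_der() emits
 * it bare, and x509_crl_ext_id_from_der_ex() reads it bare via
 * asn1_oid_info_from_der_ex(), so the wrapped form did not round-trip.
 */
int x509_crl_ext_id_to_der(int oid, uint8_t **out, size_t *outlen)
{
	const ASN1_OID_INFO *info;

	if (!(info = asn1_oid_info_from_oid(x509_crl_exts, x509_crl_exts_count, oid))) {
		error_print();
		return -1;
	}
	if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) {
		error_print();
		return -1;
	}
	return 1;
}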
417
/*
 * Decode a CRL extension extnID, returning both the raw OID nodes and, when
 * the OID is listed in x509_crl_exts, its numeric id.
 *
 * @param oid        set to 0 first, then to the table id if the OID is known
 * @param nodes      receives the decoded OID nodes (caller-provided array)
 * @param nodes_cnt  receives the number of nodes
 * @return 1 on success (also for an OID that is not in the table, in which
 *         case *oid stays 0); -1 after error_print() whenever the underlying
 *         decoder returns anything but 1 -- so an absent element is treated
 *         as an error here, unlike the entry-extension variant.
 */
int x509_crl_ext_id_from_der_ex(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen)
{
	const ASN1_OID_INFO *entry = NULL;

	*oid = 0;
	if (asn1_oid_info_from_der_ex(&entry, nodes, nodes_cnt, x509_crl_exts,
		x509_crl_exts_count, in, inlen) != 1) {
		error_print();
		return -1;
	}
	/* entry is NULL for a syntactically valid OID that is not in the table */
	if (entry != NULL) {
		*oid = entry->oid;
	}
	return 1;
}
435
/*
 * Append an AuthorityKeyIdentifier extension to a CRL extension list.
 * Delegates to the shared x509_exts_add_authority_key_identifier(); any
 * result other than 1 is reported with error_print() and turned into -1.
 */
int x509_crl_exts_add_authority_key_identifier(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	const uint8_t *keyid, size_t keyid_len,
	const uint8_t *issuer, size_t issuer_len,
	const uint8_t *serial, size_t serial_len)
{
	int ret = x509_exts_add_authority_key_identifier(exts, extslen, maxlen, critical,
		keyid, keyid_len, issuer, issuer_len, serial, serial_len);

	if (ret == 1) {
		return 1;
	}
	error_print();
	return -1;
}
450
/*
 * Append an IssuerAltName extension (GeneralNames content d, dlen) to a CRL
 * extension list via the shared x509_exts_add_issuer_alt_name().  Any result
 * other than 1 is reported with error_print() and returned as -1.
 */
int x509_crl_exts_add_issuer_alt_name(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	const uint8_t *d, size_t dlen)
{
	int ret = x509_exts_add_issuer_alt_name(exts, extslen, maxlen, critical, d, dlen);

	if (ret == 1) {
		return 1;
	}
	error_print();
	return -1;
}
462
/*
 * Append a CRLNumber extension (an INTEGER) to a CRL extension list.
 *
 * @param exts     buffer holding the already encoded extensions
 * @param extslen  in: bytes used; out: bytes used after the append
 * @param maxlen   capacity of exts, verified with asn1_length_le() first
 * @param critical extension criticality flag
 * @param num      CRL number; only int-sized values can be expressed here
 * @return 1 on success, -1 (after error_print()) on failure.
 */
int x509_crl_exts_add_crl_number(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	int num)
{
	const int oid = OID_ce_crl_number;
	size_t projected = *extslen;
	uint8_t value[32];
	uint8_t *vp = value;
	size_t value_len = 0;

	exts += *extslen;
	if (asn1_int_to_der(num, &vp, &value_len) != 1) goto err;
	/* size-only pass so the capacity check uses the final length */
	if (x509_ext_to_der(oid, critical, value, value_len, NULL, &projected) != 1) goto err;
	if (asn1_length_le(projected, maxlen) != 1) goto err;
	if (x509_ext_to_der(oid, critical, value, value_len, &exts, extslen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
484
/*
 * Append a DeltaCRLIndicator extension (an INTEGER, the base CRL number)
 * to a CRL extension list.  Same shape as x509_crl_exts_add_crl_number():
 * encode the value, measure the extension with a NULL output, check it fits
 * in maxlen, then write it.
 * @return 1 on success, -1 (after error_print()) on failure.
 */
int x509_crl_exts_add_delta_crl_indicator(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	int num)
{
	const int oid = OID_ce_delta_crl_indicator;
	size_t projected = *extslen;
	uint8_t value[32];
	uint8_t *vp = value;
	size_t value_len = 0;

	exts += *extslen;
	if (asn1_int_to_der(num, &vp, &value_len) != 1) goto err;
	if (x509_ext_to_der(oid, critical, value, value_len, NULL, &projected) != 1) goto err;
	if (asn1_length_le(projected, maxlen) != 1) goto err;
	if (x509_ext_to_der(oid, critical, value, value_len, &exts, extslen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
506
/*
 * Not implemented: unconditionally calls error_print() and returns -1
 * without touching exts or *extslen.  The encoder for the value,
 * x509_issuing_distribution_point_to_der(), exists below; wiring it through
 * x509_ext_to_der() the way the other add_* functions do is still to be done.
 */
int x509_crl_exts_add_issuing_distribution_point(
	uint8_t *exts, size_t *extslen, size_t maxlen,
	int critical,
	const uint8_t *dist_point, size_t dist_point_len,
	int only_contains_user_certs,
	int only_contains_ca_certs,
	int only_some_reasons,
	int indirect_crl,
	int only_contains_attr_certs)
{
	error_print();
	return -1;
}
520
/*
 * Encode the fields inside an IssuingDistributionPoint SEQUENCE.
 * Every field is OPTIONAL, so only a negative code from a field encoder is
 * treated as failure (0 = field omitted).  With out == NULL only *outlen is
 * advanced, which the caller uses to size the SEQUENCE header.
 * Returns 1 on success, -1 on failure (no error_print() here; the caller
 * reports).
 */
static int x509_idp_fields_to_der(
	int dist_point_choice, const uint8_t *dist_point, size_t dist_point_len,
	int only_contains_user_certs,
	int only_contains_ca_certs,
	int only_some_reasons,
	int indirect_crl,
	int only_contains_attr_certs,
	uint8_t **out, size_t *outlen)
{
	if (x509_explicit_distribution_point_name_to_der(0, dist_point_choice, dist_point, dist_point_len, out, outlen) < 0) return -1;
	if (asn1_implicit_boolean_to_der(1, only_contains_user_certs, out, outlen) < 0) return -1;
	if (asn1_implicit_boolean_to_der(2, only_contains_ca_certs, out, outlen) < 0) return -1;
	/* onlySomeReasons is a ReasonFlags BIT STRING; the original author left a
	 * note asking whether a dedicated type exists for it. */
	if (asn1_implicit_bits_to_der(3, only_some_reasons, out, outlen) < 0) return -1;
	if (asn1_implicit_boolean_to_der(4, indirect_crl, out, outlen) < 0) return -1;
	if (asn1_implicit_boolean_to_der(5, only_contains_attr_certs, out, outlen) < 0) return -1;
	return 1;
}

/*
 * DER-encode an IssuingDistributionPoint (RFC 5280 5.2.5):
 *   SEQUENCE { distributionPoint [0] EXPLICIT OPTIONAL,
 *              onlyContainsUserCerts [1], onlyContainsCACerts [2],
 *              onlySomeReasons [3], indirectCRL [4],
 *              onlyContainsAttributeCerts [5] }  (all IMPLICIT, OPTIONAL)
 *
 * @return 1 on success, -1 (after error_print()) on failure.
 */
int x509_issuing_distribution_point_to_der(
	int dist_point_choice, const uint8_t *dist_point, size_t dist_point_len,
	int only_contains_user_certs,
	int only_contains_ca_certs,
	int only_some_reasons,
	int indirect_crl,
	int only_contains_attr_certs,
	uint8_t **out, size_t *outlen)
{
	size_t body_len = 0;

	/* measure, emit the SEQUENCE header, then emit the fields for real */
	if (x509_idp_fields_to_der(dist_point_choice, dist_point, dist_point_len,
			only_contains_user_certs, only_contains_ca_certs, only_some_reasons,
			indirect_crl, only_contains_attr_certs, NULL, &body_len) != 1
		|| asn1_sequence_header_to_der(body_len, out, outlen) != 1
		|| x509_idp_fields_to_der(dist_point_choice, dist_point, dist_point_len,
			only_contains_user_certs, only_contains_ca_certs, only_some_reasons,
			indirect_crl, only_contains_attr_certs, out, outlen) != 1) {
		error_print();
		return -1;
	}
	return 1;
}
549
/*
 * Decode an IssuingDistributionPoint SEQUENCE.
 *
 * @return 1 on success; 0 when asn1_sequence_from_der() reports no element
 *         (returned as-is, nothing printed); -1 after error_print() when a
 *         field decoder fails or bytes remain after the last field.
 * Each field is OPTIONAL, so only negative decoder results are failures; the
 * output ints for absent fields are whatever the decoders leave there.
 */
int x509_issuing_distribution_point_from_der(
	int *dist_point_choice, const uint8_t **dist_point, size_t *dist_point_len,
	int *only_contains_user_certs,
	int *only_contains_ca_certs,
	int *only_some_reasons,
	int *indirect_crl,
	int *only_contains_attr_certs,
	const uint8_t **in, size_t *inlen)
{
	const uint8_t *body;
	size_t body_len;
	int ret = asn1_sequence_from_der(&body, &body_len, in, inlen);

	if (ret != 1) {
		if (ret < 0) {
			error_print();
		}
		return ret;
	}
	if (x509_explicit_distribution_point_name_from_der(0, dist_point_choice, dist_point, dist_point_len, &body, &body_len) < 0) goto err;
	if (asn1_implicit_boolean_from_der(1, only_contains_user_certs, &body, &body_len) < 0) goto err;
	if (asn1_implicit_boolean_from_der(2, only_contains_ca_certs, &body, &body_len) < 0) goto err;
	if (asn1_implicit_bits_from_der(3, only_some_reasons, &body, &body_len) < 0) goto err;
	if (asn1_implicit_boolean_from_der(4, indirect_crl, &body, &body_len) < 0) goto err;
	if (asn1_implicit_boolean_from_der(5, only_contains_attr_certs, &body, &body_len) < 0) goto err;
	if (asn1_length_is_zero(body_len) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
579
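/*
 * Print the fields of an IssuingDistributionPoint SEQUENCE body.
 *
 * @return 1 on success, -1 (after error_print()) on a decode error or
 *         trailing bytes.
 *
 * onlySomeReasons is a ReasonFlags BIT STRING: it is produced by
 * asn1_implicit_bits_to_der() in x509_issuing_distribution_point_to_der()
 * and consumed by asn1_implicit_bits_from_der() in
 * x509_issuing_distribution_point_from_der().  The previous version decoded
 * it here as an IMPLICIT ENUMERATED (x509_implicit_crl_reason_from_der),
 * which has the same tag but a different content layout, so a valid
 * encoding was misread.  The flags are printed as a raw hex value because
 * the bit-to-reason mapping of the int produced by the ASN.1 layer is not
 * visible here (and ReasonFlags bit numbering differs from the CRLReason
 * enumeration, so x509_crl_reason_name() cannot be reused).
 */
int x509_issuing_distribution_point_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	int ret, val;
	const uint8_t *p;
	size_t len;

	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	if ((ret = asn1_explicit_from_der(0, &p, &len, &d, &dlen)) < 0) goto end;
	if (ret) x509_distribution_point_name_print(fp, fmt, ind, "distributionPoint", p, len);
	/* absent BOOLEANs take their DEFAULT FALSE value */
	if ((ret = asn1_implicit_boolean_from_der(1, &val, &d, &dlen)) < 0) goto end;
	if (!ret) val = 0;
	format_print(fp, fmt, ind, "onlyContainsUserCerts: %s\n", asn1_boolean_name(val));
	if ((ret = asn1_implicit_boolean_from_der(2, &val, &d, &dlen)) < 0) goto end;
	if (!ret) val = 0;
	format_print(fp, fmt, ind, "onlyContainsCACerts: %s\n", asn1_boolean_name(val));
	if ((ret = asn1_implicit_bits_from_der(3, &val, &d, &dlen)) < 0) goto end;
	if (ret) format_print(fp, fmt, ind, "onlySomeReasons: 0x%x\n", (unsigned int)val);
	if ((ret = asn1_implicit_boolean_from_der(4, &val, &d, &dlen)) < 0) goto end;
	if (!ret) val = 0;
	format_print(fp, fmt, ind, "indirectCRL: %s\n", asn1_boolean_name(val));
	if ((ret = asn1_implicit_boolean_from_der(5, &val, &d, &dlen)) < 0) goto end;
	if (!ret) val = 0;
	format_print(fp, fmt, ind, "onlyContainsAttributeCerts: %s\n", asn1_boolean_name(val));
	if (asn1_length_is_zero(dlen) != 1) goto end;
	return 1;
end:
	error_print();
	return -1;
}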
611
/*
 * Not implemented: unconditionally calls error_print() and returns -1
 * without printing anything.  x509_crl_ext_print() still routes the
 * AuthorityInfoAccess value here and ignores the result.
 */
int x509_access_descriptions_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	error_print();
	return -1;
}
617
/*
 * Print one CRL extension (the content of an Extension SEQUENCE).
 *
 * Known extnIDs are dispatched to their dedicated printers; any other OID
 * (x509_crl_ext_id_from_der_ex() then leaves oid == 0) has its value
 * consumed with asn1_any_from_der() and dumped as raw bytes.  The return
 * values of the sub-printers are not checked.
 *
 * @return 1 on success, -1 (after error_print()) on a decode error or when
 *         bytes remain inside extnValue after the value was consumed.
 */
int x509_crl_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	int ret, oid, critical;
	const char *name;
	const uint8_t *v;
	size_t vlen;
	const uint8_t *p;
	size_t len;
	uint32_t nodes[32];
	size_t nodes_cnt;
	int num;

	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	if (x509_crl_ext_id_from_der_ex(&oid, nodes, &nodes_cnt, &d, &dlen) != 1) goto err;
	asn1_object_identifier_print(fp, fmt, ind, "extnID", x509_crl_ext_id_name(oid), nodes, nodes_cnt);
	if ((ret = asn1_boolean_from_der(&critical, &d, &dlen)) < 0) goto err;
	if (ret) format_print(fp, fmt, ind, "critical: %s\n", asn1_boolean_name(critical));
	if (asn1_octet_string_from_der(&v, &vlen, &d, &dlen) != 1) goto err;

	/* pure table lookup, NULL for an unknown OID */
	name = x509_crl_ext_id_name(oid);

	switch (oid) {
	case OID_ce_authority_key_identifier:
		if (asn1_sequence_from_der(&p, &len, &v, &vlen) != 1) goto err;
		x509_authority_key_identifier_print(fp, fmt, ind, name, p, len);
		break;
	case OID_ce_issuer_alt_name:
		if (asn1_sequence_from_der(&p, &len, &v, &vlen) != 1) goto err;
		x509_general_names_print(fp, fmt, ind, name, p, len);
		break;
	case OID_ce_crl_number:
		if (asn1_int_from_der(&num, &v, &vlen) != 1) goto err;
		format_print(fp, fmt, ind, "%s: %d\n", name, num);
		break;
	case OID_ce_delta_crl_indicator:
		if (asn1_int_from_der(&num, &v, &vlen) != 1) goto err;
		format_print(fp, fmt, ind, "%s: %d\n", name, num);
		break;
	case OID_ce_issuing_distribution_point:
		if (asn1_sequence_from_der(&p, &len, &v, &vlen) != 1) goto err;
		x509_issuing_distribution_point_print(fp, fmt, ind, name, p, len);
		break;
	case OID_ce_freshest_crl:
		if (asn1_sequence_from_der(&p, &len, &v, &vlen) != 1) goto err;
		x509_crl_distribution_points_print(fp, fmt, ind, name, p, len);
		break;
	case OID_pe_authority_info_access:
		if (asn1_sequence_from_der(&p, &len, &v, &vlen) != 1) goto err;
		x509_access_descriptions_print(fp, fmt, ind, name, p, len);
		break;
	default:
		if (asn1_any_from_der(&p, &len, &v, &vlen) != 1) goto err;
		format_bytes(fp, fmt, ind, "value", p, len);
		break;
	}

	if (asn1_length_is_zero(vlen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
682
/*
 * Print every extension in a CRL extension list.
 * A non-SEQUENCE element yields -1 after error_print(); the result of
 * x509_crl_ext_print() is not checked.  Returns 1 when dlen is used up.
 */
int x509_crl_exts_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	for (;;) {
		const uint8_t *ext;
		size_t ext_len;

		if (dlen == 0) {
			break;
		}
		if (asn1_sequence_from_der(&ext, &ext_len, &d, &dlen) != 1) {
			error_print();
			return -1;
		}
		x509_crl_ext_print(fp, fmt, ind, "Extension", ext, ext_len);
	}
	return 1;
}
700
/*
 * Encode the fields inside a TBSCertList SEQUENCE.  With out == NULL only
 * *outlen is advanced (size pass).  version, nextUpdate, revokedCertificates
 * and crlExtensions are OPTIONAL, so a 0 result from their encoders is not
 * a failure; signature, issuer and thisUpdate must encode (result 1).
 * Returns 1 on success, -1 on failure (caller reports).
 */
static int x509_tbs_crl_fields_to_der(
	int version,
	int signature_algor,
	const uint8_t *issuer, size_t issuer_len,
	time_t this_update, time_t next_update,
	const uint8_t *revoked_certs, size_t revoked_certs_len,
	const uint8_t *exts, size_t exts_len,
	uint8_t **out, size_t *outlen)
{
	if (asn1_int_to_der(version, out, outlen) < 0) return -1;
	if (x509_signature_algor_to_der(signature_algor, out, outlen) != 1) return -1;
	if (x509_name_to_der(issuer, issuer_len, out, outlen) != 1) return -1;
	if (x509_time_to_der(this_update, out, outlen) != 1) return -1;
	if (x509_time_to_der(next_update, out, outlen) < 0) return -1;
	if (asn1_sequence_to_der(revoked_certs, revoked_certs_len, out, outlen) < 0) return -1;
	if (asn1_sequence_to_der(exts, exts_len, out, outlen) < 0) return -1;
	return 1;
}

/*
 * DER-encode a TBSCertList (RFC 5280 5.1):
 *   SEQUENCE { version OPTIONAL, signature, issuer, thisUpdate,
 *              nextUpdate OPTIONAL, revokedCertificates OPTIONAL,
 *              crlExtensions OPTIONAL }
 *
 * @return 1 on success, -1 (after error_print()) on failure.
 * Note: this encoder writes crlExtensions as a plain SEQUENCE while
 * x509_tbs_crl_from_der() reads them as EXPLICIT [0]; see that function.
 */
int x509_tbs_crl_to_der(
	int version,
	int signature_algor,
	const uint8_t *issuer, size_t issuer_len,
	time_t this_update, time_t next_update,
	const uint8_t *revoked_certs, size_t revoked_certs_len,
	const uint8_t *exts, size_t exts_len,
	uint8_t **out, size_t *outlen)
{
	size_t body_len = 0;

	/* measure, write the SEQUENCE header, then write the fields */
	if (x509_tbs_crl_fields_to_der(version, signature_algor, issuer, issuer_len,
			this_update, next_update, revoked_certs, revoked_certs_len,
			exts, exts_len, NULL, &body_len) != 1
		|| asn1_sequence_header_to_der(body_len, out, outlen) != 1
		|| x509_tbs_crl_fields_to_der(version, signature_algor, issuer, issuer_len,
			this_update, next_update, revoked_certs, revoked_certs_len,
			exts, exts_len, out, outlen) != 1) {
		error_print();
		return -1;
	}
	return 1;
}
731
/*
 * Decode a TBSCertList SEQUENCE.
 *
 * @return 1 on success; the decoder's own code (0 or negative, after
 *         error_print()) when the outer SEQUENCE is missing or bad; -1 after
 *         error_print() when a field fails, bytes remain after the last
 *         field, or the version is inconsistent with the content.
 *
 * Version rule enforced here: if a version is present it must be v2, and a
 * CRL carrying revokedCertificates or crlExtensions must be v2 as well.
 * Note that crlExtensions are read as EXPLICIT [0] whereas
 * x509_tbs_crl_to_der() writes them as a plain SEQUENCE.
 * Output pointers alias the input buffer.
 */
int x509_tbs_crl_from_der(
	int *version,
	int *signature_algor,
	const uint8_t **issuer, size_t *issuer_len,
	time_t *this_update,
	time_t *next_update,
	const uint8_t **revoked_certs, size_t *revoked_certs_len,
	const uint8_t **exts, size_t *exts_len,
	const uint8_t **in, size_t *inlen)
{
	const uint8_t *body;
	size_t body_len;
	int ret = asn1_sequence_from_der(&body, &body_len, in, inlen);

	if (ret != 1) {
		/* the original reported both the 0 and the negative case */
		error_print();
		return ret;
	}
	if (asn1_int_from_der(version, &body, &body_len) < 0) goto err;
	if (x509_signature_algor_from_der(signature_algor, &body, &body_len) != 1) goto err;
	if (x509_name_from_der(issuer, issuer_len, &body, &body_len) != 1) goto err;
	if (x509_time_from_der(this_update, &body, &body_len) != 1) goto err;
	if (x509_time_from_der(next_update, &body, &body_len) < 0) goto err;
	if (asn1_sequence_from_der(revoked_certs, revoked_certs_len, &body, &body_len) < 0) goto err;
	if (x509_explicit_exts_from_der(0, exts, exts_len, &body, &body_len) < 0) goto err;
	if (asn1_length_is_zero(body_len) != 1) goto err;

	/*
	 * Anything other than v2 is only acceptable when the version field is
	 * absent (negative) and neither revokedCertificates nor crlExtensions
	 * are present.
	 */
	if (*version != X509_version_v2
		&& (*version >= 0 || *revoked_certs || *exts)) {
		goto err;
	}
	return 1;
err:
	error_print();
	return -1;
}
777
/*
 * Print the fields of a TBSCertList SEQUENCE body.
 * OPTIONAL fields (version, nextUpdate, revokedCertificates, crlExtensions)
 * are printed only when present.  Sub-printer results are not checked.
 * @return 1 on success, -1 (after error_print()) on a decode error or
 *         trailing bytes.
 */
int x509_tbs_crl_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	int present, val;
	const uint8_t *field;
	size_t field_len;
	time_t when;

	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	present = asn1_int_from_der(&val, &d, &dlen);
	if (present < 0) goto err;
	if (present) {
		format_print(fp, fmt, ind, "version: %s (%d)\n", x509_version_name(val), val);
	}

	if (x509_signature_algor_from_der(&val, &d, &dlen) != 1) goto err;
	format_print(fp, fmt, ind, "signature: %s\n", x509_signature_algor_name(val));

	if (x509_name_from_der(&field, &field_len, &d, &dlen) != 1) goto err;
	x509_name_print(fp, fmt, ind, "issuer", field, field_len);

	/* ctime() output already ends with a newline */
	if (x509_time_from_der(&when, &d, &dlen) != 1) goto err;
	format_print(fp, fmt, ind, "thisUpdate: %s", ctime(&when));

	present = x509_time_from_der(&when, &d, &dlen);
	if (present < 0) goto err;
	if (present) {
		format_print(fp, fmt, ind, "nextUpdate: %s", ctime(&when));
	}

	present = asn1_sequence_from_der(&field, &field_len, &d, &dlen);
	if (present < 0) goto err;
	if (present) {
		x509_revoked_certs_print(fp, fmt, ind, "revokedCertificates", field, field_len);
	}

	present = x509_explicit_exts_from_der(0, &field, &field_len, &d, &dlen);
	if (present < 0) goto err;
	if (present) {
		x509_crl_exts_print(fp, fmt, ind, "crlExtensions", field, field_len);
	}

	if (asn1_length_is_zero(dlen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
810
/*
 * DER-encode a CertificateList:
 *   SEQUENCE { tbsCertList SEQUENCE, signatureAlgorithm, signatureValue BIT STRING }
 *
 * tbs_crl is the already-encoded *content* of the TBSCertList SEQUENCE
 * (asn1_sequence_to_der() adds the header), sig is the raw signature octets.
 * @return 1 on success, -1 (after error_print()) on failure.
 */
int x509_cert_list_to_der(const uint8_t *tbs_crl, size_t tbs_crl_len,
	int signature_algor, const uint8_t *sig, size_t siglen,
	uint8_t **out, size_t *outlen)
{
	size_t body_len = 0;

	/* pass 1: size only */
	if (asn1_sequence_to_der(tbs_crl, tbs_crl_len, NULL, &body_len) != 1) goto err;
	if (x509_signature_algor_to_der(signature_algor, NULL, &body_len) != 1) goto err;
	if (asn1_bit_octets_to_der(sig, siglen, NULL, &body_len) != 1) goto err;
	/* pass 2: header then fields */
	if (asn1_sequence_header_to_der(body_len, out, outlen) != 1) goto err;
	if (asn1_sequence_to_der(tbs_crl, tbs_crl_len, out, outlen) != 1) goto err;
	if (x509_signature_algor_to_der(signature_algor, out, outlen) != 1) goto err;
	if (asn1_bit_octets_to_der(sig, siglen, out, outlen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
828
/*
 * Decode the outer layout of a DER CertificateList.
 *
 * On success the three members are returned as views into the input:
 * tbs_crl/tbs_crl_len point at the TBSCertList content octets,
 * signature_algor receives the signatureAlgorithm identifier and
 * sig/siglen point at the signature bytes inside the BIT STRING.
 * in/inlen are advanced past the consumed element.
 *
 * Returns 1 on success, 0 if no SEQUENCE is present at *in (propagated
 * from asn1_sequence_from_der), -1 on a malformed structure or trailing
 * bytes inside the SEQUENCE. The members are not otherwise validated.
 */
int x509_cert_list_from_der(const uint8_t **tbs_crl, size_t *tbs_crl_len,
	int *signature_algor, const uint8_t **sig, size_t *siglen,
	const uint8_t **in, size_t *inlen)
{
	int ret;
	const uint8_t *body;
	size_t body_len;

	ret = asn1_sequence_from_der(&body, &body_len, in, inlen);
	if (ret != 1) {
		/* 0 (absent) is passed through silently, failures are logged */
		if (ret < 0) error_print();
		return ret;
	}
	if (asn1_sequence_from_der(tbs_crl, tbs_crl_len, &body, &body_len) != 1) goto err;
	if (x509_signature_algor_from_der(signature_algor, &body, &body_len) != 1) goto err;
	if (asn1_bit_octets_from_der(sig, siglen, &body, &body_len) != 1) goto err;
	/* the SEQUENCE must hold exactly these three members */
	if (asn1_length_is_zero(body_len) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
850
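/*
 * Print a DER CertificateList: its TBSCertList, the signature algorithm
 * and the signature value.
 *
 * fp, fmt, ind: output stream, format flags and indentation for format_print().
 * label: currently unused; the heading is printed by the caller
 *   (see x509_crl_print), the parameter is kept for signature parity with
 *   the other *_print functions.
 * d, dlen: content octets of the CertificateList SEQUENCE.
 *
 * Returns 1 on success, -1 if decoding or printing of any member fails
 * (previously a failure inside x509_tbs_crl_print was ignored and 1 was
 * still returned).
 */
int x509_cert_list_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	int val;
	const uint8_t *p;
	size_t len;
	const char *name;

	(void)label;

	if (asn1_sequence_from_der(&p, &len, &d, &dlen) != 1) goto err;
	/* propagate the nested printer's failure instead of reporting success */
	if (x509_tbs_crl_print(fp, fmt, ind, "tbsCertList", p, len) != 1) goto err;
	if (x509_signature_algor_from_der(&val, &d, &dlen) != 1) goto err;
	/* guard the name lookup: handing NULL to "%s" is undefined behaviour */
	name = x509_signature_algor_name(val);
	format_print(fp, fmt, ind, "signatureAlgorithm: %s\n", name ? name : "(unknown)");
	if (asn1_bit_octets_from_der(&p, &len, &d, &dlen) != 1) goto err;
	format_bytes(fp, fmt, ind, "signatureValue", p, len);
	/* nothing may follow the signature */
	if (asn1_length_is_zero(dlen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}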
869
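/*
 * Encode a CRL that is already held as a complete DER CertificateList.
 *
 * a, alen: the full TLV of the CRL, i.e. the outer SEQUENCE including its
 *   header (the same form x509_crl_print and x509_crl_verify consume).
 *   Before the bytes are copied the outer layout is checked with
 *   x509_cert_list_from_der, so an arbitrary ASN.1 element can no longer be
 *   passed off as a CRL (this was the open FIXME on these two functions).
 *   Only the CertificateList layout is checked here; the TBSCertList content
 *   and the signature are neither parsed nor verified.
 * out, outlen: accumulated as by the other *_to_der functions; out may be
 *   NULL for a length-only pass.
 *
 * Returns 1 on success, -1 on a malformed CRL or encoding error, and
 * otherwise whatever asn1_any_to_der returns for an absent (NULL) element.
 */
int x509_crl_to_der(const uint8_t *a, size_t alen, uint8_t **out, size_t *outlen)
{
	int ret;
	const uint8_t *tbs;
	size_t tbs_len;
	int signature_algor;
	const uint8_t *sig;
	size_t siglen;
	const uint8_t *p = a;
	size_t len = alen;

	/*
	 * Structural check on non-absent input: the bytes must parse as exactly
	 * one CertificateList with nothing trailing. A NULL element is left to
	 * asn1_any_to_der so the existing "absent OPTIONAL" return is unchanged.
	 */
	if (a) {
		if (x509_cert_list_from_der(&tbs, &tbs_len, &signature_algor,
				&sig, &siglen, &p, &len) != 1
			|| asn1_length_is_zero(len) != 1) {
			error_print();
			return -1;
		}
	}
	if ((ret = asn1_any_to_der(a, alen, out, outlen)) != 1) {
		if (ret < 0) error_print();
		return ret;
	}
	return 1;
}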
880
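/*
 * Take one DER element from the input and return it as a CRL.
 *
 * a, alen: on success, the full TLV of the CertificateList (outer SEQUENCE
 *   header included), as a view into *in.
 * in, inlen: advanced past the element.
 *
 * The element is checked with x509_cert_list_from_der so that only bytes
 * with a CertificateList layout (SEQUENCE of tbsCertList, signatureAlgorithm,
 * signatureValue) are accepted; previously any ASN.1 element was returned
 * as a CRL (the open FIXME on these two functions). The TBSCertList content
 * and the signature are not validated here.
 *
 * Returns 1 on success, 0 if no element is present (propagated from
 * asn1_any_from_der), -1 on a decode error or a non-CRL element. On -1
 * *in/*inlen may already have been advanced, as with the other from_der
 * functions in this file.
 */
int x509_crl_from_der(const uint8_t **a, size_t *alen, const uint8_t **in, size_t *inlen)
{
	int ret;
	const uint8_t *tbs;
	size_t tbs_len;
	int signature_algor;
	const uint8_t *sig;
	size_t siglen;
	const uint8_t *p;
	size_t len;

	if ((ret = asn1_any_from_der(a, alen, in, inlen)) != 1) {
		if (ret < 0) error_print();
		return ret;
	}
	/* parse a copy of the view so *a/*alen keep pointing at the whole TLV */
	p = *a;
	len = *alen;
	if (x509_cert_list_from_der(&tbs, &tbs_len, &signature_algor,
			&sig, &siglen, &p, &len) != 1
		|| asn1_length_is_zero(len) != 1) {
		error_print();
		return -1;
	}
	return 1;
}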
890
/*
 * Write a DER CRL to fp as a PEM block labelled "X509 CRL".
 *
 * a, alen: the DER CertificateList to wrap.
 * fp: destination stream.
 *
 * Returns 1 on success, -1 if pem_write fails.
 */
int x509_crl_to_pem(const uint8_t *a, size_t alen, FILE *fp)
{
	int rc = pem_write(fp, "X509 CRL", a, alen);

	if (rc == 1) {
		return 1;
	}
	error_print();
	return -1;
}
899
/*
 * Read one "X509 CRL" PEM block from fp into the caller's buffer.
 *
 * a, maxlen: destination buffer and its capacity.
 * alen: receives the decoded DER length.
 * fp: source stream.
 *
 * Returns 1 on success, 0 if pem_read reports no block, -1 on error.
 * The decoded bytes are not checked for CRL structure here.
 */
int x509_crl_from_pem(uint8_t *a, size_t *alen, size_t maxlen, FILE *fp)
{
	int rc = pem_read(fp, "X509 CRL", a, alen, maxlen);

	if (rc == 1) {
		return 1;
	}
	/* 0 (no block) is passed through silently, failures are logged */
	if (rc < 0) {
		error_print();
	}
	return rc;
}
909
/*
 * Write a DER CRL to fp as raw bytes.
 *
 * a, alen: bytes to write.
 * fp: destination stream.
 *
 * Returns 1 if all alen bytes were written, -1 on a short write.
 */
int x509_crl_to_fp(const uint8_t *a, size_t alen, FILE *fp)
{
	size_t written = fwrite(a, 1, alen, fp);

	if (written == alen) {
		return 1;
	}
	error_print();
	return -1;
}
918
/*
 * Read a raw DER CRL from fp into the caller's buffer.
 *
 * a, maxlen: destination buffer and its capacity; at most maxlen bytes are
 *   read in a single fread().
 * alen: receives the number of bytes read (only set on success).
 * fp: source stream.
 *
 * The bytes read must form exactly one CRL element with nothing trailing.
 * A CRL longer than maxlen is therefore cut short and presumably rejected
 * by the parse below rather than silently truncated.
 *
 * Returns 1 on success, 0 on a clean end of stream with no data,
 * -1 on a read error or if the data is not a single CRL.
 */
int x509_crl_from_fp(uint8_t *a, size_t *alen, size_t maxlen, FILE *fp)
{
	size_t nread = fread(a, 1, maxlen, fp);
	const uint8_t *cur = a;
	size_t remaining = nread;
	const uint8_t *crl;
	size_t crl_len;

	if (nread == 0) {
		/* end of file is "no CRL"; anything else is a read error */
		if (!feof(fp)) {
			error_print();
			return -1;
		}
		return 0;
	}
	if (x509_crl_from_der(&crl, &crl_len, &cur, &remaining) != 1) goto err;
	if (asn1_length_is_zero(remaining) != 1) goto err;
	*alen = nread;
	return 1;
err:
	error_print();
	return -1;
}
946
947
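/*
 * Print a complete DER CRL under the given heading.
 *
 * fp, fmt, ind: output stream, format flags and indentation for format_print();
 *   the body is printed 4 columns deeper than the heading.
 * label: heading printed here; it is also handed to x509_cert_list_print,
 *   which does not print it itself.
 * a, alen: the full TLV of the CertificateList (outer SEQUENCE included);
 *   nothing may follow it.
 *
 * Returns 1 on success, -1 if the outer SEQUENCE is malformed, bytes trail
 * it, or printing the body fails (the body's failure used to be ignored
 * and 1 returned regardless).
 */
int x509_crl_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *a, size_t alen)
{
	const uint8_t *d;
	size_t dlen;

	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	if (asn1_sequence_from_der(&d, &dlen, &a, &alen) != 1
		|| asn1_length_is_zero(alen) != 1) {
		error_print();
		return -1;
	}
	/* propagate the body printer's result instead of discarding it */
	if (x509_cert_list_print(fp, fmt, ind, label, d, dlen) != 1) {
		error_print();
		return -1;
	}
	return 1;
}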
964
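/*
 * Build a TBSCertList from its fields, sign it with SM2/SM3 and write the
 * complete DER CertificateList into crl.
 *
 * version, signature_algor, issuer/issuer_len, this_update, next_update,
 *   revoked_certs/revoked_certs_len, exts/exts_len: TBSCertList fields,
 *   handed to x509_tbs_crl_to_der unchanged.
 * sign_key, signer_id/signer_id_len: SM2 signing key and the signer ID
 *   used by sm2_sign_init.
 * crl, crl_len: output buffer and the number of bytes written. There is no
 *   capacity parameter for crl, so the caller must size it for the whole
 *   CertificateList (TBSCertList, algorithm identifier and signature).
 *
 * The TBSCertList is staged in a fixed stack buffer. Its encoded length is
 * computed with a length-only pass and checked against that buffer before
 * any byte is written, so an over-long revoked list or extension block is
 * rejected instead of overflowing the stack. tbslen is also initialised to
 * 0 because the *_to_der functions accumulate into *outlen (compare len and
 * outlen below); previously it was read uninitialised.
 *
 * Returns 1 on success, -1 if encoding, signing or the size check fails.
 */
int x509_tbs_crl_sign(
	int version,
	int signature_algor,
	const uint8_t *issuer, size_t issuer_len,
	time_t this_update, time_t next_update,
	const uint8_t *revoked_certs, size_t revoked_certs_len,
	const uint8_t *exts, size_t exts_len,
	const SM2_KEY *sign_key, const char *signer_id, size_t signer_id_len,
	uint8_t *crl, size_t *crl_len)
{
	uint8_t tbs[512];
	size_t tbslen = 0;
	SM2_SIGN_CTX sign_ctx;
	uint8_t sig[SM2_MAX_SIGNATURE_SIZE];
	size_t siglen = 0;
	uint8_t *p = tbs;
	size_t len = 0;
	uint8_t *out = crl;
	size_t outlen = 0;

	/* length-only pass (NULL out), as the other *_to_der calls in this file use */
	if (x509_tbs_crl_to_der(version, signature_algor, issuer, issuer_len,
		this_update, next_update, revoked_certs, revoked_certs_len,
		exts, exts_len, NULL, &tbslen) != 1) {
		error_print();
		return -1;
	}
	/* the staging buffer is fixed; refuse anything that would not fit */
	if (tbslen > sizeof(tbs)) {
		error_print();
		return -1;
	}
	tbslen = 0;
	if (x509_tbs_crl_to_der(version, signature_algor, issuer, issuer_len,
		this_update, next_update, revoked_certs, revoked_certs_len,
		exts, exts_len, &p, &tbslen) != 1) {
		error_print();
		return -1;
	}
	/*
	 * NOTE(review): SM2_SIGN_CTX may retain a copy of the private key; if
	 * so it should be cleared with a non-optimisable wipe before return.
	 * Its layout is not visible here, so no wipe is added.
	 */
	if (sm2_sign_init(&sign_ctx, sign_key, signer_id, signer_id_len) != 1
		|| sm2_sign_update(&sign_ctx, tbs, tbslen) != 1
		|| sm2_sign_finish(&sign_ctx, sig, &siglen) != 1) {
		error_print();
		return -1;
	}
	/* CertificateList: measure the members, then emit header and members */
	if (asn1_data_to_der(tbs, tbslen, NULL, &len) != 1
		|| x509_signature_algor_to_der(signature_algor, NULL, &len) != 1
		|| asn1_bit_octets_to_der(sig, siglen, NULL, &len) != 1
		|| asn1_sequence_header_to_der(len, &out, &outlen) != 1
		|| asn1_data_to_der(tbs, tbslen, &out, &outlen) != 1
		|| x509_signature_algor_to_der(signature_algor, &out, &outlen) != 1
		|| asn1_bit_octets_to_der(sig, siglen, &out, &outlen) != 1) {
		error_print();
		return -1;
	}
	*crl_len = outlen;
	return 1;
}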
1010
/*
 * Verify the SM2/SM3 signature on a DER CRL.
 *
 * a, alen: the full TLV of the CertificateList (outer SEQUENCE included).
 * pub_key: the issuer's SM2 public key.
 * signer_id, signer_id_len: signer ID handed to sm2_verify_init.
 *
 * Only the outer signatureAlgorithm is inspected and it must be
 * OID_sm2sign_with_sm3; the algorithm recorded inside tbsCertList is not
 * compared here, and the issuer name, validity times and extensions are
 * not examined either. The TBSCertList bytes are verified as found.
 *
 * Returns 1 if the signature verifies, -1 for a malformed CRL, an
 * unsupported algorithm, a verification failure or an invalid signature
 * (an invalid signature is not distinguished from an error).
 */
int x509_crl_verify(const uint8_t *a, size_t alen,
	const SM2_KEY *pub_key, const char *signer_id, size_t signer_id_len)
{
	const uint8_t *body;
	size_t body_len;
	const uint8_t *tbs;
	size_t tbslen;
	int sig_alg;
	const uint8_t *sig;
	size_t siglen;
	SM2_SIGN_CTX verify_ctx;

	/* CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue } */
	if (asn1_sequence_from_der(&body, &body_len, &a, &alen) != 1) goto err;
	if (asn1_any_from_der(&tbs, &tbslen, &body, &body_len) != 1) goto err;
	if (x509_signature_algor_from_der(&sig_alg, &body, &body_len) != 1) goto err;
	if (asn1_bit_octets_from_der(&sig, &siglen, &body, &body_len) != 1) goto err;
	if (asn1_length_is_zero(body_len) != 1) goto err;
	/* only SM2 with SM3 is supported; reject anything else before using the key */
	if (sig_alg != OID_sm2sign_with_sm3) goto err;
	if (sm2_verify_init(&verify_ctx, pub_key, signer_id, signer_id_len) != 1) goto err;
	if (sm2_verify_update(&verify_ctx, tbs, tbslen) != 1) goto err;
	/* a bad signature (0) and a failure (<0) both end up as -1 */
	if (sm2_verify_finish(&verify_ctx, sig, siglen) != 1) goto err;
	return 1;
err:
	error_print();
	return -1;
}
1052
/*
 * Verify a CRL's signature with the subject public key of a CA certificate.
 *
 * a, alen: the DER CertificateList.
 * cacert, cacertlen: DER certificate whose subjectPublicKey signs the CRL.
 * signer_id, signer_id_len: passed through to x509_crl_verify.
 *
 * Only the signature is checked: nothing here confirms that cacert's
 * subject matches the CRL issuer or that its keyUsage permits cRLSign;
 * callers that build a trust decision on this result must do that.
 *
 * Returns 1 on success, 0 if x509_crl_verify reports 0 (logged), -1 if the
 * key cannot be extracted or verification fails.
 */
int x509_crl_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen,
	const char *signer_id, size_t signer_id_len)
{
	SM2_KEY public_key;
	int ret;

	if (x509_cert_get_subject_public_key(cacert, cacertlen, &public_key) != 1) {
		error_print();
		return -1;
	}
	ret = x509_crl_verify(a, alen, &public_key, signer_id, signer_id_len);
	if (ret < 0) {
		error_print();
		return -1;
	}
	if (ret == 0) {
		error_print();
	}
	return ret;
}
1067
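/*
 * Decode a DER CRL and hand back the requested fields.
 *
 * a, alen: the full TLV of the CertificateList (outer SEQUENCE included).
 * opt_*: each may be NULL; non-NULL outputs receive views into a (pointers
 *   and lengths) or copies (version, times, algorithm). Outputs are only
 *   written once the whole CRL has decoded successfully.
 *
 * Fixes: opt_signature_algor used to be filled from a variable that was
 * never assigned (the outer algorithm was parsed into sig_alg, which the
 * TBSCertList parse then overwrote), so callers received garbage. The
 * outer signatureAlgorithm is now parsed into signature_algor and, per
 * RFC 5280 5.1.1.2, required to equal tbsCertList.signature.
 *
 * Returns 1 on success, -1 on any decode error, trailing bytes, or a
 * mismatch between the two algorithm fields.
 */
int x509_crl_get_details(const uint8_t *a, size_t alen,
	int *opt_version,
	const uint8_t **opt_issuer, size_t *opt_issuer_len,
	time_t *opt_this_update,
	time_t *opt_next_update,
	const uint8_t **opt_revoked_certs, size_t *opt_revoked_certs_len,
	const uint8_t **opt_exts, size_t *opt_exts_len,
	int *opt_signature_algor,
	const uint8_t **opt_sig, size_t *opt_siglen)
{
	const uint8_t *d;
	size_t dlen;
	const uint8_t *tbs;
	size_t tbs_len;
	int signature_algor;
	const uint8_t *sig;
	size_t siglen;

	int version;
	int sig_alg;
	const uint8_t *issuer;
	size_t issuer_len;
	time_t this_update;
	time_t next_update;
	const uint8_t *revoked_certs;
	size_t revoked_certs_len;
	const uint8_t *exts;
	size_t exts_len;

	/* CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue } */
	if (asn1_sequence_from_der(&d, &dlen, &a, &alen) != 1) {
		error_print();
		return -1;
	}
	if (asn1_any_from_der(&tbs, &tbs_len, &d, &dlen) != 1
		|| x509_signature_algor_from_der(&signature_algor, &d, &dlen) != 1
		|| asn1_bit_octets_from_der(&sig, &siglen, &d, &dlen) != 1
		|| asn1_length_is_zero(dlen) != 1) {
		error_print();
		return -1;
	}

	/* tbs is the whole TBSCertList TLV; the parser must consume all of it */
	if (x509_tbs_crl_from_der(&version, &sig_alg, &issuer, &issuer_len,
		&this_update, &next_update, &revoked_certs, &revoked_certs_len,
		&exts, &exts_len, &tbs, &tbs_len) != 1
		|| asn1_length_is_zero(tbs_len) != 1) {
		error_print();
		return -1;
	}
	/* RFC 5280 5.1.1.2: signatureAlgorithm MUST equal tbsCertList.signature */
	if (sig_alg != signature_algor) {
		error_print();
		return -1;
	}

	if (opt_signature_algor) *opt_signature_algor = signature_algor;
	if (opt_sig) *opt_sig = sig;
	if (opt_siglen) *opt_siglen = siglen;
	if (opt_version) *opt_version = version;
	if (opt_issuer) *opt_issuer = issuer;
	if (opt_issuer_len) *opt_issuer_len = issuer_len;
	if (opt_this_update) *opt_this_update = this_update;
	if (opt_next_update) *opt_next_update = next_update;
	if (opt_revoked_certs) *opt_revoked_certs = revoked_certs;
	if (opt_revoked_certs_len) *opt_revoked_certs_len = revoked_certs_len;
	if (opt_exts) *opt_exts = exts;
	if (opt_exts_len) *opt_exts_len = exts_len;
	return 1;
}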
1133
/*
 * Return the issuer Name of a DER CRL as a view into the input.
 *
 * crl, crl_len: the full TLV of the CertificateList.
 * issuer, issuer_len: receive the issuer's DER bytes and length.
 *
 * Returns 1 on success, -1 if x509_crl_get_details fails.
 */
int x509_crl_get_issuer(const uint8_t *crl, size_t crl_len,
	const uint8_t **issuer, size_t *issuer_len)
{
	int ret;

	/* only the issuer slots are requested; every other detail is discarded */
	ret = x509_crl_get_details(crl, crl_len,
		NULL,			/* version */
		issuer, issuer_len,
		NULL, NULL,		/* this_update, next_update */
		NULL, NULL,		/* revoked_certs, revoked_certs_len */
		NULL, NULL,		/* exts, exts_len */
		NULL,			/* signature_algor */
		NULL, NULL);		/* sig, siglen */
	if (ret == 1) {
		return 1;
	}
	error_print();
	return -1;
}
1151
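/*
 * Look up a certificate serial number in a CRL's revokedCertificates list.
 *
 * a, alen: the full TLV of the CertificateList.
 * serial, serial_len: serial number to look for. The comparison is
 *   byte-exact against the entry's INTEGER content as returned by
 *   x509_revoked_cert_from_der, so the caller must supply the serial in the
 *   same (presumably DER) form, including any leading 0x00 the encoder
 *   added for positive values with the high bit set.
 * revoke_date, entry_exts, entry_exts_len: each may be NULL. They are
 *   written only when a matching entry is found; previously every entry
 *   scanned was written into them, so a caller that got 0 back was left
 *   with the last entry's values, and NULL outputs were not accepted.
 *
 * Returns 1 if the serial is listed, 0 if it is not (including a CRL with
 * no revokedCertificates), -1 if the CRL or an entry fails to decode.
 */
int x509_crl_find_revoked_cert_by_serial_number(const uint8_t *a, size_t alen,
	const uint8_t *serial, size_t serial_len,
	time_t *revoke_date,
	const uint8_t **entry_exts, size_t *entry_exts_len)
{
	const uint8_t *certs;
	size_t certslen;

	if (x509_crl_get_details(a, alen,
		NULL, NULL, NULL, NULL, NULL,
		&certs, &certslen,
		NULL, NULL, NULL, NULL, NULL) != 1) {
		error_print();
		return -1;
	}
	while (certslen) {
		const uint8_t *serial_number;
		size_t serial_number_len;
		time_t entry_date;
		const uint8_t *exts;
		size_t exts_len;

		if (x509_revoked_cert_from_der(
			&serial_number, &serial_number_len,
			&entry_date,
			&exts, &exts_len,
			&certs, &certslen) != 1) {
			error_print();
			return -1;
		}
		if (serial_number_len != serial_len) {
			continue;
		}
		/* skip memcmp for zero length so a NULL serial is never dereferenced */
		if (serial_len && memcmp(serial_number, serial, serial_len) != 0) {
			continue;
		}
		if (revoke_date) *revoke_date = entry_date;
		if (entry_exts) *entry_exts = exts;
		if (entry_exts_len) *entry_exts_len = exts_len;
		return 1;
	}

	return 0;
}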
1187
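/*
 * Print a concatenation of DER CRLs.
 *
 * fp, fmt, ind: output stream, format flags and indentation for format_print();
 *   each CRL is printed 4 columns deeper than the heading.
 * label: heading printed once before the list.
 * d, dlen: back-to-back CertificateList TLVs; the buffer must be consumed
 *   exactly by whole SEQUENCEs.
 *
 * Returns 1 on success, -1 if an element is not a SEQUENCE or printing a
 * CRL fails (a failed body print used to be ignored and the loop continued).
 */
int x509_crls_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen)
{
	const uint8_t *p;
	size_t len;

	format_print(fp, fmt, ind, "%s\n", label);
	ind += 4;

	while (dlen) {
		if (asn1_sequence_from_der(&p, &len, &d, &dlen) != 1) {
			error_print();
			return -1;
		}
		/* stop at the first CRL that fails to print instead of reporting success */
		if (x509_cert_list_print(fp, fmt, ind, "CertificateRevocationList", p, len) != 1) {
			error_print();
			return -1;
		}
	}
	return 1;
}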
1205