1 /*
2 * Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the License); you may
5 * not use this file except in compliance with the License.
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 */
9
10
11
12 #include <stdio.h>
13 #include <string.h>
14 #include <stdlib.h>
15 #include <stdint.h>
16 #include <assert.h>
17 #include <gmssl/sm2.h>
18 #include <gmssl/oid.h>
19 #include <gmssl/asn1.h>
20 #include <gmssl/x509.h>
21 #include <gmssl/error.h>
22
23
24 static uint32_t oid_at_name[] = { oid_at,41 };
25 static uint32_t oid_at_surname[] = { oid_at,4 };
26 static uint32_t oid_at_given_name[] = { oid_at,42 };
27 static uint32_t oid_at_initials[] = { oid_at,43 };
28 static uint32_t oid_at_generation_qualifier[] = { oid_at,44 };
29 static uint32_t oid_at_common_name[] = { oid_at,3 };
30 static uint32_t oid_at_locality_name[] = { oid_at,7 };
31 static uint32_t oid_at_state_or_province_name[] = { oid_at,8 };
32 static uint32_t oid_at_organization_name[] = { oid_at,10 };
33 static uint32_t oid_at_organizational_unit_name[] = { oid_at,11 };
34 static uint32_t oid_at_title[] = { oid_at,12 };
35 static uint32_t oid_at_dn_qualifier[] = { oid_at,46 };
36 static uint32_t oid_at_country_name[] = { oid_at,6 };
37 static uint32_t oid_at_serial_number[] = { oid_at,5 };
38 static uint32_t oid_at_pseudonym[] = { oid_at,65 };
39 static uint32_t oid_domain_component[] = { 0,9,2342,19200300,100,1,25 };
40 static uint32_t oid_email_address[] = { 1,2,840,113549,1,9,1 };
41
42 #define OID_AT_CNT (sizeof(oid_at_name)/sizeof(int))
43
44 static const ASN1_OID_INFO x509_name_types[] = {
45 { OID_at_name, "name", oid_at_name, OID_AT_CNT },
46 { OID_at_surname, "surname", oid_at_surname, OID_AT_CNT },
47 { OID_at_given_name, "givenName", oid_at_given_name, OID_AT_CNT },
48 { OID_at_initials, "initials", oid_at_initials, OID_AT_CNT },
49 { OID_at_generation_qualifier, "generationQualifier", oid_at_generation_qualifier, OID_AT_CNT },
50 { OID_at_common_name, "commonName", oid_at_common_name, OID_AT_CNT },
51 { OID_at_locality_name, "localityName", oid_at_locality_name, OID_AT_CNT },
52 { OID_at_state_or_province_name, "stateOrProvinceName", oid_at_state_or_province_name, OID_AT_CNT },
53 { OID_at_organization_name, "organizationName", oid_at_organization_name, OID_AT_CNT },
54 { OID_at_organizational_unit_name, "organizationalUnitName", oid_at_organizational_unit_name, OID_AT_CNT },
55 { OID_at_title, "title", oid_at_title, OID_AT_CNT },
56 { OID_at_dn_qualifier, "dnQualifier", oid_at_dn_qualifier, OID_AT_CNT },
57 { OID_at_country_name, "countryName", oid_at_country_name, OID_AT_CNT },
58 { OID_at_serial_number, "serialNumber", oid_at_serial_number, OID_AT_CNT },
59 { OID_at_pseudonym, "pseudonym", oid_at_pseudonym, OID_AT_CNT },
60 { OID_domain_component, "domainComponent", oid_domain_component, sizeof(oid_domain_component)/sizeof(int) },
61 { OID_email_address, "emailAddress", oid_email_address, sizeof(oid_email_address)/sizeof(int) },
62 };
63
64 static const int x509_name_types_count
65 = sizeof(x509_name_types)/sizeof(x509_name_types[0]);
66
x509_name_type_name(int oid)67 const char *x509_name_type_name(int oid)
68 {
69 const ASN1_OID_INFO *info;
70 if (!(info = asn1_oid_info_from_oid(x509_name_types, x509_name_types_count, oid))) {
71 error_print();
72 return NULL;
73 }
74 return info->name;
75 }
76
x509_name_type_from_name(const char * name)77 int x509_name_type_from_name(const char *name)
78 {
79 const ASN1_OID_INFO *info;
80 if (!(info = asn1_oid_info_from_name(x509_name_types, x509_name_types_count, name))) {
81 error_print();
82 return OID_undef;
83 }
84 return info->oid;
85 }
86
x509_name_type_to_der(int oid,uint8_t ** out,size_t * outlen)87 int x509_name_type_to_der(int oid, uint8_t **out, size_t *outlen)
88 {
89 const ASN1_OID_INFO *info;
90 if (!(info = asn1_oid_info_from_oid(x509_name_types, x509_name_types_count, oid))) {
91 error_print();
92 return -1;
93 }
94 if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) {
95 error_print();
96 return -1;
97 }
98 return 1;
99 }
100
x509_name_type_from_der(int * oid,const uint8_t ** in,size_t * inlen)101 int x509_name_type_from_der(int *oid, const uint8_t **in, size_t *inlen)
102 {
103 int ret;
104 const ASN1_OID_INFO *info;
105
106 if ((ret = asn1_oid_info_from_der(&info, x509_name_types, x509_name_types_count, in, inlen)) != 1) {
107 if (ret < 0) error_print();
108 else *oid = -1;
109 return ret;
110 }
111 *oid = info->oid;
112 return 1;
113 }
114
115
116 static uint32_t oid_ce_subject_directory_attributes[] = { oid_ce,9 };
117 static uint32_t oid_ce_subject_key_identifier[] = { oid_ce,14 };
118 static uint32_t oid_ce_key_usage[] = { oid_ce,15 };
119 static uint32_t oid_ce_subject_alt_name[] = { oid_ce,17 };
120 static uint32_t oid_ce_issuer_alt_name[] = { oid_ce,18 };
121 static uint32_t oid_ce_basic_constraints[] = { oid_ce,19 };
122 static uint32_t oid_ce_name_constraints[] = { oid_ce,30 };
123 static uint32_t oid_ce_crl_distribution_points[] = { oid_ce,31 };
124 static uint32_t oid_ce_certificate_policies[] = { oid_ce,32 };
125 static uint32_t oid_ce_policy_mappings[] = { oid_ce,33 };
126 static uint32_t oid_ce_authority_key_identifier[] = { oid_ce,35 };
127 static uint32_t oid_ce_policy_constraints[] = { oid_ce,36 };
128 static uint32_t oid_ce_ext_key_usage[] = { oid_ce,37 };
129 static uint32_t oid_ce_freshest_crl[] = { oid_ce,46 };
130 static uint32_t oid_ce_inhibit_any_policy[] = { oid_ce,54 };
131 static uint32_t oid_ce_crl_reasons[] = { oid_ce,21 }; // crl_entry_ext
132 static uint32_t oid_ce_invalidity_date[] = { oid_ce,24 }; // crl_entry_ext
133 static uint32_t oid_ce_certificate_issuer[] = { oid_ce,29 }; // crl_entry_ext
134 #define OID_CE_CNT sizeof(oid_ce_subject_directory_attributes)/sizeof(int)
135 static uint32_t oid_netscape_cert_type[] = { 2,16,840,1,113730,1,1 };
136 static uint32_t oid_netscape_cert_comment[] = { 2,16,840,1,113730,1,13 };
137 static uint32_t oid_cert_authority_info_access[] = { 1,3,6,1,5,5,7,1,1 };
138 static uint32_t oid_ct_precertificate_scts[] = { 1,3,6,1,4,1,11129,2,4,2 };
139
140 static const ASN1_OID_INFO x509_ext_ids[] = {
141 { OID_ce_authority_key_identifier, "AuthorityKeyIdentifier", oid_ce_authority_key_identifier, OID_CE_CNT },
142 { OID_ce_subject_key_identifier, "SubjectKeyIdentifier", oid_ce_subject_key_identifier, OID_CE_CNT },
143 { OID_ce_key_usage, "KeyUsage", oid_ce_key_usage, OID_CE_CNT },
144 { OID_ce_certificate_policies, "CertificatePolicies", oid_ce_certificate_policies, OID_CE_CNT },
145 { OID_ce_policy_mappings, "PolicyMappings", oid_ce_policy_mappings, OID_CE_CNT },
146 { OID_ce_subject_alt_name, "SubjectAltName", oid_ce_subject_alt_name, OID_CE_CNT },
147 { OID_ce_issuer_alt_name, "IssuerAltName", oid_ce_issuer_alt_name, OID_CE_CNT },
148 { OID_ce_subject_directory_attributes, "SubjectDirectoryAttributes", oid_ce_subject_directory_attributes, OID_CE_CNT },
149 { OID_ce_basic_constraints, "BasicConstraints", oid_ce_basic_constraints, OID_CE_CNT },
150 { OID_ce_name_constraints, "NameConstraints", oid_ce_name_constraints, OID_CE_CNT },
151 { OID_ce_policy_constraints, "PolicyConstraints", oid_ce_policy_constraints, OID_CE_CNT },
152 { OID_ce_ext_key_usage, "ExtKeyUsage", oid_ce_ext_key_usage, OID_CE_CNT },
153 { OID_ce_crl_distribution_points, "CRLDistributionPoints", oid_ce_crl_distribution_points, OID_CE_CNT },
154 { OID_ce_inhibit_any_policy, "InhibitAnyPolicy", oid_ce_inhibit_any_policy, OID_CE_CNT },
155 { OID_ce_freshest_crl, "FreshestCRL", oid_ce_freshest_crl, OID_CE_CNT },
156 { OID_ce_crl_reasons, "CRLReasons", oid_ce_crl_reasons, OID_CE_CNT },
157 { OID_ce_invalidity_date, "InvalidityDate", oid_ce_invalidity_date, OID_CE_CNT },
158 { OID_ce_certificate_issuer, "CertificateIssuer", oid_ce_certificate_issuer, OID_CE_CNT },
159 { OID_netscape_cert_type, "NetscapeCertType", oid_netscape_cert_type, sizeof(oid_netscape_cert_type)/sizeof(int) },
160 { OID_netscape_cert_comment, "NetscapeCertComment", oid_netscape_cert_comment, sizeof(oid_netscape_cert_comment)/sizeof(int) },
161 { OID_cert_authority_info_access, "CertificateAuthorityInformationAccess", oid_cert_authority_info_access, sizeof(oid_cert_authority_info_access)/sizeof(int) },
162 { OID_ct_precertificate_scts, "CT-PrecertificateSCTs", oid_ct_precertificate_scts, sizeof(oid_ct_precertificate_scts)/sizeof(int) },
163 };
164
165 static const int x509_ext_ids_count =
166 sizeof(x509_ext_ids)/sizeof(x509_ext_ids[0]);
167
x509_ext_id_name(int oid)168 const char *x509_ext_id_name(int oid)
169 {
170 const ASN1_OID_INFO *info;
171 if (oid == 0) {
172 return NULL;
173 }
174 if (!(info = asn1_oid_info_from_oid(x509_ext_ids, x509_ext_ids_count, oid))) {
175 error_print();
176 return NULL;
177 }
178 return info->name;
179 }
180
x509_ext_id_from_name(const char * name)181 int x509_ext_id_from_name(const char *name)
182 {
183 const ASN1_OID_INFO *info;
184 if (!(info = asn1_oid_info_from_name(x509_ext_ids, x509_ext_ids_count, name))) {
185 error_print();
186 return OID_undef;
187 }
188 return info->oid;
189 }
190
x509_ext_id_to_der(int oid,uint8_t ** out,size_t * outlen)191 int x509_ext_id_to_der(int oid, uint8_t **out, size_t *outlen)
192 {
193 const ASN1_OID_INFO *info;
194 if (!(info = asn1_oid_info_from_oid(x509_ext_ids, x509_ext_ids_count, oid))) {
195 error_print();
196 return -1;
197 }
198 if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) {
199 error_print();
200 return -1;
201 }
202 return 1;
203 }
204
205 // 如果要支持未知的ext_id,应该提供一个callback
x509_ext_id_from_der(int * oid,uint32_t * nodes,size_t * nodes_cnt,const uint8_t ** in,size_t * inlen)206 int x509_ext_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen)
207 {
208 int ret;
209 const ASN1_OID_INFO *info;
210
211 if ((ret = asn1_oid_info_from_der_ex(&info, nodes, nodes_cnt, x509_ext_ids, x509_ext_ids_count, in, inlen)) != 1) {
212 if (ret < 0) error_print();
213 else *oid = -1;
214 return ret;
215 }
216 *oid = info ? info->oid : 0;
217 return 1;
218 }
219
220
221 static uint32_t oid_qt_cps[] = { oid_qt,1 };
222 static uint32_t oid_qt_unotice[] = {oid_qt,2 };
223
224 static const ASN1_OID_INFO x509_qt_ids[] = {
225 { OID_qt_cps, "CPS", oid_qt_cps, sizeof(oid_qt_cps)/sizeof(int) },
226 { OID_qt_unotice, "userNotice", oid_qt_unotice, sizeof(oid_qt_unotice)/sizeof(int) }
227 };
228
229 static const int x509_qt_ids_count =
230 sizeof(x509_qt_ids)/sizeof(x509_qt_ids[0]);
231
x509_qualifier_id_from_name(const char * name)232 int x509_qualifier_id_from_name(const char *name)
233 {
234 const ASN1_OID_INFO *info;
235 if (!(info = asn1_oid_info_from_name(x509_qt_ids, x509_qt_ids_count, name))) {
236 error_print();
237 return OID_undef;
238 }
239 return info->oid;
240 }
241
x509_qualifier_id_name(int oid)242 const char *x509_qualifier_id_name(int oid)
243 {
244 const ASN1_OID_INFO *info;
245 if (!(info = asn1_oid_info_from_oid(x509_qt_ids, x509_qt_ids_count, oid))) {
246 error_print();
247 return NULL;
248 }
249 return info->name;
250 }
251
x509_qualifier_id_to_der(int oid,uint8_t ** out,size_t * outlen)252 int x509_qualifier_id_to_der(int oid, uint8_t **out, size_t *outlen)
253 {
254 const ASN1_OID_INFO *info;
255 if (!(info = asn1_oid_info_from_oid(x509_qt_ids, x509_qt_ids_count, oid))) {
256 error_print();
257 return -1;
258 }
259 if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) {
260 error_print();
261 return -1;
262 }
263 return 1;
264 }
265
x509_qualifier_id_from_der(int * oid,const uint8_t ** in,size_t * inlen)266 int x509_qualifier_id_from_der(int *oid, const uint8_t **in, size_t *inlen)
267 {
268 int ret;
269 const ASN1_OID_INFO *info;
270 if ((ret = asn1_oid_info_from_der(&info, x509_qt_ids, x509_qt_ids_count, in, inlen)) != 1) {
271 if (ret < 0) error_print();
272 else *oid = -1;
273 return ret;
274 }
275 *oid = info->oid;
276 return 1;
277 }
278
279
x509_cert_policy_id_from_name(const char * name)280 int x509_cert_policy_id_from_name(const char *name)
281 {
282 if (strcmp(name, "anyPolicy") == 0) {
283 return OID_any_policy;
284 }
285 return OID_undef;
286 }
287
x509_cert_policy_id_name(int oid)288 char *x509_cert_policy_id_name(int oid)
289 {
290 switch (oid) {
291 case OID_any_policy: return "anyPolicy";
292 }
293 return NULL;
294 }
295
296 static uint32_t oid_any_policy[] = { oid_ce,32,0 };
297
x509_cert_policy_id_to_der(int oid,const uint32_t * nodes,size_t nodes_cnt,uint8_t ** out,size_t * outlen)298 int x509_cert_policy_id_to_der(int oid, const uint32_t *nodes, size_t nodes_cnt, uint8_t **out, size_t *outlen)
299 {
300 switch (oid) {
301 case OID_any_policy:
302 if (asn1_object_identifier_to_der(oid_any_policy, sizeof(oid_any_policy)/sizeof(int), out, outlen) != 1) {
303 error_print();
304 return -1;
305 }
306 break;
307 case OID_undef:
308 if (asn1_object_identifier_to_der(nodes, nodes_cnt, out, outlen) != 1) {
309 error_print();
310 return -1;
311 }
312 break;
313 default:
314 error_print();
315 return -1;
316 }
317 return 1;
318 }
319
x509_cert_policy_id_from_der(int * oid,uint32_t * nodes,size_t * nodes_cnt,const uint8_t ** in,size_t * inlen)320 int x509_cert_policy_id_from_der(int *oid, uint32_t *nodes, size_t *nodes_cnt, const uint8_t **in, size_t *inlen)
321 {
322 int ret;
323 if ((ret = asn1_object_identifier_from_der(nodes, nodes_cnt, in, inlen)) != 1) {
324 if (ret < 0) error_print();
325 else *oid = -1;
326 return ret;
327 }
328 if (asn1_object_identifier_equ(nodes, *nodes_cnt, oid_any_policy, oid_cnt(oid_any_policy)))
329 *oid = OID_any_policy;
330 else *oid = 0;
331 return 1;
332 }
333
334
335 #define oid_kp oid_pkix,3
336
337 static uint32_t oid_kp_server_auth[] = { oid_kp,1 };
338 static uint32_t oid_kp_client_auth[] = { oid_kp,2 };
339 static uint32_t oid_kp_code_signing[] = { oid_kp,3 };
340 static uint32_t oid_kp_email_protection[] = { oid_kp,4 };
341 static uint32_t oid_kp_time_stamping[] = { oid_kp,8 };
342 static uint32_t oid_kp_ocsp_signing[] = { oid_kp,9 };
343 #define OID_KP_CNT sizeof(oid_kp_server_auth)/sizeof(int)
344
345 static const ASN1_OID_INFO x509_key_purposes[] = {
346 { OID_kp_server_auth, "serverAuth", oid_kp_server_auth, OID_KP_CNT, 0, "TLS WWW server authentication" },
347 { OID_kp_client_auth, "clientAuth", oid_kp_client_auth, OID_KP_CNT, 0, "TLS WWW client authentication" },
348 { OID_kp_code_signing, "codeSigning", oid_kp_code_signing, OID_KP_CNT, 0, "Signing of downloadable executable code" },
349 { OID_kp_email_protection, "emailProtection", oid_kp_email_protection, OID_KP_CNT, 0, "Email protection" },
350 { OID_kp_time_stamping, "timeStamping", oid_kp_time_stamping, OID_KP_CNT, 0, "Binding the hash of an object to a time" },
351 { OID_kp_ocsp_signing, "OCSPSigning", oid_kp_ocsp_signing, OID_KP_CNT, 0, "Signing OCSP responses" },
352 };
353
354 static const int x509_key_purposes_count =
355 sizeof(x509_key_purposes)/sizeof(x509_key_purposes[0]);
356
x509_key_purpose_from_name(const char * name)357 int x509_key_purpose_from_name(const char *name)
358 {
359 const ASN1_OID_INFO *info;
360 if (!(info = asn1_oid_info_from_name(x509_key_purposes, x509_key_purposes_count, name))) {
361 error_print();
362 return OID_undef;
363 }
364 return info->oid;
365 }
366
x509_key_purpose_name(int oid)367 const char *x509_key_purpose_name(int oid)
368 {
369 const ASN1_OID_INFO *info;
370 if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) {
371 error_print();
372 return NULL;
373 }
374 return info->name;
375 }
376
x509_key_purpose_text(int oid)377 const char *x509_key_purpose_text(int oid)
378 {
379 const ASN1_OID_INFO *info;
380 if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) {
381 error_print();
382 return NULL;
383 }
384 return info->description;
385 }
386
x509_key_purpose_to_der(int oid,uint8_t ** out,size_t * outlen)387 int x509_key_purpose_to_der(int oid, uint8_t **out, size_t *outlen)
388 {
389 const ASN1_OID_INFO *info;
390 if (!(info = asn1_oid_info_from_oid(x509_key_purposes, x509_key_purposes_count, oid))) {
391 error_print();
392 return -1;
393 }
394 if (asn1_object_identifier_to_der(info->nodes, info->nodes_cnt, out, outlen) != 1) {
395 error_print();
396 return -1;
397 }
398 return 1;
399 }
400
x509_key_purpose_from_der(int * oid,const uint8_t ** in,size_t * inlen)401 int x509_key_purpose_from_der(int *oid, const uint8_t **in, size_t *inlen)
402 {
403 int ret;
404 const ASN1_OID_INFO *info;
405 if ((ret = asn1_oid_info_from_der(&info, x509_key_purposes, x509_key_purposes_count, in, inlen)) != 1) {
406 if (ret < 0) error_print();
407 else *oid = -1;
408 return ret;
409 }
410 *oid = info->oid;
411 return 1;
412 }
413