1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15
16 #include "hitls_build.h"
17 #ifdef HITLS_PKI_X509_CRT
18 #include <stdio.h>
19 #include "securec.h"
20 #include "bsl_sal.h"
21 #ifdef HITLS_BSL_SAL_FILE
22 #include "sal_file.h"
23 #endif
24 #include "sal_time.h"
25 #include "bsl_log_internal.h"
26 #include "bsl_log.h"
27 #include "bsl_obj_internal.h"
28 #include "hitls_pki_errno.h"
29 #include "hitls_x509_local.h"
30 #include "crypt_eal_codecs.h"
31 #include "crypt_encode_decode_key.h"
32 #include "crypt_errno.h"
33 #include "crypt_eal_md.h"
34
35 #ifdef HITLS_BSL_PEM
36 #include "bsl_pem_internal.h"
37 #endif // HITLS_BSL_PEM
38
39 #include "bsl_err_internal.h"
40 #include "hitls_csr_local.h"
41 #include "hitls_cert_local.h"
42
43 #ifdef HITLS_PKI_INFO
44 #include "hitls_print_local.h"
45 #endif // HITLS_PKI_INFO
46
47 #include "hitls_pki_utils.h"
48 #include "hitls_pki_csr.h"
49 #include "hitls_pki_cert.h"
50
51 #define HITLS_CERT_CTX_SPECIFIC_TAG_VER 0
52 #define HITLS_CERT_CTX_SPECIFIC_TAG_ISSUERID 1
53 #define HITLS_CERT_CTX_SPECIFIC_TAG_SUBJECTID 2
54 #define HITLS_CERT_CTX_SPECIFIC_TAG_EXTENSION 3
55 #define MAX_DN_STR_LEN 256
56 #define PRINT_TIME_MAX_SIZE 32
57
58 #define HITLS_X509_CERT_PARSE_FLAG 0x01
59 #define HITLS_X509_CERT_GEN_FLAG 0x02
60
61 typedef enum {
62 HITLS_X509_ISSUER_DN_NAME,
63 HITLS_X509_SUBJECT_DN_NAME,
64 } DISTINCT_NAME_TYPE;
65
66 typedef enum {
67 HITLS_X509_BEFORE_TIME,
68 HITLS_X509_AFTER_TIME,
69 } X509_TIME_TYPE;
70
71 BSL_ASN1_TemplateItem g_certTempl[] = {
72 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0}, /* x509 */
73 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 1}, /* tbs */
74 /* 2: version */
75 {BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED | HITLS_CERT_CTX_SPECIFIC_TAG_VER,
76 BSL_ASN1_FLAG_DEFAULT, 2},
77 {BSL_ASN1_TAG_INTEGER, 0, 3},
78 /* 2: serial number */
79 {BSL_ASN1_TAG_INTEGER, 0, 2},
80 /* 2: signature info */
81 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 2},
82 {BSL_ASN1_TAG_OBJECT_ID, 0, 3},
83 {BSL_ASN1_TAG_ANY, BSL_ASN1_FLAG_OPTIONAL, 3}, // 8
84 /* 2: issuer */
85 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 2},
86 /* 2: validity */
87 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 2},
88 {BSL_ASN1_TAG_CHOICE, 0, 3},
89 {BSL_ASN1_TAG_CHOICE, 0, 3}, // 12
90 /* 2: subject ref: issuer */
91 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 2},
92 /* 2: subject public key info ref signature info */
93 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY, 2},
94 /* 2: issuer id, subject id */
95 {BSL_ASN1_CLASS_CTX_SPECIFIC | HITLS_CERT_CTX_SPECIFIC_TAG_ISSUERID, BSL_ASN1_FLAG_OPTIONAL, 2},
96 {BSL_ASN1_CLASS_CTX_SPECIFIC | HITLS_CERT_CTX_SPECIFIC_TAG_SUBJECTID, BSL_ASN1_FLAG_OPTIONAL, 2},
97 /* 2: extension */
98 {BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED | HITLS_CERT_CTX_SPECIFIC_TAG_EXTENSION,
99 BSL_ASN1_FLAG_OPTIONAL | BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 2}, // 17
100 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 1}, /* signAlg */
101 {BSL_ASN1_TAG_OBJECT_ID, 0, 2},
102 {BSL_ASN1_TAG_ANY, BSL_ASN1_FLAG_OPTIONAL, 2}, // 20
103 {BSL_ASN1_TAG_BITSTRING, 0, 1} /* sig */
104 };
105
106 typedef enum {
107 HITLS_X509_CERT_VERSION_IDX = 0,
108 HITLS_X509_CERT_SERIAL_IDX = 1,
109 HITLS_X509_CERT_TBS_SIGNALG_OID_IDX = 2,
110 HITLS_X509_CERT_TBS_SIGNALG_ANY_IDX = 3,
111 HITLS_X509_CERT_ISSUER_IDX = 4,
112 HITLS_X509_CERT_BEFORE_VALID_IDX = 5,
113 HITLS_X509_CERT_AFTER_VALID_IDX = 6,
114 HITLS_X509_CERT_SUBJECT_IDX = 7,
115 HITLS_X509_CERT_SUBKEYINFO_IDX = 8,
116 HITLS_X509_CERT_ISSUERID_IDX = 9,
117 HITLS_X509_CERT_SUBJECTID_IDX = 10,
118 HITLS_X509_CERT_EXT_IDX = 11,
119 HITLS_X509_CERT_SIGNALG_IDX = 12,
120 HITLS_X509_CERT_SIGNALG_ANY_IDX = 13,
121 HITLS_X509_CERT_SIGN_IDX = 14,
122 HITLS_X509_CERT_MAX_IDX = 15,
123 } HITLS_X509_CERT_IDX;
124
125 #define X509_ASN1_START_TIME_IDX 10
126 #define X509_ASN1_END_TIME_IDX 11
127
128 #define X509_ASN1_TBS_SIGNALG_ANY 7
129 #define X509_ASN1_SIGNALG_ANY 19
130
131 #ifdef HITLS_PKI_X509_CRT_PARSE
HITLS_X509_CertTagGetOrCheck(int32_t type,uint32_t idx,void * data,void * expVal)132 int32_t HITLS_X509_CertTagGetOrCheck(int32_t type, uint32_t idx, void *data, void *expVal)
133 {
134 switch (type) {
135 case BSL_ASN1_TYPE_CHECK_CHOICE_TAG: {
136 if (idx == X509_ASN1_START_TIME_IDX || idx == X509_ASN1_END_TIME_IDX) {
137 uint8_t tag = *(uint8_t *) data;
138 if ((tag == BSL_ASN1_TAG_UTCTIME) || (tag == BSL_ASN1_TAG_GENERALIZEDTIME)) {
139 *(uint8_t *) expVal = tag;
140 return BSL_SUCCESS;
141 }
142 }
143 return HITLS_X509_ERR_CHECK_TAG;
144 }
145 case BSL_ASN1_TYPE_GET_ANY_TAG: {
146 if (idx == X509_ASN1_TBS_SIGNALG_ANY || idx == X509_ASN1_SIGNALG_ANY) {
147 BSL_ASN1_Buffer *param = (BSL_ASN1_Buffer *) data;
148 BslOidString oidStr = {param->len, (char *)param->buff, 0};
149 BslCid cid = BSL_OBJ_GetCID(&oidStr);
150 if (cid == BSL_CID_UNKNOWN) {
151 return HITLS_X509_ERR_GET_ANY_TAG;
152 }
153 if (cid == BSL_CID_RSASSAPSS) {
154 // note: any can be encoded empty null
155 *(uint8_t *)expVal = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE;
156 return BSL_SUCCESS;
157 } else {
158 *(uint8_t *)expVal = BSL_ASN1_TAG_NULL; // is null
159 return BSL_SUCCESS;
160 }
161 }
162 return HITLS_X509_ERR_GET_ANY_TAG;
163 }
164 default:
165 return HITLS_X509_ERR_INVALID_PARAM;
166 }
167 }
168 #endif // HITLS_PKI_X509_CRT_PARSE
169
HITLS_X509_CertFree(HITLS_X509_Cert * cert)170 void HITLS_X509_CertFree(HITLS_X509_Cert *cert)
171 {
172 if (cert == NULL) {
173 return;
174 }
175
176 int ret = 0;
177 BSL_SAL_AtomicDownReferences(&(cert->references), &ret);
178 if (ret > 0) {
179 return;
180 }
181
182 if (cert->flag == HITLS_X509_CERT_GEN_FLAG) {
183 BSL_SAL_FREE(cert->tbs.serialNum.buff);
184 BSL_SAL_FREE(cert->tbs.tbsRawData);
185 BSL_SAL_FREE(cert->signature.buff);
186 BSL_LIST_FREE(cert->tbs.issuerName, (BSL_LIST_PFUNC_FREE)HITLS_X509_FreeNameNode);
187 BSL_LIST_FREE(cert->tbs.subjectName, (BSL_LIST_PFUNC_FREE)HITLS_X509_FreeNameNode);
188 } else {
189 BSL_LIST_FREE(cert->tbs.issuerName, NULL);
190 BSL_LIST_FREE(cert->tbs.subjectName, NULL);
191 }
192 #ifdef HITLS_CRYPTO_SM2
193 if (cert->signAlgId.algId == BSL_CID_SM2DSAWITHSM3) {
194 BSL_SAL_FREE(cert->signAlgId.sm2UserId.data);
195 }
196 #endif
197 X509_ExtFree(&cert->tbs.ext, false);
198 BSL_SAL_FREE(cert->rawData);
199 CRYPT_EAL_PkeyFreeCtx(cert->tbs.ealPubKey);
200 BSL_SAL_ReferencesFree(&(cert->references));
201 BSL_SAL_Free(cert);
202 }
203
HITLS_X509_CertNew(void)204 HITLS_X509_Cert *HITLS_X509_CertNew(void)
205 {
206 BSL_ASN1_List *issuerName = NULL;
207 BSL_ASN1_List *subjectName = NULL;
208 HITLS_X509_Ext *ext = NULL;
209 HITLS_X509_Cert *cert = (HITLS_X509_Cert *)BSL_SAL_Calloc(1, sizeof(HITLS_X509_Cert));
210 if (cert == NULL) {
211 return NULL;
212 }
213
214 issuerName = BSL_LIST_New(sizeof(HITLS_X509_NameNode));
215 if (issuerName == NULL) {
216 goto ERR;
217 }
218
219 subjectName = BSL_LIST_New(sizeof(HITLS_X509_NameNode));
220 if (subjectName == NULL) {
221 goto ERR;
222 }
223
224 ext = X509_ExtNew(&cert->tbs.ext, HITLS_X509_EXT_TYPE_CERT);
225 if (ext == NULL) {
226 goto ERR;
227 }
228 BSL_SAL_ReferencesInit(&(cert->references));
229 cert->tbs.issuerName = issuerName;
230 cert->tbs.subjectName = subjectName;
231 cert->state = HITLS_X509_CERT_STATE_NEW;
232 return cert;
233 ERR:
234 BSL_SAL_Free(cert);
235 BSL_SAL_Free(issuerName);
236 BSL_SAL_Free(subjectName);
237 return NULL;
238 }
239
240 #ifdef HITLS_PKI_X509_CRT_PARSE
HITLS_X509_ParseCertTbs(BSL_ASN1_Buffer * asnArr,HITLS_X509_Cert * cert)241 int32_t HITLS_X509_ParseCertTbs(BSL_ASN1_Buffer *asnArr, HITLS_X509_Cert *cert)
242 {
243 int32_t ret;
244 // version: default is 0
245 if (asnArr[HITLS_X509_CERT_VERSION_IDX].tag != 0) {
246 ret = BSL_ASN1_DecodePrimitiveItem(&asnArr[HITLS_X509_CERT_VERSION_IDX], &cert->tbs.version);
247 if (ret != BSL_SUCCESS) {
248 BSL_ERR_PUSH_ERROR(ret);
249 return ret;
250 }
251 }
252
253 // serialNum
254 cert->tbs.serialNum = asnArr[HITLS_X509_CERT_SERIAL_IDX];
255
256 // sign alg
257 ret = HITLS_X509_ParseSignAlgInfo(&asnArr[HITLS_X509_CERT_TBS_SIGNALG_OID_IDX],
258 &asnArr[HITLS_X509_CERT_TBS_SIGNALG_ANY_IDX], &cert->tbs.signAlgId);
259 if (ret != HITLS_PKI_SUCCESS) {
260 BSL_ERR_PUSH_ERROR(ret);
261 return ret;
262 }
263
264 // issuer name
265 ret = HITLS_X509_ParseNameList(&asnArr[HITLS_X509_CERT_ISSUER_IDX], cert->tbs.issuerName);
266 if (ret != HITLS_PKI_SUCCESS) {
267 BSL_ERR_PUSH_ERROR(ret);
268 return ret;
269 }
270
271 // validity
272 ret = HITLS_X509_ParseTime(&asnArr[HITLS_X509_CERT_BEFORE_VALID_IDX], &asnArr[HITLS_X509_CERT_AFTER_VALID_IDX],
273 &cert->tbs.validTime);
274 if (ret != BSL_SUCCESS) {
275 BSL_ERR_PUSH_ERROR(ret);
276 goto ERR;
277 }
278
279 // subject name
280 ret = HITLS_X509_ParseNameList(&asnArr[HITLS_X509_CERT_SUBJECT_IDX], cert->tbs.subjectName);
281 if (ret != HITLS_PKI_SUCCESS) {
282 BSL_ERR_PUSH_ERROR(ret);
283 goto ERR;
284 }
285
286 // subject public key info
287 BSL_Buffer subPubKeyBuff = {asnArr[HITLS_X509_CERT_SUBKEYINFO_IDX].buff,
288 asnArr[HITLS_X509_CERT_SUBKEYINFO_IDX].len};
289 ret = CRYPT_EAL_ProviderDecodeBuffKey(cert->libCtx, cert->attrName, BSL_CID_UNKNOWN, "ASN1",
290 "PUBKEY_SUBKEY_WITHOUT_SEQ", &subPubKeyBuff, NULL, (CRYPT_EAL_PkeyCtx **)&cert->tbs.ealPubKey);
291 if (ret != CRYPT_SUCCESS) {
292 BSL_ERR_PUSH_ERROR(ret);
293 goto ERR;
294 }
295
296 // ext
297 ret = HITLS_X509_ParseExt(&asnArr[HITLS_X509_CERT_EXT_IDX], &cert->tbs.ext);
298 if (ret != BSL_SUCCESS) {
299 BSL_ERR_PUSH_ERROR(ret);
300 goto ERR;
301 }
302
303 return ret;
304 ERR:
305 if (cert->tbs.ealPubKey != NULL) {
306 CRYPT_EAL_PkeyFreeCtx(cert->tbs.ealPubKey);
307 cert->tbs.ealPubKey = NULL;
308 }
309 BSL_LIST_DeleteAll(cert->tbs.issuerName, NULL);
310 BSL_LIST_DeleteAll(cert->tbs.subjectName, NULL);
311 return ret;
312 }
313
HITLS_X509_ParseAsn1Cert(uint8_t * encode,uint32_t encodeLen,HITLS_X509_Cert * cert)314 int32_t HITLS_X509_ParseAsn1Cert(uint8_t *encode, uint32_t encodeLen, HITLS_X509_Cert *cert)
315 {
316 uint8_t *temp = encode;
317 uint32_t tempLen = encodeLen;
318 cert->rawData = encode; // cert takes over the encode immediately.
319 if ((cert->flag & HITLS_X509_CERT_GEN_FLAG) != 0) {
320 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
321 return HITLS_X509_ERR_INVALID_PARAM;
322 }
323 // template parse
324 BSL_ASN1_Buffer asnArr[HITLS_X509_CERT_MAX_IDX] = {0};
325 BSL_ASN1_Template templ = {g_certTempl, sizeof(g_certTempl) / sizeof(g_certTempl[0])};
326 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, HITLS_X509_CertTagGetOrCheck,
327 &temp, &tempLen, asnArr, HITLS_X509_CERT_MAX_IDX);
328 if (ret != BSL_SUCCESS) {
329 BSL_ERR_PUSH_ERROR(ret);
330 return ret;
331 }
332 // parse tbs raw data
333 ret = HITLS_X509_ParseTbsRawData(encode, encodeLen, &cert->tbs.tbsRawData, &cert->tbs.tbsRawDataLen);
334 if (ret != HITLS_PKI_SUCCESS) {
335 BSL_ERR_PUSH_ERROR(ret);
336 return ret;
337 }
338 // parse tbs
339 ret = HITLS_X509_ParseCertTbs(asnArr, cert);
340 if (ret != HITLS_PKI_SUCCESS) {
341 BSL_ERR_PUSH_ERROR(ret);
342 return ret;
343 }
344 // parse sign alg
345 ret = HITLS_X509_ParseSignAlgInfo(&asnArr[HITLS_X509_CERT_SIGNALG_IDX],
346 &asnArr[HITLS_X509_CERT_SIGNALG_ANY_IDX], &cert->signAlgId);
347 if (ret != HITLS_PKI_SUCCESS) {
348 BSL_ERR_PUSH_ERROR(ret);
349 goto ERR;
350 }
351 // parse signature
352 ret = BSL_ASN1_DecodePrimitiveItem(&asnArr[HITLS_X509_CERT_SIGN_IDX], &cert->signature);
353 if (ret != BSL_SUCCESS) {
354 BSL_ERR_PUSH_ERROR(ret);
355 goto ERR;
356 }
357 cert->rawDataLen = encodeLen - tempLen;
358 cert->flag |= HITLS_X509_CERT_PARSE_FLAG;
359 return HITLS_PKI_SUCCESS;
360 ERR:
361 CRYPT_EAL_PkeyFreeCtx(cert->tbs.ealPubKey);
362 cert->tbs.ealPubKey = NULL;
363 BSL_LIST_DeleteAll(cert->tbs.issuerName, NULL);
364 BSL_LIST_DeleteAll(cert->tbs.subjectName, NULL);
365 BSL_LIST_DeleteAll(cert->tbs.ext.extList, NULL);
366 return ret;
367 }
368
HITLS_X509_CertMulParseBuff(CRYPT_EAL_LibCtx * libCtx,const char * attrName,int32_t format,const BSL_Buffer * encode,HITLS_X509_List ** certlist)369 int32_t HITLS_X509_CertMulParseBuff(CRYPT_EAL_LibCtx *libCtx, const char *attrName, int32_t format,
370 const BSL_Buffer *encode, HITLS_X509_List **certlist)
371 {
372 int32_t ret;
373 if (encode == NULL || encode->data == NULL || encode->dataLen == 0 || certlist == NULL) {
374 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
375 return HITLS_X509_ERR_INVALID_PARAM;
376 }
377 X509_ParseFuncCbk certCbk = {
378 .asn1Parse = (HITLS_X509_Asn1Parse)HITLS_X509_ParseAsn1Cert,
379 .x509ProviderNew = (HITLS_X509_ProviderNew)HITLS_X509_ProviderCertNew,
380 .x509Free = (HITLS_X509_Free)HITLS_X509_CertFree
381 };
382 HITLS_X509_List *list = BSL_LIST_New(sizeof(HITLS_X509_Cert));
383 if (list == NULL) {
384 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
385 return BSL_MALLOC_FAIL;
386 }
387
388 ret = HITLS_X509_ParseX509(libCtx, attrName, format, encode, true, &certCbk, list);
389 if (ret != HITLS_PKI_SUCCESS) {
390 BSL_LIST_FREE(list, (BSL_LIST_PFUNC_FREE)HITLS_X509_CertFree);
391 BSL_ERR_PUSH_ERROR(ret);
392 return ret;
393 }
394 *certlist = list;
395 return ret;
396 }
397
ProviderCertParseBuffInternal(HITLS_PKI_LibCtx * libCtx,const char * attrName,int32_t format,const BSL_Buffer * encode,HITLS_X509_Cert ** cert)398 static int32_t ProviderCertParseBuffInternal(HITLS_PKI_LibCtx *libCtx, const char *attrName, int32_t format,
399 const BSL_Buffer *encode, HITLS_X509_Cert **cert)
400 {
401 HITLS_X509_List *list = NULL;
402 if (cert == NULL || *cert != NULL) {
403 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
404 return HITLS_X509_ERR_INVALID_PARAM;
405 }
406 int32_t ret = HITLS_X509_CertMulParseBuff(libCtx, attrName, format, encode, &list);
407 if (ret != HITLS_PKI_SUCCESS) {
408 BSL_ERR_PUSH_ERROR(ret);
409 return ret;
410 }
411 HITLS_X509_Cert *tmp = BSL_LIST_GET_FIRST(list);
412 int ref;
413 ret = HITLS_X509_CertCtrl(tmp, HITLS_X509_REF_UP, &ref, sizeof(int));
414 BSL_LIST_FREE(list, (BSL_LIST_PFUNC_FREE)HITLS_X509_CertFree);
415 if (ret != HITLS_PKI_SUCCESS) {
416 return ret;
417 }
418 *cert = tmp;
419 return HITLS_PKI_SUCCESS;
420 }
421
HITLS_X509_CertParseBuff(int32_t format,const BSL_Buffer * encode,HITLS_X509_Cert ** cert)422 int32_t HITLS_X509_CertParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_Cert **cert)
423 {
424 return ProviderCertParseBuffInternal(NULL, NULL, format, encode, cert);
425 }
426
427 #ifdef HITLS_BSL_SAL_FILE
ProviderCertParseBundleFileInternal(HITLS_PKI_LibCtx * libCtx,const char * attrName,int32_t format,const char * path,HITLS_X509_List ** certlist)428 static int32_t ProviderCertParseBundleFileInternal(HITLS_PKI_LibCtx *libCtx, const char *attrName, int32_t format,
429 const char *path, HITLS_X509_List **certlist)
430 {
431 uint8_t *data = NULL;
432 uint32_t dataLen = 0;
433 int32_t ret = BSL_SAL_ReadFile(path, &data, &dataLen);
434 if (ret != BSL_SUCCESS) {
435 return ret;
436 }
437
438 BSL_Buffer encode = {data, dataLen};
439 ret = HITLS_X509_CertMulParseBuff(libCtx, attrName, format, &encode, certlist);
440 BSL_SAL_Free(data);
441 return ret;
442 }
443
HITLS_X509_CertParseFile(int32_t format,const char * path,HITLS_X509_Cert ** cert)444 int32_t HITLS_X509_CertParseFile(int32_t format, const char *path, HITLS_X509_Cert **cert)
445 {
446 uint8_t *data = NULL;
447 uint32_t dataLen = 0;
448 int32_t ret = BSL_SAL_ReadFile(path, &data, &dataLen);
449 if (ret != BSL_SUCCESS) {
450 BSL_ERR_PUSH_ERROR(ret);
451 return ret;
452 }
453
454 BSL_Buffer encode = {data, dataLen};
455 ret = ProviderCertParseBuffInternal(NULL, NULL, format, &encode, cert);
456 BSL_SAL_Free(data);
457 return ret;
458 }
459
HITLS_X509_CertParseBundleFile(int32_t format,const char * path,HITLS_X509_List ** certlist)460 int32_t HITLS_X509_CertParseBundleFile(int32_t format, const char *path, HITLS_X509_List **certlist)
461 {
462 return ProviderCertParseBundleFileInternal(NULL, NULL, format, path, certlist);
463 }
464 #endif // HITLS_BSL_SAL_FILE
465 #endif // HITLS_PKI_X509_CRT_PARSE
466
467 #ifdef HITLS_PKI_INFO
468 /* RFC2253 https://www.rfc-editor.org/rfc/rfc2253 */
GetDistinguishNameStrFromList(BSL_ASN1_List * nameList,BSL_Buffer * buff)469 static int32_t GetDistinguishNameStrFromList(BSL_ASN1_List *nameList, BSL_Buffer *buff)
470 {
471 int64_t writeNum = 0;
472 uint8_t *dnBuf = NULL;
473 uint32_t dnBufLen = 0;
474 BSL_UIO *bufUio = BSL_UIO_New(BSL_UIO_MemMethod());
475 if (bufUio == NULL) {
476 BSL_ERR_PUSH_ERROR(HITLS_PRINT_ERR_UIO);
477 return HITLS_PRINT_ERR_UIO;
478 }
479 int32_t ret = HITLS_PKI_PrintCtrl(HITLS_PKI_PRINT_DN, nameList, sizeof(BslList), bufUio);
480 if (ret != HITLS_PKI_SUCCESS) {
481 goto ERR;
482 }
483 ret = BSL_UIO_Ctrl(bufUio, BSL_UIO_GET_WRITE_NUM, (int32_t)sizeof(writeNum), (void *)&writeNum);
484 if (ret != BSL_SUCCESS) {
485 goto ERR;
486 }
487 dnBuf = BSL_SAL_Calloc(writeNum + 1, sizeof(uint8_t));
488 if (dnBuf == NULL) {
489 ret = BSL_MALLOC_FAIL;
490 goto ERR;
491 }
492 ret = BSL_UIO_Read(bufUio, dnBuf, writeNum + 1, &dnBufLen);
493 BSL_UIO_Free(bufUio);
494 if (ret != BSL_SUCCESS || dnBufLen != writeNum) {
495 ret = HITLS_PRINT_ERR_UIO;
496 goto ERR;
497 }
498 buff->data = dnBuf;
499 buff->dataLen = dnBufLen;
500 return HITLS_PKI_SUCCESS;
501 ERR:
502 BSL_SAL_Free(dnBuf);
503 BSL_UIO_Free(bufUio);
504 BSL_ERR_PUSH_ERROR(ret);
505 return ret;
506 }
507
X509_GetDistinguishNameStr(HITLS_X509_Cert * cert,BSL_Buffer * val,int32_t opt)508 static int32_t X509_GetDistinguishNameStr(HITLS_X509_Cert *cert, BSL_Buffer *val, int32_t opt)
509 {
510 if (val == NULL) {
511 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
512 return HITLS_X509_ERR_INVALID_PARAM;
513 }
514 switch (opt) {
515 case HITLS_X509_ISSUER_DN_NAME:
516 return GetDistinguishNameStrFromList(cert->tbs.issuerName, val);
517 case HITLS_X509_SUBJECT_DN_NAME:
518 return GetDistinguishNameStrFromList(cert->tbs.subjectName, val);
519 default:
520 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
521 return HITLS_X509_ERR_INVALID_PARAM;
522 }
523 }
524
GetAsn1SerialNumStr(const BSL_ASN1_Buffer * number,BSL_Buffer * val)525 static int32_t GetAsn1SerialNumStr(const BSL_ASN1_Buffer *number, BSL_Buffer *val)
526 {
527 if (number == NULL || number->buff == NULL || number->len == 0 || number->tag != BSL_ASN1_TAG_INTEGER ||
528 val == NULL) {
529 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
530 return HITLS_X509_ERR_INVALID_PARAM;
531 }
532
533 for (size_t i = 0; i < number->len - 1; i++) {
534 if (sprintf_s((char *)&val->data[3 * i], val->dataLen - 3 * i, "%02x:", number->buff[i]) == -1) { // 3: "xx:"
535 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_INVALID_SERIAL_NUM);
536 return HITLS_X509_ERR_CERT_INVALID_SERIAL_NUM;
537 }
538 }
539 size_t index = 3 * (number->len - 1); // 3: "xx:"
540 if (sprintf_s((char *)&val->data[index], val->dataLen - index, "%02x", number->buff[number->len - 1]) == -1) {
541 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_INVALID_SERIAL_NUM);
542 return HITLS_X509_ERR_CERT_INVALID_SERIAL_NUM;
543 }
544 val->dataLen = 3 * number->len - 1; // 3: "xx:"
545 return HITLS_PKI_SUCCESS;
546 }
547
X509_GetSerialNumStr(HITLS_X509_Cert * cert,BSL_Buffer * val)548 static int32_t X509_GetSerialNumStr(HITLS_X509_Cert *cert, BSL_Buffer *val)
549 {
550 if (val == NULL || cert->tbs.serialNum.buff == NULL) {
551 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
552 return HITLS_X509_ERR_INVALID_PARAM;
553 }
554 BSL_ASN1_Buffer serialNum = cert->tbs.serialNum;
555 val->data = BSL_SAL_Calloc(serialNum.len * 3, sizeof(uint8_t));
556 if (val->data == NULL) {
557 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
558 return BSL_MALLOC_FAIL;
559 }
560 val->dataLen = serialNum.len * 3;
561 int32_t ret = GetAsn1SerialNumStr(&serialNum, val);
562 if (ret != HITLS_PKI_SUCCESS) {
563 BSL_SAL_FREE(val->data);
564 val->dataLen = 0;
565 }
566
567 return ret;
568 }
569
570 // rfc822: https://www.w3.org/Protocols/rfc822/
571 static const char g_monAsn1Str[12][4] = {
572 "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
573 };
GetAsn1BslTimeStr(const BSL_TIME * time,BSL_Buffer * val)574 static int32_t GetAsn1BslTimeStr(const BSL_TIME *time, BSL_Buffer *val)
575 {
576 if (time == NULL) {
577 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
578 return HITLS_X509_ERR_INVALID_PARAM;
579 }
580 val->data = BSL_SAL_Calloc(PRINT_TIME_MAX_SIZE, sizeof(uint8_t));
581 if (val->data == NULL) {
582 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
583 return BSL_MALLOC_FAIL;
584 }
585 if (sprintf_s((char *)val->data, PRINT_TIME_MAX_SIZE, "%s %u %02u:%02u:%02u %u%s",
586 g_monAsn1Str[time->month - 1], time->day, time->hour, time->minute, time->second, time->year, " GMT") == -1) {
587 BSL_SAL_FREE(val->data);
588 val->dataLen = 0;
589 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_INVALID_TIME);
590 return HITLS_X509_ERR_CERT_INVALID_TIME;
591 }
592 val->dataLen = (uint32_t)strlen((char *)val->data);
593 return HITLS_PKI_SUCCESS;
594 }
595
X509_GetAsn1BslTimeStr(HITLS_X509_Cert * cert,BSL_Buffer * val,int32_t opt)596 static int32_t X509_GetAsn1BslTimeStr(HITLS_X509_Cert *cert, BSL_Buffer *val, int32_t opt)
597 {
598 if (val == NULL) {
599 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
600 return HITLS_X509_ERR_INVALID_PARAM;
601 }
602
603 switch (opt) {
604 case HITLS_X509_BEFORE_TIME:
605 return GetAsn1BslTimeStr(&cert->tbs.validTime.start, val);
606 case HITLS_X509_AFTER_TIME:
607 return GetAsn1BslTimeStr(&cert->tbs.validTime.end, val);
608 default:
609 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
610 return HITLS_X509_ERR_INVALID_PARAM;
611 }
612 }
613 #endif // HITLS_PKI_INFO
614
X509_CertGetCtrl(HITLS_X509_Cert * cert,int32_t cmd,void * val,uint32_t valLen)615 static int32_t X509_CertGetCtrl(HITLS_X509_Cert *cert, int32_t cmd, void *val, uint32_t valLen)
616 {
617 switch (cmd) {
618 case HITLS_X509_GET_ENCODELEN:
619 return HITLS_X509_GetEncodeLen(cert->rawDataLen, val, valLen);
620 case HITLS_X509_GET_ENCODE:
621 return HITLS_X509_GetEncodeData(cert->rawData, val);
622 case HITLS_X509_GET_PUBKEY:
623 return HITLS_X509_GetPubKey(cert->tbs.ealPubKey, val);
624 case HITLS_X509_GET_SIGNALG:
625 return HITLS_X509_GetSignAlg(cert->signAlgId.algId, val, valLen);
626 case HITLS_X509_GET_SIGN_MDALG:
627 return HITLS_X509_GetSignMdAlg(&cert->signAlgId, val, (int32_t)valLen);
628 case HITLS_X509_GET_SUBJECT_DN:
629 return HITLS_X509_GetList(cert->tbs.subjectName, val, valLen);
630 case HITLS_X509_GET_ISSUER_DN:
631 return HITLS_X509_GetList(cert->tbs.issuerName, val, valLen);
632 case HITLS_X509_GET_SERIALNUM:
633 return HITLS_X509_GetSerial(&cert->tbs.serialNum, val, valLen);
634 #ifdef HITLS_PKI_INFO
635 case HITLS_X509_GET_SUBJECT_DN_STR:
636 return X509_GetDistinguishNameStr(cert, val, HITLS_X509_SUBJECT_DN_NAME);
637 case HITLS_X509_GET_ISSUER_DN_STR:
638 return X509_GetDistinguishNameStr(cert, val, HITLS_X509_ISSUER_DN_NAME);
639 case HITLS_X509_GET_SERIALNUM_STR:
640 return X509_GetSerialNumStr(cert, val);
641 case HITLS_X509_GET_BEFORE_TIME_STR:
642 return X509_GetAsn1BslTimeStr(cert, val, HITLS_X509_BEFORE_TIME);
643 case HITLS_X509_GET_AFTER_TIME_STR:
644 return X509_GetAsn1BslTimeStr(cert, val, HITLS_X509_AFTER_TIME);
645 #endif // HITLS_PKI_INFO
646 default:
647 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
648 return HITLS_X509_ERR_INVALID_PARAM;
649 }
650 }
651
652 #ifdef HITLS_PKI_X509_CRT_GEN
653 typedef bool (*SetParamCheck)(const void *val, uint32_t valLen);
654
VersionCheck(const void * val,uint32_t valLen)655 static bool VersionCheck(const void *val, uint32_t valLen)
656 {
657 return valLen == sizeof(int32_t) && *(const int32_t *)val >= HITLS_X509_VERSION_1 &&
658 *(const int32_t *)val <= HITLS_X509_VERSION_3;
659 }
660
TimeCheck(const void * val,uint32_t valLen)661 static bool TimeCheck(const void *val, uint32_t valLen)
662 {
663 (void)val;
664 return valLen == sizeof(BSL_TIME) && BSL_DateTimeCheck((const BSL_TIME *)val);
665 }
666
CertSet(void * dest,uint32_t size,void * val,uint32_t valLen,SetParamCheck check)667 static int32_t CertSet(void *dest, uint32_t size, void *val, uint32_t valLen, SetParamCheck check)
668 {
669 if (check(val, valLen) != true) {
670 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
671 return HITLS_X509_ERR_INVALID_PARAM;
672 }
673 (void)memcpy_s(dest, size, val, size);
674 return HITLS_PKI_SUCCESS;
675 }
676
677 #ifdef HITLS_PKI_X509_CSR
HITLS_X509_SetCsrExt(HITLS_X509_Ext * ext,HITLS_X509_Csr * csr)678 static int32_t HITLS_X509_SetCsrExt(HITLS_X509_Ext *ext, HITLS_X509_Csr *csr)
679 {
680 HITLS_X509_Ext *csrExt = NULL;
681 int32_t ret = HITLS_X509_AttrCtrl(
682 csr->reqInfo.attributes, HITLS_X509_ATTR_GET_REQUESTED_EXTENSIONS, &csrExt, sizeof(HITLS_X509_Ext *));
683 if (ret == HITLS_X509_ERR_ATTR_NOT_FOUND) {
684 return ret;
685 }
686 if (ret != HITLS_PKI_SUCCESS) {
687 BSL_ERR_PUSH_ERROR(ret);
688 return ret;
689 }
690 ret = HITLS_X509_ExtReplace(ext, csrExt);
691 X509_ExtFree(csrExt, true);
692 return ret;
693 }
694 #endif
695
X509_CertSetCtrl(HITLS_X509_Cert * cert,int32_t cmd,void * val,uint32_t valLen)696 static int32_t X509_CertSetCtrl(HITLS_X509_Cert *cert, int32_t cmd, void *val, uint32_t valLen)
697 {
698 if (val == NULL) {
699 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
700 return HITLS_X509_ERR_INVALID_PARAM;
701 }
702 if ((cert->flag & HITLS_X509_CERT_PARSE_FLAG) != 0) {
703 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_SET_AFTER_PARSE);
704 return HITLS_X509_ERR_SET_AFTER_PARSE;
705 }
706 cert->flag |= HITLS_X509_CERT_GEN_FLAG;
707 cert->state = HITLS_X509_CERT_STATE_SET;
708 int32_t ret;
709 switch (cmd) {
710 case HITLS_X509_SET_VERSION:
711 return CertSet(&cert->tbs.version, sizeof(int32_t), val, valLen, VersionCheck);
712 case HITLS_X509_SET_SERIALNUM:
713 return HITLS_X509_SetSerial(&cert->tbs.serialNum, val, valLen);
714 case HITLS_X509_SET_BEFORE_TIME:
715 ret = CertSet(&cert->tbs.validTime.start, sizeof(BSL_TIME), val, valLen, TimeCheck);
716 if (ret == HITLS_PKI_SUCCESS) {
717 cert->tbs.validTime.flag |= BSL_TIME_BEFORE_SET;
718 cert->tbs.validTime.flag |=
719 cert->tbs.validTime.start.year <= BSL_TIME_UTC_MAX_YEAR ? BSL_TIME_BEFORE_IS_UTC : 0;
720 }
721 return ret;
722 case HITLS_X509_SET_AFTER_TIME:
723 ret = CertSet(&cert->tbs.validTime.end, sizeof(BSL_TIME), val, valLen, TimeCheck);
724 if (ret == HITLS_PKI_SUCCESS) {
725 cert->tbs.validTime.flag |= BSL_TIME_AFTER_SET;
726 cert->tbs.validTime.flag |=
727 cert->tbs.validTime.end.year <= BSL_TIME_UTC_MAX_YEAR ? BSL_TIME_AFTER_IS_UTC : 0;
728 }
729 return ret;
730 case HITLS_X509_SET_PUBKEY:
731 return HITLS_X509_SetPkey(&cert->tbs.ealPubKey, val);
732 case HITLS_X509_SET_ISSUER_DN:
733 return HITLS_X509_SetNameList(&cert->tbs.issuerName, val, valLen);
734 case HITLS_X509_SET_SUBJECT_DN:
735 return HITLS_X509_SetNameList(&cert->tbs.subjectName, val, valLen);
736 #ifdef HITLS_PKI_X509_CSR
737 case HITLS_X509_SET_CSR_EXT:
738 return HITLS_X509_SetCsrExt(&cert->tbs.ext, val);
739 #endif
740 default:
741 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
742 return HITLS_X509_ERR_INVALID_PARAM;
743 }
744 }
745 #endif // HITLS_PKI_X509_CRT_GEN
746
HITLS_X509_CertCtrl(HITLS_X509_Cert * cert,int32_t cmd,void * val,uint32_t valLen)747 int32_t HITLS_X509_CertCtrl(HITLS_X509_Cert *cert, int32_t cmd, void *val, uint32_t valLen)
748 {
749 if (cert == NULL) {
750 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
751 return HITLS_X509_ERR_INVALID_PARAM;
752 }
753 if (cmd == HITLS_X509_REF_UP) {
754 return HITLS_X509_RefUp(&cert->references, val, valLen);
755 } else if (cmd >= HITLS_X509_GET_ENCODELEN && cmd < HITLS_X509_SET_VERSION) {
756 return X509_CertGetCtrl(cert, cmd, val, valLen);
757 #ifdef HITLS_PKI_X509_CRT_GEN
758 } else if (cmd >= HITLS_X509_SET_VERSION && cmd < HITLS_X509_EXT_SET_SKI) {
759 return X509_CertSetCtrl(cert, cmd, val, valLen);
760 #endif
761 } else if (cmd <= HITLS_X509_EXT_CHECK_SKI) {
762 static int32_t cmdSet[] = {HITLS_X509_EXT_SET_SKI, HITLS_X509_EXT_SET_AKI, HITLS_X509_EXT_SET_KUSAGE,
763 HITLS_X509_EXT_SET_SAN, HITLS_X509_EXT_SET_BCONS, HITLS_X509_EXT_SET_EXKUSAGE, HITLS_X509_EXT_GET_SKI,
764 HITLS_X509_EXT_GET_AKI, HITLS_X509_EXT_CHECK_SKI, HITLS_X509_EXT_GET_KUSAGE};
765 if (!X509_CheckCmdValid(cmdSet, sizeof(cmdSet) / sizeof(int32_t), cmd)) {
766 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_EXT_UNSUPPORT);
767 return HITLS_X509_ERR_EXT_UNSUPPORT;
768 }
769 return X509_ExtCtrl(&cert->tbs.ext, cmd, val, valLen);
770 } else {
771 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
772 return HITLS_X509_ERR_INVALID_PARAM;
773 }
774 }
775
776 #ifdef HITLS_PKI_X509_CRT_PARSE
HITLS_X509_CertDup(HITLS_X509_Cert * src)777 HITLS_X509_Cert *HITLS_X509_CertDup(HITLS_X509_Cert *src)
778 {
779 if (src == NULL) {
780 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
781 return NULL;
782 }
783 HITLS_X509_Cert *tempCert = NULL;
784 BSL_Buffer encode = {src->rawData, src->rawDataLen};
785 int32_t ret = HITLS_X509_ProviderCertParseBuff(src->libCtx, src->attrName, "ASN1", &encode, &tempCert);
786 if (ret != HITLS_PKI_SUCCESS) {
787 BSL_ERR_PUSH_ERROR(ret);
788 return NULL;
789 }
790 return tempCert;
791 }
792 #endif // HITLS_PKI_X509_CRT_PARSE
793
794 #ifdef HITLS_PKI_X509_VFY
795 /**
796 * Confirm whether the certificate is the issuer of the current certificate
797 * 1. Check if the issueName matches the subjectName
798 * 2. Is the issuer certificate a CA
799 * 3. Check if the algorithm of the issuer certificate matches that of the sub certificate
800 * 4. Check if the certificate keyusage has a certificate sign
801 */
HITLS_X509_CheckIssued(HITLS_X509_Cert * issue,HITLS_X509_Cert * subject,bool * res)802 int32_t HITLS_X509_CheckIssued(HITLS_X509_Cert *issue, HITLS_X509_Cert *subject, bool *res)
803 {
804 int32_t ret = HITLS_X509_CmpNameNode(issue->tbs.subjectName, subject->tbs.issuerName);
805 if (ret != HITLS_PKI_SUCCESS) {
806 *res = false;
807 return HITLS_PKI_SUCCESS;
808 }
809 if (issue->tbs.version == HITLS_X509_VERSION_3 && subject->tbs.version == HITLS_X509_VERSION_3) {
810 ret = HITLS_X509_CheckAki(&issue->tbs.ext, &subject->tbs.ext, issue->tbs.issuerName, &issue->tbs.serialNum);
811 if (ret != HITLS_PKI_SUCCESS && ret != HITLS_X509_ERR_VFY_AKI_SKI_NOT_MATCH) {
812 return ret;
813 }
814 if (ret == HITLS_X509_ERR_VFY_AKI_SKI_NOT_MATCH) {
815 *res = false;
816 return HITLS_PKI_SUCCESS;
817 }
818 }
819
820 /**
821 * If the basic constraints extension is not present in a version 3 certificate,
822 * or the extension is present but the cA boolean is not asserted,
823 * then the certified public key MUST NOT be used to verify certificate signatures.
824 */
825 HITLS_X509_CertExt *certExt = (HITLS_X509_CertExt *)issue->tbs.ext.extData;
826 if (issue->tbs.version == HITLS_X509_VERSION_3 && (certExt->extFlags & HITLS_X509_EXT_FLAG_BCONS) == 0 &&
827 !certExt->isCa) {
828 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_NOT_CA);
829 return HITLS_X509_ERR_CERT_NOT_CA;
830 }
831
832 ret = HITLS_X509_CheckAlg(issue->tbs.ealPubKey, &subject->tbs.signAlgId);
833 if (ret != HITLS_PKI_SUCCESS) {
834 BSL_ERR_PUSH_ERROR(ret);
835 return ret;
836 }
837 /**
838 * Conforming CAs MUST include this extension
839 * in certificates that contain public keys that are used to validate digital signatures on
840 * other public key certificates or CRLs.
841 */
842 if ((certExt->extFlags & HITLS_X509_EXT_FLAG_KUSAGE) != 0) {
843 if (((certExt->keyUsage & HITLS_X509_EXT_KU_KEY_CERT_SIGN)) == 0) {
844 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_VFY_KU_NO_CERTSIGN);
845 return HITLS_X509_ERR_VFY_KU_NO_CERTSIGN;
846 }
847 }
848 *res = true;
849 return HITLS_PKI_SUCCESS;
850 }
851
HITLS_X509_CertIsCA(HITLS_X509_Cert * cert)852 bool HITLS_X509_CertIsCA(HITLS_X509_Cert *cert)
853 {
854 HITLS_X509_CertExt *certExt = (HITLS_X509_CertExt *)cert->tbs.ext.extData;
855 if (cert->tbs.version == HITLS_X509_VERSION_3) {
856 if ((certExt->extFlags & HITLS_X509_EXT_FLAG_BCONS) == 0) {
857 return false;
858 } else {
859 return certExt->isCa;
860 }
861 }
862 return true;
863 }
864 #endif // HITLS_PKI_X509_VFY
865
866 #ifdef HITLS_PKI_X509_CRT_GEN
EncodeTbsItems(HITLS_X509_CertTbs * tbs,BSL_ASN1_Buffer * signAlg,BSL_ASN1_Buffer * issuer,BSL_ASN1_Buffer * subject,BSL_ASN1_Buffer * pubkey,BSL_ASN1_Buffer * ext)867 static int32_t EncodeTbsItems(HITLS_X509_CertTbs *tbs, BSL_ASN1_Buffer *signAlg, BSL_ASN1_Buffer *issuer,
868 BSL_ASN1_Buffer *subject, BSL_ASN1_Buffer *pubkey, BSL_ASN1_Buffer *ext)
869 {
870 BSL_Buffer pub = {0};
871 int32_t ret = HITLS_X509_EncodeSignAlgInfo(&tbs->signAlgId, signAlg);
872 if (ret != HITLS_PKI_SUCCESS) {
873 BSL_ERR_PUSH_ERROR(ret);
874 return ret;
875 }
876
877 ret = HITLS_X509_EncodeNameList(tbs->issuerName, issuer);
878 if (ret != HITLS_PKI_SUCCESS) {
879 BSL_ERR_PUSH_ERROR(ret);
880 goto ERR;
881 }
882 ret = HITLS_X509_EncodeNameList(tbs->subjectName, subject);
883 if (ret != HITLS_PKI_SUCCESS) {
884 BSL_ERR_PUSH_ERROR(ret);
885 goto ERR;
886 }
887 ret = CRYPT_EAL_EncodePubKeyBuffInternal(tbs->ealPubKey, BSL_FORMAT_ASN1, CRYPT_PUBKEY_SUBKEY, false, &pub);
888 if (ret != CRYPT_SUCCESS) {
889 BSL_ERR_PUSH_ERROR(ret);
890 goto ERR;
891 }
892
893 if (tbs->version == HITLS_X509_VERSION_3) {
894 ret = HITLS_X509_EncodeExt(BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED |
895 HITLS_CERT_CTX_SPECIFIC_TAG_EXTENSION, tbs->ext.extList, ext);
896 if (ret != HITLS_PKI_SUCCESS) {
897 BSL_ERR_PUSH_ERROR(ret);
898 goto ERR;
899 }
900 }
901 pubkey->buff = pub.data;
902 pubkey->len = pub.dataLen;
903 return ret;
904 ERR:
905 BSL_SAL_Free(signAlg->buff);
906 BSL_SAL_Free(issuer->buff);
907 BSL_SAL_Free(subject->buff);
908 BSL_SAL_Free(pub.data);
909 return ret;
910 }
911
912 BSL_ASN1_TemplateItem g_tbsTempl[] = {
913 /* version */
914 {BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED | HITLS_CERT_CTX_SPECIFIC_TAG_VER,
915 BSL_ASN1_FLAG_DEFAULT, 0},
916 {BSL_ASN1_TAG_INTEGER, BSL_ASN1_FLAG_DEFAULT, 1},
917 /* serial number */
918 {BSL_ASN1_TAG_INTEGER, 0, 0},
919 /* signature info */
920 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0},
921 /* issuer */
922 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 0},
923 /* validity */
924 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0},
925 {BSL_ASN1_TAG_CHOICE, 0, 1},
926 {BSL_ASN1_TAG_CHOICE, 0, 1},
927 /* subject ref: issuer */
928 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 0},
929 /* subject public key info ref signature info */
930 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY, 0},
931 /* Note!!: issuer id, subject id are not supported */
932 /* extension */
933 {BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED | HITLS_CERT_CTX_SPECIFIC_TAG_EXTENSION,
934 BSL_ASN1_FLAG_OPTIONAL | BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 0},
935 };
936 #define HITLS_X509_CERT_TBS_SIZE 9
937
EncodeTbsCertificate(HITLS_X509_CertTbs * tbs,BSL_ASN1_Buffer * tbsBuff)938 static int32_t EncodeTbsCertificate(HITLS_X509_CertTbs *tbs, BSL_ASN1_Buffer *tbsBuff)
939 {
940 BSL_ASN1_Buffer signAlg = {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, NULL};
941 BSL_ASN1_Buffer issuer = {0};
942 BSL_ASN1_Buffer subject = {0};
943 BSL_ASN1_Buffer pubkey = {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, NULL};
944 BSL_ASN1_Buffer ext = {BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED |
945 HITLS_CERT_CTX_SPECIFIC_TAG_EXTENSION, 0, NULL};
946
947 int32_t ret = EncodeTbsItems(tbs, &signAlg, &issuer, &subject, &pubkey, &ext);
948 if (ret != HITLS_PKI_SUCCESS) {
949 BSL_ERR_PUSH_ERROR(ret);
950 return ret;
951 }
952
953 uint8_t ver = (uint8_t)tbs->version;
954 BSL_ASN1_Template templ = {g_tbsTempl, sizeof(g_tbsTempl) / sizeof(g_tbsTempl[0])};
955 BSL_ASN1_Buffer asns[HITLS_X509_CERT_TBS_SIZE] = {
956 {BSL_ASN1_TAG_INTEGER, ver == HITLS_X509_VERSION_1 ? 0 : 1, ver == HITLS_X509_VERSION_1 ? NULL : &ver}, // 0
957 tbs->serialNum, // 1 serial number
958 signAlg, // 2 sigAlg
959 issuer, // 3 issuer
960 {(tbs->validTime.flag & BSL_TIME_BEFORE_IS_UTC) != 0 ? BSL_ASN1_TAG_UTCTIME : BSL_ASN1_TAG_GENERALIZEDTIME,
961 sizeof(BSL_TIME), (uint8_t *)&tbs->validTime.start}, // 4 start
962 {(tbs->validTime.flag & BSL_TIME_AFTER_IS_UTC) != 0 ? BSL_ASN1_TAG_UTCTIME : BSL_ASN1_TAG_GENERALIZEDTIME,
963 sizeof(BSL_TIME), (uint8_t *)&tbs->validTime.end}, // 5 end
964 subject, // 6 subject
965 pubkey, // 7 pubkey info
966 ext, // 8 extensions, only for v3
967 };
968 ret = BSL_ASN1_EncodeTemplate(&templ, asns, HITLS_X509_CERT_TBS_SIZE, &tbsBuff->buff, &tbsBuff->len);
969 BSL_SAL_Free(signAlg.buff);
970 BSL_SAL_Free(issuer.buff);
971 BSL_SAL_Free(subject.buff);
972 BSL_SAL_Free(pubkey.buff);
973 if (ver == HITLS_X509_VERSION_3 && ext.buff != NULL) {
974 BSL_SAL_Free(ext.buff);
975 }
976 return ret;
977 }
978
979 BSL_ASN1_TemplateItem g_briefCertTempl[] = {
980 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0}, /* x509 */
981 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 1}, /* tbs */
982 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 1}, /* signAlg */
983 {BSL_ASN1_TAG_BITSTRING, 0, 1} /* sig */
984 };
985
986 #define HITLS_X509_CERT_BRIEF_SIZE 3
987
EncodeAsn1Cert(HITLS_X509_Cert * cert)988 static int32_t EncodeAsn1Cert(HITLS_X509_Cert *cert)
989 {
990 if (cert->signature.buff == NULL || cert->signature.len == 0 ||
991 cert->tbs.tbsRawData == NULL || cert->tbs.tbsRawDataLen == 0) {
992 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_NOT_SIGNED);
993 return HITLS_X509_ERR_CERT_NOT_SIGNED;
994 }
995
996 BSL_ASN1_Buffer asns[HITLS_X509_CERT_BRIEF_SIZE] = {
997 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, cert->tbs.tbsRawDataLen, cert->tbs.tbsRawData},
998 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, NULL},
999 {BSL_ASN1_TAG_BITSTRING, sizeof(BSL_ASN1_BitString), (uint8_t *)&cert->signature},
1000 };
1001 uint32_t valLen = 0;
1002 int32_t ret = BSL_ASN1_DecodeTagLen(asns[0].tag, &asns[0].buff, &asns[0].len, &valLen); // 0 is tbs
1003 if (ret != HITLS_PKI_SUCCESS) {
1004 BSL_ERR_PUSH_ERROR(ret);
1005 return ret;
1006 }
1007
1008 ret = HITLS_X509_EncodeSignAlgInfo(&cert->signAlgId, &asns[1]); // 1 is signAlg
1009 if (ret != HITLS_PKI_SUCCESS) {
1010 BSL_ERR_PUSH_ERROR(ret);
1011 return ret;
1012 }
1013
1014 BSL_ASN1_Template templ = {g_briefCertTempl, sizeof(g_briefCertTempl) / sizeof(g_briefCertTempl[0])};
1015 ret = BSL_ASN1_EncodeTemplate(&templ, asns, HITLS_X509_CERT_BRIEF_SIZE, &cert->rawData, &cert->rawDataLen);
1016 BSL_SAL_Free(asns[1].buff);
1017 return ret;
1018 }
1019
CheckCertTbs(HITLS_X509_Cert * cert)1020 static int32_t CheckCertTbs(HITLS_X509_Cert *cert)
1021 {
1022 if (cert == NULL) {
1023 return HITLS_X509_ERR_INVALID_PARAM;
1024 }
1025 if (BSL_LIST_COUNT(cert->tbs.ext.extList) > 0 && cert->tbs.version != HITLS_X509_VERSION_3) {
1026 return HITLS_X509_ERR_CERT_INACCURACY_VERSION;
1027 }
1028 if (cert->tbs.serialNum.buff == NULL || cert->tbs.serialNum.len == 0) {
1029 return HITLS_X509_ERR_CERT_INVALID_SERIAL_NUM;
1030 }
1031 if (BSL_LIST_COUNT(cert->tbs.issuerName) <= 0 || BSL_LIST_COUNT(cert->tbs.subjectName) <= 0) {
1032 return HITLS_X509_ERR_CERT_INVALID_DN;
1033 }
1034 if ((cert->tbs.validTime.flag & BSL_TIME_BEFORE_SET) == 0 || (cert->tbs.validTime.flag & BSL_TIME_AFTER_SET) == 0) {
1035 return HITLS_X509_ERR_CERT_INVALID_TIME;
1036 }
1037 int32_t ret = BSL_SAL_DateTimeCompare(&cert->tbs.validTime.start, &cert->tbs.validTime.end, NULL);
1038 if (ret != BSL_TIME_DATE_BEFORE && ret != BSL_TIME_CMP_EQUAL) {
1039 return HITLS_X509_ERR_CERT_START_TIME_LATER;
1040 }
1041 if (cert->tbs.ealPubKey == NULL) {
1042 return HITLS_X509_ERR_CERT_INVALID_PUBKEY;
1043 }
1044
1045 return HITLS_PKI_SUCCESS;
1046 }
1047
1048 /**
1049 * @brief Encode ASN.1 certificate
1050 *
1051 * @param cert [IN] Pointer to the certificate structure
1052 * @param buff [OUT] Pointer to the buffer.
1053 * If NULL, only the ASN.1 certificate is encoded.
1054 * If non-NULL, the DER encoding content of the certificate is stored in buff
1055 * @return int32_t Return value, 0 means success, other values mean failure
1056 */
HITLS_X509_EncodeAsn1Cert(HITLS_X509_Cert * cert,BSL_Buffer * buff)1057 static int32_t HITLS_X509_EncodeAsn1Cert(HITLS_X509_Cert *cert, BSL_Buffer *buff)
1058 {
1059 int32_t ret;
1060 if ((cert->flag & HITLS_X509_CERT_GEN_FLAG) != 0) {
1061 if (cert->state != HITLS_X509_CERT_STATE_SIGN && cert->state != HITLS_X509_CERT_STATE_GEN) {
1062 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_NOT_SIGNED);
1063 return HITLS_X509_ERR_CERT_NOT_SIGNED;
1064 }
1065 if (cert->state == HITLS_X509_CERT_STATE_SIGN) {
1066 ret = EncodeAsn1Cert(cert);
1067 if (ret != HITLS_PKI_SUCCESS) {
1068 BSL_ERR_PUSH_ERROR(ret);
1069 return ret;
1070 }
1071 cert->state = HITLS_X509_CERT_STATE_GEN;
1072 }
1073 }
1074 if (cert->rawData == NULL || cert->rawDataLen == 0) {
1075 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_NOT_SIGNED);
1076 return HITLS_X509_ERR_CERT_NOT_SIGNED;
1077 }
1078 if (buff == NULL) {
1079 return HITLS_PKI_SUCCESS;
1080 }
1081 buff->data = BSL_SAL_Dump(cert->rawData, cert->rawDataLen);
1082 if (buff->data == NULL) {
1083 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
1084 return BSL_DUMP_FAIL;
1085 }
1086 buff->dataLen = cert->rawDataLen;
1087 return HITLS_PKI_SUCCESS;
1088 }
1089
1090 #ifdef HITLS_BSL_PEM
HITLS_X509_EncodePemCert(HITLS_X509_Cert * cert,BSL_Buffer * buff)1091 int32_t HITLS_X509_EncodePemCert(HITLS_X509_Cert *cert, BSL_Buffer *buff)
1092 {
1093 int32_t ret = HITLS_X509_EncodeAsn1Cert(cert, NULL);
1094 if (ret != HITLS_PKI_SUCCESS) {
1095 BSL_ERR_PUSH_ERROR(ret);
1096 return ret;
1097 }
1098
1099 BSL_PEM_Symbol symbol = {BSL_PEM_CERT_BEGIN_STR, BSL_PEM_CERT_END_STR};
1100 return BSL_PEM_EncodeAsn1ToPem(cert->rawData, cert->rawDataLen, &symbol, (char **)&buff->data, &buff->dataLen);
1101 }
1102 #endif // HITLS_BSL_PEM
1103
HITLS_X509_CertGenBuff(int32_t format,HITLS_X509_Cert * cert,BSL_Buffer * buff)1104 int32_t HITLS_X509_CertGenBuff(int32_t format, HITLS_X509_Cert *cert, BSL_Buffer *buff)
1105 {
1106 if (cert == NULL || buff == NULL || buff->data != NULL) {
1107 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1108 return HITLS_X509_ERR_INVALID_PARAM;
1109 }
1110 switch (format) {
1111 case BSL_FORMAT_ASN1:
1112 return HITLS_X509_EncodeAsn1Cert(cert, buff);
1113 #ifdef HITLS_BSL_PEM
1114 case BSL_FORMAT_PEM:
1115 return HITLS_X509_EncodePemCert(cert, buff);
1116 #endif // HITLS_BSL_PEM
1117 default:
1118 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1119 return HITLS_X509_ERR_INVALID_PARAM;
1120 }
1121 }
1122
1123 #ifdef HITLS_BSL_SAL_FILE
HITLS_X509_CertGenFile(int32_t format,HITLS_X509_Cert * cert,const char * path)1124 int32_t HITLS_X509_CertGenFile(int32_t format, HITLS_X509_Cert *cert, const char *path)
1125 {
1126 if (path == NULL) {
1127 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1128 return HITLS_X509_ERR_INVALID_PARAM;
1129 }
1130
1131 BSL_Buffer encode = {0};
1132 int32_t ret = HITLS_X509_CertGenBuff(format, cert, &encode);
1133 if (ret != HITLS_PKI_SUCCESS) {
1134 BSL_ERR_PUSH_ERROR(ret);
1135 return ret;
1136 }
1137 ret = BSL_SAL_WriteFile(path, encode.data, encode.dataLen);
1138 BSL_SAL_Free(encode.data);
1139 return ret;
1140 }
1141 #endif // HITLS_BSL_SAL_FILE
1142
1143 #endif // HITLS_PKI_X509_CRT_GEN
1144
HITLS_X509_CertDigest(HITLS_X509_Cert * cert,CRYPT_MD_AlgId mdId,uint8_t * data,uint32_t * dataLen)1145 int32_t HITLS_X509_CertDigest(HITLS_X509_Cert *cert, CRYPT_MD_AlgId mdId, uint8_t *data, uint32_t *dataLen)
1146 {
1147 if (cert == NULL || data == NULL || dataLen == NULL) {
1148 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1149 return HITLS_X509_ERR_INVALID_PARAM;
1150 }
1151 if ((cert->flag & HITLS_X509_CERT_PARSE_FLAG) != 0 || (cert->state == HITLS_X509_CERT_STATE_GEN)) {
1152 return CRYPT_EAL_Md(mdId, cert->rawData, cert->rawDataLen, data, dataLen);
1153 }
1154
1155 #ifdef HITLS_PKI_X509_CRT_GEN
1156 int32_t ret = HITLS_X509_EncodeAsn1Cert(cert, NULL);
1157 if (ret != HITLS_PKI_SUCCESS) {
1158 BSL_ERR_PUSH_ERROR(ret);
1159 return ret;
1160 }
1161 return CRYPT_EAL_Md(mdId, cert->rawData, cert->rawDataLen, data, dataLen);
1162 #else
1163 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_FUNC_UNSUPPORT);
1164 return HITLS_X509_ERR_FUNC_UNSUPPORT;
1165 #endif
1166 }
1167
1168 #ifdef HITLS_PKI_X509_CRT_GEN
CertSignCb(int32_t mdId,CRYPT_EAL_PkeyCtx * pivKey,HITLS_X509_Asn1AlgId * signAlgId,HITLS_X509_Cert * cert)1169 static int32_t CertSignCb(int32_t mdId, CRYPT_EAL_PkeyCtx *pivKey, HITLS_X509_Asn1AlgId *signAlgId,
1170 HITLS_X509_Cert *cert)
1171 {
1172 BSL_ASN1_Buffer tbsAsn1 = {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, NULL};
1173 BSL_Buffer signBuff = {0};
1174
1175 cert->signAlgId = *signAlgId;
1176 cert->tbs.signAlgId = *signAlgId;
1177 int32_t ret = EncodeTbsCertificate(&cert->tbs, &tbsAsn1);
1178 if (ret != HITLS_PKI_SUCCESS) {
1179 BSL_ERR_PUSH_ERROR(ret);
1180 return ret;
1181 }
1182 ret = HITLS_X509_SignAsn1Data(pivKey, mdId, &tbsAsn1, &signBuff, &cert->signature);
1183 BSL_SAL_Free(tbsAsn1.buff);
1184 if (ret != HITLS_PKI_SUCCESS) {
1185 BSL_ERR_PUSH_ERROR(ret);
1186 return ret;
1187 }
1188
1189 cert->tbs.tbsRawData = signBuff.data;
1190 cert->tbs.tbsRawDataLen = signBuff.dataLen;
1191 cert->state = HITLS_X509_CERT_STATE_SIGN;
1192 return ret;
1193 }
1194
HITLS_X509_CertSign(int32_t mdId,const CRYPT_EAL_PkeyCtx * prvKey,const HITLS_X509_SignAlgParam * algParam,HITLS_X509_Cert * cert)1195 int32_t HITLS_X509_CertSign(int32_t mdId, const CRYPT_EAL_PkeyCtx *prvKey, const HITLS_X509_SignAlgParam *algParam,
1196 HITLS_X509_Cert *cert)
1197 {
1198 if (cert == NULL || prvKey == NULL) {
1199 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1200 return HITLS_X509_ERR_INVALID_PARAM;
1201 }
1202 if ((cert->flag & HITLS_X509_CERT_PARSE_FLAG) != 0) {
1203 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_SIGN_AFTER_PARSE);
1204 return HITLS_X509_ERR_SIGN_AFTER_PARSE;
1205 }
1206 if (cert->state == HITLS_X509_CERT_STATE_SIGN || cert->state == HITLS_X509_CERT_STATE_GEN) {
1207 return HITLS_PKI_SUCCESS;
1208 }
1209
1210 int32_t ret = CheckCertTbs(cert);
1211 if (ret != HITLS_PKI_SUCCESS) {
1212 BSL_ERR_PUSH_ERROR(ret);
1213 return ret;
1214 }
1215
1216 BSL_SAL_FREE(cert->signature.buff);
1217 cert->signature.len = 0;
1218 BSL_SAL_FREE(cert->tbs.tbsRawData);
1219 cert->tbs.tbsRawDataLen = 0;
1220 BSL_SAL_FREE(cert->rawData);
1221 cert->rawDataLen = 0;
1222 #ifdef HITLS_CRYPTO_SM2
1223 if (cert->signAlgId.algId == BSL_CID_SM2DSAWITHSM3) {
1224 BSL_SAL_FREE(cert->signAlgId.sm2UserId.data);
1225 cert->signAlgId.sm2UserId.dataLen = 0;
1226 }
1227 #endif
1228 return HITLS_X509_Sign(mdId, prvKey, algParam, cert, (HITLS_X509_SignCb)CertSignCb);
1229 }
1230 #endif // HITLS_PKI_X509_CRT_GEN
1231
HITLS_X509_ProviderCertNew(HITLS_PKI_LibCtx * libCtx,const char * attrName)1232 HITLS_X509_Cert *HITLS_X509_ProviderCertNew(HITLS_PKI_LibCtx *libCtx, const char *attrName)
1233 {
1234 HITLS_X509_Cert *cert = HITLS_X509_CertNew();
1235 if (cert == NULL) {
1236 return NULL;
1237 }
1238 cert->libCtx = libCtx;
1239 cert->attrName = attrName;
1240 return cert;
1241 }
1242
1243 #ifdef HITLS_PKI_X509_CRT_PARSE
HITLS_X509_ProviderCertParseBuff(HITLS_PKI_LibCtx * libCtx,const char * attrName,const char * format,const BSL_Buffer * encode,HITLS_X509_Cert ** cert)1244 int32_t HITLS_X509_ProviderCertParseBuff(HITLS_PKI_LibCtx *libCtx, const char *attrName, const char *format,
1245 const BSL_Buffer *encode, HITLS_X509_Cert **cert)
1246 {
1247 int32_t encodeFormat = CRYPT_EAL_GetEncodeFormat(format);
1248 return ProviderCertParseBuffInternal(libCtx, attrName, encodeFormat, encode, cert);
1249 }
1250
1251 #ifdef HITLS_BSL_SAL_FILE
HITLS_X509_ProviderCertParseFile(HITLS_PKI_LibCtx * libCtx,const char * attrName,const char * format,const char * path,HITLS_X509_Cert ** cert)1252 int32_t HITLS_X509_ProviderCertParseFile(HITLS_PKI_LibCtx *libCtx, const char *attrName, const char *format,
1253 const char *path, HITLS_X509_Cert **cert)
1254 {
1255 uint8_t *data = NULL;
1256 uint32_t dataLen = 0;
1257 int32_t ret = BSL_SAL_ReadFile(path, &data, &dataLen);
1258 if (ret != BSL_SUCCESS) {
1259 BSL_ERR_PUSH_ERROR(ret);
1260 return ret;
1261 }
1262
1263 BSL_Buffer encode = {data, dataLen};
1264 ret = HITLS_X509_ProviderCertParseBuff(libCtx, attrName, format, &encode, cert);
1265 BSL_SAL_Free(data);
1266 return ret;
1267 }
1268
HITLS_X509_ProviderCertParseBundleFile(HITLS_PKI_LibCtx * libCtx,const char * attrName,const char * format,const char * path,HITLS_X509_List ** certlist)1269 int32_t HITLS_X509_ProviderCertParseBundleFile(HITLS_PKI_LibCtx *libCtx, const char *attrName, const char *format,
1270 const char *path, HITLS_X509_List **certlist)
1271 {
1272 int32_t encodeFormat = CRYPT_EAL_GetEncodeFormat(format);
1273 return ProviderCertParseBundleFileInternal(libCtx, attrName, encodeFormat, path, certlist);
1274 }
1275 #endif // HITLS_BSL_SAL_FILE
1276 #endif // HITLS_PKI_X509_CRT_PARSE
1277 #endif // HITLS_PKI_X509_CRT
1278