1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15
16 #include "hitls_build.h"
17 #ifdef HITLS_PKI_X509_CRL
18 #include "securec.h"
19 #include "bsl_sal.h"
20 #include "bsl_obj_internal.h"
21 #include "bsl_log_internal.h"
22 #ifdef HITLS_BSL_PEM
23 #include "bsl_pem_internal.h"
24 #endif
25 #include "bsl_err_internal.h"
26 #include "sal_time.h"
27 #ifdef HITLS_BSL_SAL_FILE
28 #include "sal_file.h"
29 #endif
30 #include "crypt_errno.h"
31 #include "hitls_pki_errno.h"
32 #include "hitls_x509_local.h"
33 #include "hitls_crl_local.h"
34 #include "hitls_pki_crl.h"
35
36 #define HITLS_CRL_CTX_SPECIFIC_TAG_EXTENSION 0
37
38 #ifdef HITLS_PKI_X509_CRL_PARSE
39 BSL_ASN1_TemplateItem g_crlTempl[] = {
40 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0}, /* x509 */
41 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 1}, /* tbs */
42 /* 2: version */
43 {BSL_ASN1_TAG_INTEGER, BSL_ASN1_FLAG_DEFAULT, 2},
44 /* 2: signature info */
45 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 2},
46 {BSL_ASN1_TAG_OBJECT_ID, 0, 3},
47 {BSL_ASN1_TAG_ANY, BSL_ASN1_FLAG_OPTIONAL, 3}, // 6
48 /* 2: issuer */
49 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 2},
50 /* 2: validity */
51 {BSL_ASN1_TAG_CHOICE, 0, 2},
52 {BSL_ASN1_TAG_CHOICE, BSL_ASN1_FLAG_OPTIONAL, 2},
53 /* 2: revoked crl list */
54 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE,
55 BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME | BSL_ASN1_FLAG_OPTIONAL, 2},
56 /* 2: extension */
57 {BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED | HITLS_CRL_CTX_SPECIFIC_TAG_EXTENSION,
58 BSL_ASN1_FLAG_OPTIONAL | BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 2}, // 11
59 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 1}, /* signAlg */
60 {BSL_ASN1_TAG_OBJECT_ID, 0, 2},
61 {BSL_ASN1_TAG_ANY, BSL_ASN1_FLAG_OPTIONAL, 2},
62 {BSL_ASN1_TAG_BITSTRING, 0, 1} /* sig */
63 };
64
65 typedef enum {
66 HITLS_X509_CRL_VERSION_IDX,
67 HITLS_X509_CRL_TBS_SIGNALG_OID_IDX,
68 HITLS_X509_CRL_TBS_SIGNALG_ANY_IDX,
69 HITLS_X509_CRL_ISSUER_IDX,
70 HITLS_X509_CRL_BEFORE_VALID_IDX,
71 HITLS_X509_CRL_AFTER_VALID_IDX,
72 HITLS_X509_CRL_CRL_LIST_IDX,
73 HITLS_X509_CRL_EXT_IDX,
74 HITLS_X509_CRL_SIGNALG_IDX,
75 HITLS_X509_CRL_SIGNALG_ANY_IDX,
76 HITLS_X509_CRL_SIGN_IDX,
77 HITLS_X509_CRL_MAX_IDX,
78 } HITLS_X509_CRL_IDX;
79
HITLS_X509_CrlTagGetOrCheck(int32_t type,uint32_t idx,void * data,void * expVal)80 int32_t HITLS_X509_CrlTagGetOrCheck(int32_t type, uint32_t idx, void *data, void *expVal)
81 {
82 (void) idx;
83 switch (type) {
84 case BSL_ASN1_TYPE_CHECK_CHOICE_TAG: {
85 uint8_t tag = *(uint8_t *) data;
86 if ((tag == BSL_ASN1_TAG_UTCTIME) || (tag == BSL_ASN1_TAG_GENERALIZEDTIME)) {
87 *(uint8_t *) expVal = tag;
88 return BSL_SUCCESS;
89 }
90 return HITLS_X509_ERR_CHECK_TAG;
91 }
92 case BSL_ASN1_TYPE_GET_ANY_TAG: {
93 BSL_ASN1_Buffer *param = (BSL_ASN1_Buffer *) data;
94 BslOidString oidStr = {param->len, (char *)param->buff, 0};
95 BslCid cid = BSL_OBJ_GetCID(&oidStr);
96 if (cid == BSL_CID_UNKNOWN) {
97 return HITLS_X509_ERR_GET_ANY_TAG;
98 }
99 if (cid == BSL_CID_RSASSAPSS) {
100 // note: any It can be encoded empty or it can be null
101 *(uint8_t *) expVal = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE;
102 return BSL_SUCCESS;
103 } else {
104 *(uint8_t *) expVal = BSL_ASN1_TAG_NULL; // is null
105 return BSL_SUCCESS;
106 }
107 return HITLS_X509_ERR_GET_ANY_TAG;
108 }
109 default:
110 return HITLS_X509_ERR_INVALID_PARAM;
111 }
112 }
113 #endif // HITLS_PKI_X509_CRL_PARSE
114
HITLS_X509_CrlFree(HITLS_X509_Crl * crl)115 void HITLS_X509_CrlFree(HITLS_X509_Crl *crl)
116 {
117 if (crl == NULL) {
118 return;
119 }
120
121 int ret = 0;
122 BSL_SAL_AtomicDownReferences(&(crl->references), &ret);
123 if (ret > 0) {
124 return;
125 }
126 if ((crl->flag & HITLS_X509_CRL_GEN_FLAG) != 0) {
127 BSL_LIST_FREE(crl->tbs.issuerName, (BSL_LIST_PFUNC_FREE)HITLS_X509_FreeNameNode);
128 BSL_SAL_FREE(crl->tbs.tbsRawData);
129 BSL_SAL_FREE(crl->signature.buff);
130 } else {
131 BSL_LIST_FREE(crl->tbs.issuerName, NULL);
132 }
133 #ifdef HITLS_CRYPTO_SM2
134 if (crl->signAlgId.algId == BSL_CID_SM2DSAWITHSM3) {
135 BSL_SAL_FREE(crl->signAlgId.sm2UserId.data);
136 }
137 #endif
138 BSL_LIST_FREE(crl->tbs.revokedCerts, (BSL_LIST_PFUNC_FREE)HITLS_X509_CrlEntryFree);
139 X509_ExtFree(&crl->tbs.crlExt, false);
140 BSL_SAL_ReferencesFree(&(crl->references));
141 BSL_SAL_FREE(crl->rawData);
142 BSL_SAL_Free(crl);
143 return;
144 }
145
HITLS_X509_CrlNew(void)146 HITLS_X509_Crl *HITLS_X509_CrlNew(void)
147 {
148 HITLS_X509_Crl *crl = NULL;
149 BSL_ASN1_List *issuerName = NULL;
150 BSL_ASN1_List *entryList = NULL;
151 HITLS_X509_Ext *ext = NULL;
152 crl = (HITLS_X509_Crl *)BSL_SAL_Calloc(1, sizeof(HITLS_X509_Crl));
153 if (crl == NULL) {
154 return NULL;
155 }
156
157 issuerName = BSL_LIST_New(sizeof(HITLS_X509_NameNode));
158 if (issuerName == NULL) {
159 goto ERR;
160 }
161
162 entryList = BSL_LIST_New(sizeof(HITLS_X509_CrlEntry));
163 if (entryList == NULL) {
164 goto ERR;
165 }
166 ext = X509_ExtNew(&crl->tbs.crlExt, HITLS_X509_EXT_TYPE_CRL);
167 if (ext == NULL) {
168 goto ERR;
169 }
170 BSL_SAL_ReferencesInit(&(crl->references));
171 crl->tbs.issuerName = issuerName;
172 crl->tbs.revokedCerts = entryList;
173 crl->state = HITLS_X509_CRL_STATE_NEW;
174 return crl;
175 ERR:
176 BSL_SAL_Free(crl);
177 BSL_SAL_Free(issuerName);
178 BSL_SAL_Free(entryList);
179 return NULL;
180 }
181
182 #ifdef HITLS_PKI_X509_CRL_PARSE
HITLS_CRL_ParseExtAsnItem(uint32_t layer,BSL_ASN1_Buffer * asn,void * param,BSL_ASN1_List * list)183 int32_t HITLS_CRL_ParseExtAsnItem(uint32_t layer, BSL_ASN1_Buffer *asn, void *param, BSL_ASN1_List *list)
184 {
185 (void) param;
186 (void) layer;
187 HITLS_X509_ExtEntry extEntry = {0};
188 int32_t ret = HITLS_X509_ParseExtItem(asn, &extEntry);
189 if (ret != HITLS_PKI_SUCCESS) {
190 BSL_ERR_PUSH_ERROR(ret);
191 return ret;
192 }
193
194 return HITLS_X509_AddListItemDefault(&extEntry, sizeof(HITLS_X509_ExtEntry), list);
195 }
196
HITLS_CRL_ParseExtSeqof(uint32_t layer,BSL_ASN1_Buffer * asn,void * param,BSL_ASN1_List * list)197 int32_t HITLS_CRL_ParseExtSeqof(uint32_t layer, BSL_ASN1_Buffer *asn, void *param, BSL_ASN1_List *list)
198 {
199 if (layer == 1) {
200 return HITLS_PKI_SUCCESS;
201 }
202 return HITLS_CRL_ParseExtAsnItem(layer, asn, param, list);
203 }
204
HITLS_X509_ParseCrlExt(BSL_ASN1_Buffer * ext,HITLS_X509_Crl * crl)205 int32_t HITLS_X509_ParseCrlExt(BSL_ASN1_Buffer *ext, HITLS_X509_Crl *crl)
206 {
207 if ((crl->tbs.crlExt.flag & HITLS_X509_EXT_FLAG_GEN) != 0) {
208 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_EXT_PARSE_AFTER_SET);
209 return HITLS_X509_ERR_EXT_PARSE_AFTER_SET;
210 }
211 uint8_t expTag[] = {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE,
212 BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE};
213 BSL_ASN1_DecodeListParam listParam = {2, expTag};
214 int32_t ret = BSL_ASN1_DecodeListItem(&listParam, ext, &HITLS_CRL_ParseExtSeqof, crl, crl->tbs.crlExt.extList);
215 if (ret != BSL_SUCCESS) {
216 BSL_LIST_DeleteAll(crl->tbs.crlExt.extList, NULL);
217 BSL_ERR_PUSH_ERROR(ret);
218 return ret;
219 }
220 crl->tbs.crlExt.flag |= HITLS_X509_EXT_FLAG_PARSE;
221 return ret;
222 }
223
224 BSL_ASN1_TemplateItem g_crlEntryTempl[] = {
225 {BSL_ASN1_TAG_INTEGER, 0, 0},
226 {BSL_ASN1_TAG_CHOICE, 0, 0},
227 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_OPTIONAL | BSL_ASN1_FLAG_HEADERONLY, 0}
228 };
229
230 typedef enum {
231 HITLS_X509_CRLENTRY_NUM_IDX,
232 HITLS_X509_CRLENTRY_TIME_IDX,
233 HITLS_X509_CRLENTRY_EXT_IDX,
234 HITLS_X509_CRLENTRY_MAX_IDX
235 } HITLS_X509_CRLENTRY_IDX;
236 #endif // HITLS_PKI_X509_CRL_PARSE
237
HITLS_X509_CrlEntryChoiceCheck(int32_t type,uint32_t idx,void * data,void * expVal)238 int32_t HITLS_X509_CrlEntryChoiceCheck(int32_t type, uint32_t idx, void *data, void *expVal)
239 {
240 (void) idx;
241 (void) expVal;
242 if (type == BSL_ASN1_TYPE_CHECK_CHOICE_TAG) {
243 uint8_t tag = *(uint8_t *) data;
244 if ((tag & BSL_ASN1_TAG_UTCTIME) != 0 || (tag & BSL_ASN1_TAG_GENERALIZEDTIME) != 0) {
245 *(uint8_t *) expVal = tag;
246 return BSL_SUCCESS;
247 }
248 return HITLS_X509_ERR_CHECK_TAG;
249 }
250 return HITLS_X509_ERR_CHECK_TAG;
251 }
252
253 #ifdef HITLS_PKI_X509_CRL_PARSE
DecodeCrlRevokeExt(BSL_ASN1_Buffer * asnArr,HITLS_X509_CrlEntry * crlEntry)254 static int32_t DecodeCrlRevokeExt(BSL_ASN1_Buffer *asnArr, HITLS_X509_CrlEntry *crlEntry)
255 {
256 if (asnArr->buff == NULL) {
257 return HITLS_PKI_SUCCESS;
258 }
259 BslList *list = BSL_LIST_New(sizeof(HITLS_X509_ExtEntry));
260 if (list == NULL) {
261 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
262 return BSL_MALLOC_FAIL;
263 }
264 uint8_t expTag = (BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE);
265 BSL_ASN1_DecodeListParam listParam = {1, &expTag};
266 int32_t ret = BSL_ASN1_DecodeListItem(&listParam, asnArr, (BSL_ASN1_ParseListAsnItem)HITLS_CRL_ParseExtAsnItem,
267 NULL, list);
268 if (ret != BSL_SUCCESS) {
269 BSL_LIST_FREE(list, NULL);
270 return ret;
271 }
272
273 crlEntry->extList = list;
274 return HITLS_PKI_SUCCESS;
275 }
276
HITLS_CRL_ParseCrlEntry(BSL_ASN1_Buffer * extItem,HITLS_X509_CrlEntry * crlEntry)277 int32_t HITLS_CRL_ParseCrlEntry(BSL_ASN1_Buffer *extItem, HITLS_X509_CrlEntry *crlEntry)
278 {
279 uint8_t *temp = extItem->buff;
280 uint32_t tempLen = extItem->len;
281 BSL_ASN1_Buffer asnArr[HITLS_X509_CRLENTRY_MAX_IDX] = {0};
282 BSL_ASN1_Template templ = {g_crlEntryTempl, sizeof(g_crlEntryTempl) / sizeof(g_crlEntryTempl[0])};
283 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, HITLS_X509_CrlEntryChoiceCheck,
284 &temp, &tempLen, asnArr, HITLS_X509_CRLENTRY_MAX_IDX);
285 if (tempLen != 0) {
286 ret = HITLS_X509_ERR_CRL_ENTRY;
287 }
288 if (ret != BSL_SUCCESS) {
289 BSL_ERR_PUSH_ERROR(ret);
290 return ret;
291 }
292 crlEntry->serialNumber = asnArr[HITLS_X509_CRLENTRY_NUM_IDX];
293
294 ret = BSL_ASN1_DecodePrimitiveItem(&asnArr[HITLS_X509_CRLENTRY_TIME_IDX], &crlEntry->time);
295 if (ret != BSL_SUCCESS) {
296 BSL_ERR_PUSH_ERROR(ret);
297 return ret;
298 }
299 if (asnArr[HITLS_X509_CRLENTRY_TIME_IDX].tag == BSL_ASN1_TAG_GENERALIZEDTIME) {
300 crlEntry->flag |= BSL_TIME_REVOKE_TIME_IS_GMT;
301 }
302 ret = DecodeCrlRevokeExt(&asnArr[HITLS_X509_CRLENTRY_EXT_IDX], crlEntry);
303 if (ret != HITLS_PKI_SUCCESS) {
304 BSL_ERR_PUSH_ERROR(ret);
305 }
306
307 return ret;
308 }
309
HITLS_CRL_ParseCrlAsnItem(uint32_t layer,BSL_ASN1_Buffer * asn,void * param,BSL_ASN1_List * list)310 int32_t HITLS_CRL_ParseCrlAsnItem(uint32_t layer, BSL_ASN1_Buffer *asn, void *param, BSL_ASN1_List *list)
311 {
312 (void) param;
313 (void) layer;
314 HITLS_X509_CrlEntry crlEntry = {0};
315 int32_t ret = HITLS_CRL_ParseCrlEntry(asn, &crlEntry);
316 if (ret != HITLS_PKI_SUCCESS) {
317 BSL_ERR_PUSH_ERROR(ret);
318 return ret;
319 }
320 crlEntry.flag |= HITLS_X509_CRL_PARSE_FLAG;
321 return HITLS_X509_AddListItemDefault(&crlEntry, sizeof(HITLS_X509_CrlEntry), list);
322 }
323
HITLS_X509_ParseCrlList(BSL_ASN1_Buffer * crl,BSL_ASN1_List * list)324 int32_t HITLS_X509_ParseCrlList(BSL_ASN1_Buffer *crl, BSL_ASN1_List *list)
325 {
326 // crl is optional
327 if (crl->tag == 0) {
328 return HITLS_PKI_SUCCESS;
329 }
330
331 uint8_t expTag = (BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE);
332 BSL_ASN1_DecodeListParam listParam = {1, &expTag};
333 int32_t ret = BSL_ASN1_DecodeListItem(&listParam, crl, &HITLS_CRL_ParseCrlAsnItem, NULL, list);
334 if (ret != BSL_SUCCESS) {
335 BSL_LIST_DeleteAll(list, NULL);
336 }
337 return ret;
338 }
339
HITLS_X509_ParseCrlTbs(BSL_ASN1_Buffer * asnArr,HITLS_X509_Crl * crl)340 int32_t HITLS_X509_ParseCrlTbs(BSL_ASN1_Buffer *asnArr, HITLS_X509_Crl *crl)
341 {
342 int32_t ret;
343 if (asnArr[HITLS_X509_CRL_VERSION_IDX].tag != 0) {
344 ret = BSL_ASN1_DecodePrimitiveItem(&asnArr[HITLS_X509_CRL_VERSION_IDX], &crl->tbs.version);
345 if (ret != BSL_SUCCESS) {
346 BSL_ERR_PUSH_ERROR(ret);
347 return ret;
348 }
349 } else {
350 crl->tbs.version = 0;
351 }
352
353 // sign alg
354 ret = HITLS_X509_ParseSignAlgInfo(&asnArr[HITLS_X509_CRL_TBS_SIGNALG_OID_IDX],
355 &asnArr[HITLS_X509_CRL_TBS_SIGNALG_ANY_IDX], &crl->tbs.signAlgId);
356 if (ret != HITLS_PKI_SUCCESS) {
357 BSL_ERR_PUSH_ERROR(ret);
358 return ret;
359 }
360
361 // issuer name
362 ret = HITLS_X509_ParseNameList(&asnArr[HITLS_X509_CRL_ISSUER_IDX], crl->tbs.issuerName);
363 if (ret != HITLS_PKI_SUCCESS) {
364 BSL_ERR_PUSH_ERROR(ret);
365 return ret;
366 }
367
368 // validity
369 ret = HITLS_X509_ParseTime(&asnArr[HITLS_X509_CRL_BEFORE_VALID_IDX], &asnArr[HITLS_X509_CRL_AFTER_VALID_IDX],
370 &crl->tbs.validTime);
371 if (ret != BSL_SUCCESS) {
372 BSL_ERR_PUSH_ERROR(ret);
373 goto ERR;
374 }
375
376 // crl list
377 ret = HITLS_X509_ParseCrlList(&asnArr[HITLS_X509_CRL_CRL_LIST_IDX], crl->tbs.revokedCerts);
378 if (ret != HITLS_PKI_SUCCESS) {
379 BSL_ERR_PUSH_ERROR(ret);
380 return ret;
381 }
382 // ext
383 ret = HITLS_X509_ParseCrlExt(&asnArr[HITLS_X509_CRL_EXT_IDX], crl);
384 if (ret != BSL_SUCCESS) {
385 BSL_ERR_PUSH_ERROR(ret);
386 goto ERR;
387 }
388
389 return ret;
390 ERR:
391
392 BSL_LIST_DeleteAll(crl->tbs.issuerName, NULL);
393 BSL_LIST_DeleteAll(crl->tbs.revokedCerts, NULL);
394 return ret;
395 }
396 #endif // HITLS_PKI_X509_CRL_PARSE
397
398 #ifdef HITLS_PKI_X509_CRL_GEN
X509_EncodeCrlValidTime(HITLS_X509_ValidTime * crlTime,BSL_ASN1_Buffer * validTime)399 static void X509_EncodeCrlValidTime(HITLS_X509_ValidTime *crlTime, BSL_ASN1_Buffer *validTime)
400 {
401 validTime[0].tag = (crlTime->flag & BSL_TIME_BEFORE_IS_UTC) != 0 ? BSL_ASN1_TAG_UTCTIME :
402 BSL_ASN1_TAG_GENERALIZEDTIME;
403 validTime[0].len = sizeof(BSL_TIME);
404 validTime[0].buff = (uint8_t *)&(crlTime->start);
405
406 validTime[1].tag = (crlTime->flag & BSL_TIME_AFTER_IS_UTC) != 0 ? BSL_ASN1_TAG_UTCTIME :
407 BSL_ASN1_TAG_GENERALIZEDTIME;
408 if ((crlTime->flag & BSL_TIME_AFTER_SET) != 0) {
409 validTime[1].len = sizeof(BSL_TIME);
410 validTime[1].buff = (uint8_t *)&(crlTime->end);
411 } else {
412 validTime[1].len = 0;
413 validTime[1].buff = NULL;
414 }
415 }
416
X509_EncodeCrlEntry(HITLS_X509_CrlEntry * crlEntry,BSL_ASN1_Buffer * asnBuf)417 static int32_t X509_EncodeCrlEntry(HITLS_X509_CrlEntry *crlEntry, BSL_ASN1_Buffer *asnBuf)
418 {
419 asnBuf[0].tag = crlEntry->serialNumber.tag;
420 asnBuf[0].buff = crlEntry->serialNumber.buff;
421 asnBuf[0].len = crlEntry->serialNumber.len;
422 asnBuf[1].tag = (crlEntry->flag & BSL_TIME_REVOKE_TIME_IS_GMT) != 0 ?
423 BSL_ASN1_TAG_GENERALIZEDTIME : BSL_ASN1_TAG_UTCTIME;
424 asnBuf[1].buff = (uint8_t *)&(crlEntry->time);
425 asnBuf[1].len = sizeof(BSL_TIME);
426 if (crlEntry->extList != NULL && BSL_LIST_COUNT(crlEntry->extList) > 0) {
427 return HITLS_X509_EncodeExtEntry(crlEntry->extList, &asnBuf[2]); // 2: extensions
428 } else {
429 asnBuf[2].tag = 0; // 2: extensions
430 asnBuf[2].buff = NULL; // 2: extensions
431 asnBuf[2].len = 0; // 2: extensions
432 return HITLS_PKI_SUCCESS;
433 }
434 }
435
436 #define X509_CRLENTRY_ELEM_NUMBER 3
HITLS_X509_EncodeRevokeCrlList(BSL_ASN1_List * crlList,BSL_ASN1_Buffer * revokeBuf)437 int32_t HITLS_X509_EncodeRevokeCrlList(BSL_ASN1_List *crlList, BSL_ASN1_Buffer *revokeBuf)
438 {
439 int32_t count = BSL_LIST_COUNT(crlList);
440 if (count <= 0) {
441 revokeBuf->buff = NULL;
442 revokeBuf->len = 0;
443 revokeBuf->tag = BSL_ASN1_TAG_SEQUENCE;
444 return HITLS_PKI_SUCCESS;
445 }
446 BSL_ASN1_Buffer *asnBuf = BSL_SAL_Malloc((uint32_t)count * sizeof(BSL_ASN1_Buffer) * X509_CRLENTRY_ELEM_NUMBER);
447 if (asnBuf == NULL) {
448 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
449 return BSL_MALLOC_FAIL;
450 }
451 (void)memset_s(asnBuf, (uint32_t)count * sizeof(BSL_ASN1_Buffer) * X509_CRLENTRY_ELEM_NUMBER, 0,
452 (uint32_t)count * sizeof(BSL_ASN1_Buffer) * X509_CRLENTRY_ELEM_NUMBER);
453 HITLS_X509_CrlEntry *crlEntry = NULL;
454 uint32_t iter = 0;
455 int32_t ret;
456 for (crlEntry = BSL_LIST_GET_FIRST(crlList); crlEntry != NULL; crlEntry = BSL_LIST_GET_NEXT(crlList)) {
457 ret = X509_EncodeCrlEntry(crlEntry, &asnBuf[iter]);
458 if (ret != HITLS_PKI_SUCCESS) {
459 BSL_ERR_PUSH_ERROR(ret);
460 goto EXIT;
461 }
462 iter += X509_CRLENTRY_ELEM_NUMBER;
463 }
464 BSL_ASN1_TemplateItem crlEntryTempl[] = {
465 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_SAME | BSL_ASN1_FLAG_OPTIONAL, 0},
466 {BSL_ASN1_TAG_INTEGER, 0, 1},
467 {BSL_ASN1_TAG_CHOICE, 0, 1},
468 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_OPTIONAL, 1}
469 };
470 BSL_ASN1_Template templ = {crlEntryTempl, sizeof(crlEntryTempl) / sizeof(crlEntryTempl[0])};
471 ret = BSL_ASN1_EncodeListItem(BSL_ASN1_TAG_SEQUENCE, (uint32_t)count, &templ, asnBuf, iter, revokeBuf);
472 EXIT:
473 for (int32_t i = 0; i < count; i++) {
474 /**
475 * The memory for the extension in CRLentry needs to be freed up.
476 * The subscript 2 corresponds to the extension.
477 */
478 BSL_SAL_Free(asnBuf[i * X509_CRLENTRY_ELEM_NUMBER + 2].buff);
479 }
480 BSL_SAL_Free(asnBuf);
481 return ret;
482 }
483
484 BSL_ASN1_TemplateItem g_crlTbsTempl[] = {
485 /* 1: version */
486 {BSL_ASN1_TAG_INTEGER, BSL_ASN1_FLAG_DEFAULT, 0},
487 /* 2: signature info */
488 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY, 0},
489 /* 3: issuer */
490 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 0},
491 /* 4-5: validity */
492 {BSL_ASN1_TAG_CHOICE, 0, 0},
493 {BSL_ASN1_TAG_CHOICE, BSL_ASN1_FLAG_OPTIONAL, 0},
494 /* 6: revoked crl list */
495 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE,
496 BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME | BSL_ASN1_FLAG_OPTIONAL, 0},
497 /* 7: extension */
498 {BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED | HITLS_CRL_CTX_SPECIFIC_TAG_EXTENSION,
499 BSL_ASN1_FLAG_OPTIONAL | BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_SAME, 0}, // 11
500 };
501
HITLS_X509_EncodeCrlExt(HITLS_X509_Ext * crlExt,BSL_ASN1_Buffer * ext)502 int32_t HITLS_X509_EncodeCrlExt(HITLS_X509_Ext *crlExt, BSL_ASN1_Buffer *ext)
503 {
504 return HITLS_X509_EncodeExt(
505 BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED | HITLS_CRL_CTX_SPECIFIC_TAG_EXTENSION,
506 crlExt->extList, ext);
507 }
508 /**
509 * RFC 5280 sec 5.1.2.1
510 * This optional field describes the version of the encoded CRL. When
511 * extensions are used, as required by this profile, this field MUST be
512 * present and MUST specify version 2 (the integer value is 1).
513 */
X509_EncodeVersion(uint8_t * version,BSL_ASN1_Buffer * asn)514 static void X509_EncodeVersion(uint8_t *version, BSL_ASN1_Buffer *asn)
515 {
516 if (*version == 1) {
517 asn->tag = BSL_ASN1_TAG_INTEGER;
518 asn->len = 1;
519 asn->buff = version;
520 } else {
521 asn->tag = BSL_ASN1_TAG_INTEGER;
522 asn->len = 0;
523 asn->buff = NULL;
524 }
525 }
526
527 #define X509_CRLTBS_ELEM_NUMBER 7
HITLS_X509_EncodeCrlTbsRaw(HITLS_X509_CrlTbs * crlTbs,BSL_ASN1_Buffer * asn)528 int32_t HITLS_X509_EncodeCrlTbsRaw(HITLS_X509_CrlTbs *crlTbs, BSL_ASN1_Buffer *asn)
529 {
530 BSL_ASN1_Buffer asnArr[X509_CRLTBS_ELEM_NUMBER] = {0};
531 uint8_t version = (uint8_t)crlTbs->version;
532 X509_EncodeVersion(&version, asnArr); // 0 is version
533 BSL_ASN1_Buffer *signAlgAsn = &asnArr[1]; // 1 is signAlg
534 BSL_ASN1_Buffer *issuerAsn = &asnArr[2]; // 2 is issuer name
535 BSL_ASN1_Buffer *revokeBuf = &asnArr[5]; // 5 is revoke list
536 BSL_ASN1_Buffer *crlExt = &asnArr[6]; // 6 is crl extension
537
538 int32_t ret = HITLS_X509_EncodeSignAlgInfo(&crlTbs->signAlgId, signAlgAsn);
539 if (ret != HITLS_PKI_SUCCESS) {
540 BSL_ERR_PUSH_ERROR(ret);
541 return ret;
542 }
543 ret = HITLS_X509_EncodeNameList(crlTbs->issuerName, issuerAsn);
544 if (ret != HITLS_PKI_SUCCESS) {
545 BSL_ERR_PUSH_ERROR(ret);
546 goto EXIT;
547 }
548 X509_EncodeCrlValidTime(&crlTbs->validTime, &asnArr[3]); // 3 is valid time
549 ret = HITLS_X509_EncodeRevokeCrlList(crlTbs->revokedCerts, revokeBuf);
550 if (ret != HITLS_PKI_SUCCESS) {
551 BSL_ERR_PUSH_ERROR(ret);
552 goto EXIT;
553 }
554 ret = HITLS_X509_EncodeCrlExt(&(crlTbs->crlExt), crlExt);
555 if (ret != HITLS_PKI_SUCCESS) {
556 BSL_ERR_PUSH_ERROR(ret);
557 goto EXIT;
558 }
559 BSL_ASN1_Template templ = {g_crlTbsTempl, sizeof(g_crlTbsTempl) / sizeof(g_crlTbsTempl[0])};
560 ret = BSL_ASN1_EncodeTemplate(&templ, asnArr, X509_CRLTBS_ELEM_NUMBER, &(asn->buff), &(asn->len));
561 if (ret != HITLS_PKI_SUCCESS) {
562 goto EXIT;
563 }
564 asn->tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE;
565 EXIT:
566 BSL_SAL_Free(signAlgAsn->buff);
567 if (issuerAsn->buff != NULL) {
568 BSL_SAL_Free(issuerAsn->buff);
569 }
570 if (revokeBuf->buff != NULL) {
571 BSL_SAL_Free(revokeBuf->buff);
572 }
573 if (crlExt->buff != NULL) {
574 BSL_SAL_Free(crlExt->buff);
575 }
576 return ret;
577 }
578
579 #define X509_CRL_ELEM_NUMBER 3
EncodeAsn1Crl(HITLS_X509_Crl * crl)580 int32_t EncodeAsn1Crl(HITLS_X509_Crl *crl)
581 {
582 if (crl->signature.buff == NULL || crl->signature.len == 0 ||
583 crl->tbs.tbsRawData == NULL || crl->tbs.tbsRawDataLen == 0) {
584 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_NOT_SIGNED);
585 return HITLS_X509_ERR_CRL_NOT_SIGNED;
586 }
587 BSL_ASN1_Buffer asnArr[X509_CRL_ELEM_NUMBER] = {
588 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, crl->tbs.tbsRawDataLen, crl->tbs.tbsRawData},
589 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, NULL},
590 {BSL_ASN1_TAG_BITSTRING, sizeof(BSL_ASN1_BitString), (uint8_t *)&crl->signature},
591 };
592 uint32_t valLen = 0;
593 int32_t ret = BSL_ASN1_DecodeTagLen(asnArr[0].tag, &asnArr[0].buff, &asnArr[0].len, &valLen); // 0 is tbs
594 if (ret != HITLS_PKI_SUCCESS) {
595 BSL_ERR_PUSH_ERROR(ret);
596 return ret;
597 }
598 ret = HITLS_X509_EncodeSignAlgInfo(&crl->signAlgId, &asnArr[1]); // 1 is signAlg
599 if (ret != HITLS_PKI_SUCCESS) {
600 BSL_ERR_PUSH_ERROR(ret);
601 return ret;
602 }
603
604 BSL_ASN1_TemplateItem crlTempl[] = {
605 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0}, /* crl */
606 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY, 1}, /* tbs */
607 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY, 1}, /* signAlg */
608 {BSL_ASN1_TAG_BITSTRING, 0, 1} /* sig */
609 };
610 BSL_ASN1_Template templ = {crlTempl, sizeof(crlTempl) / sizeof(crlTempl[0])};
611 ret = BSL_ASN1_EncodeTemplate(&templ, asnArr, X509_CRL_ELEM_NUMBER, &crl->rawData, &crl->rawDataLen);
612 BSL_SAL_Free(asnArr[1].buff);
613 return ret;
614 }
615
616 /**
617 * @brief Encode ASN.1 crl
618 *
619 * @param crl [IN] Pointer to the crl structure
620 * @param buff [OUT] Pointer to the buffer.
621 * If NULL, only the ASN.1 crl is encoded.
622 * If non-NULL, the DER encoding content of the crl is stored in buff
623 * @return int32_t Return value, 0 means success, other values mean failure
624 */
HITLS_X509_EncodeAsn1Crl(HITLS_X509_Crl * crl,BSL_Buffer * buff)625 int32_t HITLS_X509_EncodeAsn1Crl(HITLS_X509_Crl *crl, BSL_Buffer *buff)
626 {
627 int32_t ret;
628 if ((crl->flag & HITLS_X509_CRL_GEN_FLAG) != 0) {
629 if (crl->state != HITLS_X509_CRL_STATE_SIGN && crl->state != HITLS_X509_CRL_STATE_GEN) {
630 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_NOT_SIGNED);
631 return HITLS_X509_ERR_CRL_NOT_SIGNED;
632 }
633 if (crl->state == HITLS_X509_CRL_STATE_SIGN) {
634 ret = EncodeAsn1Crl(crl);
635 if (ret != HITLS_PKI_SUCCESS) {
636 BSL_ERR_PUSH_ERROR(ret);
637 return ret;
638 }
639 crl->state = HITLS_X509_CRL_STATE_GEN;
640 }
641 }
642 if (crl->rawData == NULL || crl->rawDataLen == 0) {
643 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_NOT_SIGNED);
644 return HITLS_X509_ERR_CRL_NOT_SIGNED;
645 }
646 if (buff == NULL) {
647 return HITLS_PKI_SUCCESS;
648 }
649 buff->data = BSL_SAL_Dump(crl->rawData, crl->rawDataLen);
650 if (buff->data == NULL) {
651 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
652 return BSL_DUMP_FAIL;
653 }
654 buff->dataLen = crl->rawDataLen;
655 return HITLS_PKI_SUCCESS;
656 }
657
658 #ifdef HITLS_BSL_PEM
HITLS_X509_EncodePemCrl(HITLS_X509_Crl * crl,BSL_Buffer * buff)659 int32_t HITLS_X509_EncodePemCrl(HITLS_X509_Crl *crl, BSL_Buffer *buff)
660 {
661 int32_t ret = HITLS_X509_EncodeAsn1Crl(crl, NULL);
662 if (ret != HITLS_PKI_SUCCESS) {
663 BSL_ERR_PUSH_ERROR(ret);
664 return ret;
665 }
666 BSL_PEM_Symbol symbol = {BSL_PEM_CRL_BEGIN_STR, BSL_PEM_CRL_END_STR};
667 return BSL_PEM_EncodeAsn1ToPem(crl->rawData, crl->rawDataLen, &symbol, (char **)&buff->data, &buff->dataLen);
668 }
669 #endif // HITLS_BSL_PEM
670
X509_CheckCrlRevoke(HITLS_X509_Crl * crl)671 static int32_t X509_CheckCrlRevoke(HITLS_X509_Crl *crl)
672 {
673 BSL_ASN1_List *revokedCerts = crl->tbs.revokedCerts;
674 if (revokedCerts != NULL) {
675 HITLS_X509_CrlEntry *entry = NULL;
676 for (entry = BSL_LIST_GET_FIRST(revokedCerts); entry != NULL; entry = BSL_LIST_GET_NEXT(revokedCerts)) {
677 // Check serial number
678 if (entry->serialNumber.buff == NULL || entry->serialNumber.len == 0) {
679 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_ENTRY);
680 return HITLS_X509_ERR_CRL_ENTRY;
681 }
682
683 // Check revocation time
684 if (!BSL_DateTimeCheck(&entry->time)) {
685 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_TIME_INVALID);
686 return HITLS_X509_ERR_CRL_TIME_INVALID;
687 }
688
689 // If entry has extensions and CRL version is v1, that's an error
690 if (entry->extList != NULL && BSL_LIST_COUNT(entry->extList) > 0 && crl->tbs.version == 0) {
691 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_INACCURACY_VERSION);
692 return HITLS_X509_ERR_CRL_INACCURACY_VERSION;
693 }
694 }
695 }
696 return HITLS_PKI_SUCCESS;
697 }
698
X509_CheckCrlTbs(HITLS_X509_Crl * crl)699 static int32_t X509_CheckCrlTbs(HITLS_X509_Crl *crl)
700 {
701 int32_t ret;
702 if (crl->tbs.version != 0 && crl->tbs.version != 1) {
703 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_INACCURACY_VERSION);
704 return HITLS_X509_ERR_CRL_INACCURACY_VERSION;
705 }
706 if (crl->tbs.crlExt.extList != NULL && BSL_LIST_COUNT(crl->tbs.crlExt.extList) > 0) {
707 if (crl->tbs.version != 1) {
708 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_INACCURACY_VERSION);
709 return HITLS_X509_ERR_CRL_INACCURACY_VERSION;
710 }
711 }
712
713 // Check issuer name
714 if (crl->tbs.issuerName == NULL || BSL_LIST_COUNT(crl->tbs.issuerName) <= 0) {
715 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_ISSUER_EMPTY);
716 return HITLS_X509_ERR_CRL_ISSUER_EMPTY;
717 }
718
719 // Check validity time
720 if ((crl->tbs.validTime.flag & BSL_TIME_BEFORE_SET) == 0) {
721 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_THISUPDATE_UNEXIST);
722 return HITLS_X509_ERR_CRL_THISUPDATE_UNEXIST;
723 }
724
725 // If nextUpdate is set, check it's after thisUpdate
726 if ((crl->tbs.validTime.flag & BSL_TIME_AFTER_SET) != 0) {
727 ret = BSL_SAL_DateTimeCompare(&crl->tbs.validTime.start, &crl->tbs.validTime.end, NULL);
728 if (ret != BSL_TIME_DATE_BEFORE) {
729 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_TIME_INVALID);
730 return HITLS_X509_ERR_CRL_TIME_INVALID;
731 }
732 }
733 ret = X509_CheckCrlRevoke(crl);
734 if (ret != HITLS_PKI_SUCCESS) {
735 BSL_ERR_PUSH_ERROR(ret);
736 }
737 return ret;
738 }
739
HITLS_X509_CrlGenBuff(int32_t format,HITLS_X509_Crl * crl,BSL_Buffer * buff)740 int32_t HITLS_X509_CrlGenBuff(int32_t format, HITLS_X509_Crl *crl, BSL_Buffer *buff)
741 {
742 if (crl == NULL || buff == NULL || buff->data != NULL) {
743 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
744 return HITLS_X509_ERR_INVALID_PARAM;
745 }
746 switch (format) {
747 case BSL_FORMAT_ASN1:
748 return HITLS_X509_EncodeAsn1Crl(crl, buff);
749 #ifdef HITLS_BSL_PEM
750 case BSL_FORMAT_PEM:
751 return HITLS_X509_EncodePemCrl(crl, buff);
752 #endif // HITLS_BSL_PEM
753 default:
754 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
755 return HITLS_X509_ERR_INVALID_PARAM;
756 }
757 }
758
759 #ifdef HITLS_BSL_SAL_FILE
HITLS_X509_CrlGenFile(int32_t format,HITLS_X509_Crl * crl,const char * path)760 int32_t HITLS_X509_CrlGenFile(int32_t format, HITLS_X509_Crl *crl, const char *path)
761 {
762 if (path == NULL) {
763 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
764 return HITLS_X509_ERR_INVALID_PARAM;
765 }
766 BSL_Buffer buff = {0};
767 int32_t ret = HITLS_X509_CrlGenBuff(format, crl, &buff);
768 if (ret != HITLS_PKI_SUCCESS) {
769 BSL_ERR_PUSH_ERROR(ret);
770 return ret;
771 }
772 ret = BSL_SAL_WriteFile(path, buff.data, buff.dataLen);
773 BSL_SAL_Free(buff.data);
774 if (ret != HITLS_PKI_SUCCESS) {
775 BSL_ERR_PUSH_ERROR(ret);
776 }
777 return ret;
778 }
779 #endif // HITLS_BSL_SAL_FILE
780 #endif // HITLS_PKI_X509_CRL_GEN
781
782 #ifdef HITLS_PKI_X509_CRL_PARSE
HITLS_X509_ParseAsn1Crl(uint8_t * encode,uint32_t encodeLen,HITLS_X509_Crl * crl)783 int32_t HITLS_X509_ParseAsn1Crl(uint8_t *encode, uint32_t encodeLen, HITLS_X509_Crl *crl)
784 {
785 uint8_t *temp = encode;
786 uint32_t tempLen = encodeLen;
787 crl->rawData = encode; // crl takes over the encode immediately.
788 if ((crl->flag & HITLS_X509_CRL_GEN_FLAG) != 0) {
789 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
790 return HITLS_X509_ERR_INVALID_PARAM;
791 }
792 // template parse
793 BSL_ASN1_Buffer asnArr[HITLS_X509_CRL_MAX_IDX] = {0};
794 BSL_ASN1_Template templ = {g_crlTempl, sizeof(g_crlTempl) / sizeof(g_crlTempl[0])};
795 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, HITLS_X509_CrlTagGetOrCheck,
796 &temp, &tempLen, asnArr, HITLS_X509_CRL_MAX_IDX);
797 if (ret != BSL_SUCCESS) {
798 BSL_ERR_PUSH_ERROR(ret);
799 return ret;
800 }
801 // parse tbs raw data
802 ret = HITLS_X509_ParseTbsRawData(encode, encodeLen, &crl->tbs.tbsRawData, &crl->tbs.tbsRawDataLen);
803 if (ret != HITLS_PKI_SUCCESS) {
804 BSL_ERR_PUSH_ERROR(ret);
805 return ret;
806 }
807 // parse tbs
808 ret = HITLS_X509_ParseCrlTbs(asnArr, crl);
809 if (ret != HITLS_PKI_SUCCESS) {
810 return ret;
811 }
812 // parse sign alg
813 ret = HITLS_X509_ParseSignAlgInfo(&asnArr[HITLS_X509_CRL_SIGNALG_IDX],
814 &asnArr[HITLS_X509_CRL_SIGNALG_ANY_IDX], &crl->signAlgId);
815 if (ret != HITLS_PKI_SUCCESS) {
816 BSL_ERR_PUSH_ERROR(ret);
817 goto ERR;
818 }
819 // parse signature
820 ret = BSL_ASN1_DecodePrimitiveItem(&asnArr[HITLS_X509_CRL_SIGN_IDX], &crl->signature);
821 if (ret != BSL_SUCCESS) {
822 BSL_ERR_PUSH_ERROR(ret);
823 goto ERR;
824 }
825 crl->rawDataLen = encodeLen - tempLen;
826 crl->flag |= HITLS_X509_CRL_PARSE_FLAG;
827 return HITLS_PKI_SUCCESS;
828 ERR:
829 BSL_LIST_DeleteAll(crl->tbs.issuerName, NULL);
830 BSL_LIST_DeleteAll(crl->tbs.revokedCerts, NULL);
831 BSL_LIST_DeleteAll(crl->tbs.crlExt.extList, NULL);
832 return ret;
833 }
834
HITLS_X509_CrlParseBundleBuff(int32_t format,const BSL_Buffer * encode,HITLS_X509_List ** crlList)835 int32_t HITLS_X509_CrlParseBundleBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_List **crlList)
836 {
837 if (encode == NULL || encode->data == NULL || encode->dataLen == 0 || crlList == NULL) {
838 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
839 return HITLS_X509_ERR_INVALID_PARAM;
840 }
841
842 X509_ParseFuncCbk crlCbk = {
843 .asn1Parse = (HITLS_X509_Asn1Parse)HITLS_X509_ParseAsn1Crl,
844 .x509New = (HITLS_X509_New)HITLS_X509_CrlNew,
845 .x509Free = (HITLS_X509_Free)HITLS_X509_CrlFree,
846 };
847 HITLS_X509_List *list = BSL_LIST_New(sizeof(HITLS_X509_Crl));
848 if (list == NULL) {
849 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
850 return BSL_MALLOC_FAIL;
851 }
852 int32_t ret = HITLS_X509_ParseX509(NULL, NULL, format, encode, false, &crlCbk, list);
853 if (ret != HITLS_PKI_SUCCESS) {
854 BSL_LIST_FREE(list, (BSL_LIST_PFUNC_FREE)HITLS_X509_CrlFree);
855 BSL_ERR_PUSH_ERROR(ret);
856 return ret;
857 }
858 *crlList = list;
859 return HITLS_PKI_SUCCESS;
860 }
861
HITLS_X509_CrlParseBuff(int32_t format,const BSL_Buffer * encode,HITLS_X509_Crl ** crl)862 int32_t HITLS_X509_CrlParseBuff(int32_t format, const BSL_Buffer *encode, HITLS_X509_Crl **crl)
863 {
864 HITLS_X509_List *list = NULL;
865 if (crl == NULL || *crl != NULL) {
866 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
867 return HITLS_X509_ERR_INVALID_PARAM;
868 }
869 int32_t ret = HITLS_X509_CrlParseBundleBuff(format, encode, &list);
870 if (ret != HITLS_PKI_SUCCESS) {
871 BSL_ERR_PUSH_ERROR(ret);
872 return ret;
873 }
874 HITLS_X509_Crl *tmp = BSL_LIST_GET_FIRST(list);
875 int ref;
876 ret = HITLS_X509_CrlCtrl(tmp, HITLS_X509_REF_UP, &ref, sizeof(int));
877 BSL_LIST_FREE(list, (BSL_LIST_PFUNC_FREE)HITLS_X509_CrlFree);
878 if (ret != HITLS_PKI_SUCCESS) {
879 return ret;
880 }
881 *crl = tmp;
882 return HITLS_PKI_SUCCESS;
883 }
884
885 #ifdef HITLS_BSL_SAL_FILE
HITLS_X509_CrlParseFile(int32_t format,const char * path,HITLS_X509_Crl ** crl)886 int32_t HITLS_X509_CrlParseFile(int32_t format, const char *path, HITLS_X509_Crl **crl)
887 {
888 uint8_t *data = NULL;
889 uint32_t dataLen = 0;
890 int32_t ret = BSL_SAL_ReadFile(path, &data, &dataLen);
891 if (ret != BSL_SUCCESS) {
892 return ret;
893 }
894
895 BSL_Buffer encode = {data, dataLen};
896 ret = HITLS_X509_CrlParseBuff(format, &encode, crl);
897 BSL_SAL_Free(data);
898 return ret;
899 }
900
HITLS_X509_CrlParseBundleFile(int32_t format,const char * path,HITLS_X509_List ** crlList)901 int32_t HITLS_X509_CrlParseBundleFile(int32_t format, const char *path, HITLS_X509_List **crlList)
902 {
903 uint8_t *data = NULL;
904 uint32_t dataLen = 0;
905 int32_t ret = BSL_SAL_ReadFile(path, &data, &dataLen);
906 if (ret != BSL_SUCCESS) {
907 return ret;
908 }
909
910 BSL_Buffer encode = {data, dataLen};
911 ret = HITLS_X509_CrlParseBundleBuff(format, &encode, crlList);
912 BSL_SAL_Free(data);
913 return ret;
914 }
915 #endif // HITLS_BSL_SAL_FILE
916
917 #endif // HITLS_PKI_X509_CRL_PARSE
918
X509_CrlRefUp(HITLS_X509_Crl * crl,int32_t * val,uint32_t valLen)919 static int32_t X509_CrlRefUp(HITLS_X509_Crl *crl, int32_t *val, uint32_t valLen)
920 {
921 if (val == NULL || valLen != sizeof(int32_t)) {
922 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
923 return HITLS_X509_ERR_INVALID_PARAM;
924 }
925 return BSL_SAL_AtomicUpReferences(&crl->references, val);
926 }
927
X509_CrlGetThisUpdate(HITLS_X509_Crl * crl,BSL_TIME * val,uint32_t valLen)928 static int32_t X509_CrlGetThisUpdate(HITLS_X509_Crl *crl, BSL_TIME *val, uint32_t valLen)
929 {
930 if (valLen != sizeof(BSL_TIME)) {
931 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
932 return HITLS_X509_ERR_INVALID_PARAM;
933 }
934 if ((crl->tbs.validTime.flag & BSL_TIME_BEFORE_SET) == 0) {
935 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_THISUPDATE_UNEXIST);
936 return HITLS_X509_ERR_CRL_THISUPDATE_UNEXIST;
937 }
938 *val = crl->tbs.validTime.start;
939 return HITLS_PKI_SUCCESS;
940 }
941
X509_CrlGetNextUpdate(HITLS_X509_Crl * crl,BSL_TIME * val,uint32_t valLen)942 static int32_t X509_CrlGetNextUpdate(HITLS_X509_Crl *crl, BSL_TIME *val, uint32_t valLen)
943 {
944 if (valLen != sizeof(BSL_TIME)) {
945 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
946 return HITLS_X509_ERR_INVALID_PARAM;
947 }
948 if ((crl->tbs.validTime.flag & BSL_TIME_AFTER_SET) == 0) {
949 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_NEXTUPDATE_UNEXIST);
950 return HITLS_X509_ERR_CRL_NEXTUPDATE_UNEXIST;
951 }
952 *val = crl->tbs.validTime.end;
953 return HITLS_PKI_SUCCESS;
954 }
955
X509_CrlGetVersion(HITLS_X509_Crl * crl,int32_t * val,uint32_t valLen)956 static int32_t X509_CrlGetVersion(HITLS_X509_Crl *crl, int32_t *val, uint32_t valLen)
957 {
958 if (valLen != sizeof(int32_t)) {
959 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
960 return HITLS_X509_ERR_INVALID_PARAM;
961 }
962
963 // CRL version is stored as v2(1), v1(0)
964 *val = crl->tbs.version;
965
966 return HITLS_PKI_SUCCESS;
967 }
968
X509_CrlGetRevokeList(HITLS_X509_Crl * crl,BSL_ASN1_List ** val,uint32_t valLen)969 static int32_t X509_CrlGetRevokeList(HITLS_X509_Crl *crl, BSL_ASN1_List **val, uint32_t valLen)
970 {
971 if (valLen != sizeof(BSL_ASN1_List *)) {
972 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
973 return HITLS_X509_ERR_INVALID_PARAM;
974 }
975
976 if (crl->tbs.revokedCerts == NULL) {
977 *val = NULL;
978 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_REVOKELIST_UNEXIST);
979 return HITLS_X509_ERR_CRL_REVOKELIST_UNEXIST;
980 }
981
982 *val = crl->tbs.revokedCerts;
983 return HITLS_PKI_SUCCESS;
984 }
985
X509_CrlGetCtrl(HITLS_X509_Crl * crl,int32_t cmd,void * val,uint32_t valLen)986 static int32_t X509_CrlGetCtrl(HITLS_X509_Crl *crl, int32_t cmd, void *val, uint32_t valLen)
987 {
988 if (val == NULL) {
989 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
990 return HITLS_X509_ERR_INVALID_PARAM;
991 }
992 switch (cmd) {
993 case HITLS_X509_GET_VERSION:
994 return X509_CrlGetVersion(crl, val, valLen);
995 case HITLS_X509_GET_BEFORE_TIME:
996 return X509_CrlGetThisUpdate(crl, val, valLen);
997 case HITLS_X509_GET_AFTER_TIME:
998 return X509_CrlGetNextUpdate(crl, val, valLen);
999 case HITLS_X509_GET_ISSUER_DN:
1000 return HITLS_X509_GetList(crl->tbs.issuerName, val, valLen);
1001 case HITLS_X509_GET_REVOKELIST:
1002 return X509_CrlGetRevokeList(crl, val, valLen);
1003 default:
1004 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1005 return HITLS_X509_ERR_INVALID_PARAM;
1006 }
1007 }
1008
1009 #ifdef HITLS_PKI_X509_CRL_GEN
CrlSetTime(void * dest,uint8_t * val,uint32_t valLen)1010 static int32_t CrlSetTime(void *dest, uint8_t *val, uint32_t valLen)
1011 {
1012 if (valLen != sizeof(BSL_TIME) || !BSL_DateTimeCheck((BSL_TIME *)val)) {
1013 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1014 return HITLS_X509_ERR_INVALID_PARAM;
1015 }
1016 (void)memcpy_s(dest, valLen, val, valLen);
1017 return HITLS_PKI_SUCCESS;
1018 }
1019
CrlSetThisUpdateTime(HITLS_X509_ValidTime * time,uint8_t * val,uint32_t valLen)1020 static int32_t CrlSetThisUpdateTime(HITLS_X509_ValidTime *time, uint8_t *val, uint32_t valLen)
1021 {
1022 int32_t ret = CrlSetTime(&(time->start), val, valLen);
1023 if (ret != HITLS_PKI_SUCCESS) {
1024 return ret;
1025 }
1026 time->flag |= BSL_TIME_BEFORE_SET;
1027 return HITLS_PKI_SUCCESS;
1028 }
1029
CrlSetNextUpdateTime(HITLS_X509_ValidTime * time,uint8_t * val,uint32_t valLen)1030 static int32_t CrlSetNextUpdateTime(HITLS_X509_ValidTime *time, uint8_t *val, uint32_t valLen)
1031 {
1032 int32_t ret = CrlSetTime(&(time->end), val, valLen);
1033 if (ret != HITLS_PKI_SUCCESS) {
1034 return ret;
1035 }
1036 time->flag |= BSL_TIME_AFTER_SET;
1037 return HITLS_PKI_SUCCESS;
1038 }
1039
X509_CrlEntryDup(const HITLS_X509_CrlEntry * src)1040 static HITLS_X509_CrlEntry *X509_CrlEntryDup(const HITLS_X509_CrlEntry *src)
1041 {
1042 HITLS_X509_CrlEntry *dest = (HITLS_X509_CrlEntry *)BSL_SAL_Malloc(sizeof(HITLS_X509_CrlEntry));
1043 if (dest == NULL) {
1044 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1045 return NULL;
1046 }
1047 (void)memset_s(dest, sizeof(HITLS_X509_CrlEntry), 0, sizeof(HITLS_X509_CrlEntry));
1048
1049 dest->serialNumber.buff = BSL_SAL_Dump(src->serialNumber.buff, src->serialNumber.len);
1050 if (dest->serialNumber.buff == NULL) {
1051 BSL_SAL_Free(dest);
1052 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1053 return NULL;
1054 }
1055
1056 dest->serialNumber.len = src->serialNumber.len;
1057 dest->serialNumber.tag = src->serialNumber.tag;
1058
1059 dest->time = src->time;
1060 dest->flag = src->flag;
1061 dest->flag &= ~HITLS_X509_CRL_PARSE_FLAG;
1062 dest->flag |= HITLS_X509_CRL_GEN_FLAG;
1063
1064 if (src->extList != NULL) {
1065 dest->extList = BSL_LIST_Copy(src->extList, (BSL_LIST_PFUNC_DUP)X509_DupExtEntry,
1066 (BSL_LIST_PFUNC_FREE)HITLS_X509_ExtEntryFree);
1067 if (dest->extList == NULL) {
1068 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_EXT_SET);
1069 goto ERR;
1070 }
1071 }
1072 return dest;
1073 ERR:
1074 BSL_SAL_Free(dest->serialNumber.buff);
1075 BSL_SAL_Free(dest);
1076 return NULL;
1077 }
1078
X509_CrlEntryFree(HITLS_X509_CrlEntry * entry)1079 static void X509_CrlEntryFree(HITLS_X509_CrlEntry *entry)
1080 {
1081 if (entry == NULL) {
1082 return;
1083 }
1084 BSL_SAL_Free(entry->serialNumber.buff);
1085 BSL_LIST_FREE(entry->extList, (BSL_LIST_PFUNC_FREE)HITLS_X509_ExtEntryFree);
1086 BSL_SAL_Free(entry);
1087 }
1088
HITLS_X509_CrlAddRevokedCert(HITLS_X509_Crl * crl,void * val)1089 int32_t HITLS_X509_CrlAddRevokedCert(HITLS_X509_Crl *crl, void *val)
1090 {
1091 HITLS_X509_CrlEntry *entry = (HITLS_X509_CrlEntry *)val;
1092
1093 if (entry->serialNumber.buff == NULL || entry->serialNumber.len == 0) {
1094 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_ENTRY);
1095 return HITLS_X509_ERR_CRL_ENTRY;
1096 }
1097
1098 if (!BSL_DateTimeCheck(&entry->time)) {
1099 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_ENTRY);
1100 return HITLS_X509_ERR_CRL_ENTRY;
1101 }
1102
1103 if (crl->tbs.revokedCerts == NULL) {
1104 crl->tbs.revokedCerts = BSL_LIST_New(sizeof(HITLS_X509_CrlEntry));
1105 if (crl->tbs.revokedCerts == NULL) {
1106 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1107 return BSL_MALLOC_FAIL;
1108 }
1109 }
1110 HITLS_X509_CrlEntry *newEntry = X509_CrlEntryDup(entry);
1111 if (newEntry == NULL) {
1112 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1113 return BSL_MALLOC_FAIL;
1114 }
1115
1116 int32_t ret = BSL_LIST_AddElement(crl->tbs.revokedCerts, newEntry, BSL_LIST_POS_END);
1117 if (ret != BSL_SUCCESS) {
1118 X509_CrlEntryFree(newEntry);
1119 BSL_ERR_PUSH_ERROR(ret);
1120 return ret;
1121 }
1122
1123 // If the CRL version is v1 and an extended revocation certificate is added, it needs to be upgraded to v2
1124 if (crl->tbs.version == 0 && entry->extList != NULL) {
1125 crl->tbs.version = 1; // v2
1126 }
1127
1128 return HITLS_PKI_SUCCESS;
1129 }
1130
X509_CrlSetVersion(HITLS_X509_Crl * crl,int32_t * val,uint32_t valLen)1131 static int32_t X509_CrlSetVersion(HITLS_X509_Crl *crl, int32_t *val, uint32_t valLen)
1132 {
1133 if (valLen != sizeof(int32_t)) {
1134 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1135 return HITLS_X509_ERR_INVALID_PARAM;
1136 }
1137 int32_t version = *val;
1138 if (version != 0 && version != 1) {
1139 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1140 return HITLS_X509_ERR_INVALID_PARAM;
1141 }
1142 crl->tbs.version = version;
1143 return HITLS_PKI_SUCCESS;
1144 }
1145
X509_CrlSetCtrl(HITLS_X509_Crl * crl,int32_t cmd,void * val,uint32_t valLen)1146 static int32_t X509_CrlSetCtrl(HITLS_X509_Crl *crl, int32_t cmd, void *val, uint32_t valLen)
1147 {
1148 if (val == NULL) {
1149 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1150 return HITLS_X509_ERR_INVALID_PARAM;
1151 }
1152 if ((crl->flag & HITLS_X509_CRL_PARSE_FLAG) != 0) {
1153 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_SET_AFTER_PARSE);
1154 return HITLS_X509_ERR_SET_AFTER_PARSE;
1155 }
1156 crl->flag |= HITLS_X509_CRL_GEN_FLAG;
1157 crl->state = HITLS_X509_CRL_STATE_SET;
1158 switch (cmd) {
1159 case HITLS_X509_SET_VERSION:
1160 return X509_CrlSetVersion(crl, val, valLen);
1161 case HITLS_X509_SET_ISSUER_DN:
1162 return HITLS_X509_SetNameList(&crl->tbs.issuerName, val, valLen);
1163 case HITLS_X509_SET_BEFORE_TIME:
1164 return CrlSetThisUpdateTime(&crl->tbs.validTime, val, valLen);
1165 case HITLS_X509_SET_AFTER_TIME:
1166 return CrlSetNextUpdateTime(&crl->tbs.validTime, val, valLen);
1167 case HITLS_X509_CRL_ADD_REVOKED_CERT:
1168 return HITLS_X509_CrlAddRevokedCert(crl, val);
1169 default:
1170 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1171 return HITLS_X509_ERR_INVALID_PARAM;
1172 }
1173 }
1174 #endif // HITLS_PKI_X509_CRL_GEN
1175
HITLS_X509_CrlCtrl(HITLS_X509_Crl * crl,int32_t cmd,void * val,uint32_t valLen)1176 int32_t HITLS_X509_CrlCtrl(HITLS_X509_Crl *crl, int32_t cmd, void *val, uint32_t valLen)
1177 {
1178 if (crl == NULL) {
1179 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1180 return HITLS_X509_ERR_INVALID_PARAM;
1181 }
1182 if (cmd == HITLS_X509_REF_UP) {
1183 return X509_CrlRefUp(crl, val, valLen);
1184 #ifdef HITLS_CRYPTO_SM2
1185 } else if (cmd == HITLS_X509_SET_VFY_SM2_USER_ID) {
1186 if (crl->signAlgId.algId != BSL_CID_SM2DSAWITHSM3) {
1187 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_VFY_SIGNALG_NOT_MATCH);
1188 return HITLS_X509_ERR_VFY_SIGNALG_NOT_MATCH;
1189 }
1190 return HITLS_X509_SetSm2UserId(&crl->signAlgId.sm2UserId, val, valLen);
1191 #endif
1192 } else if (cmd >= HITLS_X509_GET_ENCODELEN && cmd < HITLS_X509_SET_VERSION) {
1193 return X509_CrlGetCtrl(crl, cmd, val, valLen);
1194 } else if (cmd < HITLS_X509_EXT_SET_SKI) {
1195 #ifdef HITLS_PKI_X509_CRL_GEN
1196 return X509_CrlSetCtrl(crl, cmd, val, valLen);
1197 #else
1198 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_FUNC_UNSUPPORT);
1199 return HITLS_X509_ERR_FUNC_UNSUPPORT;
1200 #endif
1201 } else if (cmd <= HITLS_X509_EXT_CHECK_SKI) {
1202 static int32_t cmdSet[] = {HITLS_X509_EXT_SET_CRLNUMBER, HITLS_X509_EXT_SET_AKI, HITLS_X509_EXT_GET_CRLNUMBER,
1203 HITLS_X509_EXT_GET_AKI, HITLS_X509_EXT_GET_KUSAGE};
1204 if (!X509_CheckCmdValid(cmdSet, sizeof(cmdSet) / sizeof(int32_t), cmd)) {
1205 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_EXT_UNSUPPORT);
1206 return HITLS_X509_ERR_EXT_UNSUPPORT;
1207 }
1208 return X509_ExtCtrl(&crl->tbs.crlExt, cmd, val, valLen);
1209 } else {
1210 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1211 return HITLS_X509_ERR_INVALID_PARAM;
1212 }
1213 }
1214
HITLS_X509_CrlVerify(void * pubkey,const HITLS_X509_Crl * crl)1215 int32_t HITLS_X509_CrlVerify(void *pubkey, const HITLS_X509_Crl *crl)
1216 {
1217 if (pubkey == NULL || crl == NULL) {
1218 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1219 return HITLS_X509_ERR_INVALID_PARAM;
1220 }
1221 if ((crl->flag & HITLS_X509_CRL_GEN_FLAG) != 0 &&
1222 (crl->state != HITLS_X509_CRL_STATE_SIGN) && (crl->state != HITLS_X509_CRL_STATE_GEN)) {
1223 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CRL_NOT_SIGNED);
1224 return HITLS_X509_ERR_CRL_NOT_SIGNED;
1225 }
1226 int32_t ret = HITLS_X509_CheckAlg(pubkey, &(crl->signAlgId));
1227 if (ret != HITLS_PKI_SUCCESS) {
1228 return ret;
1229 }
1230
1231 ret = HITLS_X509_CheckSignature(pubkey, crl->tbs.tbsRawData, crl->tbs.tbsRawDataLen,
1232 &(crl->signAlgId), &crl->signature);
1233 if (ret != CRYPT_SUCCESS) {
1234 BSL_ERR_PUSH_ERROR(ret);
1235 }
1236 return ret;
1237 }
1238
HITLS_X509_CrlEntryNew(void)1239 HITLS_X509_CrlEntry *HITLS_X509_CrlEntryNew(void)
1240 {
1241 HITLS_X509_CrlEntry *entry = BSL_SAL_Malloc(sizeof(HITLS_X509_CrlEntry));
1242 if (entry == NULL) {
1243 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1244 return NULL;
1245 }
1246
1247 (void)memset_s(entry, sizeof(HITLS_X509_CrlEntry), 0, sizeof(HITLS_X509_CrlEntry));
1248
1249 entry->flag |= HITLS_X509_CRL_GEN_FLAG;
1250 return entry;
1251 }
1252
HITLS_X509_CrlEntryFree(HITLS_X509_CrlEntry * entry)1253 void HITLS_X509_CrlEntryFree(HITLS_X509_CrlEntry *entry)
1254 {
1255 if (entry == NULL) {
1256 return;
1257 }
1258 if ((entry->flag & HITLS_X509_CRL_GEN_FLAG) != 0) {
1259 BSL_SAL_Free(entry->serialNumber.buff);
1260 BSL_LIST_FREE(entry->extList, (BSL_LIST_PFUNC_FREE)HITLS_X509_ExtEntryFree);
1261 } else {
1262 BSL_LIST_FREE(entry->extList, NULL);
1263 }
1264 BSL_SAL_Free(entry);
1265 }
1266
X509_CrlGetRevokedRevokeTime(HITLS_X509_CrlEntry * entry,void * val,uint32_t valLen)1267 static int32_t X509_CrlGetRevokedRevokeTime(HITLS_X509_CrlEntry *entry, void *val, uint32_t valLen)
1268 {
1269 if (valLen != sizeof(BSL_TIME)) {
1270 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1271 return HITLS_X509_ERR_INVALID_PARAM;
1272 }
1273 *(BSL_TIME *)val = entry->time;
1274 return HITLS_PKI_SUCCESS;
1275 }
1276
1277 #ifdef HITLS_PKI_X509_CRL_GEN
X509_CrlSetRevokedExt(HITLS_X509_CrlEntry * entry,BslCid cid,BSL_Buffer * buff,uint32_t exceptLen,EncodeExtCb encodeExt)1278 static int32_t X509_CrlSetRevokedExt(HITLS_X509_CrlEntry *entry, BslCid cid, BSL_Buffer *buff, uint32_t exceptLen,
1279 EncodeExtCb encodeExt)
1280 {
1281 if (buff->dataLen != exceptLen) {
1282 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1283 return HITLS_X509_ERR_INVALID_PARAM;
1284 }
1285 if (entry->extList == NULL) {
1286 entry->extList = BSL_LIST_New(sizeof(HITLS_X509_ExtEntry));
1287 if (entry->extList == NULL) {
1288 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1289 return BSL_MALLOC_FAIL;
1290 }
1291 }
1292
1293 return HITLS_X509_SetExtList(NULL, entry->extList, cid, buff, encodeExt);
1294 }
1295
SetExtInvalidTime(void * param,HITLS_X509_ExtEntry * entry,const void * val)1296 static int32_t SetExtInvalidTime(void *param, HITLS_X509_ExtEntry *entry, const void *val)
1297 {
1298 (void)param;
1299 const HITLS_X509_RevokeExtTime *invalidTime = (const HITLS_X509_RevokeExtTime *)val;
1300 entry->critical = invalidTime->critical;
1301 BSL_ASN1_Buffer asns = {0};
1302 /**
1303 * CRL issuers conforming to this profile MUST encode thisUpdate as UTCTime for dates through the year 2049.
1304 * CRL issuers conforming to this profile MUST encode thisUpdate as GeneralizedTime for dates in the year
1305 * 2050 or later.
1306 */
1307 if (invalidTime->time.year >= 2050) {
1308 asns.tag = BSL_ASN1_TAG_GENERALIZEDTIME;
1309 } else {
1310 asns.tag = BSL_ASN1_TAG_UTCTIME;
1311 }
1312 asns.len = sizeof(BSL_TIME);
1313 asns.buff = (uint8_t *)(uintptr_t)&invalidTime->time;
1314 BSL_ASN1_TemplateItem templItem = {BSL_ASN1_TAG_CHOICE, 0, 0};
1315 BSL_ASN1_Template templ = {&templItem, 1};
1316 int32_t ret = BSL_ASN1_EncodeTemplate(&templ, &asns, 1, &entry->extnValue.buff, &entry->extnValue.len);
1317 if (ret != BSL_SUCCESS) {
1318 BSL_ERR_PUSH_ERROR(ret);
1319 }
1320 return ret;
1321 }
1322
SetExtReason(void * param,HITLS_X509_ExtEntry * extEntry,void * val)1323 static int32_t SetExtReason(void *param, HITLS_X509_ExtEntry *extEntry, void *val)
1324 {
1325 (void)param;
1326 HITLS_X509_RevokeExtReason *reason = (HITLS_X509_RevokeExtReason *)val;
1327 if (reason->reason < HITLS_X509_REVOKED_REASON_UNSPECIFIED ||
1328 reason->reason > HITLS_X509_REVOKED_REASON_AA_COMPROMISE) {
1329 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1330 return HITLS_X509_ERR_INVALID_PARAM;
1331 }
1332 extEntry->critical = reason->critical;
1333 uint8_t tmp = (uint8_t)reason->reason; // int32_t -> uint8_t: avoid value errors in bit-endian scenario
1334 BSL_ASN1_Buffer asns = {BSL_ASN1_TAG_ENUMERATED, sizeof(uint8_t), (uint8_t *)&tmp};
1335 BSL_ASN1_TemplateItem items = {BSL_ASN1_TAG_ENUMERATED, 0, 0};
1336 BSL_ASN1_Template reasonTempl = {&items, 1};
1337
1338 int32_t ret = BSL_ASN1_EncodeTemplate(&reasonTempl, &asns, 1, &extEntry->extnValue.buff, &extEntry->extnValue.len);
1339 if (ret != BSL_SUCCESS) {
1340 BSL_ERR_PUSH_ERROR(ret);
1341 }
1342 return ret;
1343 }
1344 #endif // HITLS_PKI_X509_CRL_GEN
1345
SetExtCertificateIssuer(void * param,HITLS_X509_ExtEntry * extEntry,void * val)1346 static int32_t SetExtCertificateIssuer(void *param, HITLS_X509_ExtEntry *extEntry, void *val)
1347 {
1348 (void)param;
1349 return HITLS_X509_SetGeneralNames(extEntry, val);
1350 }
1351
DecodeExtInvalidTime(HITLS_X509_ExtEntry * extEntry,void * val)1352 static int32_t DecodeExtInvalidTime(HITLS_X509_ExtEntry *extEntry, void *val)
1353 {
1354 uint8_t *temp = extEntry->extnValue.buff;
1355 uint32_t tempLen = extEntry->extnValue.len;
1356 BSL_ASN1_Buffer asn = {0};
1357 BSL_ASN1_TemplateItem item = {BSL_ASN1_TAG_CHOICE, 0, 0};
1358 BSL_ASN1_Template templ = {&item, 1};
1359 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, HITLS_X509_CrlEntryChoiceCheck,
1360 &temp, &tempLen, &asn, 1);
1361 if (ret != BSL_SUCCESS) {
1362 BSL_ERR_PUSH_ERROR(ret);
1363 return ret;
1364 }
1365 ret = BSL_ASN1_DecodePrimitiveItem(&asn, val);
1366 if (ret != BSL_SUCCESS) {
1367 BSL_ERR_PUSH_ERROR(ret);
1368 }
1369
1370 return ret;
1371 }
1372
DecodeExtReason(HITLS_X509_ExtEntry * extEntry,void * val)1373 static int32_t DecodeExtReason(HITLS_X509_ExtEntry *extEntry, void *val)
1374 {
1375 uint8_t *temp = extEntry->extnValue.buff;
1376 uint32_t tempLen = extEntry->extnValue.len;
1377 BSL_ASN1_Buffer asn = {0};
1378 BSL_ASN1_TemplateItem item = {BSL_ASN1_TAG_ENUMERATED, 0, 0};
1379 BSL_ASN1_Template templ = {&item, 1};
1380 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, HITLS_X509_CrlEntryChoiceCheck,
1381 &temp, &tempLen, &asn, 1);
1382 if (ret != BSL_SUCCESS) {
1383 BSL_ERR_PUSH_ERROR(ret);
1384 return ret;
1385 }
1386 ret = BSL_ASN1_DecodePrimitiveItem(&asn, val);
1387 if (ret != BSL_SUCCESS) {
1388 BSL_ERR_PUSH_ERROR(ret);
1389 }
1390
1391 return ret;
1392 }
1393
DecodeExtCertIssuer(HITLS_X509_ExtEntry * extEntry,BslList ** val)1394 static int32_t DecodeExtCertIssuer(HITLS_X509_ExtEntry *extEntry, BslList **val)
1395 {
1396 BslList *list = BSL_LIST_New(sizeof(HITLS_X509_GeneralName));
1397 if (list == NULL) {
1398 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_PARSE_AKI);
1399 return HITLS_X509_ERR_PARSE_AKI;
1400 }
1401 int32_t ret = HITLS_X509_ParseGeneralNames(extEntry->extnValue.buff, extEntry->extnValue.len, list);
1402 if (ret != HITLS_PKI_SUCCESS) {
1403 BSL_SAL_Free(list);
1404 BSL_ERR_PUSH_ERROR(ret);
1405 return ret;
1406 }
1407 *val = list;
1408 return HITLS_PKI_SUCCESS;
1409 }
1410
1411 #ifdef HITLS_PKI_X509_CRL_GEN
RevokedSet(HITLS_X509_CrlEntry * revoked,int32_t cmd,void * val,uint32_t valLen)1412 static int32_t RevokedSet(HITLS_X509_CrlEntry *revoked, int32_t cmd, void *val, uint32_t valLen)
1413 {
1414 if ((revoked->flag & HITLS_X509_CRL_PARSE_FLAG) != 0) {
1415 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_EXT_SET_AFTER_PARSE);
1416 return HITLS_X509_ERR_EXT_SET_AFTER_PARSE;
1417 }
1418 BSL_Buffer buff = {val, valLen};
1419 switch (cmd) {
1420 case HITLS_X509_CRL_SET_REVOKED_SERIALNUM:
1421 return HITLS_X509_SetSerial(&revoked->serialNumber, val, valLen);
1422 case HITLS_X509_CRL_SET_REVOKED_REVOKE_TIME:
1423 return CrlSetTime(&revoked->time, val, valLen);
1424 case HITLS_X509_CRL_SET_REVOKED_INVALID_TIME:
1425 return X509_CrlSetRevokedExt(revoked, BSL_CID_CE_INVALIDITYDATE, &buff, sizeof(HITLS_X509_RevokeExtTime),
1426 (EncodeExtCb)SetExtInvalidTime);
1427 case HITLS_X509_CRL_SET_REVOKED_REASON:
1428 return X509_CrlSetRevokedExt(revoked, BSL_CID_CE_CRLREASONS, &buff, sizeof(HITLS_X509_RevokeExtReason),
1429 (EncodeExtCb)SetExtReason);
1430 case HITLS_X509_CRL_SET_REVOKED_CERTISSUER:
1431 return X509_CrlSetRevokedExt(revoked, BSL_CID_CE_CERTIFICATEISSUER, &buff,
1432 sizeof(HITLS_X509_RevokeExtCertIssuer), (EncodeExtCb)SetExtCertificateIssuer);
1433 default:
1434 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1435 return HITLS_X509_ERR_INVALID_PARAM;
1436 }
1437 }
1438 #endif // HITLS_PKI_X509_CRL_GEN
1439
RevokedGet(HITLS_X509_CrlEntry * revoked,int32_t cmd,void * val,uint32_t valLen)1440 static int32_t RevokedGet(HITLS_X509_CrlEntry *revoked, int32_t cmd, void *val, uint32_t valLen)
1441 {
1442 BSL_Buffer buff = {val, valLen};
1443 switch (cmd) {
1444 case HITLS_X509_CRL_GET_REVOKED_REVOKE_TIME:
1445 return X509_CrlGetRevokedRevokeTime(revoked, val, valLen);
1446 case HITLS_X509_CRL_GET_REVOKED_SERIALNUM:
1447 return HITLS_X509_GetSerial(&revoked->serialNumber, val, valLen);
1448 case HITLS_X509_CRL_GET_REVOKED_INVALID_TIME:
1449 return HITLS_X509_GetExt(revoked->extList, BSL_CID_CE_INVALIDITYDATE, &buff, sizeof(BSL_TIME),
1450 (DecodeExtCb)DecodeExtInvalidTime);
1451 case HITLS_X509_CRL_GET_REVOKED_REASON:
1452 return HITLS_X509_GetExt(revoked->extList, BSL_CID_CE_CRLREASONS, &buff, sizeof(int32_t),
1453 (DecodeExtCb)DecodeExtReason);
1454 case HITLS_X509_CRL_GET_REVOKED_CERTISSUER:
1455 return HITLS_X509_GetExt(revoked->extList, BSL_CID_CE_CERTIFICATEISSUER, &buff, sizeof(BslList *),
1456 (DecodeExtCb)DecodeExtCertIssuer);
1457 default:
1458 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1459 return HITLS_X509_ERR_INVALID_PARAM;
1460 }
1461 }
1462
HITLS_X509_CrlEntryCtrl(HITLS_X509_CrlEntry * revoked,int32_t cmd,void * val,uint32_t valLen)1463 int32_t HITLS_X509_CrlEntryCtrl(HITLS_X509_CrlEntry *revoked, int32_t cmd, void *val, uint32_t valLen)
1464 {
1465 if (revoked == NULL || val == NULL) {
1466 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1467 return HITLS_X509_ERR_INVALID_PARAM;
1468 }
1469 #ifdef HITLS_PKI_X509_CRL_GEN
1470 if (cmd < HITLS_X509_CRL_GET_REVOKED_SERIALNUM) {
1471 return RevokedSet(revoked, cmd, val, valLen);
1472 }
1473 #endif
1474 return RevokedGet(revoked, cmd, val, valLen);
1475 }
1476
1477 #ifdef HITLS_PKI_X509_CRL_GEN
CrlSignCb(int32_t mdId,CRYPT_EAL_PkeyCtx * prvKey,HITLS_X509_Asn1AlgId * signAlgId,HITLS_X509_Crl * crl)1478 static int32_t CrlSignCb(int32_t mdId, CRYPT_EAL_PkeyCtx *prvKey, HITLS_X509_Asn1AlgId *signAlgId, HITLS_X509_Crl *crl)
1479 {
1480 BSL_Buffer signBuff = {0};
1481 BSL_ASN1_Buffer tbsCertList = {0};
1482
1483 crl->signAlgId = *signAlgId;
1484 crl->tbs.signAlgId = *signAlgId;
1485
1486 int32_t ret = HITLS_X509_EncodeCrlTbsRaw(&crl->tbs, &tbsCertList);
1487 if (ret != HITLS_PKI_SUCCESS) {
1488 return ret;
1489 }
1490 ret = HITLS_X509_SignAsn1Data(prvKey, mdId, &tbsCertList, &signBuff, &crl->signature);
1491 BSL_SAL_Free(tbsCertList.buff);
1492 if (ret != HITLS_PKI_SUCCESS) {
1493 return ret;
1494 }
1495 crl->tbs.tbsRawData = signBuff.data;
1496 crl->tbs.tbsRawDataLen = signBuff.dataLen;
1497 crl->state = HITLS_X509_CRL_STATE_SIGN;
1498 return HITLS_PKI_SUCCESS;
1499 }
1500
HITLS_X509_CrlSign(int32_t mdId,const CRYPT_EAL_PkeyCtx * prvKey,const HITLS_X509_SignAlgParam * algParam,HITLS_X509_Crl * crl)1501 int32_t HITLS_X509_CrlSign(int32_t mdId, const CRYPT_EAL_PkeyCtx *prvKey, const HITLS_X509_SignAlgParam *algParam,
1502 HITLS_X509_Crl *crl)
1503 {
1504 if (crl == NULL || prvKey == NULL) {
1505 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_INVALID_PARAM);
1506 return HITLS_X509_ERR_INVALID_PARAM;
1507 }
1508 if ((crl->flag & HITLS_X509_CRL_PARSE_FLAG) != 0) {
1509 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_SIGN_AFTER_PARSE);
1510 return HITLS_X509_ERR_SIGN_AFTER_PARSE;
1511 }
1512 if (crl->state == HITLS_X509_CRL_STATE_SIGN || crl->state == HITLS_X509_CRL_STATE_GEN) {
1513 return HITLS_PKI_SUCCESS;
1514 }
1515
1516 int32_t ret = X509_CheckCrlTbs(crl);
1517 if (ret != HITLS_PKI_SUCCESS) {
1518 return ret;
1519 }
1520
1521 BSL_SAL_FREE(crl->signature.buff);
1522 crl->signature.len = 0;
1523 BSL_SAL_FREE(crl->tbs.tbsRawData);
1524 crl->tbs.tbsRawDataLen = 0;
1525 BSL_SAL_FREE(crl->rawData);
1526 crl->rawDataLen = 0;
1527
1528 #ifdef HITLS_CRYPTO_SM2
1529 if (crl->signAlgId.algId == BSL_CID_SM2DSAWITHSM3) {
1530 BSL_SAL_FREE(crl->signAlgId.sm2UserId.data);
1531 crl->signAlgId.sm2UserId.dataLen = 0;
1532 }
1533 #endif
1534 return HITLS_X509_Sign(mdId, prvKey, algParam, crl, (HITLS_X509_SignCb)CrlSignCb);
1535 }
1536 #endif // HITLS_PKI_X509_CRL_GEN
1537 #endif // HITLS_PKI_X509_CRL
1538