Commit 8267becb authored by 杨洋's avatar 杨洋 Committed by Paul Yang

Support SM2 certificate verification

parent 9e11fe0d
+40 −5
@@ -21,7 +21,8 @@
static int cb(int ok, X509_STORE_CTX *ctx);
static int check(X509_STORE *ctx, const char *file,
                 STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
                 STACK_OF(X509_CRL) *crls, int show_chain);
                 STACK_OF(X509_CRL) *crls, int show_chain,
                 unsigned char *sm2id, size_t sm2idlen);
static int v_verbose = 0, vflags = 0;

typedef enum OPTION_choice {
@@ -29,7 +30,7 @@ typedef enum OPTION_choice {
    OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE,
    OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN,
    OPT_V_ENUM, OPT_NAMEOPT,
    OPT_VERBOSE
    OPT_VERBOSE, OPT_SM2ID, OPT_SM2HEXID
} OPTION_CHOICE;

const OPTIONS verify_options[] = {
@@ -56,6 +57,12 @@ const OPTIONS verify_options[] = {
    OPT_V_OPTIONS,
#ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
#ifndef OPENSSL_NO_SM2
    {"sm2-id", OPT_SM2ID, 's',
     "Specify an ID string to verify an SM2 certificate"},
    {"sm2-hex-id", OPT_SM2HEXID, 's',
     "Specify a hex ID string to verify an SM2 certificate"},
#endif
    {NULL}
};
@@ -71,6 +78,8 @@ int verify_main(int argc, char **argv)
    int noCApath = 0, noCAfile = 0;
    int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
    OPTION_CHOICE o;
    unsigned char *sm2_id = NULL;
    size_t sm2_idlen = 0;

    if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
        goto end;
@@ -158,6 +167,19 @@ int verify_main(int argc, char **argv)
        case OPT_VERBOSE:
            v_verbose = 1;
            break;
        case OPT_SM2ID:
            /* we assume the input is not a hex string */
            sm2_id = (unsigned char *)opt_arg();
            sm2_idlen = strlen((const char *)sm2_id);
            break;
        case OPT_SM2HEXID:
            /* try to parse the input as hex string first */
            sm2_id = OPENSSL_hexstr2buf(opt_arg(), (long *)&sm2_idlen);
            if (sm2_id == NULL) {
                BIO_printf(bio_err, "Invalid hex string input\n");
                goto end;
            }
            break;
        }
    }
    argc = opt_num_rest();
@@ -183,12 +205,13 @@ int verify_main(int argc, char **argv)

    ret = 0;
    if (argc < 1) {
        if (check(store, NULL, untrusted, trusted, crls, show_chain) != 1)
        if (check(store, NULL, untrusted, trusted, crls, show_chain,
                  sm2_id, sm2_idlen) != 1)
            ret = -1;
    } else {
        for (i = 0; i < argc; i++)
            if (check(store, argv[i], untrusted, trusted, crls,
                      show_chain) != 1)
                      show_chain, sm2_id, sm2_idlen) != 1)
                ret = -1;
    }

@@ -204,7 +227,8 @@ int verify_main(int argc, char **argv)

static int check(X509_STORE *ctx, const char *file,
                 STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
                 STACK_OF(X509_CRL) *crls, int show_chain)
                 STACK_OF(X509_CRL) *crls, int show_chain,
                 unsigned char *sm2id, size_t sm2idlen)
{
    X509 *x = NULL;
    int i = 0, ret = 0;
@@ -216,6 +240,17 @@ static int check(X509_STORE *ctx, const char *file,
    if (x == NULL)
        goto end;

    if (sm2id != NULL) {
#ifndef OPENSSL_NO_SM2
        ASN1_OCTET_STRING v;

        v.data = sm2id;
        v.length = sm2idlen;

        X509_set_sm2_id(x, &v);
#endif
    }

    csc = X509_STORE_CTX_new();
    if (csc == NULL) {
        printf("error %s: X.509 store context allocation failed\n",
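Review bot: In the OPT_SM2HEXID case (hunk @@ -158,6 +167,19 @@), `OPENSSL_hexstr2buf(opt_arg(), (long *)&sm2_idlen)` writes a `long` through a `size_t *`, which is an aliasing violation and stores the wrong width wherever `long` is narrower than `size_t`; use a temporary instead: `long hexlen = 0;` / `sm2_id = OPENSSL_hexstr2buf(opt_arg(), &hexlen);` / `sm2_idlen = (size_t)hexlen;` (assigned after the NULL check). The buffer OPENSSL_hexstr2buf returns is heap-allocated but nothing in the visible code releases it, while the OPT_SM2ID path merely aliases `opt_arg()`, so releasing it at `end:` (outside the hunk) needs either an ownership flag or an unconditional OPENSSL_memdup of the plain-string ID so both paths can be freed the same way. In the check() hunk, `ASN1_OCTET_STRING v` has only `data` and `length` assigned and its remaining members are left uninitialized, so declare it as `ASN1_OCTET_STRING v = {0};`, and note that `v.length = sm2idlen;` narrows size_t to int with no range check.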
+1 −2
@@ -94,7 +94,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
    int mdnid, pknid;
    size_t inll = 0;

    if (!pkey) {
    if (pkey == NULL) {
        ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
        return -1;
    }
@@ -150,7 +150,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
            ret = 0;
            goto err;
        }

    }

    inl = ASN1_item_i2d(asn, &buf_in, it);
+2 −0
@@ -1834,8 +1834,10 @@ X509_F_X509_STORE_NEW:158:X509_STORE_new
X509_F_X509_TO_X509_REQ:126:X509_to_X509_REQ
X509_F_X509_TRUST_ADD:133:X509_TRUST_add
X509_F_X509_TRUST_SET:141:X509_TRUST_set
X509_F_X509_VERIFY:161:X509_verify
X509_F_X509_VERIFY_CERT:127:X509_verify_cert
X509_F_X509_VERIFY_PARAM_NEW:159:X509_VERIFY_PARAM_new
X509_F_X509_VERIFY_SM2:162:x509_verify_sm2

#Reason codes
ASN1_R_ADDING_OBJECT:171:adding object
+4 −1
@@ -183,6 +183,9 @@ struct x509_st {
    X509_CERT_AUX *aux;
    CRYPTO_RWLOCK *lock;
    volatile int ex_cached;
# ifndef OPENSSL_NO_SM2
    ASN1_OCTET_STRING sm2_id;
# endif
} /* X509 */ ;

/*
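Review bot: The new `sm2_id` member of struct x509_st carries no comment saying who owns `sm2_id.data`, so a reader cannot tell from this hunk whether X509_free must release it or whether it borrows the caller's buffer; the verify_main/check hunks earlier in this commit point it at a stack-local wrapper around command-line data, which only works if the setter copies or the borrowed buffer outlives the X509. Add a comment above the field such as `/* SM2 signer ID used for signature verification; ownership of .data: TODO-document (owned and released in X509_free vs. borrowed from the caller) */` and make X509_set_sm2_id's copy-or-borrow behaviour match what the comment states. The definition of struct x509_st starts outside the hunk.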
+10 −5
@@ -10,7 +10,7 @@
 */

/* Serialized OID's */
static const unsigned char so[7767] = {
static const unsigned char so[7775] = {
    0x2A,0x86,0x48,0x86,0xF7,0x0D,                 /* [    0] OBJ_rsadsi */
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,            /* [    6] OBJ_pkcs */
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,       /* [   13] OBJ_md2 */
@@ -1077,9 +1077,10 @@ static const unsigned char so[7767] = {
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0C,       /* [ 7745] OBJ_hmacWithSHA512_224 */
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D,       /* [ 7753] OBJ_hmacWithSHA512_256 */
    0x28,0xCC,0x45,0x03,0x04,                      /* [ 7761] OBJ_gmac */
    0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x75,       /* [ 7766] OBJ_SM2_with_SM3 */
};

#define NUM_NID 1204
#define NUM_NID 1205
static const ASN1_OBJECT nid_objs[NUM_NID] = {
    {"UNDEF", "undefined", NID_undef},
    {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2285,9 +2286,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
    {"BLAKE2BMAC", "blake2bmac", NID_blake2bmac},
    {"BLAKE2SMAC", "blake2smac", NID_blake2smac},
    {"SSHKDF", "sshkdf", NID_sshkdf},
    {"SM2-SM3", "SM2-with-SM3", NID_SM2_with_SM3, 8, &so[7766]},
};

#define NUM_SN 1195
#define NUM_SN 1196
static const unsigned int sn_objs[NUM_SN] = {
     364,    /* "AD_DVCS" */
     419,    /* "AES-128-CBC" */
@@ -2561,6 +2563,7 @@ static const unsigned int sn_objs[NUM_SN] = {
    1100,    /* "SHAKE128" */
    1101,    /* "SHAKE256" */
    1172,    /* "SM2" */
    1204,    /* "SM2-SM3" */
    1143,    /* "SM3" */
    1134,    /* "SM4-CBC" */
    1137,    /* "SM4-CFB" */
@@ -3486,7 +3489,7 @@ static const unsigned int sn_objs[NUM_SN] = {
    1093,    /* "x509ExtAdmission" */
};

#define NUM_LN 1195
#define NUM_LN 1196
static const unsigned int ln_objs[NUM_LN] = {
     363,    /* "AD Time Stamping" */
     405,    /* "ANSI X9.62" */
@@ -3642,6 +3645,7 @@ static const unsigned int ln_objs[NUM_LN] = {
    1119,    /* "RSA-SHA3-512" */
     188,    /* "S/MIME" */
     167,    /* "S/MIME Capabilities" */
    1204,    /* "SM2-with-SM3" */
    1006,    /* "SNILS" */
     387,    /* "SNMPv2" */
    1025,    /* "SSH Client" */
@@ -4685,7 +4689,7 @@ static const unsigned int ln_objs[NUM_LN] = {
     125,    /* "zlib compression" */
};

#define NUM_OBJ 1072
#define NUM_OBJ 1073
static const unsigned int obj_objs[NUM_OBJ] = {
       0,    /* OBJ_undef                        0 */
     181,    /* OBJ_iso                          1 */
@@ -5155,6 +5159,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
    1139,    /* OBJ_sm4_ctr                      1 2 156 10197 1 104 7 */
    1172,    /* OBJ_sm2                          1 2 156 10197 1 301 */
    1143,    /* OBJ_sm3                          1 2 156 10197 1 401 */
    1204,    /* OBJ_SM2_with_SM3                 1 2 156 10197 1 501 */
    1144,    /* OBJ_sm3WithRSAEncryption         1 2 156 10197 1 504 */
     776,    /* OBJ_seed_ecb                     1 2 410 200004 1 3 */
     777,    /* OBJ_seed_cbc                     1 2 410 200004 1 4 */