支持显示证书的公钥算法

支持签名算法和公钥匹配检查
2020-02-27 15:12:58 +08:00
parent bef2c2d58e
commit 1aa39ca8d5
1 changed files with 59 additions and 6 deletions
--- a/src/x509.c
+++ b/src/x509.c
@@ -478,6 +478,7 @@ finish:
 #define R_RSA_ALGO_1024 1024
 #define R_RSA_ALGO_2048 2048
 #define R_RSA_ALGO_4096 4096
+#define R_DH_ALGO_1024 1

 typedef struct {
    const char *name;           /* NIST Name of curve */
@@ -501,6 +502,11 @@ static size_t x509_algo_str2idx(const char *public_algo)
 		goto finish;
 	}

+    if (0 == strcasecmp(public_algo, "dh1024"))
+	{
+		return R_DH_ALGO_1024;
+	}
+
 	for (i = 0; i < sizeof(algo_name) / sizeof(x509_algo_name); i++)
 	{
 		if (0 == strcasecmp(public_algo, algo_name[i].name))
@@ -528,16 +534,25 @@ int x509_check_pubKeytype(X509 *x509, const char *algo)
            xret = 1;
            break;
        case EVP_PKEY_EC:
+            nid = x509_algo_str2idx(algo);
+            switch(nid)
+            {
+                case NID_X9_62_prime256v1:
+                case NID_secp384r1:
+                    xret = 1;
+                    break;
+                default:
+                    xret = 0;
+                    break;
+            }
+            break;
+        case EVP_PKEY_DH:
            nid = x509_algo_str2idx(algo);
            switch(nid)
            {
                case R_RSA_ALGO_1024:
                case R_RSA_ALGO_2048:
                case R_RSA_ALGO_4096:
-                    xret = 0;
-                    break;
-                case NID_X9_62_prime256v1:
-                case NID_secp384r1:
                    xret = 1;
                    break;
                default:
@@ -1157,6 +1172,44 @@ finish:
 	return 0;
 }

+int x509_check_pubKeytype2(X509 *x509, const char *algo)
+{
+    const char *signature = NULL;
+    int sig_nid = 0, nid = 0, xret = 0;
+
+    sig_nid = OBJ_obj2nid(x509->sig_alg->algorithm);
+    if (sig_nid == NID_undef)
+    {
+        printf("get signature algorithm failed\n");
+    }
+    signature = OBJ_nid2ln(sig_nid);
+    if (signature == NULL)
+    {
+        goto error;
+    }
+    printf("Signature Algorithm  : %s\n", signature);
+    if (strcasestr(signature, "ecdsa"))
+    {
+        nid = x509_algo_str2idx(algo);
+        switch(nid)
+        {
+            case NID_X9_62_prime256v1:
+            case NID_secp384r1:
+                xret = 1;
+                break;
+            default:
+                xret = 0;
+                break;
+        }
+    }
+    if (strcasestr(signature, "RSAEncryption"))
+    {
+        xret = 1;
+    }
+error:
+   return xret;
+}
+
 int x509_check_algo(char *certfile, const char *algo)
 {
    X509 *x509 = NULL;
@@ -1165,7 +1218,7 @@ int x509_check_algo(char *certfile, const char *algo)

    if (certfile == NULL || algo == NULL)
    {
-            goto help;
+        goto help;
    }

    x509 = cert_load_x509(certfile, &informat, &stack_ca);
@@ -1173,7 +1226,7 @@ int x509_check_algo(char *certfile, const char *algo)
        printf("unable to load certificate\n");
        goto finish;
    }
-    xret = x509_check_pubKeytype(x509, algo);
+    xret = x509_check_pubKeytype2(x509, algo);
    if(xret == 0)
    {
        printf("Matching failure\n");