大于2层中间证书增加层级判断

大于2层中间证书增加密钥标识符判断
2020-12-04 09:50:04 +08:00
parent 1aa39ca8d5
commit 2d35bd4164
1 changed files with 55 additions and 4 deletions
--- a/src/x509.c
+++ b/src/x509.c
@@ -712,6 +712,44 @@ int X509_check_valid_date(X509 *x509)
    return 0;
 }

+int x509_check_level(STACK_OF(X509) *stack_ca, X509 *x509_node)
+{
+#define MAX_LEVEL 8
+    int i=0, j=0;
+    X509 *x509[MAX_LEVEL];
+    X509 *x509_issue=NULL, *x509_sub=NULL;
+
+    for (i = 0; i < sk_X509_num(stack_ca); i++,j++)
+    {
+        x509[j] = sk_X509_value(stack_ca, i);
+    }
+
+    for(i=0; i<j; i++)
+    {
+        if(i==0)
+        {
+            x509_sub=x509_node;
+        }
+        else
+        {
+            x509_sub=x509[i-1];
+        }
+        x509_issue=x509[i];
+        if(X509_NAME_cmp(X509_get_issuer_name(x509_sub), X509_get_subject_name(x509_issue)) != 0)
+        {
+            return -1;
+        }
+
+        x509_sub->akid = X509_get_ext_d2i(x509_sub, NID_authority_key_identifier, NULL, NULL);
+        x509_issue->skid = X509_get_ext_d2i(x509_issue, NID_subject_key_identifier, NULL, NULL);
+        if (x509_sub->akid != NULL && x509_issue->skid != NULL && X509_check_akid(x509_issue, x509_sub->akid) != X509_V_OK)
+        {
+            return -2;
+        }
+    }
+    return 0;
+}
+
 int x509_parse_cert(char *certfile, char *host)
 {
    int xret = -1;
@@ -727,14 +765,27 @@ int x509_parse_cert(char *certfile, char *host)
    printf("Successful certificate conversion\n");
    printf("Ca Format      : %s\n", val_to_str(informat, format_vals));
    printf("Ca Constraints : %s\n", (x509_get_ExtBasicConstraints(x509) != NULL)?x509_get_ExtBasicConstraints(x509): "NULL");
-    if (informat == LOCAL_USER_P12 || informat == LOCAL_USER_PEN){
+    if (informat == LOCAL_USER_P12 || informat == LOCAL_USER_PEN)
+    {
        if (stack_ca){
-           printf("Chain Length   : %d\n", sk_X509_num(stack_ca) + 1);
-
+            printf("Chain Length   : %d\n", sk_X509_num(stack_ca) + 1);
+            /*certificate level check**/
+            xret = x509_check_level(stack_ca, x509);
+            switch(xret)
+            {
+                case -1:
+                    printf("x509 chain level is error\n");
+                    break;
+                case -2:
+                    printf("x509 key identifier error\n");
+                    break;
+                default:
+                    break;
+            }
        }else{
           printf("Chain Length   : %d\n", 1);
        }
-    }	
+    }
    printf("Ca Version     : %s\n", (x509_get_version(x509) != NULL)?x509_get_version(x509) : "NULL");
    printf("Ca Serial      : %s\n", (x509_get_sn(x509) != NULL)?x509_get_sn(x509) : "NULL");
    printf("Ca Issuer      : ");