From 2d35bd4164fd28e34de23bdde479d94083346e14 Mon Sep 17 00:00:00 2001
From: fengweihao
Date: Fri, 4 Dec 2020 09:50:04 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A4=A7=E4=BA=8E2=E5=B1=82=E4=B8=AD=E9=97=B4?= =?UTF-8?q?=E8=AF=81=E4=B9=A6=E5=A2=9E=E5=8A=A0=E5=B1=82=E7=BA=A7=E5=88=A4?= =?UTF-8?q?=E6=96=AD=20=E5=A4=A7=E4=BA=8E2=E5=B1=82=E4=B8=AD=E9=97=B4?= =?UTF-8?q?=E8=AF=81=E4=B9=A6=E5=A2=9E=E5=8A=A0=E5=AF=86=E9=92=A5=E6=A0=87?= =?UTF-8?q?=E8=AF=86=E7=AC=A6=E5=88=A4=E6=96=AD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/x509.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 55 insertions(+), 4 deletions(-)

diff --git a/src/x509.c b/src/x509.c
index 008c56c..0763f68 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -712,6 +712,44 @@ int X509_check_valid_date(X509 *x509)
 return 0;
 }
 
+int x509_check_level(STACK_OF(X509) *stack_ca, X509 *x509_node)
+{
+#define MAX_LEVEL 8
+ int i=0, j=0;
+ X509 *x509[MAX_LEVEL];
+ X509 *x509_issue=NULL, *x509_sub=NULL;
+
+ for (i = 0; i < sk_X509_num(stack_ca); i++,j++)
+ {
+ x509[j] = sk_X509_value(stack_ca, i);
+ }
+
+ for(i=0; iakid = X509_get_ext_d2i(x509_sub, NID_authority_key_identifier, NULL, NULL);
+ x509_issue->skid = X509_get_ext_d2i(x509_issue, NID_subject_key_identifier, NULL, NULL);
+ if (x509_sub->akid != NULL && x509_issue->skid != NULL && X509_check_akid(x509_issue, x509_sub->akid) != X509_V_OK)
+ {
+ return -2;
+ }
+ }
+ return 0;
+}
+
 int x509_parse_cert(char *certfile, char *host)
 {
 int xret = -1;
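Review bot: The copy loop in x509_check_level is bounded by `sk_X509_num(stack_ca)` but writes into `X509 *x509[MAX_LEVEL]`, so a chain with more than 8 CA certificates overruns the stack array before any level check runs; reject over-long chains first, e.g. `if (sk_X509_num(stack_ca) > MAX_LEVEL) return -1;` ahead of the loop (the middle of this hunk is garbled in this copy, so the bounds of the second loop could not be checked). The AKID/SKID lookups assign `X509_get_ext_d2i` results straight into `x509_sub->akid` and `x509_issue->skid`; if those are the library's cached extension fields, the previous values leak and the struct is written through what newer OpenSSL treats as an opaque type — holding the decoded `AUTHORITY_KEYID *` in a local and releasing it with `AUTHORITY_KEYID_free` after `X509_check_akid` would avoid both. `#define MAX_LEVEL 8` inside the function body stays defined for the rest of the translation unit; an `enum { MAX_LEVEL = 8 };` at file scope or an `#undef` at the end of the function would be the usual form.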
@@ -727,14 +765,27 @@ int x509_parse_cert(char *certfile, char *host)
 printf("Successful certificate conversion\n");
 printf("Ca Format : %s\n", val_to_str(informat, format_vals));
 printf("Ca Constraints : %s\n", (x509_get_ExtBasicConstraints(x509) != NULL)?x509_get_ExtBasicConstraints(x509): "NULL");
- if (informat == LOCAL_USER_P12 || informat == LOCAL_USER_PEN){
+ if (informat == LOCAL_USER_P12 || informat == LOCAL_USER_PEN)
+ {
 if (stack_ca){
- printf("Chain Length : %d\n", sk_X509_num(stack_ca) + 1);
-
+ printf("Chain Length : %d\n", sk_X509_num(stack_ca) + 1);
+ /*certificate level check**/
+ xret = x509_check_level(stack_ca, x509);
+ switch(xret)
+ {
+ case -1:
+ printf("x509 chain level is error\n");
+ break;
+ case -2:
+ printf("x509 key identifier error\n");
+ break;
+ default:
+ break;
+ }
 }else{
 printf("Chain Length : %d\n", 1);
 }
- }
+ }
 printf("Ca Version : %s\n", (x509_get_version(x509) != NULL)?x509_get_version(x509) : "NULL");
 printf("Ca Serial : %s\n", (x509_get_sn(x509) != NULL)?x509_get_sn(x509) : "NULL");
 printf("Ca Issuer : ");
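Review bot: The switch on `xret` only prints a message for -1/-2 and then falls through to the remaining `printf` lines, so a chain that failed the level or key-identifier check is still reported like a valid one. Because `xret` is also the function's status variable (`int xret = -1;` in the first hunk's context), the assignment here changes what x509_parse_cert presumably returns: a failing check stores -1/-2 and a passing one stores 0 before the later checks have run. Using a dedicated local, `int lret = x509_check_level(stack_ca, x509);`, and leaving the function (or recording a failure flag) when it is nonzero would keep the chain verdict and the status code separate. The comment `/*certificate level check**/` has a stray asterisk; `/* certificate level check */` reads cleaner. x509_parse_cert continues past this hunk.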