增加对证书和公钥算法检查

2020-02-26 15:03:28 +08:00
parent 781547b17c
commit bef2c2d58e
1 changed files with 149 additions and 2 deletions
--- a/src/x509.c
+++ b/src/x509.c
@@ -44,6 +44,7 @@ enum x509_input_file{
    INPUT_FILE_LIST,
    INPUT_FILE_CHECK,
    INPUT_FILE_HOST,
+    INPUT_FILE_ALGO,
    INPUT_FILE_CHAIN,
 };

@@ -70,7 +71,8 @@ static void help()
         "  -incrl      | input certificate revocation list\n"
         "  -inlist     | input certificate list file,format = pem\n"
         "  -incheck    | input certificate file and intpu key file\n"
-         "  -inhost     | input san file and intpu fqdn file\n");
+         "  -inhost     | input san file and intpu fqdn file\n"
+         "  -inalgo     | input certificate file and public key algorithm\n");
 }

 static X509* base_load_pkcs12(BIO *in, EVP_PKEY **pkey, X509 **x, STACK_OF(X509) **ca)
@@ -473,6 +475,108 @@ finish:
 	return csSubName;
 }

+#define R_RSA_ALGO_1024 1024
+#define R_RSA_ALGO_2048 2048
+#define R_RSA_ALGO_4096 4096
+
+typedef struct {
+    const char *name;           /* NIST Name of curve */
+    int nid;                    /* Curve NID */
+} x509_algo_name;
+
+static x509_algo_name algo_name[] = {
+    {"rsa1024", R_RSA_ALGO_1024},
+    {"rsa2048", R_RSA_ALGO_2048},
+    {"rsa4096", R_RSA_ALGO_4096},
+    {"secp256r1", NID_X9_62_prime256v1},
+    {"secp384r1",NID_secp384r1}
+};
+
+static size_t x509_algo_str2idx(const char *public_algo)
+{
+	size_t i = 0;
+
+	if(public_algo == NULL)
+	{
+		goto finish;
+	}
+
+	for (i = 0; i < sizeof(algo_name) / sizeof(x509_algo_name); i++)
+	{
+		if (0 == strcasecmp(public_algo, algo_name[i].name))
+		{
+			return algo_name[i].nid;
+		}
+	}
+finish:
+	return R_RSA_ALGO_2048;
+}
+
+int x509_check_pubKeytype(X509 *x509, const char *algo)
+{
+    int xret = 1, nid = 0;
+    EVP_PKEY *pkey = NULL;
+
+    pkey = X509_get_pubkey(x509);
+    if (pkey == NULL)
+    {
+        printf("Unable to load Public Key\n");
+    }
+    switch(pkey->type)
+    {
+        case EVP_PKEY_RSA:
+            xret = 1;
+            break;
+        case EVP_PKEY_EC:
+            nid = x509_algo_str2idx(algo);
+            switch(nid)
+            {
+                case R_RSA_ALGO_1024:
+                case R_RSA_ALGO_2048:
+                case R_RSA_ALGO_4096:
+                    xret = 0;
+                    break;
+                case NID_X9_62_prime256v1:
+                case NID_secp384r1:
+                    xret = 1;
+                    break;
+                default:
+                    xret = 0;
+                    break;
+            }
+            break;
+        default:
+            xret = 0;
+            break;
+    }
+    return xret;
+}
+
+void x509_get_pubKeytype(X509 *x509)
+{
+    EVP_PKEY *pkey = NULL;
+
+    pkey = X509_get_pubkey(x509);
+    if (pkey == NULL)
+    {
+        printf("Unable to load Public Key\n");
+    }
+    const char *type = OBJ_nid2ln(pkey->type);
+    printf("PKey Algorithm : %s\n", type);
+    if (pkey->type == EVP_PKEY_EC)
+    {
+        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+        int nid;
+        const char *cname, *asnl;
+        nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+        EC_KEY_free(ec);
+        cname = EC_curve_nid2nist(nid);
+        asnl = OBJ_nid2sn(nid);
+        printf("ASN1 OID       : %s\n", cname);
+        printf("NIST CURVE     : %s\n", asnl);
+    }
+}
+
 char* x509_get_ExtBasicConstraints(X509 *x509)
 {
    int crit = 0;
@@ -630,7 +734,7 @@ int x509_parse_cert(char *certfile, char *host)
    printf("Ca Fingerprint : %s\n", x509_get_fingerprint(x509));
    x509_get_ValidDate(x509);
 	printf("Ca valid date  : %s\n", (X509_check_valid_date(x509) == 0)?"valid":"expire");
-
+    x509_get_pubKeytype(x509);
 	/* self testing***/
 	if (host != NULL)
 	{
@@ -837,6 +941,14 @@ decoder_argv_parser(int argc, char **argv, char **infile, char **infile2)
            iformat = INPUT_FILE_HOST;
            break;
 		}
+        if (STRCMP(argv[i], "-inalgo") == 0){
+            if (--argc < 1)
+                goto help;
+            *infile = argv[i+1];
+            *infile2 = argv[i+2];
+            iformat = INPUT_FILE_ALGO;
+            break;
+        }
    }
    goto finish;
 help:
@@ -1045,6 +1157,38 @@ finish:
 	return 0;
 }

+int x509_check_algo(char *certfile, const char *algo)
+{
+    X509 *x509 = NULL;
+    int informat = 0, xret = NULL;
+    STACK_OF(X509) *stack_ca = NULL;
+
+    if (certfile == NULL || algo == NULL)
+    {
+            goto help;
+    }
+
+    x509 = cert_load_x509(certfile, &informat, &stack_ca);
+    if (!x509){
+        printf("unable to load certificate\n");
+        goto finish;
+    }
+    xret = x509_check_pubKeytype(x509, algo);
+    if(xret == 0)
+    {
+        printf("Matching failure\n");
+    }
+    else
+    {
+        printf("Successful matching\n");
+    }
+    goto finish;
+help:
+  help();
+finish:
+    return 0;
+}
+
 int x509_check_format(int argc, char **argv)
 {
    int iformat = -1;
@@ -1073,6 +1217,9 @@ int x509_check_format(int argc, char **argv)
 		case INPUT_FILE_HOST:
 			x509_check_host(infile, infile2);
 			break;
+        case INPUT_FILE_ALGO:
+            x509_check_algo(infile, infile2);
+            break;
        default:
            goto help;
    }