gfwleak/tango-certstore
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加对证书和公钥算法检查

Browse Source
This commit is contained in:
fengweihao
2020-02-26 15:03:28 +08:00
parent 781547b17c
commit bef2c2d58e
1 changed files with 149 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
src/x509.c
View File

@@ -44,6 +44,7 @@ enum x509_input_file{
INPUT_FILE_LIST, INPUT_FILE_LIST,
INPUT_FILE_CHECK, INPUT_FILE_CHECK,
INPUT_FILE_HOST, INPUT_FILE_HOST,
INPUT_FILE_ALGO,
INPUT_FILE_CHAIN, INPUT_FILE_CHAIN,
}; };
@@ -70,7 +71,8 @@ static void help()
" -incrl | input certificate revocation list\n" " -incrl | input certificate revocation list\n"
" -inlist | input certificate list file,format = pem\n" " -inlist | input certificate list file,format = pem\n"
" -incheck | input certificate file and intpu key file\n" " -incheck | input certificate file and intpu key file\n"
" -inhost | input san file and intpu fqdn file\n"); " -inhost | input san file and intpu fqdn file\n"
" -inalgo | input certificate file and public key algorithm\n");
} }
static X509* base_load_pkcs12(BIO *in, EVP_PKEY **pkey, X509 **x, STACK_OF(X509) **ca) static X509* base_load_pkcs12(BIO *in, EVP_PKEY **pkey, X509 **x, STACK_OF(X509) **ca)
@@ -473,6 +475,108 @@ finish:
return csSubName; return csSubName;
} }
#define R_RSA_ALGO_1024 1024
#define R_RSA_ALGO_2048 2048
#define R_RSA_ALGO_4096 4096
typedef struct {
const char *name; /* NIST Name of curve */
int nid; /* Curve NID */
} x509_algo_name;
static x509_algo_name algo_name[] = {
{"rsa1024", R_RSA_ALGO_1024},
{"rsa2048", R_RSA_ALGO_2048},
{"rsa4096", R_RSA_ALGO_4096},
{"secp256r1", NID_X9_62_prime256v1},
{"secp384r1",NID_secp384r1}
};
static size_t x509_algo_str2idx(const char *public_algo)
{
size_t i = 0;
if(public_algo == NULL)
{
goto finish;
}
for (i = 0; i < sizeof(algo_name) / sizeof(x509_algo_name); i++)
{
if (0 == strcasecmp(public_algo, algo_name[i].name))
{
return algo_name[i].nid;
}
}
finish:
return R_RSA_ALGO_2048;
}
int x509_check_pubKeytype(X509 *x509, const char *algo)
{
int xret = 1, nid = 0;
EVP_PKEY *pkey = NULL;
pkey = X509_get_pubkey(x509);
if (pkey == NULL)
{
printf("Unable to load Public Key\n");
}
switch(pkey->type)
{
case EVP_PKEY_RSA:
xret = 1;
break;
case EVP_PKEY_EC:
nid = x509_algo_str2idx(algo);
switch(nid)
{
case R_RSA_ALGO_1024:
case R_RSA_ALGO_2048:
case R_RSA_ALGO_4096:
xret = 0;
break;
case NID_X9_62_prime256v1:
case NID_secp384r1:
xret = 1;
break;
default:
xret = 0;
break;
}
break;
default:
xret = 0;
break;
}
return xret;
}
void x509_get_pubKeytype(X509 *x509)
{
EVP_PKEY *pkey = NULL;
pkey = X509_get_pubkey(x509);
if (pkey == NULL)
{
printf("Unable to load Public Key\n");
}
const char *type = OBJ_nid2ln(pkey->type);
printf("PKey Algorithm : %s\n", type);
if (pkey->type == EVP_PKEY_EC)
{
EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
int nid;
const char *cname, *asnl;
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
EC_KEY_free(ec);
cname = EC_curve_nid2nist(nid);
asnl = OBJ_nid2sn(nid);
printf("ASN1 OID : %s\n", cname);
printf("NIST CURVE : %s\n", asnl);
}
}
char* x509_get_ExtBasicConstraints(X509 *x509) char* x509_get_ExtBasicConstraints(X509 *x509)
{ {
int crit = 0; int crit = 0;
@@ -630,7 +734,7 @@ int x509_parse_cert(char *certfile, char *host)
printf("Ca Fingerprint : %s\n", x509_get_fingerprint(x509)); printf("Ca Fingerprint : %s\n", x509_get_fingerprint(x509));
x509_get_ValidDate(x509); x509_get_ValidDate(x509);
printf("Ca valid date : %s\n", (X509_check_valid_date(x509) == 0)?"valid":"expire"); printf("Ca valid date : %s\n", (X509_check_valid_date(x509) == 0)?"valid":"expire");
x509_get_pubKeytype(x509);
/* self testing***/ /* self testing***/
if (host != NULL) if (host != NULL)
{ {
@@ -837,6 +941,14 @@ decoder_argv_parser(int argc, char **argv, char **infile, char **infile2)
iformat = INPUT_FILE_HOST; iformat = INPUT_FILE_HOST;
break; break;
} }
if (STRCMP(argv[i], "-inalgo") == 0){
if (--argc < 1)
goto help;
*infile = argv[i+1];
*infile2 = argv[i+2];
iformat = INPUT_FILE_ALGO;
break;
}
} }
goto finish; goto finish;
help: help:
@@ -1045,6 +1157,38 @@ finish:
return 0; return 0;
} }
int x509_check_algo(char *certfile, const char *algo)
{
X509 *x509 = NULL;
int informat = 0, xret = NULL;
STACK_OF(X509) *stack_ca = NULL;
if (certfile == NULL || algo == NULL)
{
goto help;
}
x509 = cert_load_x509(certfile, &informat, &stack_ca);
if (!x509){
printf("unable to load certificate\n");
goto finish;
}
xret = x509_check_pubKeytype(x509, algo);
if(xret == 0)
{
printf("Matching failure\n");
}
else
{
printf("Successful matching\n");
}
goto finish;
help:
help();
finish:
return 0;
}
int x509_check_format(int argc, char **argv) int x509_check_format(int argc, char **argv)
{ {
int iformat = -1; int iformat = -1;
@@ -1073,6 +1217,9 @@ int x509_check_format(int argc, char **argv)
case INPUT_FILE_HOST: case INPUT_FILE_HOST:
x509_check_host(infile, infile2); x509_check_host(infile, infile2);
break; break;
case INPUT_FILE_ALGO:
x509_check_algo(infile, infile2);
break;
default: default:
goto help; goto help;
} }