diff options
author | Paul Yang <yang.yang@baishancloud.com> | 2019-06-05 14:46:48 +0800 |
---|---|---|
committer | Paul Yang <yang.yang@baishancloud.com> | 2019-06-28 18:58:19 +0800 |
commit | bc42bd6298702a1abf70aa6383d36886dd5af4b3 (patch) | |
tree | f75b4cdda42ccc9ebeb01cf9d1d4bc5c0c05764e /apps/req.c | |
parent | 53a11c6da09988efba93eccfdd10bf7edf1d53b2 (diff) |
Support SM2 certificate signing
SM2 certificate signing request can be created and signed by OpenSSL
now, both in library and apps.
Documentation and test cases are added.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9085)
Diffstat (limited to 'apps/req.c')
-rw-r--r-- | apps/req.c | 149 |
1 files changed, 143 insertions, 6 deletions
diff --git a/apps/req.c b/apps/req.c index 67dc0c8c41..ae420d30f5 100644 --- a/apps/req.c +++ b/apps/req.c @@ -90,7 +90,7 @@ typedef enum OPTION_choice { OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS, - OPT_REQEXTS, OPT_PRECERT, OPT_MD, + OPT_REQEXTS, OPT_PRECERT, OPT_MD, OPT_SM2ID, OPT_SM2HEXID, OPT_R_ENUM } OPTION_CHOICE; @@ -146,6 +146,12 @@ const OPTIONS req_options[] = { {"keygen_engine", OPT_KEYGEN_ENGINE, 's', "Specify engine to be used for key generation operations"}, #endif +#ifndef OPENSSL_NO_SM2 + {"sm2-id", OPT_SM2ID, 's', + "Specify an ID string to verify an SM2 certificate request"}, + {"sm2-hex-id", OPT_SM2HEXID, 's', + "Specify a hex ID string to verify an SM2 certificate request"}, +#endif {NULL} }; @@ -239,6 +245,9 @@ int req_main(int argc, char **argv) int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0; long newkey = -1; unsigned long chtype = MBSTRING_ASC, reqflag = 0; + unsigned char *sm2_id = NULL; + size_t sm2_idlen = 0; + int sm2_free = 0; #ifndef OPENSSL_NO_DES cipher = EVP_des_ede3_cbc(); @@ -414,6 +423,29 @@ int req_main(int argc, char **argv) goto opthelp; digest = md_alg; break; + case OPT_SM2ID: + if (sm2_id != NULL) { + BIO_printf(bio_err, + "Use one of the options 'sm2-hex-id' or 'sm2-id'\n"); + goto end; + } + sm2_id = (unsigned char *)opt_arg(); + sm2_idlen = strlen((const char *)sm2_id); + break; + case OPT_SM2HEXID: + if (sm2_id != NULL) { + BIO_printf(bio_err, + "Use one of the options 'sm2-hex-id' or 'sm2-id'\n"); + goto end; + } + /* try to parse the input as hex string first */ + sm2_free = 1; + sm2_id = OPENSSL_hexstr2buf(opt_arg(), (long *)&sm2_idlen); + if (sm2_id == NULL) { + BIO_printf(bio_err, "Invalid hex string input\n"); + goto end; + } + break; } } argc = opt_num_rest(); @@ -844,6 +876,26 @@ int req_main(int argc, char **argv) goto end; } + if (sm2_id != NULL) { +#ifndef OPENSSL_NO_SM2 + ASN1_OCTET_STRING *v; + + v = ASN1_OCTET_STRING_new(); + if (v == NULL) { + BIO_printf(bio_err, "error: SM2 ID allocation failed\n"); + goto end; + } + + if (!ASN1_OCTET_STRING_set(v, sm2_id, sm2_idlen)) { + BIO_printf(bio_err, "error: setting SM2 ID failed\n"); + ASN1_OCTET_STRING_free(v); + goto end; + } + + X509_REQ_set0_sm2_id(req, v); +#endif + } + i = X509_REQ_verify(req, tpubkey); if (i < 0) { @@ -942,6 +994,8 @@ int req_main(int argc, char **argv) } ret = 0; end: + if (sm2_free) + OPENSSL_free(sm2_id); if (ret) { ERR_print_errors(bio_err); } @@ -1596,14 +1650,58 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx) return 1; } +#ifndef OPENSSL_NO_SM2 +static int ec_pkey_is_sm2(EVP_PKEY *pkey) +{ + EC_KEY *eckey = NULL; + const EC_GROUP *group = NULL; + + if (EVP_PKEY_id(pkey) == EVP_PKEY_SM2) + return 1; + if (EVP_PKEY_id(pkey) == EVP_PKEY_EC + && (eckey = EVP_PKEY_get0_EC_KEY(pkey)) != NULL + && (group = EC_KEY_get0_group(eckey)) != NULL + && EC_GROUP_get_curve_name(group) == NID_sm2) + return 1; + return 0; +} +#endif + static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { EVP_PKEY_CTX *pkctx = NULL; - int i, def_nid; +#ifndef OPENSSL_NO_SM2 + EVP_PKEY_CTX *pctx = NULL; +#endif + int i, def_nid, ret = 0; if (ctx == NULL) - return 0; + goto err; +#ifndef OPENSSL_NO_SM2 + if (ec_pkey_is_sm2(pkey)) { + /* initialize some SM2-specific code */ + if (!EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)) { + BIO_printf(bio_err, "Internal error.\n"); + goto err; + } + pctx = EVP_PKEY_CTX_new(pkey, NULL); + if (pctx == NULL) { + BIO_printf(bio_err, "memory allocation failure.\n"); + goto err; + } + /* set SM2 ID from sig options before calling the real init routine */ + for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { + char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); + if (pkey_ctrl_string(pctx, sigopt) <= 0) { + BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt); + ERR_print_errors(bio_err); + goto err; + } + } + EVP_MD_CTX_set_pkey_ctx(ctx, pctx); + } +#endif /* * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is mandatory * for this algorithm. @@ -1614,16 +1712,23 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, md = NULL; } if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey)) - return 0; + goto err; for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); if (pkey_ctrl_string(pkctx, sigopt) <= 0) { BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt); ERR_print_errors(bio_err); - return 0; + goto err; } } - return 1; + + ret = 1; + err: +#ifndef OPENSSL_NO_SM2 + if (!ret) + EVP_PKEY_CTX_free(pctx); +#endif + return ret; } int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, @@ -1631,10 +1736,20 @@ int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, { int rv; EVP_MD_CTX *mctx = EVP_MD_CTX_new(); +#ifndef OPENSSL_NO_SM2 + EVP_PKEY_CTX *pctx = NULL; +#endif rv = do_sign_init(mctx, pkey, md, sigopts); if (rv > 0) rv = X509_sign_ctx(x, mctx); +#ifndef OPENSSL_NO_SM2 + /* only in SM2 case we need to free the pctx explicitly */ + if (ec_pkey_is_sm2(pkey)) { + pctx = EVP_MD_CTX_pkey_ctx(mctx); + EVP_PKEY_CTX_free(pctx); + } +#endif EVP_MD_CTX_free(mctx); return rv > 0 ? 1 : 0; } @@ -1644,9 +1759,20 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, { int rv; EVP_MD_CTX *mctx = EVP_MD_CTX_new(); +#ifndef OPENSSL_NO_SM2 + EVP_PKEY_CTX *pctx = NULL; +#endif + rv = do_sign_init(mctx, pkey, md, sigopts); if (rv > 0) rv = X509_REQ_sign_ctx(x, mctx); +#ifndef OPENSSL_NO_SM2 + /* only in SM2 case we need to free the pctx explicitly */ + if (ec_pkey_is_sm2(pkey)) { + pctx = EVP_MD_CTX_pkey_ctx(mctx); + EVP_PKEY_CTX_free(pctx); + } +#endif EVP_MD_CTX_free(mctx); return rv > 0 ? 1 : 0; } @@ -1656,9 +1782,20 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, { int rv; EVP_MD_CTX *mctx = EVP_MD_CTX_new(); +#ifndef OPENSSL_NO_SM2 + EVP_PKEY_CTX *pctx = NULL; +#endif + rv = do_sign_init(mctx, pkey, md, sigopts); if (rv > 0) rv = X509_CRL_sign_ctx(x, mctx); +#ifndef OPENSSL_NO_SM2 + /* only in SM2 case we need to free the pctx explicitly */ + if (ec_pkey_is_sm2(pkey)) { + pctx = EVP_MD_CTX_pkey_ctx(mctx); + EVP_PKEY_CTX_free(pctx); + } +#endif EVP_MD_CTX_free(mctx); return rv > 0 ? 1 : 0; } |