[openssl] master update

yang.yang at baishancloud.com yang.yang at baishancloud.com
Fri Mar 29 23:35:22 UTC 2019


The branch master has been updated
       via  875c9a9a342383b3c3fd74a5c872bbf3fe9cdbd3 (commit)
       via  7eba43e837eb3669d6b32d4ba27c3e93db29b8c3 (commit)
       via  317ba78fe16380dbcd16f846794e58f498e975a4 (commit)
      from  3a8269b3194f7528e3657cef70fe2db1ed38b755 (commit)


- Log -----------------------------------------------------------------
commit 875c9a9a342383b3c3fd74a5c872bbf3fe9cdbd3
Author: Paul Yang <yang.yang at baishancloud.com>
Date:   Wed Mar 13 18:04:05 2019 +0800

    Fix a memleak in apps/verify
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/8465)

commit 7eba43e837eb3669d6b32d4ba27c3e93db29b8c3
Author: Paul Yang <yang.yang at baishancloud.com>
Date:   Wed Mar 13 17:22:31 2019 +0800

    Add documents for SM2 cert verification
    
    This follows #8321 which added the SM2 certificate verification feature.
    This commit adds the related docs - the newly added 2 APIs and options
    in apps/verify.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/8465)

commit 317ba78fe16380dbcd16f846794e58f498e975a4
Author: Paul Yang <yang.yang at baishancloud.com>
Date:   Wed Mar 13 16:54:11 2019 +0800

    Add test cases for SM2 cert verification
    
    This follows #8321 which added the SM2 certificate verification feature.
    This commit adds some test cases for #8321.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/8465)

-----------------------------------------------------------------------

Summary of changes:
 apps/verify.c                   |  4 ++++
 doc/man1/verify.pod             | 16 ++++++++++++++-
 doc/man3/X509_get0_sm2_id.pod   | 43 +++++++++++++++++++++++++++++++++++++++++
 test/certs/sm2-ca-cert.pem      | 14 ++++++++++++++
 test/certs/{sm2.crt => sm2.pem} |  0
 test/recipes/20-test_pkeyutl.t  |  6 +++---
 test/recipes/25-test_verify.t   | 14 +++++++++++++-
 7 files changed, 92 insertions(+), 5 deletions(-)
 create mode 100644 doc/man3/X509_get0_sm2_id.pod
 create mode 100644 test/certs/sm2-ca-cert.pem
 rename test/certs/{sm2.crt => sm2.pem} (100%)

diff --git a/apps/verify.c b/apps/verify.c
index fcd10dd..67d3276 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -80,6 +80,7 @@ int verify_main(int argc, char **argv)
     OPTION_CHOICE o;
     unsigned char *sm2_id = NULL;
     size_t sm2_idlen = 0;
+    int sm2_free = 0;
 
     if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
         goto end;
@@ -174,6 +175,7 @@ int verify_main(int argc, char **argv)
             break;
         case OPT_SM2HEXID:
             /* try to parse the input as hex string first */
+            sm2_free = 1;
             sm2_id = OPENSSL_hexstr2buf(opt_arg(), (long *)&sm2_idlen);
             if (sm2_id == NULL) {
                 BIO_printf(bio_err, "Invalid hex string input\n");
@@ -216,6 +218,8 @@ int verify_main(int argc, char **argv)
     }
 
  end:
+    if (sm2_free)
+        OPENSSL_free(sm2_id);
     X509_VERIFY_PARAM_free(vpm);
     X509_STORE_free(store);
     sk_X509_pop_free(untrusted, X509_free);
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod
index 6465fd8..10fd848 100644
--- a/doc/man1/verify.pod
+++ b/doc/man1/verify.pod
@@ -50,6 +50,8 @@ B<openssl> B<verify>
 [B<-verify_name name>]
 [B<-x509_strict>]
 [B<-show_chain>]
+[B<-sm2-id string>]
+[B<-sm2-hex-id hex-string>]
 [B<->]
 [certificates]
 
@@ -316,6 +318,16 @@ Display information about the certificate chain that has been built (if
 successful). Certificates in the chain that came from the untrusted list will be
 flagged as "untrusted".
 
+=item B<-sm2-id>
+
+Specify the ID string to use when verifying an SM2 certificate. The ID string is
+required by the SM2 signature algorithm for signing and verification.
+
+=item B<-sm2-hex-id>
+
+Specify a binary ID string to use when signing or verifying using an SM2
+certificate. The argument for this option is string of hexadecimal digits.
+
 =item B<->
 
 Indicates the last option. All arguments following this are assumed to be
@@ -767,9 +779,11 @@ The B<-show_chain> option was added in OpenSSL 1.1.0.
 The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
 is silently ignored.
 
+The B<-sm2-id> and B<-sm2-hex-id> options were added in OpenSSL 3.0.0.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/X509_get0_sm2_id.pod b/doc/man3/X509_get0_sm2_id.pod
new file mode 100644
index 0000000..84da71e
--- /dev/null
+++ b/doc/man3/X509_get0_sm2_id.pod
@@ -0,0 +1,43 @@
+=pod
+
+=head1 NAME
+
+X509_get0_sm2_id, X509_set_sm2_id - get or set SM2 ID for certificate operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
+ void X509_set_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
+
+=head1 DESCRIPTION
+
+X509_get0_sm2_id() gets the ID value of an SM2 certificate B<x> by returning an
+B<ASN1_OCTET_STRING> object which should not be freed by the caller.
+X509_set_sm2_id() sets the B<sm2_id> value to an SM2 certificate B<x>.
+
+=head1 NOTES
+
+SM2 signature algorithm requires an ID value when generating and verifying a
+signature. The functions described in this manual provide the user with the
+ability to set and retrieve the SM2 ID value.
+
+=head1 RETURN VALUES
+
+X509_set_sm2_id() does not return a value.
+
+=head1 SEE ALSO
+
+L<X509_verify(3)>, L<SM2(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/test/certs/sm2-ca-cert.pem b/test/certs/sm2-ca-cert.pem
new file mode 100644
index 0000000..5677ac6
--- /dev/null
+++ b/test/certs/sm2-ca-cert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJDCCAcqgAwIBAgIJAOlkpDpSrmVbMAoGCCqBHM9VAYN1MGgxCzAJBgNVBAYT
+AkNOMQswCQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRl
+c3QgT3JnMRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTAe
+Fw0xOTAyMTkwNzA1NDhaFw0yMzAzMzAwNzA1NDhaMGgxCzAJBgNVBAYTAkNOMQsw
+CQYDVQQIDAJMTjERMA8GA1UEBwwIU2hlbnlhbmcxETAPBgNVBAoMCFRlc3QgT3Jn
+MRAwDgYDVQQLDAdUZXN0IE9VMRQwEgYDVQQDDAtUZXN0IFNNMiBDQTBZMBMGByqG
+SM49AgEGCCqBHM9VAYItA0IABHRYnqErofBdXPptvvO7+BSVJxcpHuTGnZ+UPrbU
+5kVEUMaUnNOeMJZl/vRGimZCm/AkReJmRfnb15ESHR+ssp6jXTBbMB0GA1UdDgQW
+BBTFjcWu/zJgSZ5SKUlU5Vx4/0W5dDAfBgNVHSMEGDAWgBTFjcWu/zJgSZ5SKUlU
+5Vx4/0W5dDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzPVQGDdQNI
+ADBFAiEAs6byi1nSQtFELOw/2tQIv5AEsZFR5MJ/oB2ztXzs2LYCIEfIw4xlUH6X
+YFhs4RnIa0K9Ng1ebsGPrifYkudwBIk3
+-----END CERTIFICATE-----
diff --git a/test/certs/sm2.crt b/test/certs/sm2.pem
similarity index 100%
rename from test/certs/sm2.crt
rename to test/certs/sm2.pem
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 21f4e62..5dbed98 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -25,14 +25,14 @@ SKIP: {
 
     # SM2
     ok(run(app(([ 'openssl', 'pkeyutl', '-sign',
-                      '-in', srctop_file('test', 'certs', 'sm2.crt'),
+                      '-in', srctop_file('test', 'certs', 'sm2.pem'),
                       '-inkey', srctop_file('test', 'certs', 'sm2.key'),
                       '-out', 'signature.dat', '-rawin',
                       '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid']))),
                       "Sign a piece of data using SM2");
     ok(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin',
-                      '-in', srctop_file('test', 'certs', 'sm2.crt'),
-                      '-inkey', srctop_file('test', 'certs', 'sm2.crt'),
+                      '-in', srctop_file('test', 'certs', 'sm2.pem'),
+                      '-inkey', srctop_file('test', 'certs', 'sm2.pem'),
                       '-sigfile', 'signature.dat', '-rawin',
                       '-digest', 'sm3', '-pkeyopt', 'sm2_id:someid']))),
                       "Verify an SM2 signature against a piece of data");
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index 9ddf2c9..e493947 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
     run(app([@args]));
 }
 
-plan tests => 135;
+plan tests => 137;
 
 # Canonical success
 ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -373,3 +373,15 @@ SKIP: {
        "ED25519 signature");
 
 }
+
+SKIP: {
+    skip "SM2 is not supported by this OpenSSL build", 1
+	      if disabled("sm2");
+
+   # Test '-sm2-id' and '-sm2-hex-id'  option
+   ok(verify("sm2", "any", ["sm2-ca-cert"], [], "-sm2-id", "1234567812345678"),
+       "SM2 ID test");
+   ok(verify("sm2", "any", ["sm2-ca-cert"], [], "-sm2-hex-id",
+             "31323334353637383132333435363738"),
+       "SM2 hex ID test");
+}


More information about the openssl-commits mailing list