tasign 0.2.0

TA ELF signing utilities with CMS/PKCS#7 support
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

//! GmSSL 可执行路径解析;SM2 签名/验签由 **mbedtls-smx** 实现(与 `gmssl sm2sign` / `sm2verify`、默认 ID `1234567812345678` 一致:`pk_md_sm2` + 签名)。
//!
//! [`resolve_gmssl_path`] 解析顺序:
//! 1. 调用方显式传入的路径(例如 CLI `--gmssl`);
//! 2. 环境变量 `GMSSL`(非空则作为可执行路径);
//! 3. `PATH` 中第一个名为 `gmssl` 且可执行的文件;
//! 4. 当前目录下的 [`DEFAULT_GMSSL`],若不存在则沿父目录查找 `GmSSL/build/bin/gmssl`,
//!    仍不存在则返回 [`DEFAULT_GMSSL`] 字面路径(由调用方处理「不存在」)。

use std::fs;
use std::path::{Path, PathBuf};
use std::sync::Arc;

use crate::crypto::hash::MdType;
use crate::crypto::key::{pk_from_cert_der, sm2_pk_from_pkcs8_pem_with_pass};
use crate::crypto::pk::ECDSA_MAX_LEN;
use crate::crypto::rng::{CtrDrbg, OsEntropy};

use crate::error::Error;

pub const DEFAULT_GMSSL: &str = "./GmSSL/build/bin/gmssl";
pub const DEFAULT_SM2_ID: &str = "1234567812345678";

/// 在 `PATH` 目录中查找名为 `program` 的可执行文件(Unix 检查可执行位;Windows 尝试 `.exe`)。
pub fn find_gmssl_in_path(program: &str) -> Option<PathBuf> {
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        std::env::var_os("PATH").and_then(|paths| {
            std::env::split_paths(&paths).find_map(|dir| {
                let full = dir.join(program);
                if full.is_file() {
                    if let Ok(m) = fs::metadata(&full) {
                        if m.permissions().mode() & 0o111 != 0 {
                            return Some(full);
                        }
                    }
                }
                None
            })
        })
    }
    #[cfg(windows)]
    {
        std::env::var_os("PATH").and_then(|paths| {
            std::env::split_paths(&paths).find_map(|dir| {
                let with_exe = dir.join(format!("{program}.exe"));
                if with_exe.is_file() {
                    return Some(with_exe);
                }
                let full = dir.join(program);
                if full.is_file() {
                    return Some(full);
                }
                None
            })
        })
    }
    #[cfg(not(any(unix, windows)))]
    {
        let _ = program;
        None
    }
}

/// 按模块文档顺序解析 GmSSL 可执行路径。
pub fn resolve_gmssl_path(cli_override: Option<&Path>) -> PathBuf {
    if let Some(explicit) = cli_override {
        return explicit.to_path_buf();
    }
    if let Ok(s) = std::env::var("GMSSL") {
        let t = s.trim();
        if !t.is_empty() {
            return PathBuf::from(t);
        }
    }
    if let Some(p) = find_gmssl_in_path("gmssl") {
        return p;
    }
    let candidate = PathBuf::from(DEFAULT_GMSSL);
    if candidate.exists() {
        return candidate;
    }
    let mut cwd = std::env::current_dir().unwrap_or_else(|_| PathBuf::from("."));
    loop {
        let c = cwd.join("GmSSL/build/bin/gmssl");
        if c.exists() {
            return c;
        }
        if !cwd.pop() {
            break;
        }
    }
    PathBuf::from(DEFAULT_GMSSL)
}

/// 对 `input` 文件内容做 SM2 签名(SM3 预处理 `pk_md_sm2`,默认用户 ID 与 GmSSL 一致)。
/// `gmssl` 参数保留以兼容旧调用,已忽略。
pub fn sm2_sign(
    _gmssl: &str,
    key_pem: &Path,
    pass: &str,
    input: &Path,
    out_sig_der: &Path,
) -> Result<(), Error> {
    let pem = fs::read_to_string(key_pem)?;
    let mut pk = sm2_pk_from_pkcs8_pem_with_pass(&pem, pass)?;
    let data = fs::read(input)?;
    let entropy = Arc::new(OsEntropy::new());
    let mut rng = CtrDrbg::new(entropy, None)?;
    let mut sig = vec![0u8; ECDSA_MAX_LEN];
    let n = pk.sm2_sign(MdType::SM3, &data, &mut sig, &mut rng)?;
    sig.truncate(n);
    fs::write(out_sig_der, &sig)?;
    Ok(())
}

/// 使用证书公钥验证 SM2 签名(与 `gmssl sm2verify -cert … -id …` 一致)。
/// `gmssl` 参数保留以兼容旧调用,已忽略。
pub fn sm2_verify(
    _gmssl: &str,
    cert_pem: &Path,
    input: &Path,
    sig_der: &Path,
) -> Result<(), Error> {
    let pem = fs::read_to_string(cert_pem)?;
    let der = cert_der_from_pem(&pem)?;
    let mut pk = pk_from_cert_der(&der).map_err(|e| Error::Sm2(e.to_string()))?;
    let data = fs::read(input)?;
    let sig = fs::read(sig_der)?;
    pk.sm2_verify(MdType::SM3, &data, &sig)?;
    Ok(())
}

fn cert_der_from_pem(pem: &str) -> Result<Vec<u8>, Error> {
    use base64::Engine;
    let b64: String = pem
        .lines()
        .filter(|l| !l.starts_with("-----"))
        .collect();
    base64::engine::general_purpose::STANDARD
        .decode(b64)
        .map_err(|e| Error::Sm2(e.to_string()))
}