X509_verify_cert返回0(ZERO)

时间:2012-10-22 08:50:39

标签: openssl certificate verification x509 pkcs#7

我正在实现以下代码(请参阅注释)::

#include <stdio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>

#pragma comment(lib, "ssleay32.lib")
#pragma comment(lib, "libeay32.lib")

void verifyCertificate() ;
X509 *loadCert(char*) ;
void loadToStore(char*, X509_STORE*&) ;

void verifyCertificate()
{
    int i = 0 ;
    char argv[50] = "C:\\My\\CA.pem" ;  /* Details:: Issuer = Verisign Inc & Subject = Verisign Inc
    char argv1[50] = "C:\\My\\mid1.pem" ;   /* Details:: Issuer = Thawte & Subject = Verisign Inc
    char argv2[50] = "C:\\My\\mid2.pem" ;   /* Details:: Issuer = Verisign Inc & Subject = Verisign Inc
    char argv3[50] = "C:\\My\\Signer.pem" ; /* Details:: Issuer = Verisign Inc & Subject = SignerOrganisation

    X509 *cert = loadCert(argv3);
    X509_STORE *store = X509_STORE_new();

    loadToStore(argv, store);
    loadToStore(argv1, store);
    loadToStore(argv2, store);

    X509_STORE_CTX *ctx = X509_STORE_CTX_new();

    X509_STORE_CTX_init(ctx, store, cert, NULL);

    i = X509_verify_cert(ctx);
    printf("i = %d\n", i) ; // Returns i = 0
    if (i != 1)
      printf("%s", X509_verify_cert_error_string(ctx->error));
           // Returns "Certificate Signature Failure"

    X509_STORE_CTX_cleanup(ctx);
    X509_STORE_CTX_free(ctx);
    X509_STORE_free(store);
    ctx = NULL;
    store = NULL;
}

void loadToStore(char* file, X509_STORE *&store)
{
    X509 *cert = loadCert(file);
    if (cert != NULL)
        X509_STORE_add_cert(store, cert);
    else
        printf("Can not load certificate");
}

X509 *loadCert(char* file)
{
    FILE *fp = fopen(file, "rb");
    X509 *cert = PEM_read_X509(fp, NULL, NULL, NULL);
    fclose(fp);
    return cert;
}

int main(int argc, char** argv)
{
    verifyCertificate() ;
    return 0 ;
}

我已经提取了所有包含的证书,然后将它们加载到商店中。

问题:: X509_verify_cert返回零(0)。有什么建议吗?

1 个答案:

答案 0 :(得分:1)

X509_verify_cert仅对有效证书链返回成功,即每个下一个证书必须由前一个证书签名(必须自签名的第一个除外)。要确定您是否拥有有效链,应提供有关您的pems的完整信息。但考虑到你的意见,我发现CA.pem没有签署mid1.pem,因为CA.pem的主题(Verisign Inc)不等于mid1.pem的发行者(Thawte)