我正在实现以下代码(请参阅注释)::
#include <stdio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#pragma comment(lib, "ssleay32.lib")
#pragma comment(lib, "libeay32.lib")
void verifyCertificate() ;
X509 *loadCert(char*) ;
void loadToStore(char*, X509_STORE*&) ;
void verifyCertificate()
{
int i = 0 ;
char argv[50] = "C:\\My\\CA.pem" ; /* Details:: Issuer = Verisign Inc & Subject = Verisign Inc
char argv1[50] = "C:\\My\\mid1.pem" ; /* Details:: Issuer = Thawte & Subject = Verisign Inc
char argv2[50] = "C:\\My\\mid2.pem" ; /* Details:: Issuer = Verisign Inc & Subject = Verisign Inc
char argv3[50] = "C:\\My\\Signer.pem" ; /* Details:: Issuer = Verisign Inc & Subject = SignerOrganisation
X509 *cert = loadCert(argv3);
X509_STORE *store = X509_STORE_new();
loadToStore(argv, store);
loadToStore(argv1, store);
loadToStore(argv2, store);
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(ctx, store, cert, NULL);
i = X509_verify_cert(ctx);
printf("i = %d\n", i) ; // Returns i = 0
if (i != 1)
printf("%s", X509_verify_cert_error_string(ctx->error));
// Returns "Certificate Signature Failure"
X509_STORE_CTX_cleanup(ctx);
X509_STORE_CTX_free(ctx);
X509_STORE_free(store);
ctx = NULL;
store = NULL;
}
void loadToStore(char* file, X509_STORE *&store)
{
X509 *cert = loadCert(file);
if (cert != NULL)
X509_STORE_add_cert(store, cert);
else
printf("Can not load certificate");
}
X509 *loadCert(char* file)
{
FILE *fp = fopen(file, "rb");
X509 *cert = PEM_read_X509(fp, NULL, NULL, NULL);
fclose(fp);
return cert;
}
int main(int argc, char** argv)
{
verifyCertificate() ;
return 0 ;
}
我已经提取了所有包含的证书,然后将它们加载到商店中。
问题:: X509_verify_cert返回零(0)。有什么建议吗?
答案 0 :(得分:1)
X509_verify_cert仅对有效证书链返回成功,即每个下一个证书必须由前一个证书签名(必须自签名的第一个除外)。要确定您是否拥有有效链,应提供有关您的pems的完整信息。但考虑到你的意见,我发现CA.pem没有签署mid1.pem,因为CA.pem的主题(Verisign Inc)不等于mid1.pem的发行者(Thawte)