我如何知道在SSL上下文中加载的CA主题名称列表

时间:2016-07-14 08:04:36

标签: ssl openssl

我想从加载的SSL_CTX()中取回ca证书名称列表 openSSL是否提供了返回名称的API?

1 个答案:

答案 0 :(得分:1)

  

我想从加载的SSL_CTX()中取回ca证书名称列表是否有openSSL提供的API来取回名称?

有点儿。证书具有发行人和主题。当你说" CA Name"你问的是发行人。它通常在SSL*;而不是CTX*

您可以执行以下操作。您必须弄清楚如何获得要打印的证书。下面介绍如何使用对等证书进行操作。

/* Drops out of a handshake */
SSL* ssl = ...;

/* Get the certificate from the session object */
X509* cert = SSL_get_peer_certificate(ssl);

/* Get the issuer name */
X509_NAME* iname = cert ? X509_get_issuer_name(cert) : NULL;

/* Get the subject name */
X509_NAME* sname = cert ? X509_get_subject_name(cert) : NULL;

if (iname)
    print_cn_name("Issuer name", iname);

if (sname)
    print_cn_name("Subject name", sname);

X509_free(cert);

然后:

/* This prints the Common Name (CN), which is the "friendly" */
/*   name displayed to users in many tools                   */
void print_cn_name(const char* label, X509_NAME* const name)
{
    int idx = -1, success = 0;
    unsigned char *utf8 = NULL;

    do
    {
        if(!name) break; /* failed */

        idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
        if(!(idx > -1))  break; /* failed */

        X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, idx);
        if(!entry) break; /* failed */

        ASN1_STRING* data = X509_NAME_ENTRY_get_data(entry);
        if(!data) break; /* failed */

        int length = ASN1_STRING_to_UTF8(&utf8, data);
        if(!utf8 || !(length > 0))  break; /* failed */

        fprintf(stdout, "%s: %s\n", label, utf8);
        success = 1;

    } while (0);

    if(utf8)
        OPENSSL_free(utf8);

    if(!success)
        fprintf(stdout, "  %s: <not available>\n", label);
}

IF 您想要服务器证书的主管备用名称(SAN),那么您可能会执行以下操作:

void print_san_name(const char* label, X509* const cert)
{
    int success = 0;
    GENERAL_NAMES* names = NULL;
    unsigned char* utf8 = NULL;

    do
    {
        if(!cert) break; /* failed */

        names = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0 );
        if(!names) break;

        int i = 0, count = sk_GENERAL_NAME_num(names);
        if(!count) break; /* failed */

        for( i = 0; i < count; ++i )
        {
            GENERAL_NAME* entry = sk_GENERAL_NAME_value(names, i);
            if(!entry) continue;

            if(GEN_DNS == entry->type)
            {
                int len1 = 0, len2 = -1;

                len1 = ASN1_STRING_to_UTF8(&utf8, entry->d.dNSName);
                if(utf8) {
                    len2 = (int)strlen((const char*)utf8);
                }

                if(len1 != len2) {
                    fprintf(stderr, "  Strlen and ASN1_STRING size do not match (embedded null?): %d vs %d\n", len2, len1);
                }

                /* If there's a problem with string lengths, then     */
                /* we skip the candidate and move on to the next.     */
                /* Another policy would be to fails since it probably */
                /* indicates the client is under attack.              */
                if(utf8 && len1 && len2 && (len1 == len2)) {
                    fprintf(stdout, "  %s: %s\n", label, utf8);
                    success = 1;
                }

                if(utf8) {
                    OPENSSL_free(utf8), utf8 = NULL;
                }
            }
            else
            {
                fprintf(stderr, "  Unknown GENERAL_NAME type: %d\n", entry->type);
            }
        }

    } while (0);

    if(names)
        GENERAL_NAMES_free(names);

    if(utf8)
        OPENSSL_free(utf8);

    if(!success)
        fprintf(stdout, "  %s: <not available>\n", label);    
}

以上内容取自OpenSSL在其维基上的TLS client示例。它还向您展示了如何在验证回调中打印链。