我已经听过关于此问题的许多其他问题的建议,并把一些东西放在一起,但我的代码不起作用。它在X509_verify_cert()失败,ERR_error_string(ERR_get_error(), NULL)导致:
error:0B07F069:x509 certificate routines:X509_verify_cert:no cert set for us to verify
这是我的代码:
int tallis_ssl_verify(tallis_t *tallis, X509 *cert, X509 *CA)
{
int rv;
X509_VERIFY_PARAM_set_hostflags(
tallis->param,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(tallis->param, tallis->host, 0);
SSL_CTX_set_verify(tallis->ssl_context, SSL_VERIFY_PEER, NULL);
SSL_set_verify(tallis->ssl_connection, SSL_VERIFY_PEER, NULL);
ERR_clear_error();
rv = SSL_get_verify_result(tallis->ssl_connection);
if (rv != X509_V_OK)
return 1;
ERR_clear_error();
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
X509_STORE *store = X509_STORE_new();
X509_STORE_CTX_init(ctx, store, cert, NULL);
X509_STORE_set_flags(store, X509_V_FLAG_CB_ISSUER_CHECK);
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
X509_STORE_load_locations(
store,
"/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem",
NULL);
X509_STORE_set_default_paths(store);
X509_LOOKUP_load_file(
lookup,
"/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem",
X509_FILETYPE_PEM);
X509_STORE_add_cert(store, cert);
if (!store)
{
X509_STORE_free(store);
return 1;
}
SSL_CTX_set_default_verify_paths(tallis->ssl_context);
ERR_clear_error();
rv = SSL_CTX_load_verify_locations(
tallis->ssl_context,
"/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem",
"/etc/ssl/certs");
if (!rv)
{
fprintf(stderr, ERR_error_string(ERR_get_error(), NULL));
return 1;
}
ERR_clear_error();
rv = X509_verify_cert(ctx);
if (rv != 1)
{
fprintf(
stderr,
"%s\n%s\n",
ERR_error_string(ERR_get_error(), NULL),
X509_verify_cert_error_string(ctx->error));
return 1;
}
return 0;
}