在证书验证期间出现错误0x0B07F069和“我们无需验证证书”

时间:2016-09-19 19:19:46

标签: c ssl openssl x509 tls1.2

我已经听过关于此问题的许多其他问题的建议,并把一些东西放在一起,但我的代码不起作用。它在X509_verify_cert()失败,ERR_error_string(ERR_get_error(), NULL)导致:

error:0B07F069:x509 certificate routines:X509_verify_cert:no cert set for us to verify

这是我的代码:

int tallis_ssl_verify(tallis_t *tallis, X509 *cert, X509 *CA)
{
    int rv;

    X509_VERIFY_PARAM_set_hostflags(
            tallis->param,
            X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

    X509_VERIFY_PARAM_set1_host(tallis->param, tallis->host, 0);
    SSL_CTX_set_verify(tallis->ssl_context, SSL_VERIFY_PEER, NULL);
    SSL_set_verify(tallis->ssl_connection, SSL_VERIFY_PEER, NULL);

    ERR_clear_error();
    rv = SSL_get_verify_result(tallis->ssl_connection);

    if (rv != X509_V_OK)
        return 1;

    ERR_clear_error();
    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
    X509_STORE *store = X509_STORE_new();
    X509_STORE_CTX_init(ctx, store, cert, NULL);
    X509_STORE_set_flags(store, X509_V_FLAG_CB_ISSUER_CHECK);
    X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());

    X509_STORE_load_locations(
            store,
            "/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem",
            NULL);

    X509_STORE_set_default_paths(store);

    X509_LOOKUP_load_file(
            lookup,
            "/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem",
            X509_FILETYPE_PEM);

    X509_STORE_add_cert(store, cert);

    if (!store)
    {
        X509_STORE_free(store);
        return 1;
    }

    SSL_CTX_set_default_verify_paths(tallis->ssl_context);

    ERR_clear_error();
    rv = SSL_CTX_load_verify_locations(
            tallis->ssl_context,
            "/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem",
            "/etc/ssl/certs");

    if (!rv)
    {
        fprintf(stderr, ERR_error_string(ERR_get_error(), NULL));
        return 1;
    }

    ERR_clear_error();
    rv = X509_verify_cert(ctx);

    if (rv != 1)
    {
        fprintf(
                stderr,
                "%s\n%s\n",
                ERR_error_string(ERR_get_error(), NULL),
                X509_verify_cert_error_string(ctx->error));

        return 1;
    }

    return 0;
}

0 个答案:

没有答案