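Background
I have the following chain:
I am trying to verify the signature of the intermediate certificate using the public key of the issuer (root). I am using the following snippet to accomplish this: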
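    #include <openssl/evp.h>
    #include <openssl/x509.h>
    #include <string>

    // ERROR, SUCCESS, _log and load_cert() are defined elsewhere in the project.

    // Checks the signature on `cert` against the public key held in `issuer`.
    int verify_cert_sig(X509 *issuer, X509 *cert){
        EVP_PKEY *public_key = X509_get_pubkey(issuer);
        if(public_key == NULL){
            _log->error("unable to get public key");
            return ERROR;
        }
        // X509_verify() returns 1 when the signature is valid, 0 when it is
        // not, and a negative value when the check could not be performed.
        int result = X509_verify(cert, public_key);
        EVP_PKEY_free(public_key);
        if(result <= 0){
            return ERROR;
        }
        return SUCCESS;
    }

    // Loads both certificates from disk and verifies the intermediate's signature.
    int verify_sig(const std::string &issuer, const std::string &cert){
        X509 *issuer_x509 = load_cert("root.pem", X509_FILETYPE_PEM);
        if(issuer_x509 == NULL){
            _log->error("unable to load x509 cert: {}", issuer);
            return ERROR;
        }
        X509 *cert_x509 = load_cert("intermediate.pem", X509_FILETYPE_PEM);
        if(cert_x509 == NULL){
            _log->error("unable to load x509 cert: {}", cert);
            X509_free(issuer_x509); // release the issuer loaded above
            return ERROR;
        }
        auto rv = verify_cert_sig(issuer_x509, cert_x509);
        X509_free(issuer_x509);
        X509_free(cert_x509);
        if(rv <= 0){
            return ERROR;
        }
        return SUCCESS;
    }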
Problem
For reasons unknown to me, the previous snippet returns an error.
However, if I use the openssl CLI, I can verify the intermediate against the root:
    $:openssl verify -verbose -CAfile root.pem intermediate.pem
    subroot.pem: OK
Question