您的位置: 首页  >  技术问答  >  使用OpenSSL API以编程方式验证证书链

使用OpenSSL API以编程方式验证证书链

分类: 技术问答 2022-09-26 23:55:05
问题描述:

这与其他问题非常相似,但我所查看的问题要么没有答案,要么没有提出相同的问题。我有一个自签名的CA证书和两个使用该CA证书签名的证书。我相当肯定的证书是正确的,因为“OpenSSL的核实”的工作原理:使用OpenSSL API以编程方式验证证书链

$ openssl verify -CAfile ca.pem server.pem 
server.pem: OK

(以上是从内存中,我没有让他们在我面前,所以它可能会稍微偏离)。

现在我想以编程方式验证证书。我有一个效用函数下面伪代码:

int verify_cert(X509 *cert, X509 *cacert) 
{ 
    int ret; 
    X509_STORE *store; 
    X509_STORE_CTX *ctx; 

    store = X509_STORE_new(); 
    X590_STORE_add_cert(store, cacert); 

    ctx = X509_STORE_CTX_new(); 
    X509_STORE_CTX_init(ctx, store, cert, NULL); 

    ret = X590_verify_cert(ctx); 

    /* check for errors and clean up */ 
}

我的问题是,上面的代码总是返回“未能找到颁发者证书”。我做错了什么?我相信我正在创建一个新的商店,添加cacert,创建一个新的上下文,并将一个指向包含CA的商店的指针添加到上下文中。我很明显做错了什么,但我不确定是什么。

任何想法?

更新:我知道我可以将这些证书保存到磁盘并使用类似X509_LOOKUP_file或类似的东西。我正在寻找一种不会不必要地接触磁盘的解决方案。

+0

我面临同样的问题 - 你有没有找到任何解决方案呢? – 2013-05-13 09:53:16

+0

@ koch.trier不,不幸的不是。现在我已经把它放在了后台,专注于其他事情。我仍然在这里寻找答案。 – clemej 2013-05-14 02:08:44

+0

可能重复的[x509证书验证在C](http://*.com/questions/2756553/x509-certificate-verification-in-c) – jww 2014-03-03 05:21:16

您可以使用正常的验证例程(请参阅How do you verify a public key was issued by your private CA?),例如OpenSSL中的-verify函数。您需要创建一个像X509_LOOKUP_file()一样的查找方法(X509_LOOKUP_METHOD),但它使用字符串而不是文件名。 X509_LOOKUP_buffer()的代码如下。

头文件by_buffer.h:

/* File: by_buffer.h */ 

#ifndef BY_BUFFER_H 
#define BY_BUFFER_H 

#include <openssl/x509.h> 

#ifdef __cplusplus 
extern "C" { 
#endif 
#define X509_L_BUF_LOAD 1 
#define X509_LOOKUP_load_buf(x,name,type) \ 
     X509_LOOKUP_ctrl((x),X509_L_BUF_LOAD,(name),(long)(type),NULL) 
X509_LOOKUP_METHOD *X509_LOOKUP_buffer(void); 

#ifdef __cplusplus 
} 
#endif 

#endif /* BY_BUFFER_H */

C程序by_buffer.c:

/* by_buffer.c - copied and modified from crypto/x509/by_file.c */ 
/* Copyright (C) - should be the same as for OpenSSL 
*/ 
#include "by_buffer.h" 

#include <stdio.h> 
#include <time.h> 
#include <errno.h> 

#include "../crypto/cryptlib.h" 
#include <openssl/lhash.h> 
#include <openssl/buffer.h> 
#include <openssl/pem.h> 
#include <openssl/err.h> 

static int by_buffer_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, 
    long argl, char **ret); 
X509_LOOKUP_METHOD x509_buffer_lookup= 
    { 
    "Load buffer into cache", 
    NULL,  /* new */ 
    NULL,  /* free */ 
    NULL,   /* init */ 
    NULL,  /* shutdown */ 
    by_buffer_ctrl, /* ctrl */ 
    NULL,  /* get_by_subject */ 
    NULL,  /* get_by_issuer_serial */ 
    NULL,  /* get_by_fingerprint */ 
    NULL,  /* get_by_alias */ 
    }; 

X509_LOOKUP_METHOD *X509_LOOKUP_buffer(void) 
    { 
    return(&x509_buffer_lookup); 
    } 

static int by_buffer_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, 
     char **ret) 
    { 
    int ok=0; 
    char *certBuf; 

    switch (cmd) 
     { 
    case X509_L_BUF_LOAD: 
     if (argl == X509_FILETYPE_DEFAULT) 
      { 
      X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS); 
      } 
     else 
      { 
      if(argl == X509_FILETYPE_PEM) 
       ok = (X509_load_cert_crl_buf(ctx,argp, 
        X509_FILETYPE_PEM) != 0); 
      else 
       ok = (X509_load_cert_buf(ctx,argp,(int)argl) != 0); 
      } 
     break; 
     } 
    return(ok); 
    } 

int X509_load_cert_buf(X509_LOOKUP *ctx, const char *certBuf, int type) 
    { 
    int ret=0; 
    BIO *in=NULL; 
    int i,count=0; 
    X509 *x=NULL; 

    if (certBuf == NULL) return(1); 
     in=BIO_new(BIO_s_mem()); 
     if(in==NULL) goto err; 

    if (type == X509_FILETYPE_PEM) 
     { 
     for (;;) 
      { 
      x=PEM_read_bio_X509_AUX(in,NULL,NULL,NULL); 
      if (x == NULL) 
       { 
       if ((ERR_GET_REASON(ERR_peek_last_error()) == 
        PEM_R_NO_START_LINE) && (count > 0)) 
        { 
        ERR_clear_error(); 
        break; 
        } 
       else 
        { 
        X509err(X509_F_X509_LOAD_CERT_FILE, 
         ERR_R_PEM_LIB); 
        goto err; 
        } 
       } 
      i=X509_STORE_add_cert(ctx->store_ctx,x); 
      if (!i) goto err; 
      count++; 
      X509_free(x); 
      x=NULL; 
      } 
     ret=count; 
     } 
    else if (type == X509_FILETYPE_ASN1) 
     { 
     x=d2i_X509_bio(in,NULL); 
     if (x == NULL) 
      { 
      X509err(X509_F_X509_LOAD_CERT_FILE,ERR_R_ASN1_LIB); 
      goto err; 
      } 
     i=X509_STORE_add_cert(ctx->store_ctx,x); 
     if (!i) goto err; 
     ret=i; 
     } 
    else 
     { 
     X509err(X509_F_X509_LOAD_CERT_FILE,X509_R_BAD_X509_FILETYPE); 
     goto err; 
     } 
err: 
    if (x != NULL) X509_free(x); 
    if (in != NULL) BIO_free(in); 
    return(ret); 
    } 

int X509_load_crl_buf(X509_LOOKUP *ctx, const char *certBuf, int type) 
    { 
    int ret=0; 
    BIO *in=NULL; 
    int i,count=0; 
    X509_CRL *x=NULL; 

    if (certBuf == NULL) return(1); 
    //in=BIO_new(BIO_s_file_internal()); 
     in=BIO_new(BIO_s_mem()); 

     if(in==NULL) goto err; 

    if (type == X509_FILETYPE_PEM) 
     { 
     for (;;) 
      { 
      x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); 
      if (x == NULL) 
       { 
       if ((ERR_GET_REASON(ERR_peek_last_error()) == 
        PEM_R_NO_START_LINE) && (count > 0)) 
        { 
        ERR_clear_error(); 
        break; 
        } 
       else 
        { 
        X509err(X509_F_X509_LOAD_CRL_FILE, 
         ERR_R_PEM_LIB); 
        goto err; 
        } 
       } 
      i=X509_STORE_add_crl(ctx->store_ctx,x); 
      if (!i) goto err; 
      count++; 
      X509_CRL_free(x); 
      x=NULL; 
      } 
     ret=count; 
     } 
    else if (type == X509_FILETYPE_ASN1) 
     { 
     x=d2i_X509_CRL_bio(in,NULL); 
     if (x == NULL) 
      { 
      X509err(X509_F_X509_LOAD_CRL_FILE,ERR_R_ASN1_LIB); 
      goto err; 
      } 
     i=X509_STORE_add_crl(ctx->store_ctx,x); 
     if (!i) goto err; 
     ret=i; 
     } 
    else 
     { 
     X509err(X509_F_X509_LOAD_CRL_FILE,X509_R_BAD_X509_FILETYPE); 
     goto err; 
     } 
err: 
    if (x != NULL) X509_CRL_free(x); 
    if (in != NULL) BIO_free(in); 
    return(ret); 
    } 

int X509_load_cert_crl_buf(X509_LOOKUP *ctx, const char *certBuf, int type) 
{ 
    STACK_OF(X509_INFO) *inf; 
    X509_INFO *itmp; 
    BIO *in; 
    int i, count = 0; 
    if(type != X509_FILETYPE_PEM) 
     return X509_load_cert_buf(ctx, certBuf, type); 
     in = BIO_new(BIO_s_mem()); 
    if(!in) { 
     X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_SYS_LIB); 
     return 0; 
    } 
     BIO_write(in, certBuf, strlen(certBuf)); 
    inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); 
    BIO_free(in); 
    if(!inf) { 
     X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB); 
     return 0; 
    } 
    for(i = 0; i < sk_X509_INFO_num(inf); i++) { 
     itmp = sk_X509_INFO_value(inf, i); 
     if(itmp->x509) { 
      X509_STORE_add_cert(ctx->store_ctx, itmp->x509); 
      count++; 
     } 
     if(itmp->crl) { 
      X509_STORE_add_crl(ctx->store_ctx, itmp->crl); 
      count++; 
     } 
    } 
    sk_X509_INFO_pop_free(inf, X509_INFO_free); 
    return count; 
}

在常规C++它调用上述例程:

#include "by_buffer.h" 
static int check(X509_STORE *ctx, const char *certBuf); 
static X509 *load_cert(const char *certBuf); 

int validateKey(const char *rsaKeyCA, const char *rsaCertificate) { 
    int ret=0; 
    X509_STORE *cert_ctx=NULL; 
    X509_LOOKUP *lookup=NULL; 

    cert_ctx=X509_STORE_new(); 
    if (cert_ctx == NULL) goto end; 

    OpenSSL_add_all_algorithms(); 

    lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_buffer()); 
    if (lookup == NULL) 
     goto end; 

    if(!X509_LOOKUP_load_buf(lookup,rsaKeyCA,X509_FILETYPE_PEM)) 
     goto end; 

    lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_hash_dir()); 
    if (lookup == NULL) 
     goto end; 

    X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); 

    ret = check(cert_ctx, rsaCertificate); 
end: 
    if (cert_ctx != NULL) X509_STORE_free(cert_ctx); 

    return ret; 
} 

static X509 *load_cert(const char *certBuf) 
{ 
    X509 *x=NULL; 
    BIO *cert; 

    if ((cert=BIO_new(BIO_s_mem())) == NULL) 
     goto end; 

    BIO_write(cert, certBuf, strlen(certBuf)); 

    x=PEM_read_bio_X509_AUX(cert,NULL, NULL, NULL); 
end: 
    if (cert != NULL) BIO_free(cert); 
    return(x); 
} 

static int check(X509_STORE *ctx, const char *certBuf) 
{ 
    X509 *x=NULL; 
    int i=0,ret=0; 
    X509_STORE_CTX *csc; 

    x = load_cert(certBuf); 
    if (x == NULL) 
     goto end; 

    csc = X509_STORE_CTX_new(); 
    if (csc == NULL) 
     goto end; 
    X509_STORE_set_flags(ctx, 0); 
    if(!X509_STORE_CTX_init(csc,ctx,x,0)) 
     goto end; 
    ////// See crypto/asn1/t_x509.c for ideas on how to access and print the values 
    //printf("X.509 name: %s\n", x->name); 
    i=X509_verify_cert(csc); 
    X509_STORE_CTX_free(csc); 

    ret=0; 
end: 
    ret = (i > 0); 
    if (x != NULL) 
     X509_free(x); 

    return(ret); 
}
+2

这是一个非常多的工作来定义一个全新的回调机制。但它似乎也是唯一的方法。广泛的示例代码的奖励积分。 – clemej 2013-06-10 22:33:26

+6

这段代码是“正确的”,但它都是完全没用的!此代码中的*调用是“X509_STORE_add_cert”,与OP最初使用的API调用完全相同。它已经被封装在'X509_load_cert_buf'函数中,然后通过'X509_LOOKUP_load_buf'以非常间接的方式调用它。这个代码在OP的原始代码中没有任何优势,它直接简单地称为“X509_STORE_add_cert”。 – 2014-11-04 15:10:19

+0

对不起,我提供了“无用的”代码!我想要做的就是复制openssl verify函数,这和我的代码一样。我没有试图优化它比OpenSSL的代码更好。 – 2014-12-29 20:52:07

请看一看SSL_CTX_load_verify_locations()功能:http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

SSL_CTX_load_verify_locations() specifies the locations for ctx, at which CA certificates for verification purposes are located. The certificates available via CAfile and CApath are trusted.

可以生成同时包含CA证书文件ca.pem server.pem:

#!/bin/sh 
rm CAfile.pem 
for i in ca.pem server.pem ; do 
    openssl x509 -in $i -text >> CAfile.pem 
done

然后设置CAfile变量指向到CAfile.pem文件。

希望它有帮助!

+1

我很困惑,为什么当我使用add_cert显式加载证书时,需要指定一个位置(文件或目录)? – clemej 2013-04-30 12:15:52

+0

我在OpenSSL中找不到任何X590_STORE_add_cert()函数,它来自哪里?通常,您希望使用SSL_CTX_load_verify_locations()函数和PEM文件的路径来验证证书链。 – Paul 2013-04-30 12:51:07

+0

http://www.umich.edu/~x509/ssleay/x509_store.html。但这是蹭。这些文件不在磁盘上。他们已经在x509结构中记忆。我不应该真的需要将它们写到磁盘上来验证它们。是吗? – clemej 2013-04-30 13:36:34

可能答案(没有要点添加评论,对不起):联机帮助页SSL_CTX_load_verify_locations(3)说,

When building its own certificate chain, an OpenSSL client/server will try to fill in 
missing certificates from CAfile/CApath, if the certificate chain was not explicitly 
specified (see SSL_CTX_add_extra_chain_cert(3), SSL_CTX_use_certificate(3).

(否则他们匹配的括号,不是我的。)

这似乎意味着,作为替代SSL_CTX_load_verify_locations(3),应该尽可能使用SSL_CTX_add_extra_chain_cert(3)SSL_CTX_use_certificate(3) - 这两者需要X509 * ARG。从而避免了Ed先生如上所述的解决方案的需要。

我认为,你可以使用“X509_STORE_set_verify_cb”添加一个回调,以确定实际的错误:

static int verify_cb(int ok, X509_STORE_CTX *ctx) 
{ 
    if (!ok) 
    { 
     /* check the error code and current cert*/ 
     X509 *currentCert = X509_STORE_CTX_get_current_cert(ctx); 
     int certError = X509_STORE_CTX_get_error(ctx); 
     int depth = X509_STORE_CTX_get_error_depth(ctx); 
     printCert(currentCert); 
     printf("Error depth %d, certError %d", depth, certError) 
    } 

    return(ok); 
} 

int verify_cert(X509 *cert, X509 *cacert) 
{ 
    int ret; 
    X509_STORE *store; 
    X509_STORE_CTX *ctx; 

    store = X509_STORE_new(); 
    X509_STORE_set_verify_cb(store, verify_cb); 
    X590_STORE_add_cert(store, cacert); 

    ctx = X509_STORE_CTX_new(); 
    X509_STORE_CTX_init(ctx, store, cert, NULL); 

    ret = X590_verify_cert(ctx); 

    /* check for errors and clean up */ 
}

除非我们知道错误代码是很难猜测的实际问题。代码看起来没问题。

我自己遇到了这个问题,并开始使用非常接近OP的代码。我的证书链包括3个证书: 证书1(root-ca)颁发者:root-ca主题:root-ca 证书2(签署ca)颁发者:root-ca主题:签署ca 证书3 :签署ca主题:设备

我想验证设备证书。我的ca.pem等价(包括OP)包含root-ca和signing-ca。

X509_verify_cert函数需要整个证书链一直到X509_store中的根(root-ca & signing-ca)。

下面是我的代码,适合我。检查返回值时省略了代码。

int getIssuerCert(X509_STORE *x509_store){ 
    STACK_OF(X509_INFO) *inf; 
    X509_INFO *itmp; 
    BIO *in; 
    int i, count = 0; 

    in = BIO_new(BIO_s_mem()); 
    BIO_write(in, issuerCertStr, strlen(issuerCertStr)); //string containing root-ca & signing-ca 
    inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); 
    if(in != NULL) BIO_free(in); 
    for(i = 0; i < sk_X509_INFO_num(inf); i++) { 
     itmp = sk_X509_INFO_value(inf, i); 
     if(itmp->x509) { 
      X509_STORE_add_cert(x509_store, itmp->x509); 
      count++; 
     } 
     if(itmp->crl) { 
      X509_STORE_add_crl(x509_store, itmp->crl); 
      count++; 
     } 
    } 
    sk_X509_INFO_pop_free(inf, X509_INFO_free); 
    return 0; 
} 


int verify_cert(){ 
    int ret = 0; 
    X509 *devCert = NULL; 
    X509_STORE *x509_store = NULL; 
    X509_STORE_CTX *x509_store_ctx = NULL; 

    OpenSSL_add_all_algorithms(); 
    devCert = getDeviceCert(); // Returns X509 pointer 

    x509_store = X509_STORE_new(); 
    X509_STORE_set_verify_cb(x509_store, verify_cb); 
    X509_STORE_set_flags(x509_store, 0); 

    x509_store_ctx = X509_STORE_CTX_new(); 

    X509_STORE_CTX_init(x509_store_ctx, x509_store, devCert, NULL) 

    X509_STORE_CTX_set_purpose(x509_store_ctx, X509_PURPOSE_ANY); 
    ret = X509_verify_cert(x509_store_ctx); 

    if(x509_store_ctx != NULL) X509_STORE_CTX_free(x509_store_ctx); 
    if(x509_store != NULL) X509_STORE_free(x509_store); 
    if(devCert != NULL) X509_free(devCert); 
    EVP_cleanup(); 
    return ret; 
}

我不需要创建任何查找方法。对我来说,关键在于循环访问内存中的字符串中的证书,因此我拥有了完成该链所需的所有证书。该字符串等同于我将输入openssl验证选项-CAfile的内容。

另外,确保您的X509指针在使用时不为空。

相关推荐