分类: 云计算

2016-10-16 21:24:30

原文地址:OPENSSL X509证书验证 作者:ckelsel

步骤:
1)初始化环境
a.新建证书存储区X509_STORE_new()
b.新建证书校验上下文X509_STORE_CTX_new()

2)导入根证书
a.读取CA证书文件(DER编码),用d2i_X509()解析为X509结构
b.将CA证书导入证书存储区X509_STORE_add_cert()

3)导入要校验的证书test
a.读取待校验证书test(DER编码),用d2i_X509()解析为X509结构
b.在证书校验上下文初始化证书test,X509_STORE_CTX_init()
c.调用X509_verify_cert()校验。注意:它只校验到根证书的签名链、有效期和基本约束,不校验主机名/用途,也不查询CRL或OCSP吊销状态,需要这些检查时必须另行实现


  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  #include <openssl/err.h>
  #include <openssl/evp.h>
  #include <openssl/x509.h>

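  #define CERT_PATH "/home/ckelsel/work/rc4/cert"
  #define ROOT_CERT "ca.cer"
  #define WIN71H "win71h.cer"
  #define WIN71Y "win71y.cer"

  /* Capacity of every path buffer and DER buffer in this program.
   * The original (misspelled) name is kept so existing users still compile. */
  #define MAX_LEGTH 4096

  /* Path builders. Both write into a caller buffer that must be MAX_LEGTH
   * bytes (every caller in this file declares `char cert[MAX_LEGTH]`).
   * snprintf bounds the write and always NUL-terminates, unlike the sprintf
   * they replace; the expression evaluates to the length the full path
   * needs, so a caller can detect truncation with `>= MAX_LEGTH`. */
  #define GET_DEFAULT_CA_CERT(str) \
      snprintf((str), MAX_LEGTH, "%s/%s", CERT_PATH, ROOT_CERT)
  #define GET_CUSTOM_CERT(str, path, name) \
      snprintf((str), MAX_LEGTH, "%s/%s", (path), (name))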


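  /*
   * Read a whole file (expected to be a DER certificate) into a caller buffer.
   *
   * str         - destination buffer of cert_len bytes
   * str_len     - receives the number of bytes stored in str
   * verify_cert - path of the file to read
   * cert_len    - capacity of str
   *
   * Returns 0 on success, -1 if the file cannot be opened, a read error
   * occurs, or the file does not fit in cert_len bytes. The original
   * silently truncated oversized files and ignored read errors, handing a
   * cut-off blob (with *str_len set to the partial count) to the DER
   * parser; both cases are rejected here so that on success *str_len
   * always describes the complete file.
   */
  int my_load_cert(unsigned char *str, unsigned long *str_len,
                const char *verify_cert, const unsigned int cert_len)
  {
      FILE *fp;
      size_t n;

      fp = fopen(verify_cert, "rb");
      if (NULL == fp)
      {
          fprintf(stderr, "fopen fail\n");
          return -1;
      }

      n = fread(str, 1, cert_len, fp);
      if (ferror(fp))
      {
          fprintf(stderr, "fread fail\n");
          fclose(fp);
          return -1;
      }
      /* Buffer filled and more bytes pending: the file is larger than cert_len. */
      if (n == cert_len && fgetc(fp) != EOF)
      {
          fprintf(stderr, "file too large\n");
          fclose(fp);
          return -1;
      }
      fclose(fp);

      *str_len = n;
      return 0;
  }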

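  /*
   * Parse a DER-encoded certificate into an X509 object.
   *
   * der_str     - DER bytes
   * der_str_len - number of bytes in der_str
   *
   * Returns a new X509 that the caller must release with X509_free(), or
   * NULL if the bytes are not exactly one complete certificate. d2i_X509()
   * stops after the first ASN.1 SEQUENCE, so the original accepted any
   * buffer whose prefix was a valid certificate; a blob with bytes left
   * over is rejected here instead of being silently accepted.
   */
  X509 *der_to_x509(const unsigned char *der_str, unsigned int der_str_len)
  {
      const unsigned char *p = der_str;   /* d2i_X509 advances this past the parsed object */
      X509 *x509;

      if (der_str == NULL || der_str_len == 0)
      {
          fprintf(stderr, "d2i_X509 fail\n");
          return NULL;
      }

      x509 = d2i_X509(NULL, &p, (long)der_str_len);
      if (NULL == x509)
      {
          fprintf(stderr, "d2i_X509 fail\n");
          ERR_print_errors_fp(stderr);    /* the reason is in the OpenSSL error queue */
          return NULL;
      }

      if (p != der_str + der_str_len)
      {
          fprintf(stderr, "trailing data after certificate\n");
          X509_free(x509);
          return NULL;
      }
      return x509;
  }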
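  /*
   * Verify the certificate CERT_PATH/WIN71H against the single root
   * CERT_PATH/ROOT_CERT.
   *
   * Builds a fresh X509_STORE holding only the root, loads and parses the
   * leaf, and runs X509_verify_cert() on it.
   *
   * Returns 0 when the chain verifies, -1 on any failure: I/O or parse
   * error (reported by the helpers), OpenSSL allocation/init failure, or a
   * verification error, which is printed to stderr with its error string.
   *
   * Scope of the check: X509_verify_cert() validates the signature chain up
   * to the trusted root, the validity periods and basic constraints. Nothing
   * here checks the subject name / hostname or key usage, and no CRL or OCSP
   * revocation data is consulted; callers that need those must add them.
   * The trust anchor is read from a file under a home directory, so whoever
   * can write that file controls what this program trusts.
   */
  int x509_verify()
  {
      int ret = 0;
      int rc = -1;                    /* becomes 0 only after a successful verify */
      char cert[MAX_LEGTH];

      unsigned char user_der[MAX_LEGTH];
      unsigned long user_der_len = 0;
      X509 *user = NULL;

      unsigned char ca_der[MAX_LEGTH];
      unsigned long ca_der_len = 0;
      X509 *ca = NULL;

      X509_STORE *ca_store = NULL;
      X509_STORE_CTX *ctx = NULL;
      STACK_OF(X509) *ca_stack = NULL;   /* no untrusted intermediates are supplied */

      /* x509 init: both can return NULL and were previously used unchecked */
      ca_store = X509_STORE_new();
      ctx = X509_STORE_CTX_new();
      if (ca_store == NULL || ctx == NULL)
      {
          fprintf(stderr, "X509_STORE_new/X509_STORE_CTX_new fail\n");
          goto EXIT;
      }

      /* root ca: bounded path build, read, parse, add as trust anchor */
      if (snprintf(cert, sizeof cert, "%s/%s", CERT_PATH, ROOT_CERT) >= (int)sizeof cert)
      {
          fprintf(stderr, "cert path too long\n");
          goto EXIT;
      }
      /* a failed load left ca_der_len uninitialised in the original and the
       * garbage buffer was still handed to the DER parser */
      if (my_load_cert(ca_der, &ca_der_len, cert, MAX_LEGTH) != 0)
      {
          goto EXIT;
      }
      ca = der_to_x509(ca_der, ca_der_len);
      if (ca == NULL)
      {
          goto EXIT;
      }
      ret = X509_STORE_add_cert(ca_store, ca);
      if (ret != 1)
      {
          fprintf(stderr, "X509_STORE_add_cert fail, ret = %d\n", ret);
          goto EXIT;
      }

      /* certificate under test */
      if (snprintf(cert, sizeof cert, "%s/%s", CERT_PATH, WIN71H) >= (int)sizeof cert)
      {
          fprintf(stderr, "cert path too long\n");
          goto EXIT;
      }
      if (my_load_cert(user_der, &user_der_len, cert, MAX_LEGTH) != 0)
      {
          goto EXIT;
      }
      user = der_to_x509(user_der, user_der_len);
      if (user == NULL)
      {
          goto EXIT;
      }

      ret = X509_STORE_CTX_init(ctx, ca_store, user, ca_stack);
      if (ret != 1)
      {
          fprintf(stderr, "X509_STORE_CTX_init fail, ret = %d\n", ret);
          goto EXIT;
      }

      /* openssl-1.0.1c/crypto/x509/x509_vfy.h */
      ret = X509_verify_cert(ctx);
      if (ret != 1)
      {
          /* accessor instead of ctx->error: the struct is opaque in OpenSSL >= 1.1 */
          int err = X509_STORE_CTX_get_error(ctx);
          fprintf(stderr, "X509_verify_cert fail, ret = %d, error id = %d, %s\n",
                  ret, err, X509_verify_cert_error_string(err));
          goto EXIT;
      }
      rc = 0;

  EXIT:
      /* the store holds its own reference to ca, so freeing ours is correct */
      X509_free(user);
      X509_free(ca);

      if (ctx != NULL)
      {
          X509_STORE_CTX_cleanup(ctx);
          X509_STORE_CTX_free(ctx);
      }
      X509_STORE_free(ca_store);

      return rc;
  }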

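  /*
   * Entry point: initialise OpenSSL's algorithm table (needed on OpenSSL
   * 1.0.x for the digests used during signature verification) and run the
   * verification.
   *
   * Exit status is 0 only when x509_verify() succeeds; the original always
   * returned 0, so a caller could not tell a failed verification from a
   * successful one.
   */
  int main(void)
  {
      OpenSSL_add_all_algorithms();
      return x509_verify() == 0 ? 0 : 1;
  }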

