C中的x509证书验证 [英] x509 certificate verification in C

问题描述

我确实有 DER 和 PEM 格式的证书，我的目标是检索颁发者和主题的字段并使用 CA 公钥验证证书，同时使用根公钥验证 CA 证书.我能够检索颁发者和主题的所有详细信息，但无法验证证书.
使用的 API:

I do have certificates in DER and PEM format, my goal is to retrieve the fields of Issuer and Subject and verify the certificate with the CA public key and simultaneously verify CA certificate with the root public key. I am able to retrieve all the details of issuer and subject but unable to verify the certificate.
The API used:

x509 = d2i_X509_fp (fp, &x509); //READING DER Format
x509 = PEM_read_X509 (fp, &x509, NULL, NULL); //READING PEM Format
//to retrieve the Subject:
X509_NAME_oneline(X509_get_subject_name(x509), subject, sizeof (subject));
//to retrieve the Issuer:
X509_NAME_oneline(X509_get_issuer_name(x509), issuer, sizeof (issuer));

//To store the CA public key (in unsigned char *key) that will be used to verify the 
//certificate (in my case always sha1WithRSAEncryption):
RSA *x = X509_get_pubkey(x509)->pkey.rsa;
bn = x->n;
//extracts the bytes from public key & convert into unsigned char buffer
buf_len = (size_t) BN_num_bytes (bn);
stored_CA_pubKey = (unsigned char *)malloc (buf_len);
i_n = BN_bn2bin (bn, (unsigned char *)stored_CA_pubKey);
if (i_n != buf_len)
  LOG(ERROR," : key error
");
if (key[0] & 0x80)
  LOG(DEBUG, "00
");

stored_CA_pubKeyLen = EVP_PKEY_size(X509_get_pubkey(x509));

对于验证，我采用了不同的方法，但无法验证:

For Verification I went through different approaches but I am unable to verify:

a)

i_x509_verify = X509_verify(cert_x509, ca_pubkey);

b)

/* verify the signature */
int iRet1, iRet2, iReason;
iRet1 = EVP_VerifyInit(&md_ctx, EVP_sha1());
iRet2 = EVP_VerifyUpdate(&md_ctx, cert_code, cert_code_len);
rv = EVP_VerifyFinal(&md_ctx, (const unsigned char *)stored_CA_pubKey,
     stored_CA_pubKeyLen, cert_pubkey);

注意:cert_code 和 stored_CA_pubKey 是无符号字符缓冲区.

NOTE : cert_code and stored_CA_pubKey are unsigned char buffers.

推荐答案

我使用以下代码验证证书

I use following code for verifying a certificate

初始化证书存储:

X509_STORE* m_store = X509_STORE_new();
X509_LOOKUP* m_lookup = X509_STORE_add_lookup(m_store,X509_LOOKUP_file());    
X509_STORE_load_locations(m_store, "CAFile.pem", NULL);
X509_STORE_set_default_paths(m_store);
X509_LOOKUP_load_file(m_lookup,"CAFile.pem",X509_FILETYPE_PEM)
// alternative lookup by hashdir
// X509_LOOKUP* m_lookup=X509_STORE_add_lookup(m_store,X509_LOOKUP_hash_dir());

验证证书:

X509_STORE_CTX *storeCtx = X509_STORE_CTX_new();
X509_STORE_CTX_init(storeCtx,m_store,cert,NULL);
X509_STORE_CTX_set_flags(storeCtx, X509_V_FLAG_CB_ISSUER_CHECK);
if (X509_verify_cert(storeCtx) == 1)
{
  printf("success");
}
else
{
  printf("Verificatione rror: %s",X509_verify_cert_error_string(storeCtx->error));
}
X509_STORE_CTX_free(storeCtx);

你还需要清理m_store

you also need to cleanup m_store

if(m_store != NULL)
{
   X509_STORE_free(m_store);
   m_store = NULL;
}

这篇关于C中的x509证书验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！