C++/OpenSSL:使用来自缓冲区而不是文件的根 CA (SSL_CTX_load_verify_locations) [英] C++/OpenSSL: Use root CA from buffer rather than file (SSL_CTX_load_verify_locations)

问题描述

我正在使用 OpenSSL 来验证服务器的证书.由于 OpenSSL 没有任何内置的根 CA，因此我们必须自己与我们的软件一起分发根 CA 证书(我们静态链接 OpenSSL).通常，这样做的方法是分发 PEM 格式的证书文件并调用 SSL_CTX_load_verify_locations.

I am using OpenSSL to verify a server's certificate. Since OpenSSL is shipped without any built-in root CAs, we must distribute the root CA certificate ourselves with our software (we statically-link OpenSSL). Ordinarily, the way to do this is to distribute a certificate file in PEM format and call SSL_CTX_load_verify_locations.

但是，此函数采用文件/目录路径并直接从文件系统读取根证书文件.我们真的希望能够将证书硬编码到我们的二进制文件中，而不是将其保存到文件系统中.

However, this function takes a file/directory path and reads the root certificate file(s) directly from the filesystem. We would really like to be able to hard-code the certificate into our binary instead of saving it to the filesystem.

换句话说，我们真的希望有一个像 SSL_CTX_load_verify_locations 这样的函数，它接受 X509* 而不是文件路径.

In other words, we would really like to have a function like SSL_CTX_load_verify_locations that takes an X509* instead of a file-path.

这样的东西存在吗?还是有一种简单的方法可以自己破解它?我们似乎找不到太多关于此的信息.

Does something like this exist? or is there an easy way to hack it together ourselves? We can't seem to find much information about this.

非常感谢您的任何建议！

Thank you very much for any suggestions!

推荐答案

函数SSL_CTX_get_cert_store()可用于获取用于验证的证书存储的句柄(X509_STORE *)，然后可以使用 X509_STORE_add_cert() 函数(在 openssl/x509_vfy.h 中)将证书直接添加到该证书存储区.

The function SSL_CTX_get_cert_store() can be used to get a handle to the certificate store used for verification (X509_STORE *), and the X509_STORE_add_cert() function (in openssl/x509_vfy.h) can then be used to add a certificate directly to that certificate store.

这篇关于C++/OpenSSL:使用来自缓冲区而不是文件的根 CA (SSL_CTX_load_verify_locations)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！