C++/OpenSSL: Use root CA from buffer rather than file (SSL_CTX_load_verify_locations)


Problem description

I am using OpenSSL to verify a server's certificate. Since OpenSSL is shipped without any built-in root CAs, we must distribute the root CA certificate ourselves with our software (we statically-link OpenSSL). Ordinarily, the way to do this is to distribute a certificate file in PEM format and call SSL_CTX_load_verify_locations.

However, this function takes a file/directory path and reads the root certificate file(s) directly from the filesystem. We would really like to be able to hard-code the certificate into our binary instead of saving it to the filesystem.

In other words, we would really like to have a function like SSL_CTX_load_verify_locations that takes an X509* instead of a file-path.

Does something like this exist? Or is there an easy way to hack it together ourselves? We can't seem to find much information about this.

Thank you very much for any suggestions!

Recommended answer

The function SSL_CTX_get_cert_store() can be used to get a handle to the certificate store used for verification (X509_STORE *), and the X509_STORE_add_cert() function (in openssl/x509_vfy.h) can then be used to add a certificate directly to that certificate store.
