|
|
Posted on 2010-07-02 08:23 S.l.e!ep.¢% 閱讀(3705) 評(píng)論(0) 編輯 收藏 引用 所屬分類: OpenSSL
Link:http://blog.csdn.net/rabbit729/archive/2009/02/06/3866525.aspx
項(xiàng)
目中遇到使用Openssl驗(yàn)證證書(shū)鏈的問(wèn)題,在網(wǎng)上找了很長(zhǎng)時(shí)間,發(fā)現(xiàn)這方面的資料很少,通過(guò)多方努力,總算實(shí)現(xiàn)了基本功能,為了給大家提供一下參考,
本人實(shí)現(xiàn)了一個(gè)驗(yàn)證證書(shū)鏈的類,以供參考,由于本人也是剛剛接觸Openssl,如果有不正確的地方,請(qǐng)大家多多指導(dǎo)
-
/************************************************************************/??
-
/*??????????????????????????VerifyDCChain.h?????????????????????????????*/??
-
/************************************************************************/??
-
#ifndef?VERIFYDCCHAIN_H_??
-
#define?VERIFYDCCHAIN_H_??
- ??
-
#include?<openssl/bio.h>??
-
#include?<openssl/err.h>??
-
#include?<openssl/x509.h>??
-
#include?<openssl/x509v3.h>??
-
#include?<openssl/pem.h>??
-
#include?<openssl/crypto.h>??
-
#include?<string>??
-
#include?<iostream>??
-
using?namespace?std;??
- ??
-
class?VerifyDCChain??
- {??
-
public:??
- ????VerifyDCChain();??
- ????~VerifyDCChain();??
- ??
- ????/*?
-
????*?初
始化證書(shū)鏈堆棧m_chain?
-
????*?@param[in]?certChains?證書(shū)鏈中各個(gè)證
書(shū)文件名數(shù)組?
-
????*?@param[in]?num?證書(shū)鏈中證書(shū)個(gè)數(shù)?
-
????*/??
- ????int?Init(const?string*?certChains,?const?int?num);??
- ??
- ????/*?
-
????*?使
用給定的證書(shū)鏈驗(yàn)證葉子證書(shū)?
-
????*?@param[in]?certFile?需要驗(yàn)證的葉子證書(shū)文
件名?
-
????*/??
- ????int?verify(const?char*?certFile);??
-
private:??
- ??
- ????/*?
-
????*?加
載證書(shū)文件?
-
????*?@param[in]?certFile?需要加載的證書(shū)文件名?
-
????*/??
- ????X509*?load_certfile(const?char*?certFile);??
-
private:??
- ????X509*?m_leaf;??
- ????STACK_OF(X509)*?m_chain;??????
- };??
- ??
-
#endif??
- ??
-
/************************************************************************/??
-
/*??????????????????????????VerifyDCChain.cpp???????????????????????????*/??
-
/************************************************************************/??
- ??
-
#include?"VerifyDCChain.h"??
- ??
- VerifyDCChain::VerifyDCChain():m_leaf(NULL),?m_chain(NULL)??
- {??
- ????CRYPTO_malloc_init();???
- ????OpenSSL_add_all_algorithms();??
- }??
- ??
- VerifyDCChain::~VerifyDCChain()??
- {??
- ????if(m_leaf?!=?NULL)???
- ????{??
- ????????X509_free(m_leaf);??
- ????}??
- ????if?(m_chain?!=NULL)??
- ????{??
- ????????sk_X509_free(m_chain);??
- ????}??
- }??
- ??
-
int?VerifyDCChain::Init(const?string*?certChains,?const?int?num)??
- {??
- ????int?ret?=?0;??
- ????X509*?temp?=?new?X509;??
- ????m_chain?=?sk_X509_new_null();??
- ??
- ????//?注
意此處加載證書(shū)鏈中證書(shū)的順序沒(méi)有要求,因?yàn)??
- ????//?在X509_verify_cert()函
數(shù)中會(huì)對(duì)證書(shū)鏈中的證書(shū)??
- ????//?進(jìn)行排序??
- ????for?(int?i?=?0;?i?<?num;?i++)??
- ????{??
- ????????temp?=?load_certfile(certChains[i].c_str());??
- ????????sk_X509_push(m_chain,?temp);??
- ????}??
- ????return?1;??
- }??
- ??
-
int?VerifyDCChain::verify(const?char*?certFile)??
- {??
- ????int?ret?=?0;??
- ????X509_STORE?*store=NULL;??
- ????X509_STORE_CTX?ctx;??
- ????m_leaf?=?new?X509();??
- ??
- ????//
創(chuàng)建X509_store對(duì)象,用來(lái)存儲(chǔ)證書(shū)、撤銷列表等??
- ????store=X509_STORE_new();??
- ??
- ????//?載
入葉子證書(shū)??
- ????m_leaf?=?load_certfile(certFile);??
- ??
- ????//
設(shè)置驗(yàn)證標(biāo)記?都驗(yàn)證那些項(xiàng)?X509_V_FLAG_CRL_CHECK_ALL表示全部驗(yàn)證??
- ????X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK_ALL);??
- ????//
初始化CTX?這個(gè)類就是所謂的上下文?該類收集完必要的信息數(shù)據(jù)?可以進(jìn)行驗(yàn)證??
- ????//?此處
X509_STORE_CTX_init最后一個(gè)參數(shù)為NULL,表示不加載證書(shū)撤銷列表CPL??
- ????if(!X509_STORE_CTX_init(&ctx,store?,m_leaf,NULL))??
- ????{??
- ????????ret?=?0;??
- ????????goto?end;??
- ????}??
- ??
- ????if(m_chain?==?NULL)??
- ????{??
- ????????cout<<"
加載證書(shū)鏈?zhǔn)?\n"<<endl;??
- ????????ret?=?0;??
- ????????goto?end;??
- ????}??
- ????else??
- ????{??
- ????????//
將證書(shū)鏈存入CTX??
- ????????X509_STORE_CTX_trusted_stack(&ctx,?m_chain);??
- ????}??
- ??
- ????//
證書(shū)鏈?zhǔn)津?yàn)證??
- ????if(1?==?X509_verify_cert(&ctx))??
- ????????ret?=?1;??
- ????else??
- ????????ret?=?0;??
- end:??
- ????X509_STORE_CTX_cleanup(&ctx);??
- ????if(store)X509_STORE_free(store);??
- ????return?ret;??
- }??
- ??
- X509*?VerifyDCChain::load_certfile(const?char*?certFile)??
- {??
- ????X509*?cert?=?NULL;??
- ????BIO*?in?=?NULL;??
- ??
- ????if(certFile==NULL)??
- ????????goto?end;??
- ????in?=?BIO_new_file(certFile,"r");??
- ????if(in==NULL)??
- ????????goto?end;??
- ????//
將IO中數(shù)據(jù)以PEM格式讀入到X509對(duì)象??
- ????cert?=?PEM_read_bio_X509(in,NULL,NULL,NULL);??
- ????if(cert?==?NULL)??
- ????????goto?end;??
- end:??
- ????if(in)BIO_free(in);??
- ????return?cert;??
- }??
- ??
-
/************************************************************************/??
-
/*?????????????????????????????????test.cpp?????????????????????????????*/??
-
/************************************************************************/??
- ??
-
#include?"VerifyDCChain.h"??
-
#include?<iostream>??
-
using?namespace?std;??
- ??
-
void?main(void)??
- {??
- ????VerifyDCChain?m_check;??
- ??
- ????//?注
意此處加載證書(shū)鏈中證書(shū)文件名的順序沒(méi)有要求,??
- ????//?因?yàn)樵?
X509_verify_cert()函數(shù)中會(huì)對(duì)證書(shū)鏈中的??
- ????//?證書(shū)進(jìn)行排序??
- ????string?certChains[4]?=?{"5.crt",?"4.crt",?"3.crt",?"2.crt"};??
- ????m_check.Init(certChains,?4);??
- ??
- ????if?(1?==?m_check.verify("1.crt"))??
- ????{??
- ????????cout<<"OK!"<<endl;??
- ????}??
- ????else??
- ????{??
- ????????cout<<"ERROR!"<<endl;??
- ????}?????
- }??
|