X509證書驗證-部分驗證
加入技術交流群
openssl verify -partial_chain -CAfile CA.pem CERTIFICATE.pem
可以實現只驗證一級。不用驗證到根證書。
X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
int x509_verify_chain(char * ca_cert_buf, char *user_cert_buf)
{
cjwt_code_t rv = CJWTE_SIGNATURE_VALIDATION_FAILED;
int ret = 0;
BIO *ca_certbio = NULL;//Gerry
BIO *certbio = NULL;//Gerry
X509 *cert = NULL;
X509 *ca_cert = NULL;
ca_certbio = BIO_new_mem_buf(ca_cert_buf, strlen(ca_cert_buf));
if (!ca_certbio) {
printf("FUN %s LINE %d\n", __FUNCTION__ , __LINE__);
return CJWTE_OUT_OF_MEMORY;
}
ca_cert = PEM_read_bio_X509(ca_certbio,&ca_cert,NULL,NULL);
BIO_free(ca_certbio);
if (!ca_certbio) {
printf("FUN %s LINE %d\n", __FUNCTION__, __LINE__);
return CJWTE_SIGNATURE_INVALID_KEY;
}
certbio = BIO_new_mem_buf(user_cert_buf, strlen(user_cert_buf));
if (!certbio) {
printf("FUN %s LINE %d\n", __FUNCTION__ , __LINE__);
return CJWTE_OUT_OF_MEMORY;
}
cert = PEM_read_bio_X509(certbio,&cert,NULL,NULL);
BIO_free(certbio);
if (!certbio) {
printf("FUN %s LINE %d\n", __FUNCTION__, __LINE__);
return CJWTE_SIGNATURE_INVALID_KEY;
}
X509_STORE *store;
X509_STORE_CTX *ctx;
store = X509_STORE_new();
X509_STORE_set_verify_cb(store, verify_cb);
X509_STORE_add_cert(store, ca_cert);
X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);//);
ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(ctx, store, cert, NULL);
ret = X509_verify_cert(ctx);
if(ctx != NULL) X509_STORE_CTX_free(ctx);
if(store != NULL) X509_STORE_free(store);
if(cert != NULL) X509_free(cert);
if(ca_cert != NULL) X509_free(ca_cert);
return ret;
}*博客內容為網友個人發布,僅代表博主個人觀點,如有侵權請聯系工作人員刪除。
