|
|
Posted on 2010-07-02 08:23 S.l.e!ep.¢% 閱讀(3706) 評論(0) 編輯 收藏 引用 所屬分類: OpenSSL
Link:http://blog.csdn.net/rabbit729/archive/2009/02/06/3866525.aspx
項
目中遇到使用Openssl驗證證書鏈的問題,在網(wǎng)上找了很長時間����,發(fā)現(xiàn)這方面的資料很少�,通過多方努力����,總算實現(xiàn)了基本功能,為了給大家提供一下參考,
本人實現(xiàn)了一個驗證證書鏈的類,以供參考�,由于本人也是剛剛接觸Openssl�,如果有不正確的地方�,請大家多多指導
-
/************************************************************************/??
-
/*??????????????????????????VerifyDCChain.h?????????????????????????????*/??
-
/************************************************************************/??
-
#ifndef?VERIFYDCCHAIN_H_??
-
#define?VERIFYDCCHAIN_H_??
- ??
-
#include?<openssl/bio.h>??
-
#include?<openssl/err.h>??
-
#include?<openssl/x509.h>??
-
#include?<openssl/x509v3.h>??
-
#include?<openssl/pem.h>??
-
#include?<openssl/crypto.h>??
-
#include?<string>??
-
#include?<iostream>??
-
using?namespace?std;??
- ??
-
class?VerifyDCChain??
- {??
-
public:??
- ????VerifyDCChain();??
- ????~VerifyDCChain();??
- ??
- ????/*?
-
????*?初
始化證書鏈堆棧m_chain?
-
????*?@param[in]?certChains?證書鏈中各個證
書文件名數(shù)組?
-
????*?@param[in]?num?證書鏈中證書個數(shù)?
-
????*/??
- ????int?Init(const?string*?certChains,?const?int?num);??
- ??
- ????/*?
-
????*?使
用給定的證書鏈驗證葉子證書?
-
????*?@param[in]?certFile?需要驗證的葉子證書文
件名?
-
????*/??
- ????int?verify(const?char*?certFile);??
-
private:??
- ??
- ????/*?
-
????*?加
載證書文件?
-
????*?@param[in]?certFile?需要加載的證書文件名?
-
????*/??
- ????X509*?load_certfile(const?char*?certFile);??
-
private:??
- ????X509*?m_leaf;??
- ????STACK_OF(X509)*?m_chain;??????
- };??
- ??
-
#endif??
- ??
-
/************************************************************************/??
-
/*??????????????????????????VerifyDCChain.cpp???????????????????????????*/??
-
/************************************************************************/??
- ??
-
#include?"VerifyDCChain.h"??
- ??
- VerifyDCChain::VerifyDCChain():m_leaf(NULL),?m_chain(NULL)??
- {??
- ????CRYPTO_malloc_init();???
- ????OpenSSL_add_all_algorithms();??
- }??
- ??
- VerifyDCChain::~VerifyDCChain()??
- {??
- ????if(m_leaf?!=?NULL)???
- ????{??
- ????????X509_free(m_leaf);??
- ????}??
- ????if?(m_chain?!=NULL)??
- ????{??
- ????????sk_X509_free(m_chain);??
- ????}??
- }??
- ??
-
int?VerifyDCChain::Init(const?string*?certChains,?const?int?num)??
- {??
- ????int?ret?=?0;??
- ????X509*?temp?=?new?X509;??
- ????m_chain?=?sk_X509_new_null();??
- ??
- ????//?注
意此處加載證書鏈中證書的順序沒有要求,因為??
- ????//?在X509_verify_cert()函
數(shù)中會對證書鏈中的證書??
- ????//?進行排序??
- ????for?(int?i?=?0;?i?<?num;?i++)??
- ????{??
- ????????temp?=?load_certfile(certChains[i].c_str());??
- ????????sk_X509_push(m_chain,?temp);??
- ????}??
- ????return?1;??
- }??
- ??
-
int?VerifyDCChain::verify(const?char*?certFile)??
- {??
- ????int?ret?=?0;??
- ????X509_STORE?*store=NULL;??
- ????X509_STORE_CTX?ctx;??
- ????m_leaf?=?new?X509();??
- ??
- ????//
創(chuàng)建X509_store對象,用來存儲證書����、撤銷列表等??
- ????store=X509_STORE_new();??
- ??
- ????//?載
入葉子證書??
- ????m_leaf?=?load_certfile(certFile);??
- ??
- ????//
設(shè)置驗證標記?都驗證那些項?X509_V_FLAG_CRL_CHECK_ALL表示全部驗證??
- ????X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK_ALL);??
- ????//
初始化CTX?這個類就是所謂的上下文?該類收集完必要的信息數(shù)據(jù)?可以進行驗證??
- ????//?此處
X509_STORE_CTX_init最后一個參數(shù)為NULL,表示不加載證書撤銷列表CPL??
- ????if(!X509_STORE_CTX_init(&ctx,store?,m_leaf,NULL))??
- ????{??
- ????????ret?=?0;??
- ????????goto?end;??
- ????}??
- ??
- ????if(m_chain?==?NULL)??
- ????{??
- ????????cout<<"
加載證書鏈失敗!\n"<<endl;??
- ????????ret?=?0;??
- ????????goto?end;??
- ????}??
- ????else??
- ????{??
- ????????//
將證書鏈存入CTX??
- ????????X509_STORE_CTX_trusted_stack(&ctx,?m_chain);??
- ????}??
- ??
- ????//
證書鏈式驗證??
- ????if(1?==?X509_verify_cert(&ctx))??
- ????????ret?=?1;??
- ????else??
- ????????ret?=?0;??
- end:??
- ????X509_STORE_CTX_cleanup(&ctx);??
- ????if(store)X509_STORE_free(store);??
- ????return?ret;??
- }??
- ??
- X509*?VerifyDCChain::load_certfile(const?char*?certFile)??
- {??
- ????X509*?cert?=?NULL;??
- ????BIO*?in?=?NULL;??
- ??
- ????if(certFile==NULL)??
- ????????goto?end;??
- ????in?=?BIO_new_file(certFile,"r");??
- ????if(in==NULL)??
- ????????goto?end;??
- ????//
將IO中數(shù)據(jù)以PEM格式讀入到X509對象??
- ????cert?=?PEM_read_bio_X509(in,NULL,NULL,NULL);??
- ????if(cert?==?NULL)??
- ????????goto?end;??
- end:??
- ????if(in)BIO_free(in);??
- ????return?cert;??
- }??
- ??
-
/************************************************************************/??
-
/*?????????????????????????????????test.cpp?????????????????????????????*/??
-
/************************************************************************/??
- ??
-
#include?"VerifyDCChain.h"??
-
#include?<iostream>??
-
using?namespace?std;??
- ??
-
void?main(void)??
- {??
- ????VerifyDCChain?m_check;??
- ??
- ????//?注
意此處加載證書鏈中證書文件名的順序沒有要求,??
- ????//?因為在
X509_verify_cert()函數(shù)中會對證書鏈中的??
- ????//?證書進行排序??
- ????string?certChains[4]?=?{"5.crt",?"4.crt",?"3.crt",?"2.crt"};??
- ????m_check.Init(certChains,?4);??
- ??
- ????if?(1?==?m_check.verify("1.crt"))??
- ????{??
- ????????cout<<"OK!"<<endl;??
- ????}??
- ????else??
- ????{??
- ????????cout<<"ERROR!"<<endl;??
- ????}?????
- }??
|