
How to verify the password of a pkcs#12 certificate (.PXF) with openssl C API?

I have an .pxf (AFAIK PKCS#12) certificate. How can I confirm a given password for this certificate using the openssl C API?

One approach to finding answers like this is to find an OpenSSL utility that performs the same functionality as what you are trying to do. In this case, you can use the pkcs12 utility that comes with OpenSSL to verify the password.

The command to verify a pfx file is the following:

openssl pkcs12 -in mypfx.pfx -noout

With that information, you can then look at its source code ({openssl_src}/apps/pkcs12.c) to see how they do it.

The source code shows that it calls PKCS12_verify_mac to verify the password. First to verify that there is no password:

if( PKCS12_verify_mac(p12, NULL, 0) )
{
    printf("PKCS12 has no password.\n");
}

And then if there is a password, verify it by passing it as an argument:

if( PKCS12_verify_mac(p12, password, -1) )
{
    printf("PKCS12 password matches.\n");
}

OpenSSL also has demos for working with PKCS12 in openssl/demos/pkcs12. The pkread.c demo provides an example for parsing a pfx file with a password.

EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *ca = NULL;

if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) {
    fprintf(stderr, "Error parsing PKCS#12 file\n");
    ERR_print_errors_fp(stderr);
    exit(1);
}

Full example, compiled with gcc -std=c99 verifypfx.c -o verifypfx -lcrypto:

#include <stdio.h>
#include <stdlib.h>   // exit()
#include <errno.h>
#include <openssl/pkcs12.h>
#include <openssl/err.h>

int main(int argc, char *argv[])
{
        const char *password = "mypassword";
        PKCS12 *p12;

        // Load the pfx file.
        FILE *fp = fopen("mypfx.pfx", "rb");
        if( fp == NULL ) { perror("fopen"); return 1; }
        p12 = d2i_PKCS12_fp(fp, NULL);
        fclose(fp);

        OpenSSL_add_all_algorithms();
        ERR_load_PKCS12_strings();

        if( p12 == NULL ) { ERR_print_errors_fp(stderr); exit(1); }

        // Note:  No password is not the same as zero-length password.  Check for both.
        if( PKCS12_verify_mac(p12, NULL, 0) )
        {
                printf("PKCS12 has no password.\n");
        }
        else if( PKCS12_verify_mac(p12, password, -1) )
        {
                printf("PKCS12 password matches.\n");
        }
        else
        {
                printf("Password not correct.\n");
        }

        // Release the parsed PKCS12 structure.
        PKCS12_free(p12);
        return 0;
}

Use PKCS12_verify_mac(), e.g.:

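// Needs <stdio.h>, <string.h> and <openssl/pkcs12.h>.
FILE* f = fopen("myfile.pfx", "rb");
// Leave p12 NULL if the file could not be opened.
PKCS12* p12 = (f != NULL) ? d2i_PKCS12_fp(f, NULL) : NULL;
if (f != NULL) fclose(f);
// Fails on an unreadable or malformed file as well as on a wrong password.
if (p12 == NULL || !PKCS12_verify_mac(p12, "mypassword", strlen("mypassword")))
{
   // handle failure
}
PKCS12_free(p12);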
