
Verifying self-signed/expired certificate with openssl library does not return error

I am trying to write a certificate validation function in C using the openssl library. Since the certificate I am validating is self-signed and expired, I expect X509_verify_cert() to return an error (instead, the return value is 1 and store_ctx->error is set to X509_V_OK). 'openssl verify my_pem_cert_file' outputs:

error 18 at 0 depth lookup:self signed certificate
error 10 at 0 depth lookup:certificate has expired

What am I doing wrong? Here is my code:

#include <stdio.h>
#include <time.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

static int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
{
    /* Tolerate self-signed certificate */
    if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
        return 1;
    }

    /* Otherwise don't override */
    return ok;
}

/* Returns 1 if the certificate verifies, 0 if it does not, -1 on setup failure */
int cert_validate(const char *certFileName)
{
    BIO *pBio = NULL;
    X509 *pX509 = NULL;
    X509 *CA = NULL;                       /* target certificate argument of _init(); set separately below */
    X509_STORE *cert_store = NULL;
    X509_STORE_CTX *store_ctx = NULL;
    STACK_OF(X509) *stack_of_x509 = NULL;  /* no untrusted intermediate certificates */
    time_t check_time;
    int store_ctx_error;
    int store_ctx_error_depth;
    int result = -1;

    /* BIO_s_file_internal() was removed in OpenSSL 1.1.0; BIO_s_file() is the portable name */
    pBio = BIO_new(BIO_s_file());
    if (pBio == NULL)
        goto cleanup;                      /* error handling */

    if (BIO_read_filename(pBio, certFileName) <= 0)
        goto cleanup;                      /* error handling */

    pX509 = PEM_read_bio_X509(pBio, NULL, NULL, NULL);
    if (pX509 == NULL)
        goto cleanup;                      /* error handling */

    if ((cert_store = X509_STORE_new()) == NULL)
        goto cleanup;                      /* error handling */

    if ((store_ctx = X509_STORE_CTX_new()) == NULL)
        goto cleanup;                      /* error handling */

    /* edit1: this was wrong: don't add the certificate being verified to the trusted cert list */
    /* if (!X509_STORE_add_cert(cert_store, pX509)) */
    /*     goto cleanup; */

    /* the third argument is the certificate to verify; NULL here, set just below */
    if (!X509_STORE_CTX_init(store_ctx, cert_store, CA, stack_of_x509))
        goto cleanup;                      /* error handling */

    X509_STORE_CTX_set_cert(store_ctx, pX509);

    /* edit1: this was missing: set the verify time in order to check the certificate for expiry.
     * X509_STORE_CTX_set_time() already sets X509_V_FLAG_USE_CHECK_TIME, so the
     * explicit set_flags() call is redundant but harmless. */
    time(&check_time);
    X509_STORE_CTX_set_time(store_ctx, 0, check_time);
    X509_STORE_CTX_set_flags(store_ctx, X509_V_FLAG_USE_CHECK_TIME);

    /* edit1: add callback function for ignoring self-signed error
     * now, I'd like the validation to fail because of the expiry.
     * X509_STORE_set_verify_cb_func() is the X509_STORE macro; for a
     * verification context the call is X509_STORE_CTX_set_verify_cb(). */
    X509_STORE_CTX_set_verify_cb(store_ctx, cert_verify_callback);

    switch (X509_verify_cert(store_ctx)) {
        /* the certificate is valid */
        case 1:
            printf("The certificate is valid\n");
            result = 1;
            break;

        /* the certificate cannot be validated */
        case -1:
        case 0:
            printf("The certificate is not valid\n");

            store_ctx_error = X509_STORE_CTX_get_error(store_ctx);
            store_ctx_error_depth = X509_STORE_CTX_get_error_depth(store_ctx);
            /* use the accessor result; store_ctx->error is not reachable through the opaque struct */
            printf("Error %d at %d depth: %s\n", store_ctx_error, store_ctx_error_depth,
                   X509_verify_cert_error_string(store_ctx_error));
            result = 0;
            break;

        default:
            break;
    }

cleanup:
    /* free data (these *_free() functions are NULL-safe in OpenSSL 1.1.0 and later) */
    X509_STORE_CTX_free(store_ctx);
    X509_STORE_free(cert_store);
    X509_free(pX509);
    BIO_free_all(pBio);
    return result;
}

When validating the self-signed and expired certificate, my function prints:

Error 0 at 0 depth: ok

The function X509_STORE_add_cert() adds the corresponding certificate as a trusted certificate for verification, so this line:

X509_STORE_add_cert(cert_store, pX509)

says that your pX509 certificate is trusted for verification - but that's the certificate you want to test, so that's why a self-signed certificate is passing verification.

You also aren't setting a verification time - that's why an expired certificate is not being detected. Set the verification time with X509_STORE_CTX_set_time().
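The two causes named in the answer can be reproduced end to end with the openssl command-line tool, which drives the same X509_verify_cert() verifier as the C API. The script below is an added example, not code from the question or the answer: it generates a throwaway self-signed certificate (constructed test material; the file names and subject CN are arbitrary), then shows that without a trust anchor it fails with error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), that putting the certificate under test into the trust store (the X509_STORE_add_cert() mistake) makes it pass, and that moving the verification time forward with -attime (the CLI counterpart of X509_STORE_CTX_set_time()) exposes the expiry as error 10 (X509_V_ERR_CERT_HAS_EXPIRED) even though the certificate is trusted. Moving the check time stands in for waiting for a real certificate to expire.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the two
# verification mistakes discussed above with the openssl CLI. All material
# below is constructed on the fly; file names and the subject CN are arbitrary.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"
KEY="$WORK/key.pem"

# Generate a self-signed certificate that is valid for one day only.
# -nodes: write the private key unencrypted; -subj: no interactive prompts.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
        -days 1 -subj "/CN=expired-self-signed-test" >/dev/null 2>&1
}

# Run `openssl verify` and reduce its output to the first X509_V_ERR_* code
# (the N in "error N at D depth lookup: ..."), or "ok" when verification passed.
# Usage: verify_code <cert> [openssl verify options...]
verify_code() {
    cert="$1"; shift
    if out="$(openssl verify "$@" "$cert" 2>&1)"; then
        echo ok
        return 0
    fi
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1
}

# Epoch seconds N days from now, for -attime (the CLI counterpart of
# X509_STORE_CTX_set_time()).
epoch_in_days() {
    echo $(( $(date +%s) + $1 * 86400 ))
}

make_self_signed

# 1. No trust anchor: the chain ends in an untrusted self-signed certificate,
#    giving error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), as in the question.
echo "no trust store:          $(verify_code "$CERT")"

# 2. Trusting the certificate under test (the X509_STORE_add_cert() mistake):
#    the certificate is now its own trust anchor and verification passes.
echo "cert in its own store:   $(verify_code "$CERT" -CAfile "$CERT")"

# 3. Same trust store, but the check time moved 3 days ahead: the one-day
#    certificate is expired, giving error 10 (X509_V_ERR_CERT_HAS_EXPIRED).
echo "check time 3 days ahead: $(verify_code "$CERT" -CAfile "$CERT" -attime "$(epoch_in_days 3)")"
```

Case 2 is the CLI picture of what the answer describes: whatever is loaded into the X509_STORE passed to X509_STORE_CTX_init() is treated as a trust anchor, so a store containing the leaf being checked cannot reject it as self-signed. Case 3 shows that the time check is independent of trust: a certificate that is itself in the store still fails once the verification time lies outside its validity period, which is the behaviour the callback in the question is meant to let through.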
