x509 证书链验证

x509_test.cc
static int Verify(X509 *leaf, const std::vector<X509 *> &roots,
                   const std::vector<X509 *> &intermediates,
                   const std::vector<X509_CRL *> &crls,
                   unsigned long flags,
                   bool use_additional_untrusted) {
  bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots));
  bssl::UniquePtr<STACK_OF(X509)> intermediates_stack(
      CertsToStack(intermediates));
  bssl::UniquePtr<STACK_OF(X509_CRL)> crls_stack(CRLsToStack(crls));

  if (!roots_stack ||
      !intermediates_stack ||
      !crls_stack) {
    return X509_V_ERR_UNSPECIFIED;
  }

  bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());
  bssl::UniquePtr<X509_STORE> store(X509_STORE_new());
  if (!ctx ||
      !store) {
    return X509_V_ERR_UNSPECIFIED;
  }

  if (use_additional_untrusted) {
    X509_STORE_set0_additional_untrusted(store.get(),
                                         intermediates_stack.get());
  }

  if (!X509_STORE_CTX_init(
          ctx.get(), store.get(), leaf,
          use_additional_untrusted ? nullptr : intermediates_stack.get())) {
    return X509_V_ERR_UNSPECIFIED;
  }

  X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get());
  X509_STORE_CTX_set0_crls(ctx.get(), crls_stack.get());

  X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
  if (param == nullptr) {
    return X509_V_ERR_UNSPECIFIED;
  }
  X509_VERIFY_PARAM_set_time(param, 1474934400 /* Sep 27th, 2016 */);
  X509_VERIFY_PARAM_set_depth(param, 16);
  if (flags) {
    X509_VERIFY_PARAM_set_flags(param, flags);
  }
  X509_STORE_CTX_set0_param(ctx.get(), param);

  ERR_clear_error();
  if (X509_verify_cert(ctx.get()) != 1) {
    return X509_STORE_CTX_get_error(ctx.get());
  }

  return X509_V_OK;

 ssl_x509.cc

static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
                                                     SSL *ssl,
                                                     uint8_t *out_alert) {
  *out_alert = SSL_AD_INTERNAL_ERROR;
  STACK_OF(X509) *const cert_chain = session->x509_chain;
  if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {
    return 0;
  }

  X509_STORE *verify_store = ssl->ctx->cert_store;
  if (ssl->cert->verify_store != NULL) {
    verify_store = ssl->cert->verify_store;
  }

  X509 *leaf = sk_X509_value(cert_chain, 0);
  ScopedX509_STORE_CTX ctx;
  if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain)) {
    OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
    return 0;
  }
  if (!X509_STORE_CTX_set_ex_data(ctx.get(),
                                  SSL_get_ex_data_X509_STORE_CTX_idx(), ssl)) {
    return 0;
  }

  // We need to inherit the verify parameters. These can be determined by the
  // context: if its a server it will verify SSL client certificates or vice
  // versa.
  X509_STORE_CTX_set_default(ctx.get(),
                             ssl->server ? "ssl_client" : "ssl_server");

  // Anything non-default in "param" should overwrite anything in the ctx.
  X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param);

  if (ssl->verify_callback) {
    X509_STORE_CTX_set_verify_cb(ctx.get(), ssl->verify_callback);
  }

  int verify_ret;
  if (ssl->ctx->app_verify_callback != NULL) {
    verify_ret =
        ssl->ctx->app_verify_callback(ctx.get(), ssl->ctx->app_verify_arg);
  } else {
    verify_ret = X509_verify_cert(ctx.get());
  }

  session->verify_result = ctx->error;

  // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
  if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
    *out_alert = ssl_verify_alarm_type(ctx->error);
    return 0;
  }

  ERR_clear_error();
  return 1;
}
#ifndef OPENSSL_ZHI_CUST
    SSLInfo ssl_info;
    bool has_ssl_info = ssl_socket_->GetSSLInfo(&ssl_info);
    DCHECK(has_ssl_info);
        uint16_t cipher_suite =
        SSLConnectionStatusToCipherSuite(ssl_info.connection_status);
        

LOAD_IGNORE_ALL_CERT_ERRORS
  SSLInfo ssl_info1;
  bool has_ssl_info1 = ssl_socket_->GetSSLInfo(&ssl_info1);
  DCHECK(has_ssl_info1);
  uint16_t cipher_suite1 =
      SSLConnectionStatusToCipherSuite(ssl_info1.connection_status);
  if ( cipher_suite1 == 0xe013 || 

 

 
上一篇:密码技术--国密证书及go语言生成自签国密证书


下一篇:java实现解析x509数字证书DN的各项属性,并校验DN是否符合标准