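// TestOpensslP7Verify.cpp : defines the entry point for the console application.
//
// Verifies the signatures on a PEM-encoded PKCS#7 object (after the OpenSSL
// demos/pkcs7/p7verify.c example).
//
//   usage: p7verify [-p] [-d content-file] [pkcs7-file]
//
//   -p            echo the signed content to stdout while it is digested
//   -d FILE       the signature is detached; read the signed content from FILE
//   pkcs7-file    PEM PKCS#7 to verify (stdin when omitted)
//
// Exit status is 0 when every signer verifies against the trust store,
// 1 on any error, missing content or missing signature.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/asn1.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include "example.h"

int verify_callback(int ok, X509_STORE_CTX *ctx);

BIO *bio_err = NULL;   /* diagnostics, attached to stderr */
BIO *bio_out = NULL;   /* results, attached to stdout */

/* Directory of trusted CA certificates, relative to the working directory. */
#define CERT_DIR "../../certs"

/*
 * Entry point.
 *
 * Reads the PKCS#7 object, pulls the signed content through the digest BIO
 * chain built by PKCS7_dataInit(), then verifies every signer info with
 * PKCS7_dataVerify() against a store seeded from the default paths and
 * CERT_DIR. All resources are released on every exit path (see `done:`).
 *
 * Returns 0 on success, 1 on failure; OpenSSL errors are printed to stderr.
 */
int main(int argc, char *argv[])
{
    PKCS7 *p7 = NULL;
    X509_STORE_CTX cert_ctx;                /* initialised/cleaned by PKCS7_dataVerify */
    X509_STORE *cert_store = NULL;
    BIO *data = NULL, *detached = NULL, *p7bio = NULL;
    char buf[1024 * 4];
    const char *infile = NULL;
    int printit = 0;
    int ret = 1;                            /* pessimistic; set to 0 only on success */
    STACK_OF(PKCS7_SIGNER_INFO) *sk;
    int i;

    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);

    /* Register every digest, not only SHA-1: a signature made with an
     * unregistered digest cannot be verified at all. */
    OpenSSL_add_all_digests();

    data = BIO_new(BIO_s_file());
    if (data == NULL)
        goto err;

    while (argc > 1) {
        argc--;
        argv++;
        if (strcmp(argv[0], "-p") == 0) {
            printit = 1;
        } else if (strcmp(argv[0], "-d") == 0 && argc >= 2) {
            detached = BIO_new(BIO_s_file());
            if (detached == NULL || !BIO_read_filename(detached, argv[1]))
                goto err;
            argc--;
            argv++;
        } else {
            infile = argv[0];
            if (!BIO_read_filename(data, argv[0]))
                goto err;
        }
    }

    /* No file argument: the PKCS#7 object comes from stdin. */
    if (infile == NULL)
        BIO_set_fp(data, stdin, BIO_NOCLOSE);

    /* Load the PKCS7 object from a file */
    if ((p7 = PEM_read_bio_PKCS7(data, NULL, NULL, NULL)) == NULL)
        goto err;

    /* Trust store setup for certificate verification. When using SSL this
     * could be replaced with cert_store = SSL_CTX_get_cert_store(ssl_ctx); */
    cert_store = X509_STORE_new();
    if (cert_store == NULL)
        goto err;
    /* Both loaders are best-effort: a missing location is reported, and the
     * chain then simply fails to verify if no trust anchor was found. */
    if (!X509_STORE_set_default_paths(cert_store))
        BIO_printf(bio_err, "warning: could not load default CA paths\n");
    if (!X509_STORE_load_locations(cert_store, NULL, CERT_DIR))
        BIO_printf(bio_err, "warning: could not load CA directory %s\n", CERT_DIR);
    X509_STORE_set_verify_cb_func(cert_store, verify_callback);

    ERR_clear_error();

    /* The signed content is either embedded in the PKCS#7 or supplied by -d. */
    if (PKCS7_get_detached(p7) || detached) {
        if (detached == NULL) {
            printf("no data to verify the signature on\n");
            goto done;
        }
        p7bio = PKCS7_dataInit(p7, detached);
    } else {
        p7bio = PKCS7_dataInit(p7, NULL);
    }
    if (p7bio == NULL)
        goto err;

    /* Pull all content through p7bio so the digest BIOs see every byte. */
    for (;;) {
        int n = BIO_read(p7bio, buf, sizeof(buf));
        if (n <= 0)
            break;
        if (printit)
            BIO_write(bio_out, buf, n);
    }

    sk = PKCS7_get_signer_info(p7);
    if (sk == NULL) {
        printf("there are no signatures on this data\n");
        goto done;
    }

    /* Verify each signer's signature and certificate chain. */
    for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sk); i++) {
        PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sk, i);
        ASN1_UTCTIME *tm;
        char *str1, *str2;

        if (PKCS7_dataVerify(cert_store, &cert_ctx, p7bio, p7, si) <= 0)
            goto err;
        printf("signer info\n");
        if ((tm = get_signed_time(si)) != NULL) {
            BIO_printf(bio_out, "Signed time:");
            ASN1_UTCTIME_print(bio_out, tm);
            ASN1_UTCTIME_free(tm);
            BIO_printf(bio_out, "\n");
        }
        if (get_signed_seq2string(si, &str1, &str2)) {
            BIO_printf(bio_out, "String 1 is %s\n", str1);
            BIO_printf(bio_out, "String 2 is %s\n", str2);
        }
    }

    printf("done\n");
    ret = 0;
    goto done;

err:
    ERR_load_crypto_strings();
    ERR_print_errors_fp(stderr);
done:
    /* PKCS7_dataInit() pushes `detached` onto the end of the p7bio chain, so
     * freeing the chain frees it too; only free it separately if no chain
     * was built. */
    if (p7bio != NULL)
        BIO_free_all(p7bio);
    else
        BIO_free(detached);
    BIO_free(data);
    PKCS7_free(p7);
    X509_STORE_free(cert_store);
    BIO_free(bio_out);
    BIO_free(bio_err);
    return ret;
}

/*
 * Verification callback installed on the trust store.
 *
 * Diagnostic only: prints the certificate at the current depth and, when
 * verification failed, the error plus whatever detail helps (missing issuer,
 * validity window). It returns `ok` unchanged, so a failed chain stays
 * failed — the callback never overrides OpenSSL's verdict.
 */
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    char buf[256];
    X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
    int err = X509_STORE_CTX_get_error(ctx);
    int depth = X509_STORE_CTX_get_error_depth(ctx);

    /* There may be no current certificate for some errors. */
    if (err_cert != NULL) {
        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
        BIO_printf(bio_err, "depth=%d %s\n", depth, buf);
    } else {
        BIO_printf(bio_err, "depth=%d <no certificate>\n", depth);
    }

    if (!ok)
        BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                   X509_verify_cert_error_string(err));

    switch (err) {
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
        if (err_cert != NULL) {
            X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
            BIO_printf(bio_err, "issuer= %s\n", buf);
        }
        break;
    case X509_V_ERR_CERT_NOT_YET_VALID:
    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
        if (err_cert != NULL) {
            BIO_printf(bio_err, "notBefore=");
            ASN1_UTCTIME_print(bio_err, X509_get_notBefore(err_cert));
            BIO_printf(bio_err, "\n");
        }
        break;
    case X509_V_ERR_CERT_HAS_EXPIRED:
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
        if (err_cert != NULL) {
            BIO_printf(bio_err, "notAfter=");
            ASN1_UTCTIME_print(bio_err, X509_get_notAfter(err_cert));
            BIO_printf(bio_err, "\n");
        }
        break;
    default:
        break;
    }
    BIO_printf(bio_err, "verify return:%d\n", ok);
    return ok;
}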
原文地址:http://www.cnblogs.com/ggxxjj123/p/4515712.html