Certificate 通过OpenSSL根据CRL验证证书:无法获取证书CRL


我在根据CRL验证证书时遇到问题,CRL是由创建证书的同一CA创建的

我已经创建了自己的证书颁发机构(CA)和一个中间CA。通过这个中间CA,我签发了多个证书并吊销了其中的一些。吊销后我更新了证书吊销列表(CRL),然后把CRL追加到链证书文件(根CA证书与中间CA证书的拼接)中,打算用这个文件检查证书是否已被吊销。我运行的C代码对已吊销的证书按预期报告吊销,但对有效证书却显示意外消息:无法获取证书CRL(unable to get certificate CRL)。此外,如果我去掉CRL检查,结果就符合预期。这是什么原因?

下面给出了我正在运行的代码

#include <stdio.h>
#include <stdlib.h>

#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

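/*
 * Verify a single PEM certificate against a CA bundle with CRL checking.
 *
 * ca_bundlestr is read with X509_STORE_load_locations(), so it may hold
 * CA certificates and CRLs concatenated in one PEM file.  Because the
 * store is given X509_V_FLAG_CRL_CHECK_ALL, OpenSSL looks for a CRL for
 * every CA in the chain, not only for the issuer of the leaf; if one
 * CA's CRL is missing from the bundle, verification fails with
 * "unable to get certificate CRL" even for a non-revoked certificate.
 *
 * Exit status: 0 when the certificate verifies, 1 when verification
 * fails (revoked, missing CRL, untrusted, ...), -1 (255) on setup or
 * file-loading errors.  Result details are printed to stdout.
 */
int main(void) {

  const char ca_bundlestr[] = "./ca-chain.crl.pem";//"./ca-chain.cert.pem";//"./ca-chain.crl.pem";
  const char cert_filestr[] = "./RasPi3B-10.1.1.10.crt.pem";//"./ToBeRevoked3.crt.pem";

  BIO            *certbio  = NULL;
  BIO            *outbio   = NULL;
  X509           *cert     = NULL;
  X509_STORE     *store    = NULL;
  X509_STORE_CTX *vrfy_ctx = NULL;
  int             ret      = 0;
  int             status   = 0;   /* process exit status, see header comment */

  /* ---------------------------------------------------------- *
   * These function calls initialize openssl for correct work.  *
   * ---------------------------------------------------------- */
  OpenSSL_add_all_algorithms();
  ERR_load_BIO_strings();
  ERR_load_crypto_strings();

  /* ---------------------------------------------------------- *
   * Create the Input/Output BIO's.  outbio is created first so *
   * every later error can be reported through it.              *
   * ---------------------------------------------------------- */
  outbio  = BIO_new_fp(stdout, BIO_NOCLOSE);
  certbio = BIO_new(BIO_s_file());
  if (outbio == NULL || certbio == NULL) {
    fprintf(stderr, "Error creating BIO objects\n");
    status = -1;
    goto cleanup;
  }

  /* ---------------------------------------------------------- *
   * Initialize the global certificate validation store object. *
   * Without a store there is nothing to verify against, so     *
   * stop here instead of continuing with a NULL store.         *
   * ---------------------------------------------------------- */
  if (!(store = X509_STORE_new())) {
    BIO_printf(outbio, "Error creating X509_STORE object\n");
    status = -1;
    goto cleanup;
  }

  /* ---------------------------------------------------------- *
   * Create the context structure for the validation operation. *
   * ---------------------------------------------------------- */
  if (!(vrfy_ctx = X509_STORE_CTX_new())) {
    BIO_printf(outbio, "Error creating X509_STORE_CTX object\n");
    status = -1;
    goto cleanup;
  }

  /* ---------------------------------------------------------- *
   * Load the certificate to be checked from file (PEM).        *
   * BIO_read_filename() can itself fail (missing file), which  *
   * the original code did not check.                           *
   * ---------------------------------------------------------- */
  if (BIO_read_filename(certbio, cert_filestr) <= 0
      || !(cert = PEM_read_bio_X509(certbio, NULL, 0, NULL))) {
    BIO_printf(outbio, "Error loading cert into memory\n");
    ERR_print_errors(outbio);
    status = -1;
    goto cleanup;
  }

  /* ---------------------------------------------------------- *
   * Load the CA certificates and CRLs from the bundle file.    *
   * A verification run against an unpopulated store can only   *
   * fail, so treat a load error as fatal.                      *
   * ---------------------------------------------------------- */
  ret = X509_STORE_load_locations(store, ca_bundlestr, NULL);
  if (ret != 1) {
    BIO_printf(outbio, "Error loading CA cert or chain file\n");
    ERR_print_errors(outbio);
    status = -1;
    goto cleanup;
  }

  /* CRL_CHECK: check the leaf against its issuer's CRL.
   * CRL_CHECK_ALL: additionally require a CRL for every CA in the chain,
   * so the bundle must contain the root CA's CRL as well as the
   * intermediate CA's CRL. */
  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);

  /* ---------------------------------------------------------- *
   * Initialize the ctx structure for a verification operation: *
   * Set the trusted cert store, the unvalidated cert, and any  *
   * potential certs that could be needed (here we set it NULL) *
   * ---------------------------------------------------------- */
  if (X509_STORE_CTX_init(vrfy_ctx, store, cert, NULL) != 1) {
    BIO_printf(outbio, "Error initializing X509_STORE_CTX\n");
    ERR_print_errors(outbio);
    status = -1;
    goto cleanup;
  }

  /* ---------------------------------------------------------- *
   * Check the complete cert chain can be build and validated.  *
   * Returns 1 on success, 0 on verification failures, and -1   *
   * for trouble with the ctx object (i.e. missing certificate) *
   * ---------------------------------------------------------- */
  ret = X509_verify_cert(vrfy_ctx);
  BIO_printf(outbio, "Verification return code: %d\n", ret);

  if (ret == 0 || ret == 1) {
    /* Use the accessor: the X509_STORE_CTX struct is opaque in
     * OpenSSL 1.1.0 and later, so vrfy_ctx->error no longer compiles. */
    int err = X509_STORE_CTX_get_error(vrfy_ctx);
    BIO_printf(outbio, "Verification result text: %s\n",
               X509_verify_cert_error_string(err));
  } else {
    /* ret < 0: internal/ctx problem rather than a policy failure. */
    ERR_print_errors(outbio);
  }

  /* ---------------------------------------------------------- *
   * The error handling below shows how to get failure details  *
   * from the offending certificate.  The depth tells which     *
   * link of the chain failed (0 = leaf), which is what you     *
   * need to see when a CA's CRL is the one that is missing.    *
   * ---------------------------------------------------------- */
  if (ret == 0) {
    /* get the offending certificate causing the failure; it is
     * owned by the ctx, so it must not be freed here */
    X509 *error_cert = X509_STORE_CTX_get_current_cert(vrfy_ctx);
    int   depth      = X509_STORE_CTX_get_error_depth(vrfy_ctx);

    BIO_printf(outbio, "Verification error depth: %d\n", depth);
    BIO_printf(outbio, "Verification failed cert:\n");
    if (error_cert != NULL) {
      /* X509_get_subject_name() returns an internal pointer; no
       * X509_NAME_new() is needed (the original leaked one here). */
      X509_NAME_print_ex(outbio, X509_get_subject_name(error_cert), 0,
                         XN_FLAG_MULTILINE);
    } else {
      BIO_printf(outbio, "(no certificate available)");
    }
    BIO_printf(outbio, "\n");
  }

  /* Only a clean X509_verify_cert() result counts as success. */
  status = (ret == 1) ? 0 : 1;

  /* ---------------------------------------------------------- *
   * Free up all structures.  Every OpenSSL free below accepts  *
   * NULL, so this label is safe from every error path above.   *
   * ---------------------------------------------------------- */
cleanup:
  X509_STORE_CTX_free(vrfy_ctx);
  X509_STORE_free(store);
  X509_free(cert);
  BIO_free_all(certbio);
  BIO_free_all(outbio);
  return status;
}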

如果您有中间CA,就需要同时提供根CA的CRL和中间CA的CRL(完整链):代码中设置的 X509_V_FLAG_CRL_CHECK_ALL 会检查链中的每一张证书,任何一级CA缺少CRL都会报"无法获取证书CRL"。您可以简单地把这些CRL拼接到同一个文件中来实现这一点。