Problem description
I'm writing my own callback function in C for SSL_CTX_set_verify() to perform additional certificate checks (when the preverify_ok parameter is 1). However, I want to perform the checks only for the leaf certificate (depth = 0).
There is the function X509_STORE_CTX_get_error_depth() that gets the depth of the error; but I want the current depth even when there is no error so I can perform my additional checks only when depth=0. (Note that the function SSL_CTX_get_verify_depth() returns the depth limit and not the current depth.)
Is there any way to do what I want?
Recommended answer
In spite of the name, during the verify process error_depth is indeed the current certificate being checked. See the while loop in internal_verify in crypto/x509/x509_vfy.c. If either the callback or any builtin check -- here signature or expired, in other places in X509_verify_cert revocation, policy, etc. -- decides a cert is bad, verify logic returns with error_depth left at the cert that caused verify to return, and a subsequent call from 'above' finds that value which identifies the 'error' cert.