x509 证书链验证
x509_test.cc
static int Verify(X509 *leaf, const std::vector<X509 *> &roots, const std::vector<X509 *> &intermediates, const std::vector<X509_CRL *> &crls, unsigned long flags, bool use_additional_untrusted) { bssl::UniquePtr<STACK_OF(X509)> roots_stack(CertsToStack(roots)); bssl::UniquePtr<STACK_OF(X509)> intermediates_stack( CertsToStack(intermediates)); bssl::UniquePtr<STACK_OF(X509_CRL)> crls_stack(CRLsToStack(crls)); if (!roots_stack || !intermediates_stack || !crls_stack) { return X509_V_ERR_UNSPECIFIED; } bssl::UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new()); bssl::UniquePtr<X509_STORE> store(X509_STORE_new()); if (!ctx || !store) { return X509_V_ERR_UNSPECIFIED; } if (use_additional_untrusted) { X509_STORE_set0_additional_untrusted(store.get(), intermediates_stack.get()); } if (!X509_STORE_CTX_init( ctx.get(), store.get(), leaf, use_additional_untrusted ? nullptr : intermediates_stack.get())) { return X509_V_ERR_UNSPECIFIED; } X509_STORE_CTX_trusted_stack(ctx.get(), roots_stack.get()); X509_STORE_CTX_set0_crls(ctx.get(), crls_stack.get()); X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); if (param == nullptr) { return X509_V_ERR_UNSPECIFIED; } X509_VERIFY_PARAM_set_time(param, 1474934400 /* Sep 27th, 2016 */); X509_VERIFY_PARAM_set_depth(param, 16); if (flags) { X509_VERIFY_PARAM_set_flags(param, flags); } X509_STORE_CTX_set0_param(ctx.get(), param); ERR_clear_error(); if (X509_verify_cert(ctx.get()) != 1) { return X509_STORE_CTX_get_error(ctx.get()); } return X509_V_OK;
ssl_x509.cc
static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, SSL *ssl, uint8_t *out_alert) { *out_alert = SSL_AD_INTERNAL_ERROR; STACK_OF(X509) *const cert_chain = session->x509_chain; if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) { return 0; } X509_STORE *verify_store = ssl->ctx->cert_store; if (ssl->cert->verify_store != NULL) { verify_store = ssl->cert->verify_store; } X509 *leaf = sk_X509_value(cert_chain, 0); ScopedX509_STORE_CTX ctx; if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain)) { OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB); return 0; } if (!X509_STORE_CTX_set_ex_data(ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), ssl)) { return 0; } // We need to inherit the verify parameters. These can be determined by the // context: if its a server it will verify SSL client certificates or vice // versa. X509_STORE_CTX_set_default(ctx.get(), ssl->server ? "ssl_client" : "ssl_server"); // Anything non-default in "param" should overwrite anything in the ctx. X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param); if (ssl->verify_callback) { X509_STORE_CTX_set_verify_cb(ctx.get(), ssl->verify_callback); } int verify_ret; if (ssl->ctx->app_verify_callback != NULL) { verify_ret = ssl->ctx->app_verify_callback(ctx.get(), ssl->ctx->app_verify_arg); } else { verify_ret = X509_verify_cert(ctx.get()); } session->verify_result = ctx->error; // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) { *out_alert = ssl_verify_alarm_type(ctx->error); return 0; } ERR_clear_error(); return 1; }
#ifndef OPENSSL_ZHI_CUST SSLInfo ssl_info; bool has_ssl_info = ssl_socket_->GetSSLInfo(&ssl_info); DCHECK(has_ssl_info); uint16_t cipher_suite = SSLConnectionStatusToCipherSuite(ssl_info.connection_status);
LOAD_IGNORE_ALL_CERT_ERRORS
SSLInfo ssl_info1; bool has_ssl_info1 = ssl_socket_->GetSSLInfo(&ssl_info1); DCHECK(has_ssl_info1); uint16_t cipher_suite1 = SSLConnectionStatusToCipherSuite(ssl_info1.connection_status); if ( cipher_suite1 == 0xe013 ||
