Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
709e8595
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
1 年多 前同步成功
通知
10
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
709e8595
编写于
9月 08, 2000
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Update verify docs.
New option to verify program to print out diagnostics.
上级
84b65340
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
63 addition
and
4 deletion
+63
-4
apps/verify.c
apps/verify.c
+5
-1
doc/apps/verify.pod
doc/apps/verify.pod
+58
-3
未找到文件。
apps/verify.c
浏览文件 @
709e8595
...
...
@@ -72,7 +72,7 @@
static
int
MS_CALLBACK
cb
(
int
ok
,
X509_STORE_CTX
*
ctx
);
static
int
check
(
X509_STORE
*
ctx
,
char
*
file
,
STACK_OF
(
X509
)
*
uchain
,
STACK_OF
(
X509
)
*
tchain
,
int
purpose
);
static
STACK_OF
(
X509
)
*
load_untrusted
(
char
*
file
);
static
int
v_verbose
=
0
;
static
int
v_verbose
=
0
,
issuer_checks
=
0
;
int
MAIN
(
int
,
char
**
);
...
...
@@ -139,6 +139,8 @@ int MAIN(int argc, char **argv)
}
else
if
(
strcmp
(
*
argv
,
"-help"
)
==
0
)
goto
end
;
else
if
(
strcmp
(
*
argv
,
"-issuer_checks"
)
==
0
)
issuer_checks
=
1
;
else
if
(
strcmp
(
*
argv
,
"-verbose"
)
==
0
)
v_verbose
=
1
;
else
if
(
argv
[
0
][
0
]
==
'-'
)
...
...
@@ -258,6 +260,8 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X
X509_STORE_CTX_init
(
csc
,
ctx
,
x
,
uchain
);
if
(
tchain
)
X509_STORE_CTX_trusted_stack
(
csc
,
tchain
);
if
(
purpose
>=
0
)
X509_STORE_CTX_set_purpose
(
csc
,
purpose
);
if
(
issuer_checks
)
X509_STORE_CTX_set_flags
(
csc
,
X509_V_FLAG_CB_ISSUER_CHECK
);
i
=
X509_verify_cert
(
csc
);
X509_STORE_CTX_free
(
csc
);
...
...
doc/apps/verify.pod
浏览文件 @
709e8595
...
...
@@ -12,6 +12,7 @@ B<openssl> B<verify>
[B<-purpose purpose>]
[B<-untrusted file>]
[B<-help>]
[B<-issuer_checks>]
[B<-verbose>]
[B<->]
[certificates]
...
...
@@ -57,6 +58,14 @@ prints out a usage message.
print extra information about the operations being performed.
=item B<-issuer_checks>
print out diagnostics relating to searches for the issuer certificate
of the current certificate. This shows why each candidate issuer
certificate was rejected. However the presence of rejection messages
does not itself imply that anything is wrong: during the normal
verify process several rejections may take place.
=item B<->
marks the last option. All arguments following this are assumed to be
...
...
@@ -88,9 +97,21 @@ The verify operation consists of a number of separate steps.
Firstly a certificate chain is built up starting from the supplied certificate
and ending in the root CA. It is an error if the whole chain cannot be built
up. The chain is built up by looking up a certificate whose subject name
matches the issuer name of the current certificate. If a certificate is found
whose subject and issuer names are identical it is assumed to be the root CA.
up. The chain is built up by looking up the issuers certificate of the current
certificate. If a certificate is found which is its own issuer it is assumed
to be the root CA.
The process of 'looking up the issuers certificate' itself involves a number
of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
subject name matched the issuer of the current certificate was assumed to be
the issuers certificate. In OpenSSL 0.9.6 and later all certificates
whose subject name matches the issuer name of the current certificate are
subject to further tests. The relevant authority key identifier components
of the current certificate (if present) must match the subject key identifier
(if present) and issuer and serial number of the candidate issuer, in addition
the keyUsage extension of the candidate issuer (if present) must permit
certificate signing.
The lookup first looks in the list of untrusted certificates and if no match
is found the remaining lookups are from the trusted certificates. The root CA
is always looked up in the trusted certificate list: if the certificate to
...
...
@@ -260,12 +281,46 @@ the root CA is not marked as trusted for the specified purpose.
the root CA is marked to reject the specified purpose.
=item B<29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
the current candidate issuer certificate was rejected because its subject name
did not match the issuer name of the current certificate. Only displayed when
the B<-issuer_checks> option is set.
=item B<30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
the current candidate issuer certificate was rejected because its subject key
identifier was present and did not match the authority key identifier current
certificate. Only displayed when the B<-issuer_checks> option is set.
=item B<31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
the current candidate issuer certificate was rejected because its issuer name
and serial number was present and did not match the authority key identifier
of the current certificate. Only displayed when the B<-issuer_checks> option is set.
=item B<32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
the current candidate issuer certificate was rejected because its keyUsage extension
does not permit certificate signing.
=item B<50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
an application specific error. Unused.
=back
=head1 BUGS
Although the issuer checks are a considerably improvement over the old technique they still
suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
trusted certificates with matching subject name must either appear in a file (as specified by the
B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only
the certificates in the file will be recognised.
Previous versions of OpenSSL assume certificates with matching subject name are identical and
mishandled them.
=head1 SEE ALSO
L<x509(1)|x509(1)>
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录