
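I am stuck on a very strange problem revolving around the CMS_verify() method in OpenSSL. I am developing a way to sign and verify data in C++ using OpenSSL, but verification raises a very strange error, as shown in the following code stub: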

  // Sign
  BIO_puts(in, "My test string.");

  cms = CMS_sign(serverCert, privateKey, recips, in, CMS_BINARY);
  if (!cms) {
    cout << ERR_error_string(ERR_get_error(), NULL) << endl;
  } else {
    cout << "Successfully signed!" << endl;
  }

  // Verify
  if (!CMS_verify(cms, certs, st, NULL, out, 0)) {
    cout << ERR_error_string(ERR_get_error(), NULL) << endl;
  } else {
    cout << "Successfully verified!" << endl;
  }

  size = BIO_get_mem_data(out, &outString);
  cout << "Verified string: " << string(outString, size) << endl;

  BIO_ctrl(out, BIO_CTRL_RESET, 0, NULL);

  // Verify without certificate verification
  if (!CMS_verify(cms, certs, st, NULL, out, CMS_NO_SIGNER_CERT_VERIFY)) {
    cout << ERR_error_string(ERR_get_error(), NULL) << endl;
  } else {
    cout << "Successfully verified!" << endl;
  }

  signers = CMS_get0_signers(cms);
  for (int i = 0; i < sk_X509_num(signers); i++) {
    X509_STORE_CTX_init(storeCtx, st, sk_X509_value(signers, i), NULL);
    if (!X509_verify_cert(storeCtx)) {
      // Use the accessor: X509_STORE_CTX is opaque in OpenSSL 1.1.0 and later
      cout << X509_verify_cert_error_string(X509_STORE_CTX_get_error(storeCtx)) << endl;
    } else {
      cout << "Signer certificate has been verified." << endl;
    }
  }

  size = BIO_get_mem_data(out, &outString);
  cout << "Verified string: " << string(outString, size) << endl;

The corresponding output:

  Successfully signed!
  error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error
  Verified string: 
  Successfully verified!
  Signer certificate has been verified.
  Verified string: My test string.

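So, as you can see, the certificate I am using is valid, but somehow the CMS_verify() method fails to verify the encapsulated certificate in my CMS structure.

My workaround seems to work, but I would really like to know what I am doing wrong.

So can anybody help me?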
