开发者

How to verify the password of a pkcs#12 certificate (.PXF) with openssl C API?

问答 作者:

I have an .pxf (AFAIK PKCS#12) certificate. How can I confirm a given password for this certificate usi开发者_如何学JAVAng the openssl C API?

One approach to finding answers like this is to find an OpenSSL utility that performs the same functionality as what you are trying to do. In this case, you can use the pkcs12 utility that comes with OpenSSL to verify the password.

The command to verify a pfx file is the following:

openssl pkcs12 -in mypfx.pfx -noout

With that information, you can then look at its source code ({openssl_src}/apps/pkcs12.c) to see how they do it.

The source code shows that it calls PKCS12_verify_mac to verify the password. First to verify that there is no password:

if( PKCS12_verify_mac(p12, NULL, 0) )
{
    printf("PKCS12 has no password.\n");
}

And then if there is a password, verify it by passing it as an argument:

if( PKCS12_verify_mac(p12, password, -1) )
{
    printf("PKCS12 password matches.\n");
}

OpenSSL also has demos for working with PKCS12 in openssl/demos/pkcs12. The pkread.c demo provides an example for parsing a pfx file with a password.

EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *ca = NULL;

if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) {
    fprintf(stderr, "Error parsing PKCS#12 file\n");
    ERR_print_errors_fp(stderr);
    exit(1);
}

Full example, compiled with gcc -std=c99 verifypfx.c -o verifypfx -lcrypto:

#include <stdio.h>
#include <errno.h>
#include <openssl/pkcs12.h>
#include <openssl/err.h>

int main(int argc, char *argv[])
{
        const char *password = "mypassword";
        PKCS12 *p12;

        // Load the pfx file.
        FILE *fp = fopen("mypfx.pfx", "rb");
        if( fp == NULL ) { perror("fopen"); return 1; }
        p12 = d2i_PKCS12_fp(fp, NULL);
        fclose(fp);

        OpenSSL_add_all_algorithms();
        ERR_load_PKCS12_strings();

        if( p12 == NULL ) { ERR_print_errors_fp(stderr); exit(1); }

        // Note:  No password is not the same as zero-length password.  Check for both.
        if( PKCS12_verify_mac(p12, NULL, 0) )
        {
                printf("PKCS12 has no password.\n");
        }
        else if( PKCS12_verify_mac(p12, password, -1) )
        {
                printf("PKCS12 password matches.\n");
        }
        else
        {
                printf("Password not correct.\n");
        }

        return 0;
}

Use PKCS12_verify_mac(). eg.

FILE* f = fopen("myfile.pfx", "rb");
PKCS12* p12 = d2i_PKCS12_fp(f, NULL);
fclose(f);
if (!PKCS12_verify_mac(p12, (char*)"mypassword", strlen("mypassword")))
{
   // handle failure
}

继续阅读:copensslpkcs#12

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9