fuk*_*chi 7 openssl common-lisp cffi
我正在尝试从Common Lisp中的PKCS#12加密的客户端证书中提取信息.
我尝试过以下步骤:
BIO与d2i_PKCS12_bioPKCS12_verify_macPKCS12_parse这是实际的CFFI代码:
(defun load-pkcs12 (file &optional passphrase)
(openssl-add-all-digests)
(pkcs12-pbe-add)
;; 1. Load the given p12 file
(let ((content (slurp-file file)))
(cffi:with-pointer-to-vector-data (data-sap content)
(let* ((bio (bio-new-mem-buf data-sap (length content)))
(p12 (d2i-pkcs12-bio bio (cffi:null-pointer)))
(pkey (evp-pkey-new))
(cert (x509-new)))
(unwind-protect
(progn
;; 2. Verify the passphrase
(let ((res (pkcs12-verify-mac p12 (or passphrase (cffi:null-pointer)) (length passphrase))))
(when (zerop res)
(error (format nil "Error while verifying mac~%~A" (get-errors)))))
;; 3. Parse the file
(cffi:with-foreign-objects ((*pkey :pointer)
(*cert :pointer))
(setf (cffi:mem-ref *pkey :pointer) pkey
(cffi:mem-ref *cert :pointer) cert)
(let ((res
(pkcs12-parse p12
(or passphrase (cffi:null-pointer))
*pkey
*cert
(cffi:null-pointer))))
(when (zerop res)
(error "Error in pkcs12-parse~%~A" (get-errors)))))
(pkcs12-free p12)
;; 4. Show the result
(let ((bio (cl+ssl::bio-new (bio-s-mem))))
(unwind-protect
(progn
(x509-print-ex bio cert 0 0)
(bio-to-string bio))
(bio-free bio))))
(evp-pkey-free pkey)
(x509-free cert))))))
但是,结果X509_print_ex总是毫无意义:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 0 (0x0)
Signature Algorithm: itu-t
Issuer:
Validity
Not Before: Bad time value
当我用openssl命令尝试它时看起来很好,所以我假设p12文件没问题:
$ openssl pkcs12 -in sslcert.p12 -clcerts -nokeys
Enter Import Password: <input passphrase>
MAC verified OK
Bag Attributes
localKeyID: 31 0E 0D 31 05 8D 20 13 BA B3 81 85 57 AD 28 52 9F D0 19 BE
subject=/C=JP/ST=Tokyo/L=Minato/O=<company>/OU=Development/CN=<user>/emailAddress=admin@example.co.jp
issuer=/C=JP/ST=Tokyo/O=<company>/OU=Development/CN=SuperUser Intermediate CA/emailAddress=admin@example.co.jp
-----BEGIN CERTIFICATE-----
...PEM-encoded certificate...
-----END CERTIFICATE-----
mime的完整片段是基于gist的.主要功能是load-pkcs12在文件的底部.
(load-pkcs12 #P"/path/to/sslcert.p12" "password")
有人可以帮忙吗?
小智 0
我认为该代码的问题在于分别将 和pkey分配cert为空对象。evp-pkey-newx509-new
下面的代码完成了类似的事情;cffi:foreign-alloc请注意和的使用cffi:mem-ref。
(define-condition ssl-pkcs12-error (error)
((texto :initarg :texto :initform nil :reader ssl-pkcs12-error-texto)))
(defun ssl-pkcs12-descifra (archivo contra salida)
(let ((fp (cffi:foreign-funcall "fopen" :string archivo :string "rb" :pointer)))
(when (cffi:null-pointer-p fp)
(error 'ssl-pkcs12-error :texto (format nil "No pudo abrise el archivo: ~s" archivo)))
(let ((p12 (d2i-pkcs12-fp fp (cffi:null-pointer))))
(cffi:foreign-funcall "fclose" :pointer fp :int)
(when (cffi:null-pointer-p p12)
(error 'ssl-pkcs12-error :texto "Error leyendo el archivo PKCS#12"))
(let* ((pkey (cffi:foreign-alloc :pointer))
(cert (cffi:foreign-alloc :pointer))
(res (pkcs12-parse p12 contra pkey cert (cffi:null-pointer))))
(pkcs12-free p12)
(when (zerop res)
(error 'ssl-pkcs12-error :texto "Error interpretando el archivo PKCS#12"))
(let ((fp (cffi:foreign-funcall "fopen" :string salida :string "w" :pointer)))
(when (cffi:null-pointer-p fp)
(error 'ssl-pkcs12-error
:texto (format nil "No pudo crearse el archivo: ~s" salida)))
(unless (cffi:null-pointer-p (cffi:mem-ref pkey :pointer))
(pem-write-privatekey fp (cffi:mem-ref pkey :pointer)
(cffi:null-pointer) (cffi:null-pointer)
0 (cffi:null-pointer) (cffi:null-pointer))
(evp-pkey-free (cffi:mem-ref pkey :pointer)))
(unless (null-pointer-p (cffi:mem-ref cert :pointer))
(pem-write-x509 fp (cffi:mem-ref cert :pointer))
(x509-free (cffi:mem-ref cert :pointer)))
(cffi:foreign-free pkey)
(cffi:foreign-free cert)
(cffi:foreign-funcall "fclose" :pointer fp :int))))))
| 归档时间: |
|
| 查看次数: |
241 次 |
| 最近记录: |