openssl cypto库证书验证(含撤销证书验证)

这里是二级证书验证, 注意CRL撤销证书必须由二级证书撤销, 顶级证书可以撤销, 并且命令行不会出错, 但是无法验证出.

/*
 openssl ca -config CM.cfg -revoke badcert.pem
 openssl ca -config CM.cfg -gencrl -out crl.pem
 cat certs/root.pem certs/mfg.pem crl.pem >revoke.pem
 openssl verify -CAfile revoke.pem -crl_check certs/badcert.pem
*/
void static verifyCert()
{
    //error 7 at 1 depth lookup:certificate signature failure
    //error 8 at 0 depth lookup:CRL signature failure
    OpenSSL_add_all_algorithms();
    X509_STORE *store = X509_STORE_new();
    X509_STORE_set_verify_cb(store, cb);

    //error 2 at 1 depth lookup:unable to get issuer certificate
    X509_STORE_add_cert(store, loadX509(PATH"certs/root.der"));
    //error 20 at 0 depth lookup:unable to get local issuer certificate
    X509_STORE_add_cert(store, loadX509(PATH"certs/mfg.pem"));

    //error 23 at 0 depth lookup:certificate revoked
    X509_STORE_add_crl(store, loadX509Crl(PATH"crl.pem"));
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);

    X509_STORE_CTX *ctx = X509_STORE_CTX_new();


    X509 *xDevice = loadX509(PATH"certs/device.pem");
    X509_STORE_CTX_init(ctx, store, xdevice, NULL);

    if (X509_verify_cert(ctx) > 0)
    {
        printf("OK\n");
    }

    X509_STORE_CTX_free(ctx);
    X509_STORE_free(store);
}