Hi all,

I am trying to define my own certificate verification function through the API "SSL_CTX_set_cert_verify_callback". This custom certificate verification callback will check the thumbprint of the peer certificate. In this callback the thumbprint of the certificate is calculated through the API "X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, unsigned int *len)". The "data" parameter passed in is X509_STORE_CTX::cert. I found that the calculated digest was different from what was calculated by the openssl command line. Is there something wrong with my code? It looks like the following.

    #include <string.h>
    #include <openssl/evp.h>
    #include <openssl/x509.h>
    #include <openssl/x509_vfy.h>

    /* Registered with SSL_CTX_set_cert_verify_callback(); arg is the expected thumbprint. */
    static int ssl_certificate_thumbprint_verify_callback(X509_STORE_CTX *ctx, void *arg)
    {
        unsigned char *thumbprint = (unsigned char *)arg;
        X509 *cert = ctx->cert;  /* direct member access: X509_STORE_CTX is opaque from OpenSSL 1.1.0 on */
        const EVP_MD *tempDigest;
        unsigned char tempFingerprint[EVP_MAX_MD_SIZE];
        unsigned int tempFingerprintLen;

        tempDigest = EVP_sha1();
        /* SHA-1 over the DER encoding of the certificate, written as raw bytes */
        if (X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen) <= 0)
            return 0;
        /* accept the certificate only if the digest equals the expected thumbprint */
        if (!memcmp(tempFingerprint, thumbprint, tempFingerprintLen))
            return 1;
        return 0;
    }

Thanks.
Liang
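X509_digest writes raw digest bytes, while `openssl x509 -fingerprint` prints the same digest as colon-separated hex text, so both must be brought to one representation and one length before they are compared. The following is an added example, not code from the original post: it assumes the pinned thumbprint is stored as text, does not call OpenSSL itself, and the names `parse_fingerprint`, `thumbprint_matches` and `MAX_DIGEST` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DIGEST 64  /* assumed buffer size; same value as EVP_MAX_MD_SIZE */

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Convert "SHA1 Fingerprint=AB:CD:..." (or bare "ab:cd..." / "abcd...")
 * into raw bytes. Returns the byte count, or -1 if the text is malformed. */
int parse_fingerprint(const char *text, unsigned char *out, size_t cap)
{
    const char *eq = strchr(text, '=');
    const char *p = eq ? eq + 1 : text;   /* skip the label if present */
    size_t n = 0;

    while (*p && *p != '\n' && *p != '\r') {
        int hi, lo;
        if (*p == ':') { p++; continue; }
        hi = hex_val(p[0]);
        if (hi < 0) return -1;
        lo = hex_val(p[1]);               /* p[1] is at worst the NUL terminator */
        if (lo < 0 || n >= cap) return -1;
        out[n++] = (unsigned char)(hi << 4 | lo);
        p += 2;
    }
    return n ? (int)n : -1;
}

/* Returns 1 only if the pinned text decodes to exactly digest_len bytes that
 * equal digest (the raw bytes and length X509_digest() reports). */
int thumbprint_matches(const unsigned char *digest, unsigned int digest_len,
                       const char *pinned_text)
{
    unsigned char pinned[MAX_DIGEST];
    unsigned char diff = 0;
    unsigned int i;
    int n = parse_fingerprint(pinned_text, pinned, sizeof pinned);

    if (n < 0 || (unsigned int)n != digest_len) return 0;  /* fail closed */
    for (i = 0; i < digest_len; i++) diff |= digest[i] ^ pinned[i];
    return diff == 0;
}
```

Inside the callback above, `digest` and `digest_len` would be `tempFingerprint` and `tempFingerprintLen`; a malformed or wrong-length pinned value rejects the certificate instead of comparing a partial buffer.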