我用C++写了一个安卓APK的认证。
主要就是解析里面的CERT.RSA
解析:
PKCS7 *p7 = NULL;
BIO *in = BIO_new(BIO_s_file());
STACK_OF(X509) *certs = NULL;
int i;
BIO_read_filename(in, rsa_path);
p7 = d2i_PKCS7_bio(in, NULL);
if(p7) {
i = OBJ_obj2nid(p7->type);
} else {
BIO_free(in);
break;
}
if(i == NID_pkcs7_signed) {
certs = p7->d.sign->cert;
} else if(i == NID_pkcs7_signedAndEnveloped) {
certs = p7->d.signed_and_enveloped->cert;
}
BIO_free(in);
if(sk_X509_num(certs) != 1) {
PKCS7_free(p7);
break;
}
认证:
BIO *p7bio = NULL;
int res = 0;
char buf[1024*4] = {0};
STACK_OF(PKCS7_SIGNER_INFO) *sk;
PKCS7_SIGNER_INFO *si;
X509 * x509;
int i;
PKCS7 *pkcs7 = (PKCS7 *)m_pkcs7;
p7bio = PKCS7_dataDecode(pkcs7, 0, 0, 0);
//这里得到的p7bio是空的!!!!为什么
//这段代码是我从网上面找到的
for (;;)
{
i=BIO_read(p7bio,buf,sizeof(buf));
if (i <= 0)
break;
}
// We can now verify signatures
sk = PKCS7_get_signer_info(pkcs7);
if (sk == NULL)
{
goto end;
}
else
{
if (sk_PKCS7_SIGNER_INFO_num(sk) == 0)
{
goto end;
}
/* Ok, first we need to, for each subject entry,
* see if we can verify */
for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
{
si = sk_PKCS7_SIGNER_INFO_value(sk, i);
x509 = X509_find_by_issuer_and_serial(pkcs7->d.sign->cert,si->issuer_and_serial->issuer,si->issuer_and_serial->serial);
int ret;
ret = PKCS7_signatureVerify(p7bio, pkcs7, si, x509);
if (ret <= 0)
goto end;
}
}
res = 1;
end:
if (p7bio)
BIO_free_all(p7bio);
return res;
m_pkcs7数据是否正确。
获取m_pkcs7
bool Certificate::parse(const char *rsa_path) {
bool ret = false;
do {
if(m_pkcs7) {
clear();
}
PKCS7 *p7 = NULL;
BIO *in = BIO_new(BIO_s_file());
STACK_OF(X509) *certs = NULL;
int i;
BIO_read_filename(in, rsa_path);
p7 = d2i_PKCS7_bio(in, NULL);
if(p7) {
i = OBJ_obj2nid(p7->type);
} else {
BIO_free(in);
break;
}
if(i == NID_pkcs7_signed) {
certs = p7->d.sign->cert;
} else if(i == NID_pkcs7_signedAndEnveloped) {
certs = p7->d.signed_and_enveloped->cert;
}
BIO_free(in);
if(sk_X509_num(certs) != 1) {
PKCS7_free(p7);
break;
}
m_rsa_path = rsa_path;
m_certs = certs;
m_pkcs7 = p7;
ret = true;
}while(0);
return ret;
}
验证:
bool Certificate::VerifyPkcs7Signature() {
if(m_pkcs7 == NULL) {
return false;
}
BIO *p7bio = NULL;
int res = 0;
char buf[1024*4] = {0};
STACK_OF(PKCS7_SIGNER_INFO) *sk;
PKCS7_SIGNER_INFO *si;
X509 * x509;
int i;
PKCS7 *pkcs7 = (PKCS7 *)m_pkcs7;
// p7bio = PKCS7_dataInit(pkcs7,NULL);
p7bio = PKCS7_dataDecode(pkcs7, 0, 0, 0);
// We now have to 'read' from p7bio to calculate digests etc.
do {
i = BIO_read(p7bio, buf, sizeof(buf));
//we can now verify signatures
sk = PKCS7_get_signer_info(pkcs7);
if(sk == NULL) {
break;
}
if(0 == sk_PKCS7_SIGNER_INFO_num(sk)) {
break;
}
for(i = 0; i < sk_PKCS7_SIGNER_INFO_num(sk); i++) {
si = sk_PKCS7_SIGNER_INFO_value(sk, i);
x509 = X509_find_by_issuer_and_serial(pkcs7->d.sign->cert,
si->issuer_and_serial->issuer,
si->issuer_and_serial->serial);
int ret = PKCS7_signatureVerify(p7bio, pkcs7, si, x509);
if(ret < 0) {
res = -1;
break;
}
}
}while(0);
if(p7bio) {
BIO_free_all(p7bio);
}
return res != 1;
}
你看看有什么问题
现在是能用了,但是不知道为什么PKCS7_dataDecode仍然是空。
如果你了解怎么用PKCS7来得到签名的话,我就真的谢谢你了!!!!