Newbie question: confusion about OpenSSL's verify_callback

deathking · 2015-07-30 · 3335 views

Is the callback specified by verify_callback used to perform the verification itself, or for handling the result after verification? The passage below is copied from the OpenSSL documentation, "set peer certificate verification parameters"; the Ruby docs do not describe this in much detail.

The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification function set with SSL_CTX_set_cert_verify_callback. ... The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set.

  1. If it is post-verification handling, then while reading the Puppet source I found that even when preverify_ok is true it still checks the peer again (preverify_ok = valid_peer?). I don't quite understand why this is done.
  2. If this callback is the one responsible for verifying the peer, then how is the value of preverify_ok determined?
def call(preverify_ok, store_context)
  # We must make a copy since the scope of the store_context will be lost
  # across invocations of this method.
  if preverify_ok
    current_cert = store_context.current_cert
    @peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)

    # If we've copied all of the certs in the chain out of the SSL library
    if @peer_certs.length == store_context.chain.length
      # (#20027) The peer cert must be issued by a specific authority
      preverify_ok = valid_peer?
    end
  else
    error = store_context.error || 0
    error_string = store_context.error_string || "OpenSSL error #{error}"

    case error
    when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
      # current_crl can be nil
      # https://github.com/ruby/ruby/blob/ruby_1_9_3/ext/openssl/ossl_x509store.c#L501-L510
      crl = store_context.current_crl
      if crl
        if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
          Puppet.debug("Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}")
          preverify_ok = true
        else
          @verify_errors << "#{error_string} for #{crl.issuer}"
        end
      else
        @verify_errors << error_string
      end
    else
      current_cert = store_context.current_cert
      @verify_errors << "#{error_string} for #{current_cert.subject}"
    end
  end
  preverify_ok
rescue => ex
  @verify_errors << ex.message
  false
end
No replies yet.