How to determine the root of a certificate?
My root certificates are stored as several files in ASN.1 format.
Assume I have a chained end entity certificate in the same format. How do I efficiently determine the root certificate of this certificate?
Currently I have to take a brute force approach which extracts the public key of the end entity certificate and validates that against all root certificates and the first match is considered the root certificate. Is this the right approach?
1 Answer
To find the issuer of a certificate, you should use the "Issuer DN" and match it with the "Subject DN" of the certificates in your CA store. This should significantly reduce the number of signature verifications.
It is possible to have different CA certificates with the same "Subject DN" (with different public keys, validity dates, etc.), so your algorithm should be prepared to handle that. The "Subject Key Identifier" and "Authority Key Identifier" can also help to reduce the number of candidates.
Finding the issuing authority is only a small part of the "right approach" to validating certificates. I would advise you to look at part 6 of http://www.ietf.org/rfc/rfc5280.txt "Certification Path Validation". Some parts are most probably overkill (i.e. most things having to do with policies).
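The lookup the answer describes, as an added example that is not part of the original question or answer, written against Go's standard crypto/x509: the CA store is first narrowed by Issuer DN == Subject DN, then by Authority Key Identifier == Subject Key Identifier, and only the survivors get a signature check. The store is constructed inside the code (two roots deliberately share a Subject DN but not a key, which is the collision case the answer warns about); no certificate, name or key comes from the page.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a CA or leaf; parent == nil means self-signed. Go derives SKI and AKI itself.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// findIssuer keeps only CAs whose Subject DN equals the leaf's Issuer DN (and, when useKeyID is
// set and both extensions exist, whose SKI equals the leaf's AKI), then verifies signatures.
// It returns the signing CA and the number of signature verifications it had to perform.
func findIssuer(ee *x509.Certificate, store []*x509.Certificate, useKeyID bool) (*x509.Certificate, int) {
	checked := 0
	for _, ca := range store {
		if !bytes.Equal(ee.RawIssuer, ca.RawSubject) || (useKeyID && len(ee.AuthorityKeyId) > 0 &&
			len(ca.SubjectKeyId) > 0 && !bytes.Equal(ee.AuthorityKeyId, ca.SubjectKeyId)) {
			continue
		}
		checked++
		if ee.CheckSignatureFrom(ca) == nil {
			return ca, checked
		}
	}
	return nil, checked
}

// demoSetup: constructed store where two roots share a Subject DN but not a key.
func demoSetup() (ee *x509.Certificate, store []*x509.Certificate, trueRoot *x509.Certificate) {
	rootA, keyA := mkCert("Example Root CA", true, nil, nil)
	rootB, _ := mkCert("Example Root CA", true, nil, nil) // same DN, different key
	ee, _ = mkCert("leaf.example.test", false, rootA, keyA)
	return ee, []*x509.Certificate{rootB, rootA}, rootA
}
```

For a chain with intermediates, repeat the same lookup on each issuer found until you reach a self-signed certificate that is in your store; that is the root the question asks for.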