在 Linux 上验证 X.509 证书

发布于 2024-09-10 13:55:18 字数 226 浏览 9 评论 0原文

我刚刚开始使用 X.509 证书。谁能告诉我如何在 Linux 上验证证书?用例是我的应用程序在上一个会话中下载了证书,我必须在开始新会话之前检查它是否仍然有效(即,自存储以来没有过期或撤销)。我知道这里不可能提供完整的示例,但任何指针都会有用。

编辑:进一步调查发现了另一个名为网络安全服务(NSS)的实用程序。就可用性而言,它与 OpenSSL 相比如何?另外,我正在寻找编程解决方案,因为我将无法启动命令行实用程序。

I have just started working with X.509 certificates. Can any one tell me how to go about validating a certificate on linux? The use case is that my app had downloaded a certificate in a previous session and I have to check if it is still valid (i.e., not expired or revoked since it was stored) before starting a new session. I understand a full sample will not be possible here, but any pointers will be useful.

EDIT: Further investigation revealed another utility called Network Security Services (NSS). How does that compare to OpenSSL in terms of usability? Also, I am looking for programmatic solutions as I will not be able to launch command line utilities.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

小糖芽 2024-09-17 13:55:18

正如其他人提到的,您可以使用 openssl verify。根据文档,它还会检查有效期。

从编程角度来说,这可能意味着要花几个小时搜索有点糟糕(或丢失)的文档,在网络上阅读代码示例,并且可能会让人头疼。

为了正确验证证书,您需要通知所有中间证书。通常您还会通知撤销列表 (CRL),但这不是必需的。

因此,您需要在代码方面执行以下操作(OpenSSL):

  1. X509_STORE_new - 创建证书存储区;
  2. X509_STORE_CTX_new - 创建商店上下文;
  3. X509_STORE_add_cert - 将 CA(和所有中间)证书添加到证书存储的受信任列表中(注意:有一个查找/加载列表的功能);
  4. X509_STORE_add_crl - 将吊销的证书添加到您的证书存储的 CRL 中(注意:同上);
  5. X509_STORE_CTX_init - 初始化您的存储上下文,通知您的证书存储;
  6. X509_STORE_CTX_set_ Purpose - 如果需要,定义目的;
  7. X509_STORE_CTX_set_cert- 告诉上下文您要验证哪个证书;
  8. X509_verify_cert - 最后,验证它;
  9. X509_STORE_CTX_cleanup - 如果您想重用上下文来验证另一个证书,请清理它并跳回 (5);
  10. 最后但并非最不重要的一点是,释放(1)和(2);

或者,可以使用 X509_verify 进行快速验证。但是,请注意它仅比较签名。

当我需要的时候,我花了一天的时间进行搜索、阅读和测试。然后我发现我需要的一切都在 OpenSSL 源代码中。因此,如果您需要示例,请直接访问openssl-xxx/apps/verify.c

重要提示:切勿使用 MD5。要了解原因,请阅读创建恶意 CA 证书

As others mentioned, you can use openssl verify. According to the documentation, it also checks the validity period.

Programmatically, it could mean hours of searching for kinda bad (or missing) documentation, reading code examples all over the web, and probably a headache.

To properly validate a certificate, you need to inform all the intermediate certificates. Normally you'd also inform the revocation list (CRL), but it's not required.

So, here's what you need to do in terms of code (OpenSSL):

  1. X509_STORE_new - Create a certificate store;
  2. X509_STORE_CTX_new - Create a store context;
  3. X509_STORE_add_cert - Add the CA (and all intermediary) certificate(s) to the trusted list of your certificate store (note: there's a function to lookup/load a list);
  4. X509_STORE_add_crl - Add the revoked certificates to the CRL of your certificate store (note: same as above);
  5. X509_STORE_CTX_init - Initialize your store context informing your certificate store;
  6. X509_STORE_CTX_set_purpose - Define the purpose if you need so;
  7. X509_STORE_CTX_set_cert- Tell the context which certificate you're going to validate;
  8. X509_verify_cert - Finally, validate it;
  9. X509_STORE_CTX_cleanup - If you want to reuse the context to validate another certificate, you clean it up and jump back to (5);
  10. Last but not least, deallocate (1) and (2);

Alternatively, a quick validation can be done with X509_verify. However, be aware that it compares signatures solely.

When I needed it, took me a day of searching, reading and testing. Then I figured out everything I needed was right in the OpenSSL source-code. So, if you need an example, go straight to openssl-xxx/apps/verify.c.

IMPORTANT: NEVER use MD5. To understand the reason, read Creating a rogue CA certificate.

单身狗的梦 2024-09-17 13:55:18

如果您想要一个简单的工具,openssl verify 将执行您想要的操作:

从运行中:

cd /usr/share/ca-certificates
find . -type f -exec openssl -verify {} \;

这是输出的选择:

./telesec.de/deutsche-telekom-root-ca-2.crt: OK
./brasil.gov.br/brasil.gov.br.crt: OK
./cacert.org/cacert.org.crt: OK
./spi-inc.org/spi-ca-2003.crt: /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certification Authority/[email protected]
error 10 at 0 depth lookup:certificate has expired
OK
./spi-inc.org/spi-cacert-2008.crt: OK
./signet.pl/signet_ocspklasa3_pem.crt: /C=PL/O=TP Internet Sp. z o.o./CN=CC Signet - CA Klasa 3/serialNumber=Numer wpisu: 4
error 2 at 1 depth lookup:unable to get issuer certificate
./signet.pl/signet_ca3_pem.crt: /C=PL/O=TP Internet Sp. z o.o./CN=CC Signet - CA Klasa 3/serialNumber=Numer wpisu: 4
error 20 at 0 depth lookup:unable to get local issuer certificate

如果您希望在更大的程序中获得结果,也许 gnutls_x509_crt_verify(3)gnutls_x509_crt_get_key_usage(3)gnutls_x509_crt_check_replication(3) 接口比 OpenSSL 更易于使用。 (我从未使用过 gnutls,但我使用过 OpenSSL。)

openssl verify will do what you want, if you want a simple tool:

From running:

cd /usr/share/ca-certificates
find . -type f -exec openssl -verify {} \;

Here's a selection of the output:

./telesec.de/deutsche-telekom-root-ca-2.crt: OK
./brasil.gov.br/brasil.gov.br.crt: OK
./cacert.org/cacert.org.crt: OK
./spi-inc.org/spi-ca-2003.crt: /C=US/ST=Indiana/L=Indianapolis/O=Software in the Public Interest/OU=hostmaster/CN=Certification Authority/[email protected]
error 10 at 0 depth lookup:certificate has expired
OK
./spi-inc.org/spi-cacert-2008.crt: OK
./signet.pl/signet_ocspklasa3_pem.crt: /C=PL/O=TP Internet Sp. z o.o./CN=CC Signet - CA Klasa 3/serialNumber=Numer wpisu: 4
error 2 at 1 depth lookup:unable to get issuer certificate
./signet.pl/signet_ca3_pem.crt: /C=PL/O=TP Internet Sp. z o.o./CN=CC Signet - CA Klasa 3/serialNumber=Numer wpisu: 4
error 20 at 0 depth lookup:unable to get local issuer certificate

If you'd rather have the results in a larger program, perhaps the gnutls_x509_crt_verify(3), gnutls_x509_crt_get_key_usage(3), gnutls_x509_crt_check_revocation(3) interfaces are easier to use than OpenSSL. (I've never used gnutls, but I have used OpenSSL.)

活雷疯 2024-09-17 13:55:18

OCSP 是一种检查证书吊销的协议。 Openssl 提供证书链验证和签名验证 API。它需要一定量的编码。所以我建议您查看 Openssl 文档。

您必须传递证书链并对其进行验证,直到到达应已保存在您的计算机上的根证书。这是由称为根 CA(证书颁发机构)的实体颁发的自签名证书。

除了 OCSP 之外,还有一种过时的方法,您必须获取吊销列表(即 CRL)并解析该列表以获取证书 ID。

编辑:
我忘了提及 openssl 命令行实用程序,它具有相同的功能。

OCSP is a protocol to check revocation of certificates. Openssl provides certificate chain validation and signature verification APIs. It requires some amount of coding. So i would suggest you to look into Openssl Documentation.

You have to pass the certificate chain and validate it until you reach a root certificate which should be already saved on your machine. This is self signed certificate issued by entities called Root CAs(Certificate authority)

Apart from OCSP there is a outdated method where you have to fetch revocation list namely CRLs and parse that list for the certificate id.

EDIT:
I forgot to mention the openssl command line utility which does the same functionality.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文