How do I correctly sign an x.509 certificate with a CA certificate in m2crypto?
I'm working on an automated CA for internal infrastructure that runs on Twisted Web and M2Crypto. The CA has its key. Other machines can send GET requests with the CSR as the body. Assuming things validate, the Helios server should respond in the body with the corresponding certificate.
The complete source and test files for the application are here:
Everything currently works (CSR request through certificate reply) except for validating the certificate:
root@helios:~/helios-ca# openssl verify -CAfile ca.crt test.pem
test.pem: /C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc./OU=Infrastructure/CN=one.com/[email protected]
error 7 at 0 depth lookup:certificate signature failure
4280:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:255:
4280:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:173:
If I use OpenSSL to sign the test certificate from the shell, things validate correctly. There must be something wrong with the signing code in Helios.
This is a related question:
Unfortunately, the resources linked from that previous question both use the same key pair for the CA and final certificate. This is silly for obvious reasons, and it makes those examples quite unhelpful for real-world PKI.
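As an added reference (not code from the question or from the Helios project), the following script builds the two-key setup the question calls for with the openssl CLI: a CA key pair, a separate server key pair and CSR, and a certificate signed by the CA key. It then runs the same `openssl verify` check as above, reproduces the "certificate signature failure" symptom with a certificate whose issuer name matches `ca.crt` but was signed with a different key, and checks that the issued certificate carries the CSR's public key. File names and subject names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the question or the Helios project.
# Builds a CA and a separately keyed server certificate with openssl,
# then runs the verify step from the question plus two diagnostics.
set -e
WORK=$(mktemp -d)

# CA key pair and self-signed CA certificate.
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 \
    -subj "/CN=Helios Test CA" 2>/dev/null

# A separate server key pair and its CSR (what a client would send to the CA).
openssl genrsa -out "$WORK/one.key" 2048 2>/dev/null
openssl req -new -key "$WORK/one.key" -out "$WORK/one.csr" \
    -subj "/CN=one.com" 2>/dev/null

# Sign the CSR with the CA certificate and the CA key: the known-good
# reference for what the M2Crypto signing code has to produce.
openssl x509 -req -in "$WORK/one.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/test.pem" -days 90 2>/dev/null

# A second CA with the SAME subject name but a different key. A certificate it
# signs has an issuer name matching ca.crt, so verify locates the issuer and
# then fails the signature check: the symptom shown in the question.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/other.key" -out "$WORK/other.crt" -days 365 \
    -subj "/CN=Helios Test CA" 2>/dev/null
openssl x509 -req -in "$WORK/one.csr" -CA "$WORK/other.crt" -CAkey "$WORK/other.key" \
    -CAcreateserial -out "$WORK/wrong-key.pem" -days 90 2>/dev/null

# Returns 0 when the certificate chains to the given CA file, non-zero otherwise.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the certificate carries the public key from the CSR. A signer
# that embeds the wrong key (for example its own) fails this check.
pubkey_matches_csr() {
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl req -in "$2" -pubkey -noout)" ]
}

verify_cert "$WORK/ca.crt" "$WORK/wrong-key.pem" || echo "wrong-key.pem: signature failure, as expected"
pubkey_matches_csr "$WORK/test.pem" "$WORK/one.csr" && echo "test.pem carries the CSR public key"
verify_cert "$WORK/ca.crt" "$WORK/test.pem" && echo "test.pem: OK"
```

If the certificate produced by your own signing code fails `verify_cert` against `ca.crt` but passes `pubkey_matches_csr`, the subject key is right and the problem is in the signature itself (wrong signing key, or the certificate body was changed after signing).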