Verify SSL/X.509 certificate is signed by another certificate


Problem description

Question

How can I verify that an X.509 certificate is signed by another certificate using PyOpenSSL or Twisted? I want a client to verify that the received server certificate is the one that signed its client certificate.

I've looked through the PyOpenSSL documentation and can't seem to find anything on how to verify a certificate separately from establishing the SSL connection.

I found a reference to OpenSSL.crypto:X509.verify() in twisted.internet._sslverify:PublicKey.verifyCertificate(), but the Twisted method is commented out (in Twisted 13.0) and the X509 method does not exist (in PyOpenSSL 0.13).

"pyOpenSSL has no support for verifying a certificate" describes a bug for not being able to manually verify a certificate chain, but I'm not entirely sure if that's what I'm trying to do.

Use case

Certificates:

  • Generated self-signed CA certificate with openssl.
  • Generated server certificate signed by CA certificate.
  • Generated client certificate signed by server certificate.

Setup:

  • The server is using Twisted's CertificateOptions with its server cert. The CA certs are the CA and server certs to set up a chain where the server cert verifies the received client cert, and the CA cert verifies the server cert (all built-in functionality).
  • The client is also using CertificateOptions for the client cert. The CA certs only contain the CA cert.

This all works fine (both sides verify each other) but I want to perform an additional step:

  • In the client set_verify() callback, verify that the client cert is signed by the server cert.

Recommended answer

You should be able to do it with something like what is written here: http://www.yothenberg.com/validate-x509-certificate-in-python/ which is basically:

  1. load your certificates in PyOpenSSL with load_certificate()
  2. create an X509Store() object
  3. use add_cert() to add your intermediate certificate in the store
  4. create an X509StoreContext() object, initializing it with both your store object and your end certificate
  5. call verify_certificate() on your store context object

In practice, I was unable to make that part work, and I think it is for the reasons explained here: https://mail.python.org/pipermail/cryptography-dev/2016-August/000676.html

In short, even in 2016, there still does not seem to be a correct way to check certificates in PyOpenSSL, which is very sad. Note that the consensus seems to be that if you operate inside a TLS connection, things are better checked by the connection routine instead of offline through check_certificate().
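Worked example of the five steps above on the CA -> server -> client setup from the question; this is added here and is not code from the question, the answer or the pyOpenSSL project. It assumes pyOpenSSL 20 or later (for X509StoreContext's chain argument and get_verified_chain()) and its cryptography dependency, which is used only to construct three test certificates in memory instead of loading PEM files with load_certificate(); make_cert and is_signed_by are names chosen for this example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
from OpenSSL import crypto


def make_cert(name, key, issuer_cert, issuer_key, is_ca):
    """v3 cert for `key` signed by `issuer_key` (self-signed when issuer_cert is None).
    Issuing certs, the server one included, need CA:TRUE or OpenSSL reports 'invalid CA certificate'."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def is_signed_by(cert, issuer, trust_anchor):
    """True only if `cert` verifies up to `trust_anchor` AND the cert that actually signed it is
    `issuer`; the verified-chain check keeps a leaf signed directly by the CA from passing."""
    to_x509 = crypto.X509.from_cryptography
    store = crypto.X509Store()
    store.add_cert(to_x509(trust_anchor))  # trusted root(s) only
    ctx = crypto.X509StoreContext(store, to_x509(cert), chain=[to_x509(issuer)])  # untrusted intermediate
    try:
        ctx.verify_certificate()  # raises X509StoreContextError on any chain failure
        path = ctx.get_verified_chain()  # leaf first, then the cert that really signed it, ...
    except crypto.X509StoreContextError:
        return False
    return len(path) > 1 and path[1].digest("sha256") == to_x509(issuer).digest("sha256")


# Constructed test chain mirroring the question: CA -> server -> client,
# plus a second server cert from the same CA that did not sign the client.
CA_KEY, SERVER_KEY, CLIENT_KEY, OTHER_KEY = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
CA = make_cert("Test CA", CA_KEY, None, CA_KEY, True)
SERVER = make_cert("server", SERVER_KEY, CA, CA_KEY, True)
CLIENT = make_cert("client", CLIENT_KEY, SERVER, SERVER_KEY, False)
OTHER = make_cert("other server", OTHER_KEY, CA, CA_KEY, True)
```

is_signed_by(CLIENT, SERVER, CA) is True, while is_signed_by(CLIENT, OTHER, CA) fails chain building and is_signed_by(SERVER, OTHER, CA) fails the verified-chain comparison, which is what the answer's store-only recipe cannot distinguish on its own.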
