Process x509 client certificates in Perl

Question

I am working with Web::ID and have some questions.

From the FAQ for Web::ID:

[...]

Otherwise, you need to use Web::ID directly. Assuming you've configured your web server to request a client certificate from the browser, and you've managed to get that client certificate into Perl in PEM format, then it's just:

my $webid = Web::ID->new(certificate => $pem);

my $uri = $webid->uri;

You have the URI.

Anyway I'm stuck at the .. get that client certificate into Perl .. part.

I can see the client certificate is being passed along to the script by examining the %ENV environment variable. But I am still unsure how to actually process it in the way that Web::ID does... like examine the SAN.

Recommended answer

According to the documentation of mod_ssl you will find the PEM encoded client certificate in the environment variable SSL_CLIENT_CERT, so all you need is to call

 my $webid  = Web::ID->new(certificate => $ENV{SSL_CLIENT_CERT});

However, Apache does not set the SSL_CLIENT_CERT environment variable by default. This is for performance reasons - setting a whole bunch of environment variables before spawning your Perl script (via mod_perl, or CGI, or whatever) is wasteful if your Perl script doesn't use them, so it only sets a small set of environment variables by default. You need to configure Apache correctly to tell it you want ALL DA STUFFZ. In particular you want something like this in .htaccess, or your virtual host config, or server config file:

SSLOptions +StdEnvVars +ExportCertData

While you're at it, you also want to make sure Apache is configured to ask clients to present a certificate. For that you want something like:

SSLVerifyClient optional_no_ca

All this is kind of covered in the documentation for Web::ID but not especially thoroughly.
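
The pieces of the answer above put together as a CGI script. This is an added example, not part of the original answer or of Web::ID's own code. With `SSLVerifyClient optional_no_ca` Apache accepts certificates it cannot verify, so the script trusts the URI only after Web::ID's `valid` check passes. The function name `webid_from_env` and the response texts are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Web::ID;

# Returns (uri, undef) on success or (undef, reason) on failure.
# The environment is passed in (rather than reading %ENV directly)
# so the logic can be exercised without Apache.
sub webid_from_env {
    my ($env) = @_;

    # Unset when +ExportCertData is missing, or when the client sent no
    # certificate (SSLVerifyClient optional_no_ca makes it optional).
    my $pem = $env->{SSL_CLIENT_CERT};
    return (undef, 'no client certificate exported by the server')
        unless defined $pem && length $pem;

    # Cheap shape check before handing the value to the parser.
    return (undef, 'SSL_CLIENT_CERT is not a PEM certificate')
        unless $pem =~ /\A-----BEGIN CERTIFICATE-----\s.+\s-----END CERTIFICATE-----\s*\z/s;

    # Certificate parsing and the WebID validation can both throw.
    my ($uri, $ok) = eval {
        my $webid = Web::ID->new(certificate => $pem);
        ($webid->valid ? $webid->uri : undef, 1);
    };
    return (undef, "WebID processing failed: $@") unless $ok;
    return (undef, 'certificate did not validate as a WebID') unless defined $uri;
    return ("$uri", undef);
}

# CGI entry point (skipped when the file is loaded with require/do).
unless (caller) {
    my ($uri, $err) = webid_from_env(\%ENV);
    if (defined $uri) {
        print "Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n";
        print "Authenticated as $uri\n";
    }
    else {
        # Log the reason server-side; tell the client only that it failed.
        warn "WebID auth failed: $err\n";
        print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
        print "Client certificate authentication failed\n";
    }
}
```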
