How to validate a client certificate using the trusted intermediate CA certificate?


Problem description

I have a client certificate "A" which is signed by the CA1 certificate. The CA1 certificate is signed by the Root certificate.

Now I have the CA1 certificate (trusted) and received the client certificate (not trusted). During validation I need to verify the trust path of the client certificate using CA1 (trusted) only; I don't have/receive the Root certificate.

Is it possible to perform this validation?

I am using the OpenSSL 1.0.0g version library. If anyone knows how to do that, please share with me.

Recommended answer

Since you have given the tag ssl-certificate, I assume that you need such a validation during an SSL connection for either server cert validation or client cert validation.

A simple way of achieving this is by setting the verification callback using the OpenSSL API SSL_CTX_set_verify.

The gist is that this callback will be called every time an error is encountered during the certificate validation, so in your case, when the root could not be found, this callback will be called with the error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT. You will also have access to the X509_STORE_CTX * from which you can get the details of the certificates verified so far. Using this mechanism, you can implement appropriate logic in your code to see if your End Entity and intermediate CA certs are correct and, if found to be fine, you can return success from the callback, which will signal to OpenSSL to continue with the validation without failing the verification.

More details from the OpenSSL documentation:

The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set. It must be supplied by the application and receives two arguments: preverify_ok indicates whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0). x509_ctx is a pointer to the complete context used for the certificate chain verification.

The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked. Whenever a verification error is found, the error number is stored in x509_ctx and verify_callback is called with preverify_ok=0. By applying X509_CTX_store_* functions verify_callback can locate the certificate in question and perform additional steps (see EXAMPLES). If no error is found for a certificate, verify_callback is called with preverify_ok=1 before advancing to the next level.

The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with "verification failed" state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If verify_callback returns 1, the verification process is continued. If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. The calling process can however retrieve the error code of the last verification error using SSL_get_verify_result(3) or by maintaining its own error storage managed by verify_callback.

If no verify_callback is specified, the default callback will be used. Its return value is identical to preverify_ok, so that any verification failure will lead to a termination of the TLS/SSL handshake with an alert message, if SSL_VERIFY_PEER is set.
