在OpenSSL中验证证书的域 [英] Verifying the domain of a certificate in OpenSSL
问题描述
我需要使用C-land OpenSSL验证X509证书的域.
I need to verify the domain of an X509 certificate using C-land OpenSSL.
我的理解是该库不会为我执行此操作,因此我必须大致实现以下算法:
My understanding is that the library doesn't do this for me, and that I have to implement roughly the following algorithm:
- 如果存在subjectAlternativeName扩展名的dnsName字段,请将
name
设置为该值. - 否则,将
name
设置为主题的CN字段. - 将
name
与请求的主机名进行比较,允许每个星号都匹配[A-Za-z0-9 _] +,但不能匹配点"(.).
- If the dnsName field of the subjectAlternativeName extension is present, set
name
to that value. - Otherwise, set
name
to the CN field of the subject. - Compare
name
against the requested hostname, allowing each asterisk to match [A-Za-z0-9_]+, but not 'dot' (.).
在我看来,应该有很多代码可以执行此操作,但是我还没有找到任何代码.
It seems to me that there should be plenty of code kicking around to do this, but I haven't found any.
有人能找到这样的例子吗?还是可以选择健全性检查我的算法?
Can anyone find an example of this? Or alternatively, sanity-check my algorithm?
这是我想出的: https://gist.github.com/2821083. OpenSSL将其留给调用代码似乎真的很奇怪.
This is what I came up with: https://gist.github.com/2821083. It seems really strange that OpenSSL would leave this up to calling code.
推荐答案
尽管注意主题备用名称",原始IP地址和FQDN,但您的位置很多.您可能想偷
You are pretty much spot on - though beware of subject Alternative names and raw IP addresses and FQDNs. You may want to steal
BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
和 http://svn的相关朋友. apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c 和ssl_engine_init.c中的被调用方(通过服务器端)以获取所有选项.
and related friends from http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c and the callee in ssl_engine_init.c (which is by the way the server side) for all the options.
在处理openssl回调时-还请考虑日期&时间和时间链(如果您尚未在CTX中提供时间和时间链的话).
As you are acting on the openssl callback - also consider the date & time and the chain if you've not provided that already in the CTX.
Dw.
这篇关于在OpenSSL中验证证书的域的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!