Verifying the domain of a certificate in OpenSSL


Question

I need to verify the domain of an X509 certificate using C-land OpenSSL.

My understanding is that the library doesn't do this for me, and that I have to implement roughly the following algorithm:

  1. If the dnsName field of the subjectAlternativeName extension is present, set name to that value.
  2. Otherwise, set name to the CN field of the subject.
  3. Compare name against the requested hostname, allowing each asterisk to match [A-Za-z0-9_]+, but not 'dot' (.).

It seems to me that there should be plenty of code kicking around to do this, but I haven't found any.

Can anyone find an example of this? Or alternatively, sanity-check my algorithm?

This is what I came up with: https://gist.github.com/2821083. It seems really strange that OpenSSL would leave this up to calling code.
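The three-step algorithm in the question, written out as an added example (not the asker's gist and not OpenSSL's own code). It assumes the caller has already pulled the subjectAltName dNSName and the subject CN out of the X509 as NUL-terminated strings (for example with X509_get_ext_d2i on NID_subject_alt_name and X509_NAME_get_text_by_NID on NID_commonName); the function names `name_matches` and `verify_domain` are this example's own. Step 3 is implemented exactly as stated: each asterisk consumes a non-empty run of [A-Za-z0-9_] and can never cross a dot, and the comparison is case-insensitive because DNS names are. Note that OpenSSL 1.0.2 and later ship X509_check_host() for this job; the code below is what you would need on the older releases the question is about.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Characters a single '*' may consume: [A-Za-z0-9_]. A dot is deliberately
 * excluded, so "*.example.com" cannot match "a.b.example.com". */
static bool label_char(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* DNS names are case-insensitive, so compare folded to lower case. */
static bool same_char(char a, char b)
{
    return tolower((unsigned char)a) == tolower((unsigned char)b);
}

/* Step 3: match the certificate name (which may contain asterisks) against
 * the requested host. Recursion depth is bounded by strlen(host). */
bool name_matches(const char *pattern, const char *host)
{
    if (*pattern == '\0')
        return *host == '\0';

    if (*pattern == '*') {
        /* The asterisk must consume at least one label character; try every
         * non-empty run and let the rest of the pattern decide. */
        const char *p = host;
        while (label_char(*p)) {
            p++;
            if (name_matches(pattern + 1, p))
                return true;
        }
        return false;
    }

    if (*host == '\0' || !same_char(*pattern, *host))
        return false;
    return name_matches(pattern + 1, host + 1);
}

/* Steps 1 and 2: prefer the subjectAltName dNSName, fall back to the subject
 * CN. Either argument may be NULL when the certificate lacks that field. The
 * caller is responsible for checking that the extracted string's length equals
 * the ASN.1 length, so an embedded NUL cannot truncate the name. */
bool verify_domain(const char *san_dns, const char *subject_cn, const char *host)
{
    const char *name = san_dns ? san_dns : subject_cn;
    if (name == NULL || host == NULL)
        return false;
    return name_matches(name, host);
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real certificate. */
    struct { const char *san; const char *cn; const char *host; } cases[] = {
        { "*.example.com",   NULL,              "www.example.com"   },
        { "*.example.com",   NULL,              "a.b.example.com"   },
        { NULL,              "mail.example.com", "MAIL.example.com" },
        { "www.example.com", "other.example.com", "other.example.com" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("san=%-16s cn=%-18s host=%-18s -> %s\n",
               cases[i].san ? cases[i].san : "(none)",
               cases[i].cn ? cases[i].cn : "(none)",
               cases[i].host,
               verify_domain(cases[i].san, cases[i].cn, cases[i].host) ? "match" : "NO MATCH");
    return 0;
}
```

The fourth sample illustrates the precedence rule in step 1: once a dNSName is present, the CN is ignored, so a host that only appears in the CN does not verify.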

Recommended answer

You are pretty much spot on - though beware of subject alternative names and raw IP addresses and FQDNs. You may want to steal

BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)

and related friends from http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c and the callee in ssl_engine_init.c (which is by the way the server side) for all the options.

As you are acting on the openssl callback - also consider the date & time and the chain if you've not provided that already in the CTX.

Dw.
