How to verify the signature of an x509 certificate?

Problem description

I have two X509Certificate objects x1 and x2.

I want to verify that x2 was signed by x1.

I think this is done with the public key of x1 and the signature of x2.

How exactly is this done?

I also want to know if it is common practice to compare the issuer of x2 with the subject of x1 byte-by-byte and show an error if they differ.

I found this 12456079 post but I can't figure it out.

Recommended answer

You are looking for a certificate chain, which is a common thing in PKI (Public Key Infrastructure). One certificate can sign another certificate to show that this certificate can be trusted.

In a simple example there would be a Root certificate which is self-signed and is trusted - everyone trusts this certificate. Next you can ask the owner of this certificate to sign your certificate with the Root certificate's private key. So if someone wants to use your certificate, he can check that your certificate was signed by the Root certificate, and if he trusts the Root certificate, he can also trust you.

In Java you can check whether a certificate was signed by the private key of the corresponding certificate using something like this:

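import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

X509Certificate yourCert = ...
X509Certificate root = ...

try {
    // Throws unless yourCert's signature verifies under root's public key
    yourCert.verify(root.getPublicKey());
} catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException e) {
    // encoding error, unsupported signature algorithm, unusable key or missing provider
} catch (SignatureException ex) {
    // signature validation error: yourCert was not signed by root's private key
}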

Certificate::verify serves this purpose:

Verifies that this certificate was signed using the private key that corresponds to the specified public key.

Since X509Certificate extends Certificate you can use this method on X509Certificate implementations (since X509Certificate is an abstract class).

Also you can have a look at X509Certificate::verify(PublicKey, Provider), which takes a PublicKey and a Provider implementation.
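Added example (not part of the original answer): one way to combine the signature check with the issuer/subject comparison asked about in the question, plus a check that x1 is allowed to sign certificates. The class name IssuerCheck, the helper names and the two certificate file paths passed on the command line are assumptions; validity dates and revocation are not checked here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class IssuerCheck {
    /** Returns null if x2 appears to be issued by x1, otherwise the reason it is rejected. */
    static String whyNotIssuedBy(X509Certificate x2, X509Certificate x1) {
        // 1. Name chaining: the issuer of x2 must equal the subject of x1.
        //    X500Principal.equals compares the canonical name form, not raw bytes.
        if (!x2.getIssuerX500Principal().equals(x1.getSubjectX500Principal())) {
            return "issuer of x2 does not match subject of x1";
        }
        // 2. x1 must be a CA: getBasicConstraints() returns -1 for non-CA certificates.
        if (x1.getBasicConstraints() < 0) {
            return "x1 is not a CA certificate";
        }
        // 3. If x1 has a keyUsage extension, bit 5 (keyCertSign) must be set.
        boolean[] usage = x1.getKeyUsage();
        if (usage != null && !(usage.length > 5 && usage[5])) {
            return "x1 key usage does not allow certificate signing";
        }
        // 4. Signature: x2 must verify under the public key of x1.
        try {
            x2.verify(x1.getPublicKey());
        } catch (GeneralSecurityException e) {
            return "signature check failed: " + e;
        }
        return null;
    }

    // Loads one PEM- or DER-encoded certificate from a file.
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java IssuerCheck <x1-issuer-cert> <x2-cert>");
            return;
        }
        X509Certificate x1 = load(args[0]); // assumed path: candidate issuer
        X509Certificate x2 = load(args[1]); // assumed path: certificate to check
        String reason = whyNotIssuedBy(x2, x1);
        System.out.println(reason == null ? "x2 was issued by x1" : "rejected: " + reason);
    }
}
```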
