Validating an X.509 certificate on Linux


Question

I have just started working with X.509 certificates. Can anyone tell me how to go about validating a certificate on Linux? The use case is that my app had downloaded a certificate in a previous session and I have to check if it is still valid (i.e., not expired or revoked since it was stored) before starting a new session. I understand a full sample will not be possible here, but any pointers will be useful.

Further investigation revealed another utility called Network Security Services (NSS). How does that compare to OpenSSL in terms of usability? Also, I am looking for programmatic solutions as I will not be able to launch command line utilities.

Answer

As others mentioned, you can use openssl verify. According to the documentation, it also checks the validity period.

Programmatically, it could mean hours of searching for kinda bad (or missing) documentation, reading code examples all over the web, and probably a headache.

To properly validate a certificate, you need to inform all the intermediate certificates. Normally you'd also inform the revocation list (CRL), but it's not required.

So, here's what you need to do in terms of code (OpenSSL):

  1. X509_STORE_new - Create a certificate store;
  2. X509_STORE_CTX_new - Create a store context;
  3. X509_STORE_add_cert - Add the CA (and all intermediary) certificate(s) to the trusted list of your certificate store (note: there's a function to lookup/load a list);
  4. X509_STORE_add_crl - Add the revoked certificates to the CRL of your certificate store (note: same as above);
  5. X509_STORE_CTX_init - Initialize your store context informing your certificate store;
  6. X509_STORE_CTX_set_purpose - Define the purpose if you need so;
  7. X509_STORE_CTX_set_cert - Tell the context which certificate you're going to validate;
  8. X509_verify_cert - Finally, validate it;
  9. X509_STORE_CTX_cleanup - If you want to reuse the context to validate another certificate, you clean it up and jump back to (5);
  10. Last but not least, deallocate (1) and (2);

Alternatively, a quick validation can be done with X509_verify. However, be aware that it compares signatures solely.

When I needed it, it took me a day of searching, reading and testing. Then I figured out everything I needed was right in the OpenSSL source code. So, if you need an example, go straight to openssl-xxx/apps/verify.c.

IMPORTANT: NEVER use MD5. To understand the reason, read Creating a rogue CA certificate.
