how to validate a client Certificate using the trusted intermediate CA certificate?


Question

I have a client certificate "A" which is signed by the CA1 certificate. The CA1 certificate is signed by the Root certificate.

Now I have the CA1 certificate (trusted) and received the client certificate (non-trusted). During validation I need to verify the trust path of the client certificate using CA1 (trusted) only. I don't have / receive the Root certificate.

Is it possible to do this validation?

I am using the OpenSSL 1.0.0g version of the library. If anyone knows how to do that, please share with me.

Answer

Since you have given the tag ssl-certificate, I assume that you need such a validation during an SSL connection, for either server cert validation or client cert validation.

A simple way of achieving this is by setting the verification callback using the OpenSSL API SSL_CTX_set_verify.

The gist is that this callback will be called every time an error is encountered during the certificate validation, so in your case, when the root could not be found, this callback will be called with the error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT. You will also have access to the X509_STORE_CTX *, from which you can get the details of the certificates verified so far. Using this mechanism, you can implement appropriate logic in your code to see if your End Entity and intermediate CA certs are correct and, if they are found to be fine, you can return success from the callback, which will signal to OpenSSL to continue with the validation without failing the verification.

More details from the OpenSSL documentation:

The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set. It must be supplied by the application and receives two arguments: preverify_ok indicates whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0). x509_ctx is a pointer to the complete context used for the certificate chain verification.

The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked. Whenever a verification error is found, the error number is stored in x509_ctx and verify_callback is called with preverify_ok=0. By applying X509_STORE_CTX_* functions verify_callback can locate the certificate in question and perform additional steps (see EXAMPLES). If no error is found for a certificate, verify_callback is called with preverify_ok=1 before advancing to the next level.

The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with "verification failed" state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If verify_callback returns 1, the verification process is continued. If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. The calling process can however retrieve the error code of the last verification error using SSL_get_verify_result(3) or by maintaining its own error storage managed by verify_callback.

If no verify_callback is specified, the default callback will be used. Its return value is identical to preverify_ok, so that any verification failure will lead to a termination of the TLS/SSL handshake with an alert message, if SSL_VERIFY_PEER is set.
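The following script is an added example, not code from the question or the answer above. It builds a constructed three-level PKI in a temporary directory (a self-signed "Example Root", an intermediate "Example CA1" issued by it, and a client certificate "client A" issued by CA1; all names are made up for the example) and then runs the verification with the openssl command-line tool, which goes through the same X509_verify_cert() machinery as the library, so the error it prints for the "CA1 only" case is exactly the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT the callback in the answer would receive. It also shows two things the answer does not: that since OpenSSL 1.0.2 the X509_V_FLAG_PARTIAL_CHAIN flag (-partial_chain on the CLI) makes a trusted intermediate a valid chain end without any error-overriding callback, and that a look-alike CA with the same subject name as CA1 but a different key is still rejected, so a callback that only compared issuer names before returning 1 would be unsafe. The script assumes an openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds a constructed
# PKI (root -> CA1 -> client "A", plus a look-alike CA with CA1's name but its
# own key) in a temp dir and checks the client cert against CA1 alone.
# Needs the openssl binary; -partial_chain needs OpenSSL 1.0.2 or newer.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that make a certificate usable as an issuing CA. A non-root CA
# without basicConstraints=CA:TRUE is rejected with X509_V_ERR_INVALID_CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# new_csr NAME SUBJECT_CN: fresh RSA key plus CSR, non-interactively.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Self-signed root: the certificate the verifier in the question never receives.
new_csr root "Example Root"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1
# Intermediate CA1, issued by the root.
new_csr ca1 "Example CA1"
openssl x509 -req -in ca1.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out ca1.pem >/dev/null 2>&1
# Client certificate "A", issued by CA1.
new_csr client "client A"
openssl x509 -req -in client.csr -CA ca1.pem -CAkey ca1.key -CAcreateserial \
  -days 30 -out client.pem >/dev/null 2>&1
# Look-alike CA: same subject name as CA1, different key. It issues a leaf with
# the same subject as "A". Names match CA1; the signing key does not.
new_csr lookalike "Example CA1"
openssl x509 -req -in lookalike.csr -signkey lookalike.key -days 30 \
  -extfile ca.ext -out lookalike.pem >/dev/null 2>&1
new_csr forged "client A"
openssl x509 -req -in forged.csr -CA lookalike.pem -CAkey lookalike.key \
  -CAcreateserial -days 30 -out forged.pem >/dev/null 2>&1

# verify_against TRUSTED_PEM CERT_PEM [extra "openssl verify" options]
# Echoes OK, or the text of the verification error (the part of the openssl
# output after "depth lookup:"), so the outcome is a value we can check. We
# key on the printed result rather than the exit status, which has not been
# reliable across old openssl versions.
verify_against() {
  trusted=$1
  cert=$2
  shift 2
  out=$(openssl verify "$@" -CAfile "$trusted" "$cert" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# 1. Everything available: trust the root, pass CA1 as an untrusted intermediate.
full_chain=$(verify_against root.pem client.pem -untrusted ca1.pem)
# 2. The question's situation: only CA1 is trusted, the root is absent. Chain
#    building stops at CA1 and reports X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
#    (error 2) at depth 1; that is what the verify callback would see.
ca1_only=$(verify_against ca1.pem client.pem)
# 3. Since OpenSSL 1.0.2, X509_V_FLAG_PARTIAL_CHAIN (-partial_chain) lets a
#    trusted non-root certificate terminate the chain: no callback needed.
ca1_partial=$(verify_against ca1.pem client.pem -partial_chain)
# 4. Same issuer name and subject, wrong key: still rejected (as a signature
#    failure, or as a key-identifier mismatch on versions that add SKID/AKID
#    by default). A callback that accepted a matching issuer name would not.
forged=$(verify_against ca1.pem forged.pem -partial_chain)

printf 'root + CA1 as untrusted : %s\nCA1 only, default       : %s\nCA1 only, -partial_chain: %s\nlook-alike CA, partial  : %s\n' \
  "$full_chain" "$ca1_only" "$ca1_partial" "$forged"
```

Run it as `sh verify_partial_chain.sh`. The second line of output is the error the answer tells you to catch in the callback; the third shows that on OpenSSL 1.0.2 and later the same check can be expressed as a verify flag (X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN) in C, or SSL_CTX_set1_param) instead of overriding an error. If you must stay on 1.0.0 and use the callback, return 1 for X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT only when X509_STORE_CTX_get_current_cert() is byte-for-byte your trusted CA1 (X509_cmp() == 0), and return preverify_ok for every other error code, so that a later signature failure on the client certificate is still fatal.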
