Validating X.509 certificate on Linux

Views: 479

Problem description

I have just started working with X.509 certificates. Can any one tell me how to go about validating a certificate on linux? The use case is that my app had downloaded a certificate in a previous session and I have to check if it is still valid (i.e., not expired or revoked since it was stored) before starting a new session. I understand a full sample will not be possible here, but any pointers will be useful.

Further investigation revealed another utility called Network Security Services (NSS). How does that compare to OpenSSL in terms of usability? Also, I am looking for programmatic solutions as I will not be able to launch command line utilities.

Recommended answer

As others mentioned, you can use openssl verify. According to the documentation, it also checks the validity period.

Programmatically, it could mean hours of searching for kinda bad (or missing) documentation, reading code examples all over the web, and probably a headache.

To properly validate a certificate, you need to inform all the intermediate certificates. Normally you'd also inform the revocation list (CRL), but it's not required.

So, here's what you need to do in terms of code (OpenSSL):

  1. X509_STORE_new - Create a certificate store;
  2. X509_STORE_CTX_new - Create a store context;
  3. X509_STORE_add_cert - Add the CA (and all intermediary) certificate(s) to the trusted list of your certificate store (note: there's a function to lookup/load a list);
  4. X509_STORE_add_crl - Add the revoked certificates to the CRL of your certificate store (note: same as above);
  5. X509_STORE_CTX_init - Initialize your store context informing your certificate store;
  6. X509_STORE_CTX_set_purpose - Define the purpose if you need so;
  7. X509_STORE_CTX_set_cert - Tell the context which certificate you're going to validate;
  8. X509_verify_cert - Finally, validate it;
  9. X509_STORE_CTX_cleanup - If you want to reuse the context to validate another certificate, you clean it up and jump back to (5);
  10. Last but not least, deallocate (1) and (2);

Alternatively, a quick validation can be done with X509_verify. However, be aware that it compares signatures solely.

When I needed it, it took me a day of searching, reading and testing. Then I figured out everything I needed was right in the OpenSSL source code. So, if you need an example, go straight to openssl-xxx/apps/verify.c.

IMPORTANT: NEVER use MD5. To understand the reason, read Creating a rogue CA certificate.
