验证证书链(ecdsa)

时间:2019-10-02 20:56:57

标签: openssl certificate chain ecdsa

我需要验证证书链,而我只有证书,这可能吗?

我正在尝试使用命令verify在OpenSSL中运行,所以当我运行时:

OpenSSL> verify -CAfile testeroot.cer testesub.cer

testesub.cer:好的

但是,当我尝试使用终止证书时,会出现错误:

OpenSSL> verify -CAfile testeroot.cer testesub.cer testeapp.cer
testesub.cer: OK
CN = ecc-crypto-services-encipherment_UC6-InMemory, OU = ApplePay, O = Apple Inc., C = US
error 20 at 0 depth lookup: unable to get local issuer certificate
error testeapp.cer: verification failed
error in verify

这是证书:

要验证(最后一个-testeapp.cer):

-----BEGIN CERTIFICATE-----
MIIEEzCCA7igAwIBAgIIEvD9KtxTuV0wCgYIKoZIzj0EAwIwgYExOzA5BgNVBAMM
MlRlc3QgQXBwbGUgV29ybGR3aWRlIERldmVsb3BlcnMgUmVsYXRpb25zIENBIC0g
RUNDMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwK
QXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTcwNTIwMDQxNTU3WhcNMTkwNjE5
MDQxNTU3WjBtMTYwNAYDVQQDDC1lY2MtY3J5cHRvLXNlcnZpY2VzLWVuY2lwaGVy
bWVudF9VQzYtSW5NZW1vcnkxETAPBgNVBAsMCEFwcGxlUGF5MRMwEQYDVQQKDApB
cHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
BC4+XM9rmrBL56IvP6zP3nPIfocVU5SjSBVAiolsoYo3TaxmmvO/YiD8hjdn9K9H
UHxbwiH8ShmHTa85tAdOPrijggIrMIICJzBPBggrBgEFBQcBAQRDMEEwPwYIKwYB
BQUHMAGGM2h0dHA6Ly9vY3NwLXVhdC5jb3JwLmFwcGxlLmNvbS9vY3NwMDQtdGVz
dHd3ZHJjYWVjYzAdBgNVHQ4EFgQUrS6jy340wu3uQ2hOJxEfzEkzOdAwDAYDVR0T
AQH/BAIwADAfBgNVHSMEGDAWgBTW1tVa5f/9wnw0w0PevWh2XDapvjCCAR0GA1Ud
IASCARQwggEQMIIBDAYJKoZIhvdjZAUBMIH+MIHDBggrBgEFBQcCAjCBtgyBs1Jl
bGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMg
YWNjZXB0YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1z
IGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBj
ZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMDYGCCsGAQUFBwIBFipo
dHRwOi8vd3d3LmFwcGxlLmNvbS9jZXJ0aWZpY2F0ZWF1dGhvcml0eS8wQQYDVR0f
BDowODA2oDSgMoYwaHR0cDovL2NybC11YXQuY29ycC5hcHBsZS5jb20vYXBwbGV3
d2RyY2FlY2MuY3JsMA4GA1UdDwEB/wQEAwIDKDASBgkqhkiG92NkBicBAf8EAgUA
MAoGCCqGSM49BAMCA0kAMEYCIQCMvUq2YUxY/RqTWE4FqsPTr9zGyilCunIU3FSo
btep7gIhAN7Vdx3B0p7DTCqXHd05IPsZGLdIDG1NTxOk2Oj/N7GG
-----END CERTIFICATE-----

================================================ ======================

中间体(testesub.cer)

-----BEGIN CERTIFICATE-----
MIIC5zCCAoygAwIBAgIIR1pCSszYnvcwCgYIKoZIzj0EAwIwZzEhMB8GA1UEAwwY
VGVzdCBBcHBsZSBSb290IENBIC0gRUNDMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcN
MTQwMjA2MTYxODI5WhcNMjQwMjA0MTYxODI5WjCBgTE7MDkGA1UEAwwyVGVzdCBB
cHBsZSBXb3JsZHdpZGUgRGV2ZWxvcGVycyBSZWxhdGlvbnMgQ0EgLSBFQ0MxIDAe
BgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJ
bmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDzb9Lsn
a4XrUdRwIjl36m9hTGhxQrW5Ls3wYr07kaZ/5tMOEG5jOBeHtI+x8YHmkgp0Ry43
nmZTik3vosay+6ajggEFMIIBATBUBggrBgEFBQcBAQRIMEYwRAYIKwYBBQUHMAGG
OGh0dHA6Ly9vY3NwLXVhdC5jb3JwLmFwcGxlLmNvbS9vY3NwMDQtdGVzdGFwcGxl
cm9vdGNhZWNjMB0GA1UdDgQWBBTW1tVa5f/9wnw0w0PevWh2XDapvjASBgNVHRMB
Af8ECDAGAQH/AgEAMB8GA1UdIwQYMBaAFNJH4sU0ccYQjZPuBEMf4RsP4c0RMEUG
A1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9jcmwtdWF0LmNvcnAuYXBwbGUuY29tL3Rl
c3RhcHBsZXJvb3RjYWVjYy5jcmwwDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMC
A0kAMEYCIQCd4eDjSiTu55mDKWCaD7Tqe4hp86pJ1Fsw7SlPKmH+bQIhAJ5coaJ3
uarz81Im19NGcrU45h1A8hNDTz55QPEHujS5
-----END CERTIFICATE-----

================================================ ======================

根(CA)-testeroot.cer:

-----BEGIN CERTIFICATE-----
MIICJzCCAc2gAwIBAgIIWdHsEJJBx8QwCgYIKoZIzj0EAwIwZzEhMB8GA1UEAwwY
VGVzdCBBcHBsZSBSb290IENBIC0gRUNDMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcN
MTQwMTMxMjE0NjQ2WhcNMzQwMTI2MjE0NjQ2WjBnMSEwHwYDVQQDDBhUZXN0IEFw
cGxlIFJvb3QgQ0EgLSBFQ0MxIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9y
aXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABHs4ENAKoxt8HST7OdZrHAqXSDD/THBJPSFmT/WJAK+T
73Sa6EwnPb6VUFI9U5DzMquDtl5zyOcXixgJk5+X1RajYzBhMB0GA1UdDgQWBBTS
R+LFNHHGEI2T7gRDH+EbD+HNETAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaA
FNJH4sU0ccYQjZPuBEMf4RsP4c0RMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQD
AgNIADBFAiEA3AYrcocg7PfcyPL4iQpXY5qSSoRu3RdQ7m8BTKGgdNECIB81erUL
eYDUnJ8x3DYcxv1lckBnuvxvWV7v6l6HrDAN
-----END CERTIFICATE-----

我已经尝试过将证书串联起来,但似乎它只是在验证串联出口的第一个证书。

1 个答案:

答案 0 :(得分:0)

在这里我们需要考虑两种可能的情况。

1)中间证书受验证者信任

2)验证者不信任中间证书

在第一种情况下,中间证书位于验证者的信任库中。实现此目的的最简单方法是将根文件和子文件连接在一起:

$ cat testeroot.cer testesub.cer >testerootandsub.cer

接下来,我们将像这样进行验证:

$ openssl verify -CAfile testerootandsub.cer testeapp.cer

不幸的是,当我尝试此操作时,出现一些错误:

CN = ecc-crypto-services-encipherment_UC6-InMemory, OU = ApplePay, O = Apple Inc., C = US
error 34 at 0 depth lookup: unhandled critical extension
CN = ecc-crypto-services-encipherment_UC6-InMemory, OU = ApplePay, O = Apple Inc., C = US
error 10 at 0 depth lookup: certificate has expired
error testeapp.cer: verification failed

因此,第一个是“未处理的关键扩展名”,第二个是“证书已过期”。让我们看一下证书:

$ openssl x509 -in testeapp.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1364869047620188509 (0x12f0fd2adc53b95d)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Test Apple Worldwide Developers Relations CA - ECC, OU = Certification Authority, O = Apple Inc., C = US
        Validity
            Not Before: May 20 04:15:57 2017 GMT
            Not After : Jun 19 04:15:57 2019 GMT
        Subject: CN = ecc-crypto-services-encipherment_UC6-InMemory, OU = ApplePay, O = Apple Inc., C = US
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:2e:3e:5c:cf:6b:9a:b0:4b:e7:a2:2f:3f:ac:cf:
                    de:73:c8:7e:87:15:53:94:a3:48:15:40:8a:89:6c:
                    a1:8a:37:4d:ac:66:9a:f3:bf:62:20:fc:86:37:67:
                    f4:af:47:50:7c:5b:c2:21:fc:4a:19:87:4d:af:39:
                    b4:07:4e:3e:b8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access: 
                OCSP - URI:http://ocsp-uat.corp.apple.com/ocsp04-testwwdrcaecc

            X509v3 Subject Key Identifier: 
                AD:2E:A3:CB:7E:34:C2:ED:EE:43:68:4E:27:11:1F:CC:49:33:39:D0
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:D6:D6:D5:5A:E5:FF:FD:C2:7C:34:C3:43:DE:BD:68:76:5C:36:A9:BE

            X509v3 Certificate Policies: 
                Policy: 1.2.840.113635.100.5.1
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
                  CPS: http://www.apple.com/certificateauthority/

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl-uat.corp.apple.com/applewwdrcaecc.crl

            X509v3 Key Usage: critical
                Key Encipherment, Key Agreement
            1.2.840.113635.100.6.39: critical
                ..
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:8c:bd:4a:b6:61:4c:58:fd:1a:93:58:4e:05:
         aa:c3:d3:af:dc:c6:ca:29:42:ba:72:14:dc:54:a8:6e:d7:a9:
         ee:02:21:00:de:d5:77:1d:c1:d2:9e:c3:4c:2a:97:1d:dd:39:
         20:fb:19:18:b7:48:0c:6d:4d:4f:13:a4:d8:e8:ff:37:b1:86

首先,我们可以看到证书确实已经过期(“ Not After”是“ GMT 19 Jun 19 04:15:57 2019”)。其次,有一个OpenSSL无法识别的关键扩展:

            1.2.840.113635.100.6.39: critical
                ..

我们可以让OpenSSL忽略这两个错误:

$ openssl verify -ignore_critical -no_check_time -CAfile testerootandsub.cer testeapp.cer 
testeapp.cer: OK

我讨论的第二种情况是验证者不信任中间证书。在这种情况下,假定验证者在其信任库中拥有根,并且将向他们提供中间和最终实体证书。在这种情况下,验证命令如下所示:

$ openssl verify -ignore_critical -no_check_time -CAfile testeroot.cer -untrusted testesub.cer testeapp.cer 
testeapp.cer: OK
相关问题
最新问题