Can anyone tell me what the "purpose" values used when checking a certificate are, and what they mean?
Answer 0 (score: 3)
For an overview of their meaning, have a look at the Certificate Extensions section of OpenSSL's x509 man page.
This is how they relate to the code (taken from v3_purp.c):
static X509_PURPOSE xstandard[] = {
{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
{X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
{X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
};
When checking purposes programmatically, you usually only deal with the integer constants, e.g. X509_PURPOSE_SSL_SERVER. These purposes are used during certificate verification. The certificate (path) is verified, and at the end OpenSSL checks whether the certificate at hand contains an ExtendedKeyUsage extension that includes the requested "purpose". If it does not, the certificate is rejected.
OpenSSL applies sensible defaults where possible, but if you have special requirements you can add your own purposes to be checked during certificate verification. You can also check a custom ExtendedKeyUsage if you like, but usually the predefined defaults are sufficient.
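As an added example (not part of the answer above, and not OpenSSL project code), the following POSIX shell script uses the openssl CLI to generate three self-signed certificates, one with extendedKeyUsage=serverAuth, one with clientAuth, and one with no EKU extension at all, and then runs both "openssl x509 -purpose" (which evaluates every entry of the xstandard[] table against the certificate) and "openssl verify -purpose" (which applies one purpose during path validation). The certificate names, the temporary directory layout and the availability of an openssl binary that supports "req -addext" (1.1.1 or newer) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the answer above or from OpenSSL itself.
# Builds three self-signed test certificates with different extendedKeyUsage
# (EKU) contents and shows how the purposes from xstandard[] treat them.
# Assumes the openssl CLI (1.1.1 or newer, for `req -addext`) is on PATH;
# the names "server", "client" and "noeku" are labels chosen for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME [EKU]
# Self-signed certificate for CN=NAME. With EKU given (e.g. serverAuth) the
# certificate carries that ExtendedKeyUsage; without it, no EKU extension at all.
make_cert() {
    name=$1
    eku=${2:-}
    set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem"
    if [ -n "$eku" ]; then
        set -- "$@" -addext "extendedKeyUsage=$eku"
    fi
    openssl req "$@" >/dev/null 2>&1
}

# purpose_yes NAME LABEL
# Prints Yes or No as reported by `openssl x509 -purpose` for one purpose label,
# e.g. "SSL server" (the human-readable name from the xstandard[] table).
# The trailing " : " keeps "SSL server" from matching the "SSL server CA" row.
purpose_yes() {
    openssl x509 -in "$WORK/$1.pem" -noout -purpose | sed -n "s/^$2 : //p"
}

# verify_for NAME PURPOSE
# Runs full path validation with a requested purpose (the short name from
# xstandard[], e.g. sslserver), using the certificate as its own trust anchor.
# Prints ok or rejected instead of aborting, so results can be compared.
verify_for() {
    if openssl verify -purpose "$2" -CAfile "$WORK/$1.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

make_cert server serverAuth   # EKU = serverAuth only
make_cert client clientAuth   # EKU = clientAuth only
make_cert noeku               # no EKU extension

for n in server client noeku; do
    echo "== $n: openssl x509 -purpose (end-entity rows only)"
    openssl x509 -in "$WORK/$n.pem" -noout -purpose | grep -v ' CA : '
    for p in sslserver sslclient; do
        echo "   verify -purpose $p: $(verify_for "$n" "$p")"
    done
done
```

Running it shows "SSL server : Yes" and "SSL client : No" for the serverAuth certificate, and "verify -purpose sslclient" on that certificate fails with "unsupported certificate purpose", which is the rejection the answer describes. The certificate with no EKU extension passes both sslserver and sslclient: when the extension is absent, every purpose stays allowed, so a purpose check only restricts anything if the issuer actually puts an ExtendedKeyUsage in the certificate.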