OpenSSL verify certificate chain (ECDSA)
I need to verify a certificate chain and I only have the certificates. Is this possible? I am trying it with the verify command in OpenSSL, so when I run:
OpenSSL> verify -CAfile testeroot.cer testesub.cer
testesub.cer: OK
But when I try with the end certificate, I get an error:
OpenSSL> verify -CAfile testeroot.cer testesub.cer testeapp.cer
testesub.cer: OK
CN = ecc-crypto-services-encipherment_UC6-InMemory, OU = ApplePay, O = Apple Inc., C = US
error 20 at 0 depth lookup: unable to get local issuer certificate
error testeapp.cer: verification failed
error in verify
Here are the certificates:
To be verified (the last one - testeapp.cer):
======================================================================
Intermediate (sub cer)
======================================================================
Root (CA) - testerRoot.cer:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
I have tried concatenating the certificates, but it seems to validate only the first certificate in the concatenation and then exit.

There are two scenarios you may need to consider here.

1) The verifier trusts the intermediate certificate
2) The verifier does not trust the intermediate certificate

In the first case, the intermediate certificate is in the verifier's trust store. The simplest way to achieve this is to concatenate the root and sub files together:
$ cat testeroot.cer testesub.cer >testerootandsub.cer
Next, we verify as follows:
$ openssl verify -CAfile testerootandsub.cer testeapp.cer
Unfortunately, when I try this there are some errors:
CN = ecc-crypto-services-encipherment_UC6-InMemory, OU = ApplePay, O = Apple Inc., C = US
error 34 at 0 depth lookup: unhandled critical extension
CN = ecc-crypto-services-encipherment_UC6-InMemory, OU = ApplePay, O = Apple Inc., C = US
error 10 at 0 depth lookup: certificate has expired
error testeapp.cer: verification failed
So the first is "unhandled critical extension" and the second is "certificate has expired". Let's look at the certificate:
$ openssl x509 -in testeapp.cer -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1364869047620188509 (0x12f0fd2adc53b95d)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = Test Apple Worldwide Developers Relations CA - ECC, OU = Certification Authority, O = Apple Inc., C = US
Validity
Not Before: May 20 04:15:57 2017 GMT
Not After : Jun 19 04:15:57 2019 GMT
Subject: CN = ecc-crypto-services-encipherment_UC6-InMemory, OU = ApplePay, O = Apple Inc., C = US
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:2e:3e:5c:cf:6b:9a:b0:4b:e7:a2:2f:3f:ac:cf:
de:73:c8:7e:87:15:53:94:a3:48:15:40:8a:89:6c:
a1:8a:37:4d:ac:66:9a:f3:bf:62:20:fc:86:37:67:
f4:af:47:50:7c:5b:c2:21:fc:4a:19:87:4d:af:39:
b4:07:4e:3e:b8
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
Authority Information Access:
OCSP - URI:http://ocsp-uat.corp.apple.com/ocsp04-testwwdrcaecc
X509v3 Subject Key Identifier:
AD:2E:A3:CB:7E:34:C2:ED:EE:43:68:4E:27:11:1F:CC:49:33:39:D0
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:D6:D6:D5:5A:E5:FF:FD:C2:7C:34:C3:43:DE:BD:68:76:5C:36:A9:BE
X509v3 Certificate Policies:
Policy: 1.2.840.113635.100.5.1
User Notice:
Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
CPS: http://www.apple.com/certificateauthority/
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl-uat.corp.apple.com/applewwdrcaecc.crl
X509v3 Key Usage: critical
Key Encipherment, Key Agreement
1.2.840.113635.100.6.39: critical
..
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:8c:bd:4a:b6:61:4c:58:fd:1a:93:58:4e:05:
aa:c3:d3:af:dc:c6:ca:29:42:ba:72:14:dc:54:a8:6e:d7:a9:
ee:02:21:00:de:d5:77:1d:c1:d2:9e:c3:4c:2a:97:1d:dd:39:
20:fb:19:18:b7:48:0c:6d:4d:4f:13:a4:d8:e8:ff:37:b1:86
First, we can see that the certificate has indeed expired ("Not After" is "Jun 19 04:15:57 2019 GMT"). Second, there is a critical extension that OpenSSL does not recognise:
1.2.840.113635.100.6.39: critical
..
We can make OpenSSL ignore both of these errors:
$ openssl verify -ignore_critical -no_check_time -CAfile testerootandsub.cer testeapp.cer
testeapp.cer: OK
The second scenario I mentioned is where the verifier does not trust the intermediate certificate. In that case, assume the verifier has the root in its trust store and has been given the intermediate and end-entity certificates. The verify command then looks like this:
$ openssl verify -ignore_critical -no_check_time -CAfile testeroot.cer -untrusted testesub.cer testeapp.cer
testeapp.cer: OK
Thanks a lot, everyone.
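An added worked example (not code from the question or from the answer above): this POSIX shell script builds a throwaway ECDSA root, intermediate and leaf chain with the openssl CLI and runs the verify invocations discussed in the answer against it. The file names follow the question (testeroot.cer, testesub.cer, testeapp.cer, testerootandsub.cer); the keys, subject names and validity periods are constructed for the example, and the leaf is given the question's 1.2.840.113635.100.6.39 OID as a critical extension with an assumed ASN.1 NULL payload, only so that OpenSSL reports the same error 34. Rather than waiting for a real expiry, it evaluates the chain at a time three days ahead with -attime, which reproduces error 10, and then shows -no_check_time clearing it.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: build a throwaway
# ECDSA root/intermediate/leaf chain with the openssl CLI and run the verify
# invocations discussed above against it. File names follow the question;
# keys, subjects, validity periods and the extension payload are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so 'openssl req' does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=Common Name\n' >"$WORK/req.cnf"
# Extensions: root and intermediate are CAs, the leaf is not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/root.ext"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/sub.ext"
# The leaf also carries the OID from the question's certificate as a critical
# extension. The DER payload (an ASN.1 NULL, 05 00) is an assumption; all that
# matters is that OpenSSL does not know the OID.
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,keyEncipherment,keyAgreement\n1.2.840.113635.100.6.39=critical,DER:05:00\n' >"$WORK/leaf.ext"

# gen_key NAME: fresh P-256 private key in the work dir.
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"; }
# csr NAME CN: certificate request for that key.
csr() { openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"; }

# make_chain: root (30 days) -> intermediate (20 days) -> leaf (1 day), plus the
# concatenated trust file used in the answer's first scenario.
make_chain() (
  cd "$WORK"
  gen_key root; csr root "Example Test Root"
  openssl x509 -req -in root.csr -signkey root.key -days 30 -set_serial 1 -extfile root.ext -out testeroot.cer
  gen_key sub; csr sub "Example Test Sub CA"
  openssl x509 -req -in sub.csr -CA testeroot.cer -CAkey root.key -days 20 -set_serial 2 -extfile sub.ext -out testesub.cer
  gen_key app; csr app "example-leaf"
  openssl x509 -req -in app.csr -CA testesub.cer -CAkey sub.key -days 1 -set_serial 3 -extfile leaf.ext -out testeapp.cer
  cat testeroot.cer testesub.cer >testerootandsub.cer
)

# run_verify ARGS...: run 'openssl verify' in the work dir and print a one-line
# verdict: "OK", or the first "error N at D depth lookup: ..." line OpenSSL emitted.
run_verify() {
  if _out=$(cd "$WORK" && openssl verify "$@" 2>&1); then
    echo OK
  else
    echo "$_out" | sed -n 's/.*\(error [0-9]* at [0-9]* depth lookup:.*\)/\1/p' | head -n 1
  fi
}

make_chain

# Epoch time three days ahead: by then only the one-day leaf has expired.
LATER=$(( $(date +%s) + 3 * 86400 ))

echo "root only, intermediate missing:      $(run_verify -CAfile testeroot.cer testeapp.cer)"
echo "root+sub trusted:                     $(run_verify -CAfile testerootandsub.cer testeapp.cer)"
echo "root+sub trusted, -ignore_critical:   $(run_verify -ignore_critical -CAfile testerootandsub.cer testeapp.cer)"
echo "root trusted, sub via -untrusted:     $(run_verify -ignore_critical -CAfile testeroot.cer -untrusted testesub.cer testeapp.cer)"
echo "checked three days ahead (-attime):   $(run_verify -ignore_critical -attime "$LATER" -CAfile testerootandsub.cer testeapp.cer)"
echo "three days ahead, -no_check_time:     $(run_verify -ignore_critical -no_check_time -CAfile testerootandsub.cer testeapp.cer)"
```

The first line reproduces the question's error 20 (the intermediate is neither trusted nor supplied), the second the answer's error 34, and the -attime line its error 10. Of the two passing forms, the -untrusted one is the shape to prefer for a verifier that receives the intermediate from the peer: only the root sits in the trust store and the intermediate still has to chain to it, whereas concatenating the intermediate into -CAfile makes it a trust anchor in its own right, which is more trust than the chain needs. -ignore_critical and -no_check_time are handy while diagnosing a chain, but a production verifier should not run with them: a critical extension it cannot interpret is a signal to reject the certificate, and an expired certificate is exactly what the validity check exists to catch.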