I am looking for a Node.js way to verify a client certificate in X509 format with a CA certificate which was given to me (none of those are created/managed by me, my software only has to verify what is being sent to it).
I have found several modules for this job, however I am having issues with each of them:
- X509 is able to do it using x509.verify(cert, CABundlePath, cb), however it needs to read the certificates from the FS, and I already have them in memory. This is cumbersome as it will be done with each web request which reaches my app.
- It seems like PKI.js is able to do it, however their examples don't work for me but complain about missing files, so I can't even try it out.
- I tried node-forge, but while I am unsure if I use it correctly (they don't have any API documentation) it's throwing a forge.pki.BadCertificate error from forge.pki.verifyCertificateChain(caStore, [ cer ], cb).
- When trying pem, using a simple pem.verifySigningChain(cer, [ ca ], cb) would throw some error complaining about loading a file from /var/.... Even if it would work, I would avoid using this lib as it relies on the openssl command line tool, which I would like to avoid.
Now I feel pretty stupid because I failed to get this simple task done with any of the above modules. Could someone point me to a simple solution which will allow me to verify the signature/validity of an X509 certificate using a given CA certificate? :s
[edit] Basically I would need openssl verify -verbose -CAfile ca-crt.pem client1-crt.pem in Node.js, but without dependencies on the openssl command line tool and without temporarily saving the certs to disk.
[edit2] Would it be possible to just use https://nodejs.org/api/crypto.html#crypto_verify_verify_object_signature_signatureformat?
1 answer
#1
2
I finally managed to do it using node-forge. Here's a working code example:
const fs = require('fs');
const pki = require('node-forge').pki;
let caCert;
let caStore;
try {
  // CA certificate as a PEM string; createCaStore accepts PEM strings or forge certificate objects
  caCert = fs.readFileSync('path/to/ca-cert.pem').toString();
  caStore = pki.createCaStore([ caCert ]);
} catch (e) {
  // log is the application's logger
  log.error('Failed to load CA certificate (' + e + ')');
  return....;
}
try {
  // verifyCertificateChain walks forge certificate objects, so parse cert first if it is still a PEM string;
  // it throws when the chain does not end at a CA in caStore or the certificate is outside its validity period
  const clientCert = typeof cert === 'string' ? pki.certificateFromPem(cert) : cert;
  pki.verifyCertificateChain(caStore, [ clientCert ]);
} catch (e) {
  // (e.message || e) must be parenthesized: '+' binds tighter than '||', so the original
  // expression evaluated ('...' + e.message) || (e + ')') and mangled the message.
  // handleResponse is the application's response helper.
  return handleResponse(new Error('Failed to verify certificate (' + (e.message || e) + ')'));
}
Both certificates shall be given in base64 encoded PEM format/JS string.
verifyCertificateChain checks the certificate validity (notBefore/notAfter) as well as verifies the given CA chain.
I am not 100% sure if this is the best approach, or if this library is doing a good job, since their source code of verifyCertificateChain is full of #TODOs, so maybe this is not ready for production? But at least I have a somewhat working solution. Probably it would be better to create a node module which wraps the libssl C calls, but that's just a lot of effort for this small task.