使用节点。用CA cert验证X509证书

I am looking for a node.js way to verify a client certificate in X509 format with a CA certificate which was given to me (none of those are created/managed by me, my software only has to verify what is beeing sent to it).

我在找一个节点。js方法通过一个CA证书来验证X509格式的客户端证书(这些都不是由我创建/管理的，我的软件只需要验证发送到它的是什么)。

I have found several modules for this job, however I am having issues with each of them:

我已经为这份工作找了几个模块，但是我每个模块都有问题:

X509 is able to do it using x509.verify(cert, CABundlePath, cb), however it needs to read the certificates from FS, and I am having them in memory already. This is cumbersome as it will be done with each web request which reaches my app.
X509可以使用X509。验证(cert、CABundlePath、cb)，但是它需要从FS读取证书，我已经将它们存储在内存中。这很麻烦，因为它将在每个到达我的应用的web请求中完成。
It seems like PKI.js is able to do it, however their examples don't work for me but complain about missing files, so I can't even try it out.
它看起来像PKI。js可以这样做，但是他们的示例对我不起作用，而是抱怨缺少文件，所以我甚至不能尝试它。
I tried node-forge, but while I am unsure if I use it correctly (they don't have any API documentation) its throwing a forge.pki.BadCertificate error from forge.pki.verifyCertificateChain(caStore, [ cer ], cb).
我尝试了node-forge，但是我不确定我是否正确地使用它(他们没有任何API文档)，它抛出了一个forge.pki。从forge.pki BadCertificate错误。verifyCertificateChain(caStore， [cer]， cb)
When trying pem, using a simple pem.verifySigningChain(cer, [ ca ], cb) would throw some error complaining about loading a file from /var/.... Even if it would work, I would avoid using this lib as its relying on the openssl command line tool, which I would like to avoid
当尝试pem时，使用一个简单的pem。verifySigningChain(cer、(ca)、cb)会把一些错误从/var/....抱怨加载文件即使它可以工作，我也会避免使用这个lib作为它依赖于openssl命令行工具的工具，我希望避免使用这个工具

Now I feel pretty stupid because I failed to get this simple task done with any of the above modules. Could someone point me to a simple solution which will allow me to verify the signature/validity of a X509 certificate using a given CA certificate? :s

现在我觉得很愚蠢，因为我没有完成上面任何一个模块的简单任务。是否有人可以给我一个简单的解决方案，让我使用给定的CA证书来验证X509证书的签名/有效性?:年代

[edit] Basically I would need openssl verify -verbose -CAfile ca-crt.pem client1-crt.pem in Node.js but without dependencies to the openssl command line tool and without temporarily saving the certs to disk.

[编辑]基本上我需要openssl验证-verbose -CAfile ca-crt。pem client1-crt。pem的节点。但不依赖于openssl命令行工具，也不临时将证书保存到磁盘。

[edit2] Would it be possible to just use https://nodejs.org/api/crypto.html#crypto_verify_verify_object_signature_signatureformat?

是否可能只使用https://nodejs.org/api/crypto.html# crypto_verify_verify_object_signature_signature_signatureformat ?

1 个解决方案

#1

I finally managed to do it using node-forge. Heres a working code example:

我终于用node-forge做到了。这里有一个工作代码示例:

let pki = require('node-forge').pki;

let caCert;
let caStore;

try {
    caCert = fs.readFileSync('path/to/ca-cert.pem').toString();
    caStore = pki.createCaStore([ caCert ]);
} catch (e) {
    log.error('Failed to load CA certificate (' + e + ')');
    return....;
}

try {
    pki.verifyCertificateChain(caStore, [ cert ]);
} catch (e) {
    return handleResponse(new Error('Failed to verify certificate (' + e.message || e + ')'));
}

Both certificates shall be given in base64 encoded PEM format/js string.

两个证书都应该以base64编码的PEM格式/js字符串形式提供。

verifyCertificateChain checks the certifitate validity (notBefore/notAfter) as well as verifies the given CA chain.

verifyCertificateChain检查fitcertiate有效性(不是before /notAfter)，并验证给定的CA链。

I am not 100% sure if this is the best approach, or if this library is doing a good job, since their source code of verifyCertificateChain is full of #TODOs, so maybe this is not ready for production? But at least I have a somewhat working solution. Probably it would be better to create a node module which wraps the libssl c calls, but thats just a lot of effort for this small task.

我不能100%确定这是否是最好的方法，或者这个库是否做得很好，因为他们的verifyCertificateChain的源代码中满是#TODOs，所以这可能还没有准备好用于生产?但至少我有一个可行的解决方案。创建一个包含libssl c调用的节点模块可能会更好，但对于这个小任务来说，这只是很大的工作量。

#1