使用节点。用CA cert验证X509证书

时间:2022-06-21 07:15:08

I am looking for a node.js way to verify a client certificate in X509 format with a CA certificate which was given to me (none of those are created/managed by me, my software only has to verify what is beeing sent to it).

我在找一个节点。js方法通过一个CA证书来验证X509格式的客户端证书(这些都不是由我创建/管理的,我的软件只需要验证发送到它的是什么)。

I have found several modules for this job, however I am having issues with each of them:

我已经为这份工作找了几个模块,但是我每个模块都有问题:

  • X509 is able to do it using x509.verify(cert, CABundlePath, cb), however it needs to read the certificates from FS, and I am having them in memory already. This is cumbersome as it will be done with each web request which reaches my app.
  • X509可以使用X509。验证(cert、CABundlePath、cb),但是它需要从FS读取证书,我已经将它们存储在内存中。这很麻烦,因为它将在每个到达我的应用的web请求中完成。
  • It seems like PKI.js is able to do it, however their examples don't work for me but complain about missing files, so I can't even try it out.
  • 它看起来像PKI。js可以这样做,但是他们的示例对我不起作用,而是抱怨缺少文件,所以我甚至不能尝试它。
  • I tried node-forge, but while I am unsure if I use it correctly (they don't have any API documentation) its throwing a forge.pki.BadCertificate error from forge.pki.verifyCertificateChain(caStore, [ cer ], cb).
  • 我尝试了node-forge,但是我不确定我是否正确地使用它(他们没有任何API文档),它抛出了一个forge.pki。从forge.pki BadCertificate错误。verifyCertificateChain(caStore, [cer], cb)
  • When trying pem, using a simple pem.verifySigningChain(cer, [ ca ], cb) would throw some error complaining about loading a file from /var/.... Even if it would work, I would avoid using this lib as its relying on the openssl command line tool, which I would like to avoid
  • 当尝试pem时,使用一个简单的pem。verifySigningChain(cer、(ca)、cb)会把一些错误从/var/....抱怨加载文件即使它可以工作,我也会避免使用这个lib作为它依赖于openssl命令行工具的工具,我希望避免使用这个工具

Now I feel pretty stupid because I failed to get this simple task done with any of the above modules. Could someone point me to a simple solution which will allow me to verify the signature/validity of a X509 certificate using a given CA certificate? :s

现在我觉得很愚蠢,因为我没有完成上面任何一个模块的简单任务。是否有人可以给我一个简单的解决方案,让我使用给定的CA证书来验证X509证书的签名/有效性?:年代

[edit] Basically I would need openssl verify -verbose -CAfile ca-crt.pem client1-crt.pem in Node.js but without dependencies to the openssl command line tool and without temporarily saving the certs to disk.

[编辑]基本上我需要openssl验证-verbose -CAfile ca-crt。pem client1-crt。pem的节点。但不依赖于openssl命令行工具,也不临时将证书保存到磁盘。

[edit2] Would it be possible to just use https://nodejs.org/api/crypto.html#crypto_verify_verify_object_signature_signatureformat?

是否可能只使用https://nodejs.org/api/crypto.html# crypto_verify_verify_object_signature_signature_signatureformat ?

1 个解决方案

#1


2  

I finally managed to do it using node-forge. Heres a working code example:

我终于用node-forge做到了。这里有一个工作代码示例:

let pki = require('node-forge').pki;

let caCert;
let caStore;

try {
    caCert = fs.readFileSync('path/to/ca-cert.pem').toString();
    caStore = pki.createCaStore([ caCert ]);
} catch (e) {
    log.error('Failed to load CA certificate (' + e + ')');
    return....;
}

try {
    pki.verifyCertificateChain(caStore, [ cert ]);
} catch (e) {
    return handleResponse(new Error('Failed to verify certificate (' + e.message || e + ')'));
}

Both certificates shall be given in base64 encoded PEM format/js string.

两个证书都应该以base64编码的PEM格式/js字符串形式提供。

verifyCertificateChain checks the certifitate validity (notBefore/notAfter) as well as verifies the given CA chain.

verifyCertificateChain检查fitcertiate有效性(不是before /notAfter),并验证给定的CA链。

I am not 100% sure if this is the best approach, or if this library is doing a good job, since their source code of verifyCertificateChain is full of #TODOs, so maybe this is not ready for production? But at least I have a somewhat working solution. Probably it would be better to create a node module which wraps the libssl c calls, but thats just a lot of effort for this small task.

我不能100%确定这是否是最好的方法,或者这个库是否做得很好,因为他们的verifyCertificateChain的源代码中满是#TODOs,所以这可能还没有准备好用于生产?但至少我有一个可行的解决方案。创建一个包含libssl c调用的节点模块可能会更好,但对于这个小任务来说,这只是很大的工作量。

#1


2  

I finally managed to do it using node-forge. Heres a working code example:

我终于用node-forge做到了。这里有一个工作代码示例:

let pki = require('node-forge').pki;

let caCert;
let caStore;

try {
    caCert = fs.readFileSync('path/to/ca-cert.pem').toString();
    caStore = pki.createCaStore([ caCert ]);
} catch (e) {
    log.error('Failed to load CA certificate (' + e + ')');
    return....;
}

try {
    pki.verifyCertificateChain(caStore, [ cert ]);
} catch (e) {
    return handleResponse(new Error('Failed to verify certificate (' + e.message || e + ')'));
}

Both certificates shall be given in base64 encoded PEM format/js string.

两个证书都应该以base64编码的PEM格式/js字符串形式提供。

verifyCertificateChain checks the certifitate validity (notBefore/notAfter) as well as verifies the given CA chain.

verifyCertificateChain检查fitcertiate有效性(不是before /notAfter),并验证给定的CA链。

I am not 100% sure if this is the best approach, or if this library is doing a good job, since their source code of verifyCertificateChain is full of #TODOs, so maybe this is not ready for production? But at least I have a somewhat working solution. Probably it would be better to create a node module which wraps the libssl c calls, but thats just a lot of effort for this small task.

我不能100%确定这是否是最好的方法,或者这个库是否做得很好,因为他们的verifyCertificateChain的源代码中满是#TODOs,所以这可能还没有准备好用于生产?但至少我有一个可行的解决方案。创建一个包含libssl c调用的节点模块可能会更好,但对于这个小任务来说,这只是很大的工作量。