Finding out whether a certificate is self-signed or CA-signed.

Time: 2023-01-21 11:40:16

I have a web app which allows users to upload a pkcs12. I store the pkcs12 as binary in a database. Is there any way for me to know if the certificate in the pkcs12 is self-signed or CA-signed?

I am running a Java web app on tomcat and have openssl at my disposal.

4 solutions

#1


9  

It's a bit hacky, but the openssl x509 command can report both the issuer and the subject. If the subject and issuer are the same, it is self-signed; if they are different, then it was signed by a CA. (Strictly speaking, a great many self-signed certificates are also signed by a CA -- themselves.)

While testing this theory, I ran a handful of tests; it runs something like:

cd /etc/ssl/certs
# write the "issuer=..." and "subject=..." line of every cert to /tmp
for f in *.0 ; do openssl x509 -in "$f" -issuer | head -1 > "/tmp/$f.issuer" ; openssl x509 -in "$f" -subject | head -1 > "/tmp/$f.subject" ; done
cd /tmp
# strip the field labels so only the distinguished names remain
sed -i -e s/issuer=// *.issuer
sed -i -e s/subject=// *.subject
cd /etc/ssl/certs/
# no diff output means subject == issuer, i.e. the cert is (probably) self-signed
for f in *.0 ; do diff -u "/tmp/$f.issuer" "/tmp/$f.subject" ; done

Hope this helps.

#2


11  

The following email thread tells precisely the right way to verify whether a base64-encoded certificate (i.e. PEM) is self-signed or not: http://marc.info/?l=openssl-users&m=116177485311662&w=4

Following is the code snippet:

openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem

should return:

self_signed_cert.pem: OK

OR compare the issuer and subject. If they are the same, it is self-signed:

openssl x509 -in cert.pem -inform PEM -noout -subject -issuer
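The decisive test behind the `openssl verify -CAfile cert cert` line above (and the subject/issuer comparison in #1 and #2), applied directly to the PKCS#12 bytes the question stores in the database. This is an added example, not code from the thread; it assumes the `cryptography` package, constructed ECDSA P-256 fixtures and the password `pw`, and it also flags the case the name comparison alone gets wrong: subject equal to issuer but a signature that does not verify under the certificate's own key.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import BestAvailableEncryption, pkcs12
from cryptography.x509.oid import NameOID


def classify(cert: x509.Certificate) -> str:
    """Return 'self-signed', 'issuer-signed', or 'inconsistent' (subject equals
    issuer, but the signature does not verify under the certificate's own key)."""
    names_match = cert.subject == cert.issuer
    try:  # the decisive test: verify the signature with the cert's own public key (ECDSA assumed)
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return "self-signed"
    except InvalidSignature:
        return "inconsistent" if names_match else "issuer-signed"


def classify_pkcs12(blob: bytes, password: bytes) -> str:
    """Load the PKCS#12 bytes as stored in the database and classify its certificate."""
    _key, cert, _extra = pkcs12.load_key_and_certificates(blob, password)
    if cert is None:
        raise ValueError("PKCS#12 bundle carries no end-entity certificate")
    return classify(cert)


def _make_cert(subject, issuer, key, signer_key):
    """Constructed test certificate: ECDSA P-256, valid for one day."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .sign(signer_key, hashes.SHA256()))


def sample_bundles(password: bytes = b"pw") -> dict:
    """Constructed fixtures, each packed as a password-protected PKCS#12 blob."""
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    fixtures = {
        "self": (_make_cert("Example CA", "Example CA", ca_key, ca_key), ca_key),
        "ca_signed": (_make_cert("app.example", "Example CA", leaf_key, ca_key), leaf_key),
        "name_only": (_make_cert("Example CA", "Example CA", leaf_key, ca_key), leaf_key),
    }
    return {k: pkcs12.serialize_key_and_certificates(k.encode(), key, cert, None,
            BestAvailableEncryption(password)) for k, (cert, key) in fixtures.items()}
```

In the questioner's Java app the same test is `cert.verify(cert.getPublicKey())` on the `X509Certificate` obtained from a `KeyStore.getInstance("PKCS12")`, which throws on failure.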

#3


0  

Have you tried the BouncyCastle lib?

http://www.bouncycastle.org/wiki/display/JA1/Frequently+Asked+Questions

" There are specific example programs for dealing with Attribute Certificates, PKCS12, SMIME and OpenPGP. They can be found in the packages:

org.bouncycastle.jce.examples
org.bouncycastle.mail.smime.examples
org.bouncycastle.openpgp.examples

Another useful source of examples is the test packages:

org.bouncycastle.crypto.test
org.bouncycastle.jce.provider.test
org.bouncycastle.cms.test
org.bouncycastle.mail.smime.test
org.bouncycastle.openpgp.test
org.bouncycastle.cert.test
org.bouncycastle.pkcs.test
org.bouncycastle.tsp.test "

#4


0  

Java is unable to analyze PKCS12, so you have to convert it to a keystore using openssl.

Here the keystore has both the private key and the X509 certificate (or you can choose to store only the certificate). Then get the issuer from the keystore using the standard JAVA API and manually verify the issuer.
