Category: LINUX

2014-08-18 11:25:25

Original post: [Manual] The OpenSSL verify command, author: ailms

VERIFY(1)               OpenSSL                VERIFY(1)



NAME
       verify - Utility to verify certificates.
 
# Note: verify is used to check a certificate

SYNOPSIS
       openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-untrusted file] [-help] [-issuer_checks] [-verbose] [-] [certificates]

DESCRIPTION
       The verify command verifies certificate chains.
 
# Note: the verify command is used to validate a certificate chain

COMMAND OPTIONS
       -CApath directory
       A directory of trusted certificates. The certificates should have
       names of the form: hash.0 or have symbolic links to them of this
       form ("hash" is the hashed certificate subject name: see the -hash
       option of the x509 utility). Under Unix the c_rehash script will
       automatically create symbolic links to a directory of certificates.
 
        # Note: -CApath specifies a directory holding trusted certificates.

       -CAfile file
       A file of trusted certificates. The file should contain multiple
       certificates in PEM format concatenated together.
 
        # Note: -CAfile specifies a file of trusted CA certificates; it is several PEM-format CA certificates concatenated together
 
        # Supplement: that file is /usr/share/ssl/certs/ca-bundles.crt, which contains the certificates of 58 CAs

       -untrusted file
       A file of untrusted certificates. The file should contain multiple
       certificates
 
        # Note: -untrusted specifies a file of untrusted CA certificates, in the same format as -CAfile

       -purpose purpose
       the intended use for the certificate. Without this option no chain
       verification will be done. Currently accepted uses are sslclient,
       sslserver, nssslserver, smimesign, smimeencrypt. See the VERIFY
       OPERATION section for more information.
 
        # Note: -purpose specifies the purpose you want to verify the certificate for; if this option is not given, no certificate chain checks are done at all
 
        # Currently supported purposes: sslclient, sslserver, nssslserver, smimesign, smimeencrypt

       -help
       prints out a usage message.

       -verbose
       print extra information about the operations being performed.
 
        # Note: -verbose is verbose mode

       -issuer_checks
       print out diagnostics relating to searches for the issuer
       certificate of the current certificate. This shows why each candidate
       issuer certificate was rejected. However the presence of rejection
       messages does not itself imply that anything is wrong: during the
       normal verify process several rejections may take place.
 
        # Note: -issuer_checks prints the process of checking the certificate's Issuer

       -   marks the last option. All arguments following this are assumed to
       be certificate files. This is useful if the first certificate
       filename begins with a -.
 
        # Note: - marks the last option. Everything after "-" is treated as the name of a certificate to verify
 
        # Supplement: in testing, this option is not usable and reports a syntax error

       certificates
       one or more certificates to verify. If no certificate filenames
       are included then an attempt is made to read a certificate from
       standard input. They should all be in PEM format.
 
        # Note: one or more certificates can be given at once; otherwise input is read from stdin
 


VERIFY OPERATION
       The verify program uses the same functions as the internal SSL and
       S/MIME verification, therefore this description applies to these
       verify operations too.
 
       There is one crucial difference between the verify operations
       performed by the verify program: wherever possible an attempt is made
       to continue after an error whereas normally the verify operation would
       halt on the first error. This allows all the problems with a
       certificate chain to be determined.
 
       The verify operation consists of a number of separate steps.
 
        # Note: the verify operation consists of the following steps:
 
       Firstly a certificate chain is built up starting from the supplied
       certificate and ending in the root CA. It is an error if the whole
       chain cannot be built up. The chain is built up by looking up the
       issuers certificate of the current certificate. If a certificate is
       found which is its own issuer it is assumed to be the root CA.
 
        # Note: first a certificate chain is built, starting from the certificate to be verified and going up to the root CA.
        # If this chain cannot be built, the Issuer of the certificate to be verified is looked up, and among the many CA
        # certificates the one whose Subject equals that Issuer is taken as the root CA.
        # This describes the case of a non-commercial CA, e.g. a CA we generated with CA.sh
 
       The process of 'looking up the issuers certificate' itself involves a
       number of steps. In versions of OpenSSL before 0.9.5a the first
       certificate whose subject name matched the issuer of the current
       certificate was assumed to be the issuers certificate. In OpenSSL
       0.9.6 and later all certificates whose subject name matches the issuer
       name of the current certificate are subject to further tests. The
       relevant authority key identifier components of the current
       certificate (if present) must match the subject key identifier (if
       present) and issuer and serial number of the candidate issuer, in
       addition the keyUsage extension of the candidate issuer (if present)
       must permit certificate signing.
 
       The lookup first looks in the list of untrusted certificates and if no
       match is found the remaining lookups are from the trusted
       certificates. The root CA is always looked up in the trusted
       certificate list: if the certificate to verify is a root certificate
       then an exact match must be found in the trusted list.
 
       The second operation is to check every untrusted certificate's
       extensions for consistency with the supplied purpose. If the -purpose
       option is not included then no checks are done. The supplied or "leaf"
       certificate must have extensions compatible with the supplied purpose
       and all other certificates must also be valid CA certificates. The
       precise extensions required are described in more detail in the
       CERTIFICATE EXTENSIONS section of the x509 utility.
 
       The third operation is to check the trust settings on the root CA. The
       root CA should be trusted for the supplied purpose. For compatibility
       with previous versions of SSLeay and OpenSSL a certificate with no
       trust settings is considered to be valid for all purposes.
 
       The final operation is to check the validity of the certificate chain.
       The validity period is checked against the current system time and the
       notBefore and notAfter dates in the certificate. The certificate
       signatures are also checked at this point.
 
       If all operations complete successfully then the certificate is
       considered valid. If any operation fails then the certificate is not
       valid.
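The chain-building step described above, modelled in Python as an added example that is not part of the man page or of OpenSSL's own code. Certificates are constructed dicts with this example's own field names (subject, issuer, skid, akid, cert_sign), no signatures are checked, and the returned codes are the X509_V_ERR numbers listed under DIAGNOSTICS below.

```python
def cert(subject, issuer, skid=None, akid=None, cert_sign=True):
    """Constructed certificate record; field names are this example's own."""
    return {"subject": subject, "issuer": issuer, "skid": skid,
            "akid": akid, "cert_sign": cert_sign}

def find_issuer(c, candidates):
    """OpenSSL 0.9.6+ rule: every subject-name match gets the further tests."""
    for cand in candidates:
        if cand["subject"] != c["issuer"]:
            continue  # 29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH
        if c["akid"] and cand["skid"] and c["akid"] != cand["skid"]:
            continue  # 30 X509_V_ERR_AKID_SKID_MISMATCH
        if not cand["cert_sign"]:
            continue  # 32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN
        return cand
    return None

def build_chain(leaf, untrusted, trusted, max_depth=8):
    """Return (error_code, depth, chain); code 0 means X509_V_OK."""
    chain = [leaf]
    while True:
        cur, depth = chain[-1], len(chain) - 1
        if cur["subject"] == cur["issuer"]:
            # Self-issued certificate: assumed to be the root CA, which must
            # appear exactly in the trusted list.
            if cur in trusted:
                return 0, depth, chain
            # 18 DEPTH_ZERO_SELF_SIGNED_CERT at depth 0, else 19 SELF_SIGNED_CERT_IN_CHAIN
            return (18 if depth == 0 else 19), depth, chain
        # Untrusted list first, then the trusted list.
        issuer = find_issuer(cur, untrusted) or find_issuer(cur, trusted)
        if issuer is None:
            return 20, depth, chain  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        if depth + 1 > max_depth:
            return 22, depth, chain  # loop guard, reported as CERT_CHAIN_TOO_LONG
        chain.append(issuer)

# Constructed sample PKI: root -> intermediate -> leaf, plus a bad intermediate.
ROOT = cert("CN=Test Root CA", "CN=Test Root CA", skid="r1")
INTER = cert("CN=Test Intermediate", "CN=Test Root CA", skid="i1", akid="r1")
INTER_NOSIGN = cert("CN=Test Intermediate", "CN=Test Root CA",
                    skid="i1", akid="r1", cert_sign=False)
LEAF = cert("CN=server.example", "CN=Test Intermediate", akid="i1")

if __name__ == "__main__":
    print(build_chain(LEAF, [INTER], [ROOT])[:2])         # (0, 2): OK, root at depth 2
    print(build_chain(LEAF, [INTER, ROOT], [])[:2])       # (19, 2): root only in untrusted
    print(build_chain(LEAF, [INTER_NOSIGN], [ROOT])[:2])  # (20, 0): no usable issuer
```

The depth in each result is the one the real tool would print in "error N at D depth lookup", so the three cases map directly onto errors 19 and 20 in the table below.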
 
DIAGNOSTICS
       When a verify operation fails the output messages can be somewhat
       cryptic. The general form of the error message is:
 
        # Note: if verification fails, an error message of the following form appears
 
 server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
 error 24 at 1 depth lookup:invalid CA certificate
 
       The first line contains the name of the certificate being verified
       followed by the subject name of the certificate. The second line
       contains the error number and the depth. The depth is the number of
       the certificate being verified when a problem was detected, starting
       with zero for the certificate being verified itself, then 1 for the CA
       that signed the certificate and so on. Finally a text version of the
       error number is presented.
 
# Note: the first line is the subject of the certificate being verified; the second line gives the error code and the verification depth.
 
# depth indicates which certificate in the chain was being checked when the error occurred, numbered from 0; 1 is the CA that signed the certificate, and so on.
 
       An exhaustive list of the error codes and messages is shown below,
       this also includes the name of the error code as defined in the header
       file x509_vfy.h. Some of the error codes are defined but never
       returned: these are described as "unused".
 
       0 X509_V_OK: ok
    the operation was successful.
 
       2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
    the issuer certificate could not be found: this occurs if the
    issuer certificate of an untrusted certificate cannot be found.
 
       3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL
    the CRL of a certificate could not be found. Unused.
 
       4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate’s signature
    the certificate signature could not be decrypted. This means that
    the actual signature value could not be determined rather than it
    not matching the expected value, this is only meaningful for RSA
    keys.
 
       5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL’s signature
    the CRL signature could not be decrypted: this means that the
    actual signature value could not be determined rather than it not
    matching the expected value. Unused.
 
       6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key
    the public key in the certificate SubjectPublicKeyInfo could not
    be read.
 
       7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure
    the signature of the certificate is invalid.
 
       8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
    the signature of the certificate is invalid. Unused.
 
       9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
    the certificate is not yet valid: the notBefore date is after the
    current time.
 
       10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired
    the certificate has expired: that is the notAfter date is before
    the current time.
 
       11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
    the CRL is not yet valid. Unused.
 
       12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
    the CRL has expired. Unused.
 
       13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate’s notBefore field
    the certificate notBefore field contains an invalid time.
 
       14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate’s notAfter field
    the certificate notAfter field contains an invalid time.
 
       15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL’s lastUpdate field
    the CRL lastUpdate field contains an invalid time. Unused.
 
       16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL’s nextUpdate field
    the CRL nextUpdate field contains an invalid time. Unused.
 
       17 X509_V_ERR_OUT_OF_MEM: out of memory
    an error occurred trying to allocate memory. This should never
    happen.
 
       18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
    the passed certificate is self signed and the same certificate
    cannot be found in the list of trusted certificates.
 
       19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
    the certificate chain could be built up using the untrusted
    certificates but the root could not be found locally.
 
       20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
    the issuer certificate of a locally looked up certificate could
    not be found. This normally means the list of trusted certificates
    is not complete.
 
       21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate
    no signatures could be verified because the chain contains only
    one certificate and it is not self signed.
 
       22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
    the certificate chain length is greater than the supplied maximum
    depth. Unused.
 
       23 X509_V_ERR_CERT_REVOKED: certificate revoked
    the certificate has been revoked. Unused.
 
       24 X509_V_ERR_INVALID_CA: invalid CA certificate
    a CA certificate is invalid. Either it is not a CA or its
    extensions are not consistent with the supplied purpose.
 
       25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded
    the basicConstraints pathlength parameter has been exceeded.
 
       26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
    the supplied certificate cannot be used for the specified purpose.
 
       27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
    the root CA is not marked as trusted for the specified purpose.
 
       28 X509_V_ERR_CERT_REJECTED: certificate rejected
    the root CA is marked to reject the specified purpose.
 
       29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
    the current candidate issuer certificate was rejected because its
    subject name did not match the issuer name of the current
    certificate. Only displayed when the -issuer_checks option is set.
 
       30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch
    the current candidate issuer certificate was rejected because its
    subject key identifier was present and did not match the authority
    key identifier of the current certificate. Only displayed when the
    -issuer_checks option is set.
 
       31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch
    the current candidate issuer certificate was rejected because its
    issuer name and serial number was present and did not match the
    authority key identifier of the current certificate. Only
    displayed when the -issuer_checks option is set.
 
       32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing
    the current candidate issuer certificate was rejected because its
    keyUsage extension does not permit certificate signing.
 
       50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure
    an application specific error. Unused.
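A parser for the two-line failure record shown at the top of DIAGNOSTICS, added here as an example and not part of the man page or of OpenSSL. It runs over constructed sample output in that format and maps each numeric code to its x509_vfy.h name using a subset of the table above; the "file: OK" line is the success form the tool prints.

```python
import re

# Subset of the error table above (numeric code -> x509_vfy.h name).
X509_V_ERRORS = {
    0: "X509_V_OK", 2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE", 9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED", 18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE", 24: "X509_V_ERR_INVALID_CA",
    26: "X509_V_ERR_INVALID_PURPOSE", 27: "X509_V_ERR_CERT_UNTRUSTED",
}

# "error 24 at 1 depth lookup:invalid CA certificate" (whitespace after ':' optional)
ERROR_LINE = re.compile(r"^error (\d+) at (\d+) depth lookup:\s*(.*)$")
OK_LINE = re.compile(r"^(\S+): OK$")

def parse_verify_output(text):
    """Return one record per certificate: file, subject, code, name, depth, message."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = OK_LINE.match(line)
        if m:
            records.append({"file": m.group(1), "subject": None, "code": 0,
                            "name": "X509_V_OK", "depth": None, "message": "ok"})
            continue
        m = ERROR_LINE.match(line)
        if m and pending is not None:
            code, depth = int(m.group(1)), int(m.group(2))
            records.append({**pending, "code": code, "depth": depth,
                            "name": X509_V_ERRORS.get(code, "UNKNOWN"),
                            "message": m.group(3)})
            pending = None
            continue
        # Any other line is "file: subject", the first line of a failure record.
        file, _, subject = line.partition(": ")
        pending = {"file": file, "subject": subject}
    return records

# Constructed sample output in the page's format: one failure, one success.
SAMPLE = """\
server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
error 24 at 1 depth lookup:invalid CA certificate
client.pem: OK
"""
```

Depth 1 in the parsed record means the problem was found in the CA that signed server.pem, not in server.pem itself, which is the distinction the text above explains.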
 
BUGS
       Although the issuer checks are a considerable improvement over the old
       technique they still suffer from limitations in the underlying
       X509_LOOKUP API. One consequence of this is that trusted certificates
       with matching subject name must either appear in a file (as specified
       by the -CAfile option) or a directory (as specified by -CApath). If
       they occur in both then only the certificates in the file will be
       recognised.
 
       Previous versions of OpenSSL assumed certificates with matching subject
       name were identical and mishandled them.
 
SEE ALSO
       x509(1)
 
 
 
0.9.7a      2001-10-08       VERIFY(1)

 