How do I monitor client certs that are being sent via the requests?

好久不见. Submitted on 2019-12-12 02:06:15

Question


All the certs are generated using another self-signed CA cert right now. I am doing a POC for a project.

It's imperative for me to figure out a way to get information about the client certs that are received through the client requests. How do I do this?

EDIT: More specifically, I want to check if two client certs coming from two different incoming web requests are similar or not


Answer 1:


How do I monitor client certs that are being sent via the requests?

Client certificates are used to establish the SSL/TLS connection. HTTPS requests occur at a higher level, and have nothing to do with the lower level SSL/TLS channel.

With that said, there's probably a token or cookie available that binds the user's identity from the client certificate with the HTTP requests.


It's imperative for me to figure out a way to get information about the client certs that are received through the client requests. How do I do this?

You did not say what you have, and what information you wanted. You probably need to be more specific.


I want to check if two client certs coming from two different incoming web requests are similar or not

You need to define "similar" in this context. It can be tricky.

Naively, you can use the {Subject's Distinguished Name} or {Subject's Distinguished Name, Public Key} to see if two are "equal". But I'm not sure how to distinguish between "similar" (perhaps the same Issuer?).

Beware of using just {Subject's Distinguished Name}. That's the latest Android APK signing bug: Android Fake ID Vulnerability Lets Malware Impersonate Trusted Applications.

An X509 certificate binds a public key to an entity. So a certificate is "unique" based on (1) the subject, (2) the public key and (3) the issuer (who applies a signature over (1) and (2)).

The entity is presented in the Subject. For example, a server or a user. The server is identified through, among others, its DNS name; while the user is identified, among others, by their email address. You can get the subject name through the Subject's Distinguished Name.

You can get the subject's public key from the certificate. A public key will always be available just like a subject will always be available. The trusted authority binds the two, and won't sign the request if either are missing.

The Issuer signed the subject's certificate. It's a trusted authority and often a public CA. You can get the issuer's name from the Issuer Distinguished Name.

If needed, you can get a digest of the issuer's public key from the Authority Key Identifier (AKI). To get the actual public key, you need to inspect the issuer's certificate.

When you verify a signature on the subject's certificate, you need the issuer's certificate. You need it because you need the public key from the issuer to verify the certificate on the subject's certificate.

You can read about Distinguished Names (and the Relative Distinguished Names (RDNs) that make them up) in RFC 4514, Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names.



Source: https://stackoverflow.com/questions/25074889/how-do-i-monitor-client-certs-that-are-being-sent-via-the-requests
