The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

verify (1)
  • >> verify (1) ( Solaris man: Команды и прикладные программы пользовательского уровня )
  • verify (1) ( Linux man: Команды и прикладные программы пользовательского уровня )
  • verify (8) ( Linux man: Команды системного администрирования )
  • Ключ verify обнаружен в базе ключевых слов.
  • 
    
    

    NAME

         verify - Utility to verify certificates.
    
    
    

    SYNOPSIS

         openssl verify [-CApath directory] [-CAfile file] [-purpose
         purpose] [-untrusted file] [-help] [-issuer_checks]
         [-verbose] [-] [certificates]
    
    
    

    DESCRIPTION

         The verify command verifies certificate chains.
    
    
    

    COMMAND OPTIONS

         -CApath directory
             A directory of trusted certificates. The certificates
             should have names of the form: hash.0 or have symbolic
             links to them of this form ("hash" is the hashed
             certificate subject name: see the -hash option of the
             x509 utility). Under Unix the c_rehash script will
             automatically create symbolic links to a directory of
             certificates.
    
         -CAfile file
             A file of trusted certificates. The file should contain
             multiple certificates in PEM format concatenated
             together.
    
         -untrusted file
             A file of untrusted certificates. The file should
             contain multiple certificates
    
         -purpose purpose
             the intended use for the certificate. Without this
             option no chain verification will be done. Currently
             accepted uses are sslclient, sslserver, nssslserver,
             smimesign, smimeencrypt. See the VERIFY OPERATION
             section for more information.
    
         -help
             prints out a usage message.
    
         -verbose
             print extra information about the operations being
             performed.
    
         -issuer_checks
             print out diagnostics relating to searches for the
             issuer certificate of the current certificate. This
             shows why each candidate issuer certificate was
             rejected. However the presence of rejection messages
             does not itself imply that anything is wrong: during the
             normal verify process several rejections may take place.
    
         -   marks the last option. All arguments following this are
             assumed to be certificate files. This is useful if the
             first certificate filename begins with a -.
    
         certificates
             one or more certificates to verify. If no certificate
             filenames are included then an attempt is made to read a
             certificate from standard input. They should all be in
             PEM format.
    
    
    

    VERIFY OPERATION

         The verify program uses the same functions as the internal
         SSL and S/MIME verification, therefore this description
         applies to these verify operations too.
    
         There is one crucial difference between the verify
         operations performed by the verify program: wherever
         possible an attempt is made to continue after an error
         whereas normally the verify operation would halt on the
         first error. This allows all the problems with a certificate
         chain to be determined.
    
         The verify operation consists of a number of separate steps.
    
         Firstly a certificate chain is built up starting from the
         supplied certificate and ending in the root CA. It is an
         error if the whole chain cannot be built up. The chain is
         built up by looking up the issuers certificate of the
         current certificate. If a certificate is found which is its
         own issuer it is assumed to be the root CA.
    
         The process of 'looking up the issuers certificate' itself
         involves a number of steps. In versions of OpenSSL before
         0.9.5a the first certificate whose subject name matched the
         issuer of the current certificate was assumed to be the
         issuers certificate. In OpenSSL 0.9.6 and later all
         certificates whose subject name matches the issuer name of
         the current certificate are subject to further tests. The
         relevant authority key identifier components of the current
         certificate (if present) must match the subject key
         identifier (if present) and issuer and serial number of the
         candidate issuer, in addition the keyUsage extension of the
         candidate issuer (if present) must permit certificate
         signing.
    
         The lookup first looks in the list of untrusted certificates
         and if no match is found the remaining lookups are from the
         trusted certificates. The root CA is always looked up in the
         trusted certificate list: if the certificate to verify is a
         root certificate then an exact match must be found in the
         trusted list.
    
         The second operation is to check every untrusted
         certificate's extensions for consistency with the supplied
         purpose. If the -purpose option is not included then no
         checks are done. The supplied or "leaf" certificate must
         have extensions compatible with the supplied purpose and all
         other certificates must also be valid CA certificates. The
         precise extensions required are described in more detail in
         the CERTIFICATE EXTENSIONS section of the x509 utility.
    
         The third operation is to check the trust settings on the
         root CA. The root CA should be trusted for the supplied
         purpose. For compatibility with previous versions of SSLeay
         and OpenSSL a certificate with no trust settings is
         considered to be valid for all purposes.
    
         The final operation is to check the validity of the
         certificate chain. The validity period is checked against
         the current system time and the notBefore and notAfter dates
         in the certificate. The certificate signatures are also
         checked at this point.
    
         If all operations complete successfully then certificate is
         considered valid. If any operation fails then the
         certificate is not valid.
    
    
    

    DIAGNOSTICS

         When a verify operation fails the output messages can be
         somewhat cryptic. The general form of the error message is:
    
          server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
          error 24 at 1 depth lookup:invalid CA certificate
    
         The first line contains the name of the certificate being
         verified followed by the subject name of the certificate.
         The second line contains the error number and the depth. The
         depth is number of the certificate being verified when a
         problem was detected starting with zero for the certificate
         being verified itself then 1 for the CA that signed the
         certificate and so on. Finally a text version of the error
         number is presented.
    
         An exhaustive list of the error codes and messages is shown
         below, this also includes the name of the error code as
         defined in the header file x509_vfy.h Some of the error
         codes are defined but never returned: these are described as
         "unused".
    
         0 X509_V_OK: ok
             the operation was successful.
    
    
    

    certificate

         2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer
             the issuer certificate could not be found: this occurs
             if the issuer certificate of an untrusted certificate
             cannot be found.
    
         3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL
             the CRL of a certificate could not be found. Unused.
    
    
    

    certificate's signature

         4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt
             the certificate signature could not be decrypted. This
             means that the actual signature value could not be
             determined rather than it not matching the expected
             value, this is only meaningful for RSA keys.
    
    
    

    CRL's signature

         5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt
             the CRL signature could not be decrypted: this means
             that the actual signature value could not be determined
             rather than it not matching the expected value. Unused.
    
    
    

    issuer public key

         6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode
             the public key in the certificate SubjectPublicKeyInfo
             could not be read.
    
    
    

    failure

         7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature
             the signature of the certificate is invalid.
    
         8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure
             the signature of the certificate is invalid. Unused.
    
         9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid
             the certificate is not yet valid: the notBefore date is
             after the current time.
    
         10 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid
             the CRL is not yet valid. Unused.
    
         11 X509_V_ERR_CERT_HAS_EXPIRED: Certificate has expired
             the certificate has expired: that is the notAfter date
             is before the current time.
    
         12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired
             the CRL has expired. Unused.
    
    
    

    certificate's notBefore field

         13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in
             the certificate notBefore field contains an invalid
             time.
    
    
    
    

    certificate's notAfter field

         14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in
             the certificate notAfter field contains an invalid time.
    
    
    

    CRL's lastUpdate field

         15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in
             the CRL lastUpdate field contains an invalid time.
             Unused.
    
    
    

    CRL's nextUpdate field

         16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in
             the CRL nextUpdate field contains an invalid time.
             Unused.
    
         17 X509_V_ERR_OUT_OF_MEM: out of memory
             an error occurred trying to allocate memory. This should
             never happen.
    
    
    

    certificate

         18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed
             the passed certificate is self signed and the same
             certificate cannot be found in the list of trusted
             certificates.
    
    
    

    in certificate chain

         19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate
             the certificate chain could be built up using the
             untrusted certificates but the root could not be found
             locally.
    
    
    

    local issuer certificate

         20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get
             the issuer certificate of a locally looked up
             certificate could not be found. This normally means the
             list of trusted certificates is not complete.
    
    
    

    the first certificate

         21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify
             no signatures could be verified because the chain
             contains only one certificate and it is not self signed.
    
         22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long
             the certificate chain length is greater than the
             supplied maximum depth. Unused.
    
         23 X509_V_ERR_CERT_REVOKED: certificate revoked
             the certificate has been revoked. Unused.
    
         24 X509_V_ERR_INVALID_CA: invalid CA certificate
             a CA certificate is invalid. Either it is not a CA or
             its extensions are not consistent with the supplied
             purpose.
    
    
    

    exceeded

         25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint
             the basicConstraints pathlength parameter has been
             exceeded.
    
         26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose
             the supplied certificate cannot be used for the
             specified purpose.
    
         27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
             the root CA is not marked as trusted for the specified
             purpose.
    
         28 X509_V_ERR_CERT_REJECTED: certificate rejected
             the root CA is marked to reject the specified purpose.
    
         29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch
             the current candidate issuer certificate was rejected
             because its subject name did not match the issuer name
             of the current certificate. Only displayed when the
             -issuer_checks option is set.
    
    
    

    identifier mismatch

         30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key
             the current candidate issuer certificate was rejected
             because its subject key identifier was present and did
             not match the authority key identifier current
             certificate. Only displayed when the -issuer_checks
             option is set.
    
    
    

    serial number mismatch

         31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer
             the current candidate issuer certificate was rejected
             because its issuer name and serial number was present
             and did not match the authority key identifier of the
             current certificate. Only displayed when the
             -issuer_checks option is set.
    
    
    

    certificate signing

         32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include
             the current candidate issuer certificate was rejected
             because its keyUsage extension does not permit
             certificate signing.
    
    
    

    failure

         50 X509_V_ERR_APPLICATION_VERIFICATION: application verification
             an application specific error. Unused.
    
    
    

    BUGS

         Although the issuer checks are a considerably improvement
         over the old technique they still suffer from limitations in
         the underlying X509_LOOKUP API. One consequence of this is
         that trusted certificates with matching subject name must
         either appear in a file (as specified by the -CAfile option)
         or a directory (as specified by -CApath. If they occur in
         both then only the certificates in the file will be
         recognised.
    
         Previous versions of OpenSSL assume certificates with
         matching subject name are identical and mishandled them.
    
    
    

    SEE ALSO

         x509(1)
    
    
    
    


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру