How do I monitor client certs that are being sent via the requests?
All the certs are generated using another self signed CA cert right now. I am doing a POC for a project.
It's imperative for me to figure out a way to get information about the client certs that are received through the client requests. How do I do this?
Edit: More specifically, I want to check if two client certs coming from two different incoming web requests are similar or not.
How do I monitor client certs that are being sent via the requests?
Client certificates are used to establish the SSL/TLS connection. HTTPS requests occur at a higher level, and have nothing to do with the lower level SSL/TLS channel.
With that said, there's probably a token or cookie available that binds the user's identity from the client certificate with the HTTP requests.
It's imperative for me to figure out a way to get information about the client certs that are received through the client requests. How do I do this?
You did not say what you have, and what information you wanted. You probably need to be more specific.
I want to check if two client certs coming from two different incoming web requests are similar or not
You need to define "similar" in this context. It can be tricky.
Naively, you can use {Subject's Distinguished Name} or {Subject's Distinguished Name, Public Key} to see if two are "equal". But I'm not sure how to distinguish between "similar" (perhaps the same Issuer?).
Beware of using just {Subject's Distinguished Name}. That's the latest Android APK signing bug: Android Fake ID Vulnerability Lets Malware Impersonate Trusted Applications.
An X509 certificate binds a public key to an entity. So a certificate is "unique" based on (1) the subject, (2) the public key and (3) the issuer (who applies a signature over (1) and (2)).
The entity is presented in the Subject. For example, a server or a user. The server is identified through, among others, its DNS name; while the user is identified, among others, by their email address. You can get the subject name through the Subject's Distinguished Name.
You can get the subject's public key from the certificate. A public key will always be available just like a subject will always be available. The trusted authority binds the two, and won't sign the request if either are missing.
The Issuer signed the subject's certificate. It's a trusted authority and often a public CA. You can get the issuer's name from the Issuer Distinguished Name.
If needed, you can get a digest of the issuer's public key from the Authority Key Identifier (AKI). To get the actual public key, you need to inspect the issuer's certificate.
When you verify a signature on the subject's certificate, you need the issuer's certificate. You need it because you need the public key from the issuer to verify the certificate on the subject's certificate.
You can read about Distinguished Names (and the Relative Distinguished Names (RDNs) that make them up) in RFC 4514, Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names.
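An added example, not part of the original answer, that turns the three fields the answer lists (subject DN, subject public key, issuer) into a concrete comparison. It uses only Go's standard library: a throwaway CA and several client certificates are generated in memory as constructed test data, so it runs offline. The names (`Compare`, `IssuedBy`, `NewCA`, `ClientCert`, the "alice"/"bob"/"POC Root CA" subjects) are this example's own, not anything from the question. In a real Go TLS server the certificates a client presented are available to the handler as `r.TLS.PeerCertificates`; that is where the two `*x509.Certificate` values would come from instead of the generator below. It also shows the point behind the Fake ID warning: a second self-signed CA with the same issuer DN produces a certificate whose issuer name matches but whose signature and AKI do not, so the issuer DN string is never enough on its own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Relation says how two client certificates relate on the three fields the
// answer names: subject DN, subject public key, and issuer.
type Relation string

const (
	SameCertificate    Relation = "same certificate (identical DER)"
	SameSubjectSameKey Relation = "same subject and key, re-issued (e.g. renewal)"
	SameSubjectNewKey  Relation = "same subject DN but a different key"
	SameKeyNewSubject  Relation = "same key presented under a different subject"
	DifferentIssuer    Relation = "issued under a different issuer DN"
	Unrelated          Relation = "unrelated"
)

// spkiHash hashes the DER SubjectPublicKeyInfo: it identifies the key itself,
// independent of whose name the certificate carries.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Compare classifies a pair. Names are compared as raw DER rather than as the
// printed string, so two DNs that merely print alike are not conflated.
func Compare(a, b *x509.Certificate) Relation {
	sameSubject := bytes.Equal(a.RawSubject, b.RawSubject)
	sameKey := spkiHash(a) == spkiHash(b)
	switch {
	case bytes.Equal(a.Raw, b.Raw):
		return SameCertificate
	case !bytes.Equal(a.RawIssuer, b.RawIssuer):
		return DifferentIssuer
	case sameSubject && sameKey:
		return SameSubjectSameKey
	case sameSubject:
		return SameSubjectNewKey
	case sameKey:
		return SameKeyNewSubject
	}
	return Unrelated
}

// IssuedBy is the check the issuer DN alone cannot give you: the AKI must match
// the CA's SKI and the signature must verify under the CA's public key.
func IssuedBy(c, ca *x509.Certificate) bool {
	return bytes.Equal(c.AuthorityKeyId, ca.SubjectKeyId) && c.CheckSignatureFrom(ca) == nil
}

// ---- constructed test data: throwaway CA and client certs, all in memory ----

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func sign(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewCA makes a self-signed CA; Go fills in its SubjectKeyId automatically.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// ClientCert issues a client-auth certificate for cn carrying the given key;
// the AKI is filled in from the CA's SKI by x509.CreateCertificate.
func ClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"POC"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

func main() {
	ca, caKey := NewCA("POC Root CA")
	alice := newKey()
	a1 := ClientCert(ca, caKey, 10, "alice", alice)
	a2 := ClientCert(ca, caKey, 11, "alice", alice)    // renewal: same subject, same key
	a3 := ClientCert(ca, caKey, 12, "alice", newKey()) // same name, new key
	bob := ClientCert(ca, caKey, 13, "bob", newKey())
	// A second self-signed CA with the same CN: the issuer DN matches, the signature does not.
	rogue, rogueKey := NewCA("POC Root CA")
	mallory := ClientCert(rogue, rogueKey, 99, "alice", newKey())

	for _, p := range []struct {
		name string
		c    *x509.Certificate
	}{{"a2", a2}, {"a3", a3}, {"bob", bob}, {"mallory", mallory}} {
		fmt.Printf("a1 vs %-7s: %-48s issued by our CA: %v\n", p.name, Compare(a1, p.c), IssuedBy(p.c, ca))
	}
}
```

`Compare` answers the "are they similar" question on the fields the answer lists; `IssuedBy` is the step from the last paragraphs, verifying the signature with the issuer's certificate, and it is what separates a genuine re-issue for "alice" from the rogue CA's certificate, which `Compare` alone cannot tell apart.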