So I am trying to validate the requests coming to the Alexa Skill I am developing by hand, but I cannot get the "verify that all certificates in the chain combine to create a chain of trust to a trusted root CA certificate" step to work, as described in step 3.c of the documentation.
Handling these certificates is completely new territory for me, and since I had already built the skill without the ask-sdk that Amazon recommends, I figured that implementing the validation manually would be faster than adapting my skill to use the SDK. But now I am stuck and need help.
I do not really understand how the caStore works and think I may be initialising it incorrectly. I tried using the Amazon signing certificate supplied with the skill request and the two root certificates (URLs in the code), without success.
Here is the code:
```javascript
const rp = require('request-promise')
const pki = require('node-forge').pki

const AlexaSkill = {
  validate: async (request) => {
    if (request.headers) {
      const signature = request.headers.signature
      const signatureCertChainUrl = request.headers.signaturecertchainurl
      if (signature && signatureCertChainUrl) {
        // Normalise the certificate chain URL before checking it against the
        // allowed https://s3.amazonaws.com/echo.api/ prefix
        let urlPieces = signatureCertChainUrl.replace('../', '').split('echo.api/')
        if (urlPieces.length > 1) {
          const normalizedUrl = `${urlPieces[0]}echo.api/${urlPieces[urlPieces.length - 1]}`
          if (normalizedUrl.startsWith('https://s3.amazonaws.com:443/echo.api/') || normalizedUrl.startsWith('https://s3.amazonaws.com/echo.api/')) {
            // Download the PEM bundle; its first certificate is Amazon's signing certificate
            const pem = await rp(signatureCertChainUrl)
            const amazonSigningPem = pem.substring(0, pem.indexOf('END CERTIFICATE-----\n') + 21)
            const amazonSigningCert = pki.certificateFromPem(amazonSigningPem)
            // Amazon root certificates, fetched from amazontrust.com
            const pem1 = await rp('https://www.amazontrust.com/repository/AmazonRootCA1.pem')
            const amazonRootCert1 = pki.certificateFromPem(pem1)
            const pem2 = await rp('https://www.amazontrust.com/repository/AmazonRootCA2.pem')
            const amazonRootCert2 = pki.certificateFromPem(pem2)
            // const pem3 = await rp('https://www.amazontrust.com/repository/AmazonRootCA3.pem')
            // const amazonRootCert3 = pki.certificateFromPem(pem3)
            // const pem4 = await rp('https://www.amazontrust.com/repository/AmazonRootCA4.pem')
            // const amazonRootCert4 = pki.certificateFromPem(pem4)
            // One CA store per candidate trust anchor (signing cert, root CA 1, root CA 2)
            const caStore = pki.createCaStore([ amazonSigningCert ])
            const caStore1 = pki.createCaStore([ amazonRootCert1 ])
            const caStore2 = pki.createCaStore([ amazonRootCert2 ])
            // const caStore3 = pki.createCaStore([ amazonRootCert3 ])
            // const caStore4 = pki.createCaStore([ amazonRootCert4 ])
            // The remaining certificates of the bundle (everything after the signing cert), parsed one by one
            const certChain = pem.substring(pem.indexOf('END CERTIFICATE-----\n') + 21)
              .split('-----END CERTIFICATE-----\n')
              .filter(cert => cert.length > 0)
              .map(cert => pki.certificateFromPem(`${cert}-----END CERTIFICATE-----\n`))
            // Try to verify that remaining chain against each store in turn
            try {
              const v = pki.verifyCertificateChain(caStore, certChain)
              console.log('Passed!', v)
            } catch (e) {
              console.log('Error!', JSON.stringify(e))
            }
            try {
              const v1 = pki.verifyCertificateChain(caStore1, certChain)
              console.log('Passed!', v1)
            } catch (e) {
              console.log('Error!', JSON.stringify(e))
            }
            try {
              const v2 = pki.verifyCertificateChain(caStore2, certChain)
              console.log('Passed!', v2)
            } catch (e) {
              console.log('Error!', JSON.stringify(e))
            }
          }
        }
      }
    }
    return false
  }
}
```
And the output:
```
Error! {"message":"Certificate is not trusted.","error":"forge.pki.UnknownCertificateAuthority"}
Error! {"message":"Certificate is not trusted.","error":"forge.pki.UnknownCertificateAuthority"}
Error! {"message":"Certificate is not trusted.","error":"forge.pki.UnknownCertificateAuthority"}
```
Thanks in advance.
Best answer
Regarding "javascript - How to verify that all certificates in the chain combine to create a chain of trust to a trusted root CA certificate?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59099872/