
Context

I am using mTLS to secure DocuSign webhooks (the DocuSign Connect service). Following the documentation, I was able to establish the mTLS connection successfully and obtain the certificate fingerprint.

The suggested next step is to do access control by validating the certificate fingerprint and possibly the Distinguished Name (DN), but I am confused about what the correct approach should be.

Questions

  • How do we know which client certificate DocuSign will send to our listener in the live environment (theoretically it could be any one of these, and what logic is used to decide which one is sent)? Should we validate which certificate is sent by its DN (e.g. connect.docusign.net)?
  • What information should we validate from the certificate message? The fingerprint, the DN, both, or more?
  • Given the above, assuming different webhook messages can send different client certificates, how can we know all possible fingerprints to validate on the server side? Should we compute the fingerprints of all public Connect certificates to get a full list?
  • What is the best way to handle the expiry of client certificates?

1 Answer


Re:

Q. How do we know which client certificate is going to be sent by DocuSign to our listener in live environment (theoretically can be one of these and which logic is used to determine which one is sent? Should we validate which certification is sent by the DN (e.g. connect.docusign.net)?

A. Best is to validate based on the certificate's fingerprint matching a fingerprint of one of the expected certificates. DocuSign uses different certificates depending on the platform. But there's a limited set of certs used, so it should not be a big deal to check to see if the offered cert matches one of the expected certs.

Q. What information should we validate from the certificate message? The fingerprint, DN, both or more?

A. I'd recommend the fingerprint since it is more specific than the DN. With the DN, you're trusting the CAs to not issue a cert with a DocuSign DN to a bad guy. It should never happen, but it has in the past (not to DocuSign though). See Rogue certificates.

Q. With the above, how can we know all possible fingerprints to validate from server side, assuming different webhooks messages can send different client certificates? Should we compute the fingerprint of all public connect certificates to get a full list?

A. DocuSign uses a limited set of five certificates for webhook notifications, see the list on the trust center in the Connect Certificates section. Checking the incoming certificate against five or ten (see below) fingerprints is not a big deal.

Q. What is the best way to handle expirations of client certificates?

A. When the new certificates are announced, compute their fingerprints and add them to your system.

Then test by switching your DocuSign account to use the new certificates. Once the test succeeds, you can delete the fingerprints of the old certs.

answered 2021-09-05T20:08:38.023
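The fingerprint allowlist the answer recommends, written out as an added example in Go (this is not code from the question, the answer, or DocuSign). It assumes the listener terminates TLS itself and that the fingerprint to match is SHA-256 over the DER certificate, as listed on the trust center; `connect.docusign.net` appears only as the CN of self-signed test certificates minted in the code, and the webhook payload is constructed. The allowlist carries a label per fingerprint so that, during a rotation, the newly announced certificates can sit beside the current ones until the old entries are removed. The `Exercise` function spins up an in-process listener and shows that a client presenting the allowlisted certificate is accepted while an impostor with an identical DN but a different key is rejected, which is the reason the answer prefers the fingerprint over the DN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Allowlist maps a SHA-256 fingerprint of the DER certificate to a label. During a
// rotation, the announced new certificates are added beside the current ones; the
// old entries are deleted once the account has been switched over and tested.
// Assumption: SHA-256 is the digest published on the trust center.
type Allowlist map[[32]byte]string

// Verify is a tls.Config.VerifyPeerCertificate callback: the handshake fails unless
// the leaf certificate's fingerprint is on the allowlist. The DN is not consulted.
func (a Allowlist) Verify(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("no client certificate presented")
	}
	fp := sha256.Sum256(rawCerts[0])
	if _, ok := a[fp]; !ok {
		return fmt.Errorf("client certificate %x not on allowlist", fp[:])
	}
	return nil
}

// ListenerConfig requests any client certificate (the Connect cert need not chain to
// a CA in the system store) and makes the fingerprint check the access control.
// A production listener also sets Certificates to its own server certificate.
func ListenerConfig(allow Allowlist) *tls.Config {
	return &tls.Config{
		ClientAuth:            tls.RequireAnyClientCert,
		VerifyPeerCertificate: allow.Verify,
		MinVersion:            tls.VersionTLS12,
	}
}

// selfSigned mints a throwaway certificate standing in for a Connect certificate
// (constructed test data, not a real DocuSign certificate).
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Exercise runs an in-process listener and reports whether the allowlisted client
// was accepted and whether an impostor with the same DN was rejected.
func Exercise() (bool, bool, error) {
	good, err := selfSigned("connect.docusign.net")
	if err != nil {
		return false, false, err
	}
	impostor, err := selfSigned("connect.docusign.net") // same DN, different key
	if err != nil {
		return false, false, err
	}
	allow := Allowlist{sha256.Sum256(good.Certificate[0]): "connect-current"}

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = ListenerConfig(allow) // httptest supplies the server certificate
	srv.StartTLS()
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	post := func(c tls.Certificate) error { // one webhook delivery using client cert c
		cl := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
			Certificates: []tls.Certificate{c}, RootCAs: pool}}}
		resp, err := cl.Post(srv.URL+"/webhook", "application/json",
			strings.NewReader(`{"event":"envelope-completed"}`)) // constructed payload
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return post(good) == nil, post(impostor) != nil, nil
}

func main() {
	ok, rejected, err := Exercise()
	fmt.Println("allowlisted accepted:", ok, "impostor rejected:", rejected, "err:", err)
}
```

Run it with `go run .`; it prints `allowlisted accepted: true impostor rejected: true err: <nil>`. To rotate, add the new certificate's fingerprint to the `Allowlist` under a new label before switching the DocuSign account over, and delete the old entry after the test delivery succeeds, which is the order of operations the answer describes. If a reverse proxy terminates TLS in front of the listener instead, the same check applies to the client certificate the proxy forwards, with the proxy rather than Go enforcing the handshake.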