当前位置: 文江博客话题详情

签名工具吊销问题?

发布于 2024-10-25 21:33:00 字数 260 浏览 4 评论 0原文

我有两个二进制文件,其中一个是在第一个二进制文件约 4 天后构建的,并使用相同的证书(相同的序列号,由 Thawte 颁发)进行签名,但是,当我检查证书时,其中一个出现错误消息 吊销状态:吊销功能无法检查吊销,因为吊销服务器离线。,第二个效果很好。是否有可能吊销服务器在签名时处于离线状态,从而导致此问题?我不确定是否还有其他方法可以让一个证书拥有不同的吊销服务器。

我可能想到的另一个想法是,第二个证书是在证书到期前几天(<一个月)签署的。可能是这样吗?

原文

I've got two binaries, one builded ~4 days after first, and signed with the same certificate (same Serial number, issued by Thawte), but, when I'm checking the certificate, on one there is error message Revocation Status : The revocation function was unable to check revocation because the revocation server was offline.
, the second works well. Is it possible, that the revocation server was offline at the time of signing, and that causes this problem? I'm not sure if there is other way how one certificate could have different revocation servers.

Another think I may think of is, that the second one was signed few days (< month) before certificate's expiration. Could this be the case?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

未央 2024-11-01 21:33:00

证书是什么格式的?如果您可以输入合适的格式,则可以使用“openssl”命令行unix工具来调查证书。 Openssl 也适用于 Windows。

这是一个示例运行:

openssl x509 -in usertrust.pem -inform PEM -noout -text

这是输出:

Version: 3 (0x2)
Serial Number:
    07:74:8d:73:00:00:00:00:00:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network
Validity
    Not Before: Apr  5 18:35:06 2005 GMT
    Not After : Mar  6 03:22:04 2007 GMT
Subject:C=US, ST=UT, L=Salt Lake City, O=USERTRUST, CN=www.usertrust.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):
        00:d7:21:6d:f8:58:e7:ed:52:5a:3e:fe:e5:bf:92:
        32:41:38:f1:ee:61:6f:da:6c:83:39:c8:b4:b1:fd:
        77:4a:35:a8:e8:3f:0b:bf:ff:2d:0b:b5:ed:56:80:
        d7:ca:89:c3:63:8b:a5:06:ed:b0:22:82:8d:a1:c6:
        ed:c8:d4:06:8d:be:d1:69:83:31:a7:13:2b:17:27:
        72:a4:85:97:55:fc:f7:ca:eb:c9:af:be:19:78:67:
        35:d1:7f:af:2d:3c:d3:86:c4:1e:fd:02:e4:ab:10:
        ea:d1:bb:63:19:fb:9a:61:ed:30:7e:88:0e:1a:1e:
        a7:a6:d5:8d:02:20:af:be:b0:0e:f5:30:44:e0:d5:
            b9:ab:b1:76:65:94:03:fc:c8:55:80:6d:a8:fa:b1:
        94:38:be:e2:78:45:8d:b5:7e:cf:e7:de:a1:09:46:
        a3:8b:ab:76:50:85:50:5d:58:91:78:21:a3:a2:dd:
        1d:c3:dc:0b:18:9d:fc:84:b2:17:f8:a7:48:e5:aa:
        c1:d3:43:83:49:ea:35:5f:e1:28:6c:33:a9:2f:ac:
        62:22:1d:6f:44:94:bb:09:be:7d:fd:c5:e4:fc:ff:
        92:4c:63:97:56:53:fe:77:5c:53:5b:ae:ab:7d:8b:
        af:74:ac:ea:30:80:b1:6e:08:57:85:01:7d:b4:3d:
        26:65
    Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
    X509v3 Extended Key Usage: 
        TLS Web Server Authentication
    X509v3 Subject Key Identifier: 
        A0:3C:DC:84:FF:51:06:AC:C6:CB:21:EB:CB:05:07:D7:10:C2:68:E6
    X509v3 Authority Key Identifier: 
        keyid:75:01:28:97:C6:46:1B:34:6E:E8:A0:91:15:71:92:79:EE:B7:03:CE
        serial:15:6C:27:1A:54:FE:B3:82:BE:AF:54:FE:F4:A2:8B    
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 CRL Distribution Points: 
        URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
        URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl
    X509v3 Certificate Policies: 
        Policy: 1.2.840.114015.1.1
          CPS: http://www.usertrust.com/CPS
          User Notice: Explicit Text: ...

Signature Algorithm: sha1WithRSAEncryption
    cf:66:95:18:8b:a3:73:e7:04:a8:fa:16:f3:62:60:4a:26:f1:
    b5:37:b3:cd:7a:d4:9d:63:3f:a1:ee:52:30:29:9e:7a:b2:e7:
    ba:a0:f9:bf:4f:95:63:63:bb:a9:cf:c5:b9:18:bd:6a:e5:82:
    cd:3a:bf:37:ea:9c:57:bc:d8:20:d8:be:1a:8c:f5:00:9e:ad:
    c4:66:d3:60:92:dd:22:66:61:88:49:0c:05:72:05:03:9d:82:
    78:2f:9e:9c:f3:8b:d7:96:b7:8b:4b:6c:40:0f:7a:cb:f9:77:
    88:13:f7:74:f0:e7:31:2e:94:81:b9:d4:0a:7c:d1:1d:f3:8b:
    4c:e7:ae:21:12:40:f9:6a:1f:7d:a8:96:dc:90:11:6a:44:d7:
    fc:f5:98:a3:5b:bc:4f:51:ab:db:84:64:ad:69:e6:82:bd:d9:
    65:7a:44:43:65:8b:69:a7:01:8c:94:0d:4b:c3:be:29:ef:81:
    a9:80:0c:33:46:d7:37:be:4c:9a:e0:bb:3f:15:9e:dd:ef:f4:
    7f:70:e9:0b:5f:e3:18:a7:a4:80:8b:e1:ac:1c:46:33:e7:90:
    02:11:43:61:15:4e:97:ea:c2:24:84:58:31:a8:37:b4:84:bf:
    c0:70:a0:95:f9:64:c9:d2:94:86:5c:21:5d:51:b3:c6:b0:f4:
    02:cb:77:24

特别要注意这些:

X509v3 CRL Distribution Points: 
    URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
    URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl

这些是 CRL(针对此特定证书),您可以使用常规浏览器访问它们以查看问题所在!注意:某些证书使用 OCSP 进行吊销,因此请在输出中查找 OCSP 和 CRL。

What format is the certificate in? If you can get into a suitable format, you can use the "openssl" command line unix tool to investigate the certificate. Openssl works on windows, too.

Here's a sample run:

openssl x509 -in usertrust.pem -inform PEM -noout -text

And here's the output:

Version: 3 (0x2)
Serial Number:
    07:74:8d:73:00:00:00:00:00:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network
Validity
    Not Before: Apr  5 18:35:06 2005 GMT
    Not After : Mar  6 03:22:04 2007 GMT
Subject:C=US, ST=UT, L=Salt Lake City, O=USERTRUST, CN=www.usertrust.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):
        00:d7:21:6d:f8:58:e7:ed:52:5a:3e:fe:e5:bf:92:
        32:41:38:f1:ee:61:6f:da:6c:83:39:c8:b4:b1:fd:
        77:4a:35:a8:e8:3f:0b:bf:ff:2d:0b:b5:ed:56:80:
        d7:ca:89:c3:63:8b:a5:06:ed:b0:22:82:8d:a1:c6:
        ed:c8:d4:06:8d:be:d1:69:83:31:a7:13:2b:17:27:
        72:a4:85:97:55:fc:f7:ca:eb:c9:af:be:19:78:67:
        35:d1:7f:af:2d:3c:d3:86:c4:1e:fd:02:e4:ab:10:
        ea:d1:bb:63:19:fb:9a:61:ed:30:7e:88:0e:1a:1e:
        a7:a6:d5:8d:02:20:af:be:b0:0e:f5:30:44:e0:d5:
            b9:ab:b1:76:65:94:03:fc:c8:55:80:6d:a8:fa:b1:
        94:38:be:e2:78:45:8d:b5:7e:cf:e7:de:a1:09:46:
        a3:8b:ab:76:50:85:50:5d:58:91:78:21:a3:a2:dd:
        1d:c3:dc:0b:18:9d:fc:84:b2:17:f8:a7:48:e5:aa:
        c1:d3:43:83:49:ea:35:5f:e1:28:6c:33:a9:2f:ac:
        62:22:1d:6f:44:94:bb:09:be:7d:fd:c5:e4:fc:ff:
        92:4c:63:97:56:53:fe:77:5c:53:5b:ae:ab:7d:8b:
        af:74:ac:ea:30:80:b1:6e:08:57:85:01:7d:b4:3d:
        26:65
    Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 Key Usage: 
        Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
    X509v3 Extended Key Usage: 
        TLS Web Server Authentication
    X509v3 Subject Key Identifier: 
        A0:3C:DC:84:FF:51:06:AC:C6:CB:21:EB:CB:05:07:D7:10:C2:68:E6
    X509v3 Authority Key Identifier: 
        keyid:75:01:28:97:C6:46:1B:34:6E:E8:A0:91:15:71:92:79:EE:B7:03:CE
        serial:15:6C:27:1A:54:FE:B3:82:BE:AF:54:FE:F4:A2:8B    
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 CRL Distribution Points: 
        URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
        URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl
    X509v3 Certificate Policies: 
        Policy: 1.2.840.114015.1.1
          CPS: http://www.usertrust.com/CPS
          User Notice: Explicit Text: ...

Signature Algorithm: sha1WithRSAEncryption
    cf:66:95:18:8b:a3:73:e7:04:a8:fa:16:f3:62:60:4a:26:f1:
    b5:37:b3:cd:7a:d4:9d:63:3f:a1:ee:52:30:29:9e:7a:b2:e7:
    ba:a0:f9:bf:4f:95:63:63:bb:a9:cf:c5:b9:18:bd:6a:e5:82:
    cd:3a:bf:37:ea:9c:57:bc:d8:20:d8:be:1a:8c:f5:00:9e:ad:
    c4:66:d3:60:92:dd:22:66:61:88:49:0c:05:72:05:03:9d:82:
    78:2f:9e:9c:f3:8b:d7:96:b7:8b:4b:6c:40:0f:7a:cb:f9:77:
    88:13:f7:74:f0:e7:31:2e:94:81:b9:d4:0a:7c:d1:1d:f3:8b:
    4c:e7:ae:21:12:40:f9:6a:1f:7d:a8:96:dc:90:11:6a:44:d7:
    fc:f5:98:a3:5b:bc:4f:51:ab:db:84:64:ad:69:e6:82:bd:d9:
    65:7a:44:43:65:8b:69:a7:01:8c:94:0d:4b:c3:be:29:ef:81:
    a9:80:0c:33:46:d7:37:be:4c:9a:e0:bb:3f:15:9e:dd:ef:f4:
    7f:70:e9:0b:5f:e3:18:a7:a4:80:8b:e1:ac:1c:46:33:e7:90:
    02:11:43:61:15:4e:97:ea:c2:24:84:58:31:a8:37:b4:84:bf:
    c0:70:a0:95:f9:64:c9:d2:94:86:5c:21:5d:51:b3:c6:b0:f4:
    02:cb:77:24

In particular, notice these:

X509v3 CRL Distribution Points: 
    URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
    URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl

Those are the CRL's (for this particular certificate), and you can visit them with a regular browser to see what the problem is! Note: some certificates use OCSP for revocation instead, so look for OCSP and CRL in the output.

回复 原文
白鸥掠海 2024-11-01 21:33:00

首先,您应该在此处查看有关如何验证签名二进制文件的 MSDN 文档。错误响应将提供更多信息。

这个博主有一个解决方法,如果您如果您自己的密钥的撤销服务器出现问题,您将知道它是否已被撤销:)。此外,由于该密钥现在已过期,因此配置此设置可能不是什么大问题。

如果您发布详细的错误代码,我可以再看一下,但这现在应该对您有用。

First off you should check the MSDN documentation about how to validate signed binaries here. The error responce will be much more informative.

This blogger has a workaround, and if your having issues with the revokation server for your own keys, you will know if it's been revoked :). Also, as this key is expired now it may not be a big deal to configure this setting.

If you post the detailed error codes I can look at it a bit more but this should work for you for now.

回复 原文
面如桃花 2024-11-01 21:33:00

证书签名不依赖于证书吊销检查,仅依赖于验证。这听起来像是您在验证证书时出现了临时网络故障。这个问题可以重复吗?

Certificate signing is not dependent on checking for certificate revocation, only verification is. This sounds like there was a temporary network glitch when you were verifying the certificates. Is this problem repeatable?

回复 原文
~没有更多了~

关于作者

无声情话

暂无简介

文章
评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

梦里南柯

文章 0 评论 0

不将就、

文章 0 评论 0

alipaysp_ZRaVhH1Dn

文章 0 评论 0

青衫儰鉨ミ守葔

文章 0 评论 0

故事未完

文章 0 评论 0

梦晓ヶ微光ヅ倾城

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文