Finding out which CA certificate verified the authenticity of a CRL file
Given a certain CRL, for example:
http://crl.verisign.com/pca1.crl
Downloading it, and asking openssl
to verify it and show its contents works like a charm:
wget http://crl.verisign.com/pca1.crl
openssl crl -in ./pca1.crl -inform DER -text
verify OK
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
Last Update: Nov 22 00:00:00 2011 GMT
Next Update: Mar 21 23:59:59 2012 GMT
...
[truncated]
Is there a way to find out which CA certificate validated this CRL's authenticity?
Or is the only way to loop over the certificates in the certificate store, and try them one by one until a match is hit?
Easy way is to check the output of:
which will be something like:
as that will tell you the issuer, i.e., the entity which signed the CRL, not necessarily the entity which issued the certs which were revoked (though usually it is).
You can go a step further and verify this with:
and check that you see a
Or alternatively - if you have a cert store - look for an Issuer with a DN identical to the one you found with the issuer; and then check the signature (comparing the DNs is not good enough - someone could have inserted a fake/self-signed with that DN).
I do not think you can do much better than that as a lot of CAs, including Verisign, do not decorate their CRL with identifiers (you can confirm this with
curl --silent http://crl.verisign.com/pca1.crl | openssl asn1parse -inform DER
). So you are really down to extracting the DN, finding a DN by string comparison on your stash and then checking the signature. And ideally go as far as actually comparing against the part of the DN which is actually signed by the signature; as a nefarious entry could in theory make DNs of which little (e.g. just the country) is signed (and thus allowing last-minute changes/matchings).
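The procedure in this answer (look up the issuer DN, then let a signature check rather than the DN match decide) as an added Python example, not code from the original post. It needs the cryptography package; the issuer DN, keys and certificates it uses are constructed fixtures standing in for the VeriSign data above.

```python
# Added example, not from the original post: find which CA certificate signed a DER
# CRL as the answer describes (match the issuer DN, then verify the signature); a decoy
# with an identical DN shows why DN alone is not enough. Needs the 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Hypothetical issuer DN standing in for the VeriSign DN in the question.
ISSUER_DN = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Trust, Inc."),
    x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Example Primary CA"),
])
NOW = datetime.datetime(2024, 1, 1)

def self_signed_ca(key):
    """Self-signed CA certificate whose subject is ISSUER_DN (constructed fixture)."""
    return (x509.CertificateBuilder().subject_name(ISSUER_DN).issuer_name(ISSUER_DN)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))

def find_crl_signer(crl_der, store):
    """Certificate in `store` that signed the DER-encoded CRL, or None.
    Filter by issuer DN (what 'openssl crl -issuer' shows), then let the
    signature decide (what 'openssl crl -CAfile <cert>' checks)."""
    crl = x509.load_der_x509_crl(crl_der)
    for cert in store:
        if cert.subject == crl.issuer and crl.is_signature_valid(cert.public_key()):
            return cert
    return None

# Constructed store: the real CRL signer plus a decoy carrying the same DN.
REAL_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
DECOY_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
REAL_CA = self_signed_ca(REAL_KEY)
DECOY_CA = self_signed_ca(DECOY_KEY)
STORE = [DECOY_CA, REAL_CA]  # decoy listed first: a DN-only match would pick it

# Empty CRL signed by REAL_KEY, serialized to DER like a downloaded pca1.crl.
CRL_DER = (x509.CertificateRevocationListBuilder().issuer_name(ISSUER_DN)
           .last_update(NOW).next_update(NOW + datetime.timedelta(days=30))
           .sign(REAL_KEY, hashes.SHA256())
           .public_bytes(serialization.Encoding.DER))
if __name__ == "__main__":
    print("signer is the real CA:", find_crl_signer(CRL_DER, STORE) == REAL_CA)
```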