Openssl

當中間 CA 妨礙時,根據 CRL 檢查 SSL 證書

  • August 18, 2020

我試圖了解如何檢查 SSL 證書,並在證書鏈如下時考慮任何相關的已發布 CRL:

  • 根 CA(沒有 CRL 分發點)

    • 中間 CA(通告由根 CA 簽名的 CRL 分發點)

      • 網站證書(宣傳由中間 CA 簽署的 CRL DP)

因此,需要檢查兩個 CRL 列表。

碰巧BBC的網站配置如上所示,我們以此為例。我使用的文件在這個問題的末尾。

當我嘗試在不檢查 CRL 的情況下驗證證書時,沒關係:

$ openssl verify -CAfile intermediate_fullchain.pem bbc.pem
bbc.pem: OK

當我嘗試從證書中給出的 CRL URL 檢查 CRL 時,我收到一個錯誤:

$ openssl verify -crl_download -crl_check_all -CAfile intermediate_fullchain.pem bbc.pem
Error loading CRL from http://crl.globalsign.com/gsrsaovsslca2018.crl
C = GB, ST = London, L = London, O = British Broadcasting Corporation, CN = www.bbc.com
error 3 at 0 depth lookup: unable to get certificate CRL
error bbc.pem: verification failed

這對我來說很有意義,因為 crl 文件是 DER 格式,而 openssl 需要 PEM 格式,所以讓我們下載 CRL 並將它們轉換為 PEM。可以使用以下方法找到 CRL URL:

$ openssl x509 -in bbc.pem -text -noout
$ openssl x509 -in intermediate_fullchain.pem -text -noout

然後,我做了:

$ wget -O intermediate_crl.der http://crl.globalsign.com/gsrsaovsslca2018.crl
$ openssl crl -inform DER -in intermediate_crl.der -outform PEM -out intermediate_crl.pem
$ wget -O root_crl.der http://crl.globalsign.com/root-r3.crl
$ openssl crl -inform DER -in root_crl.der -outform PEM -out root_crl.pem

現在,我認為我擁有驗證證書所需的一切:

$ openssl verify -crl_check_all -CRLfile intermediate_crl.pem -CRLfile root_crl.pem -CAfile intermediate_fullchain.pem bbc.pem
OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
error 3 at 2 depth lookup: unable to get certificate CRL
error bbc.pem: verification failed

但不是!驗證仍然失敗。我的問題:

  • 上面命令中的問題到底是什麼?這是否意味著 OpenSSL 期望根 CA 具有 CRL?
  • 根據 CA 鏈中公佈的兩個 CRL 檢查證書的正確方法是什麼?

文件

bbc.pem:網路伺服器證書:

-----BEGIN CERTIFICATE-----
MIIGQTCCBSmgAwIBAgIMcaxXcd68D+KtpOdTMA0GCSqGSIb3DQEBCwUAMFAxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H
bG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODAeFw0yMDA3MjIwNjE2MTJaFw0y
MTA5MDUwOTM2MDRaMHAxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzAN
BgNVBAcTBkxvbmRvbjEpMCcGA1UEChMgQnJpdGlzaCBCcm9hZGNhc3RpbmcgQ29y
cG9yYXRpb24xFDASBgNVBAMTC3d3dy5iYmMuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEArtLH/eDBkXjRKaXAqNlitSr2AX7dcSxnbfVoUf54aw+B
e216fMXbZIDA6GUL4fcX3vOvl3PKZ4N1dy0dKsFUrnDpbhx8pY6kGk3lSbCnkGxl
BF8upikv8zaoYoCIvDa23u+ySrp36X8AObjYUKTWoMol7LZWVG7CpnI7JT0cqhUM
gxv2kBGhVjMkE+m0CUBj0/iLkgLb+3aUIs3d9Q1OwIvRJ/UFepEcYtejzx5M5RSy
llF4O9C8Cmmhpv04uUH8uAT1itIsvgZeYa00Cdy7cP1Hi7K7tsgZKn6uilN7B49N
NmBDusKuVHrP8v0F2lcTkDOmJ+Zw2c0gJ67wALa9iwIDAQABo4IC+TCCAvUwDgYD
VR0PAQH/BAQDAgWgMIGOBggrBgEFBQcBAQSBgTB/MEQGCCsGAQUFBzAChjhodHRw
Oi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc3JzYW92c3NsY2EyMDE4
LmNydDA3BggrBgEFBQcwAYYraHR0cDovL29jc3AuZ2xvYmFsc2lnbi5jb20vZ3Ny
c2FvdnNzbGNhMjAxODBWBgNVHSAETzBNMEEGCSsGAQQBoDIBFDA0MDIGCCsGAQUF
BwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAIBgZn
gQwBAgIwCQYDVR0TBAIwADA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLmds
b2JhbHNpZ24uY29tL2dzcnNhb3Zzc2xjYTIwMTguY3JsMEgGA1UdEQRBMD+CC3d3
dy5iYmMuY29tgg1maWcuYmJjLmNvLnVrggliYmMuY28udWuCDXd3dy5iYmMuY28u
dWuCB2JiYy5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1Ud
IwQYMBaAFPjvf/LNeGeo3m+PJI2I8YcDArPrMB0GA1UdDgQWBBSvGSL6A6GbUeKH
HwdxKEWAudpPEDCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AG9Tdqwx8DEZ2JkA
pFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABc3UqVeQAAAQDAEYwRAIgF7brqFHI/uEo
a+COjDTXQC2V3XozhL8D4mI/IntAF+wCIGf6iKNfKHXWnD0HLYOQCWqkJuoF1yp5
r90GJ8lbjev3AHYAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAFz
dSpV8gAABAMARzBFAiEAwkwvvC397cnYRM8FzZ7XoG1L/c/266q+NO+lbiqYStoC
IE6s0LO8vXbbRF+J7DUOoBILKnsIQeTJM058Gf00Q1fAMA0GCSqGSIb3DQEBCwUA
A4IBAQBKUGAEnhZYx0Tb3k1OUXZ2v+/xdVq90bWTJIV6lk7586Cdd88HOR2MzVtX
eKu3fgfGiNXcu6p2DQXPu64pB3np0s5BrRGzMFdH8XyjHocNOa7IsBJCQWj7Vrro
TD3Y01Lafq2LkHl5VFTHGitMK2Ecsxw/CLiBp/pEBcWeE1mp7KRTraT7UptqdLJC
1CVoLhADvK8Ww8LiOE2ka8UZrMY6qGbjCrgBFnnAypa7gbv46iJFJ8uqPnR7+4dq
amxUCPW1nI7MOzZBjHZ9D3KIp+msmtgaJu7/KSEq2Eimp0PBzolbxiIBvmTJ0G9N
EeXysI6nG1L/j5+RWaQIS+r5xRsj
-----END CERTIFICATE-----

intermediate_fullchain.pem: 中間 CA 證書,帶有指向根 CA 的鏈:

-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgINAe5fIh38YjvUMzqFVzANBgkqhkiG9w0BAQsFADBMMSAw
HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFs
U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xODExMjEwMDAwMDBaFw0yODEx
MjEwMDAwMDBaMFAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52
LXNhMSYwJAYDVQQDEx1HbG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdaydUMGCEAI9WXD+uu3Vxoa2uP
UGATeoHLl+6OimGUSyZ59gSnKvuk2la77qCk8HuKf1UfR5NhDW5xUTolJAgvjOH3
idaSz6+zpz8w7bXfIa7+9UQX/dhj2S/TgVprX9NHsKzyqzskeU8fxy7quRU6fBhM
abO1IFkJXinDY+YuRluqlJBJDrnw9UqhCS98NE3QvADFBlV5Bs6i0BDxSEPouVq1
lVW9MdIbPYa+oewNEtssmSStR8JvA+Z6cLVwzM0nLKWMjsIYPJLJLnNvBhBWk0Cq
o8VS++XFBdZpaFwGue5RieGKDkFNm5KQConpFmvv73W+eka440eKHRwup08CAwEA
AaOCASkwggElMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdDgQWBBT473/yzXhnqN5vjySNiPGHAwKz6zAfBgNVHSMEGDAWgBSP8Et/qC5F
JK5NUPpjmove4t0bvDA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6
Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjMwNgYDVR0fBC8wLTAroCmgJ4Yl
aHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIzLmNybDBHBgNVHSAEQDA+
MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j
b20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAJmQyC1fQorUC2bbmANz
EdSIhlIoU4r7rd/9c446ZwTbw1MUcBQJfMPg+NccmBqixD7b6QDjynCy8SIwIVbb
0615XoFYC20UgDX1b10d65pHBf9ZjQCxQNqQmJYaumxtf4z1s4DfjGRzNpZ5eWl0
6r/4ngGPoJVpjemEuunl1Ig423g7mNA2eymw0lIYkN5SQwCuaifIFJ6GlazhgDEw
fpolu4usBCOmmQDo8dIm7A9+O4orkjgTHY+GzYZSR+Y0fFukAj6KYXwidlNalFMz
hriSqHKvoflShx8xpfywgVcvzfTO3PYkz6fiNJBonf6q8amaEsybwMbDqKWwIX7e
SPY=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETjCCAzagAwIBAgINAe5fFp3/lzUrZGXWajANBgkqhkiG9w0BAQsFADBXMQsw
CQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UECxMH
Um9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTE4MDkxOTAw
MDAwMFoXDTI4MDEyODEyMDAwMFowTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290
IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp
Z24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMJXaQeQZ4Ihb1wIO2
hMoonv0FdhHFrYhy/EYCQ8eyip0EXyTLLkvhYIJG4VKrDIFHcGzdZNHr9SyjD4I9
DCuul9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+JJ5U4nwbXPsnLJlkNc96wyOkm
DoMVxu9bi9IEYMpJpij2aTv2y8gokeWdimFXN6x0FNx04Druci8unPvQu7/1PQDh
BjPogiuuU6Y6FnOM3UEOIDrAtKeh6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTv
riBJ/K1AFUjRAjFhGV64l++td7dkmnq/X8ET75ti+w1s4FRpFqkD2m7pg5NxdsZp
hYIXAgMBAAGjggEiMIIBHjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUj/BLf6guRSSuTVD6Y5qL3uLdG7wwHwYDVR0jBBgwFoAUYHtm
GkUNl8qJUC99BM00qP/8/UswPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFo
dHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjEwMwYDVR0fBCwwKjAooCag
JIYiaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LmNybDBHBgNVHSAEQDA+
MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j
b20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBACNw6c/ivvVZrpRCb8RD
M6rNPzq5ZBfyYgZLSPFAiAYXof6r0V88xjPy847dHx0+zBpgmYILrMf8fpqHKqV9
D6ZX7qw7aoXW3r1AY/itpsiIsBL89kHfDwmXHjjqU5++BfQ+6tOfUBJ2vgmLwgtI
fR4uUfaNU9OrH0Abio7tfftPeVZwXwzTjhuzp3ANNyuXlava4BJrHEDOxcd+7cJi
WOx37XMiwor1hkOIreoTbv3Y/kIvuX1erRjvlJDKPSerJpSZdcfL03v3ykzTr1Eh
kluEfSufFT90y1HonoMOFm8b50bOI7355KKL0jlrqnkckSziYSQtjipIcJDEHsXo
4HA=
-----END CERTIFICATE-----

intermediate_fullchain.pem文件不包含自簽名根。我必須從 GlobalSign下載正確的文件,儘管您的機器可能已經安裝了它,在這種情況下,您只需從上述鏈文件中刪除錯誤的中間文件。

您可以通過以下方式查看您的中間體:

openssl crl2pkcs7 -nocrl -certfile intermediate_chain.pem | openssl pkcs7 -print_certs -noout

這使:

subject=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
issuer=/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign

subject=/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

您需要將鏈中的第二個證書替換為 Root CA 證書,或者如果您的系統安裝了 Root,則將其刪除。正是這個導致openssl verify找不到 CRL 並因此給您錯誤。

您可以使用主題和授權密鑰標識符擴展來確認鏈。證書的授權密鑰標識符 (AKI) 應該是其簽名者 (CA) 的主題密鑰標識符 (SKI)。所以頂級BBC證書的AKI就是中間CAF8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB的SKI。C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018該 CA 證書的 AKI 是上面第一段中連結的根 CA8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC的 SKI 。OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign

但是,為了混淆問題,您文件中的第二個中間證書也有一個 SKI 和 Subject 與上面連結的根相同,但不是自簽名的。該證書的 AKI 是您的信任錨儲存中可能擁有的另一個根 CA 證書的 AKI(我的舊測試系統沒有它,因此它對我來說失敗了)。在不下載連結的根 CA 證書的情況下,您的路徑因此有 4 個證書長(1 個最終實體、2 個中間體和一個根),因此需要三個 CRL——根和一個由每個中間體頒發。

使用正確的連結根,我得到:

openssl verify -crl_check_all -CRLfile all_crl.pem -CAfile intermediate_fullchain.pem bbc.pem
bbc.pem: OK

如果您要找到第三個 CRL,那麼您應該得到相同的結果。

引用自:https://serverfault.com/questions/1030611