當中間 CA 妨礙時,根據 CRL 檢查 SSL 證書
我試圖了解如何檢查 SSL 證書,並在證書鏈如下時考慮任何相關的已發布 CRL:
根 CA(沒有 CRL 分發點)
中間 CA(通告由根 CA 簽名的 CRL 分發點)
- 網站證書(宣傳由中間 CA 簽署的 CRL DP)
因此,需要檢查兩個 CRL 列表。
碰巧BBC的網站配置如上所示,我們以此為例。我使用的文件在這個問題的末尾。
當我嘗試在不檢查 CRL 的情況下驗證證書時,沒關係:
$ openssl verify -CAfile intermediate_fullchain.pem bbc.pem bbc.pem: OK
當我嘗試從證書中給出的 CRL URL 檢查 CRL 時,我收到一個錯誤:
$ openssl verify -crl_download -crl_check_all -CAfile intermediate_fullchain.pem bbc.pem Error loading CRL from http://crl.globalsign.com/gsrsaovsslca2018.crl C = GB, ST = London, L = London, O = British Broadcasting Corporation, CN = www.bbc.com error 3 at 0 depth lookup: unable to get certificate CRL error bbc.pem: verification failed
這對我來說很有意義,因為 crl 文件是 DER 格式,而 openssl 需要 PEM 格式,所以讓我們下載 CRL 並將它們轉換為 PEM。可以使用以下方法找到 CRL URL:
$ openssl x509 -in bbc.pem -text -noout $ openssl x509 -in intermediate_fullchain.pem -text -noout
然後,我做了:
$ wget -O intermediate_crl.der http://crl.globalsign.com/gsrsaovsslca2018.crl $ openssl crl -inform DER -in intermediate_crl.der -outform PEM -out intermediate_crl.pem $ wget -O root_crl.der http://crl.globalsign.com/root-r3.crl $ openssl crl -inform DER -in root_crl.der -outform PEM -out root_crl.pem
現在,我認為我擁有驗證證書所需的一切:
$ openssl verify -crl_check_all -CRLfile intermediate_crl.pem -CRLfile root_crl.pem -CAfile intermediate_fullchain.pem bbc.pem OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign error 3 at 2 depth lookup: unable to get certificate CRL error bbc.pem: verification failed
但不是!驗證仍然失敗。我的問題:
- 上面命令中的問題到底是什麼?這是否意味著 OpenSSL 期望根 CA 具有 CRL?
- 根據 CA 鏈中公佈的兩個 CRL 檢查證書的正確方法是什麼?
文件
bbc.pem
:網路伺服器證書:-----BEGIN CERTIFICATE----- MIIGQTCCBSmgAwIBAgIMcaxXcd68D+KtpOdTMA0GCSqGSIb3DQEBCwUAMFAxCzAJ BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSYwJAYDVQQDEx1H bG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODAeFw0yMDA3MjIwNjE2MTJaFw0y MTA5MDUwOTM2MDRaMHAxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzAN BgNVBAcTBkxvbmRvbjEpMCcGA1UEChMgQnJpdGlzaCBCcm9hZGNhc3RpbmcgQ29y cG9yYXRpb24xFDASBgNVBAMTC3d3dy5iYmMuY29tMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEArtLH/eDBkXjRKaXAqNlitSr2AX7dcSxnbfVoUf54aw+B e216fMXbZIDA6GUL4fcX3vOvl3PKZ4N1dy0dKsFUrnDpbhx8pY6kGk3lSbCnkGxl BF8upikv8zaoYoCIvDa23u+ySrp36X8AObjYUKTWoMol7LZWVG7CpnI7JT0cqhUM gxv2kBGhVjMkE+m0CUBj0/iLkgLb+3aUIs3d9Q1OwIvRJ/UFepEcYtejzx5M5RSy llF4O9C8Cmmhpv04uUH8uAT1itIsvgZeYa00Cdy7cP1Hi7K7tsgZKn6uilN7B49N NmBDusKuVHrP8v0F2lcTkDOmJ+Zw2c0gJ67wALa9iwIDAQABo4IC+TCCAvUwDgYD VR0PAQH/BAQDAgWgMIGOBggrBgEFBQcBAQSBgTB/MEQGCCsGAQUFBzAChjhodHRw Oi8vc2VjdXJlLmdsb2JhbHNpZ24uY29tL2NhY2VydC9nc3JzYW92c3NsY2EyMDE4 LmNydDA3BggrBgEFBQcwAYYraHR0cDovL29jc3AuZ2xvYmFsc2lnbi5jb20vZ3Ny c2FvdnNzbGNhMjAxODBWBgNVHSAETzBNMEEGCSsGAQQBoDIBFDA0MDIGCCsGAQUF BwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAIBgZn gQwBAgIwCQYDVR0TBAIwADA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3JsLmds b2JhbHNpZ24uY29tL2dzcnNhb3Zzc2xjYTIwMTguY3JsMEgGA1UdEQRBMD+CC3d3 dy5iYmMuY29tgg1maWcuYmJjLmNvLnVrggliYmMuY28udWuCDXd3dy5iYmMuY28u dWuCB2JiYy5jb20wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1Ud IwQYMBaAFPjvf/LNeGeo3m+PJI2I8YcDArPrMB0GA1UdDgQWBBSvGSL6A6GbUeKH HwdxKEWAudpPEDCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AG9Tdqwx8DEZ2JkA pFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABc3UqVeQAAAQDAEYwRAIgF7brqFHI/uEo a+COjDTXQC2V3XozhL8D4mI/IntAF+wCIGf6iKNfKHXWnD0HLYOQCWqkJuoF1yp5 r90GJ8lbjev3AHYAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAFz dSpV8gAABAMARzBFAiEAwkwvvC397cnYRM8FzZ7XoG1L/c/266q+NO+lbiqYStoC IE6s0LO8vXbbRF+J7DUOoBILKnsIQeTJM058Gf00Q1fAMA0GCSqGSIb3DQEBCwUA A4IBAQBKUGAEnhZYx0Tb3k1OUXZ2v+/xdVq90bWTJIV6lk7586Cdd88HOR2MzVtX eKu3fgfGiNXcu6p2DQXPu64pB3np0s5BrRGzMFdH8XyjHocNOa7IsBJCQWj7Vrro TD3Y01Lafq2LkHl5VFTHGitMK2Ecsxw/CLiBp/pEBcWeE1mp7KRTraT7UptqdLJC 1CVoLhADvK8Ww8LiOE2ka8UZrMY6qGbjCrgBFnnAypa7gbv46iJFJ8uqPnR7+4dq amxUCPW1nI7MOzZBjHZ9D3KIp+msmtgaJu7/KSEq2Eimp0PBzolbxiIBvmTJ0G9N EeXysI6nG1L/j5+RWaQIS+r5xRsj -----END CERTIFICATE-----
intermediate_fullchain.pem
: 中間 CA 證書,帶有指向根 CA 的鏈:-----BEGIN CERTIFICATE----- MIIETjCCAzagAwIBAgINAe5fIh38YjvUMzqFVzANBgkqhkiG9w0BAQsFADBMMSAw HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFs U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xODExMjEwMDAwMDBaFw0yODEx MjEwMDAwMDBaMFAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52 LXNhMSYwJAYDVQQDEx1HbG9iYWxTaWduIFJTQSBPViBTU0wgQ0EgMjAxODCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKdaydUMGCEAI9WXD+uu3Vxoa2uP UGATeoHLl+6OimGUSyZ59gSnKvuk2la77qCk8HuKf1UfR5NhDW5xUTolJAgvjOH3 idaSz6+zpz8w7bXfIa7+9UQX/dhj2S/TgVprX9NHsKzyqzskeU8fxy7quRU6fBhM abO1IFkJXinDY+YuRluqlJBJDrnw9UqhCS98NE3QvADFBlV5Bs6i0BDxSEPouVq1 lVW9MdIbPYa+oewNEtssmSStR8JvA+Z6cLVwzM0nLKWMjsIYPJLJLnNvBhBWk0Cq o8VS++XFBdZpaFwGue5RieGKDkFNm5KQConpFmvv73W+eka440eKHRwup08CAwEA AaOCASkwggElMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G A1UdDgQWBBT473/yzXhnqN5vjySNiPGHAwKz6zAfBgNVHSMEGDAWgBSP8Et/qC5F JK5NUPpjmove4t0bvDA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6 Ly9vY3NwMi5nbG9iYWxzaWduLmNvbS9yb290cjMwNgYDVR0fBC8wLTAroCmgJ4Yl aHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIzLmNybDBHBgNVHSAEQDA+ MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j b20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAJmQyC1fQorUC2bbmANz EdSIhlIoU4r7rd/9c446ZwTbw1MUcBQJfMPg+NccmBqixD7b6QDjynCy8SIwIVbb 0615XoFYC20UgDX1b10d65pHBf9ZjQCxQNqQmJYaumxtf4z1s4DfjGRzNpZ5eWl0 6r/4ngGPoJVpjemEuunl1Ig423g7mNA2eymw0lIYkN5SQwCuaifIFJ6GlazhgDEw fpolu4usBCOmmQDo8dIm7A9+O4orkjgTHY+GzYZSR+Y0fFukAj6KYXwidlNalFMz hriSqHKvoflShx8xpfywgVcvzfTO3PYkz6fiNJBonf6q8amaEsybwMbDqKWwIX7e SPY= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIETjCCAzagAwIBAgINAe5fFp3/lzUrZGXWajANBgkqhkiG9w0BAQsFADBXMQsw CQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UECxMH Um9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTE4MDkxOTAw MDAwMFoXDTI4MDEyODEyMDAwMFowTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290 IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp Z24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMJXaQeQZ4Ihb1wIO2 hMoonv0FdhHFrYhy/EYCQ8eyip0EXyTLLkvhYIJG4VKrDIFHcGzdZNHr9SyjD4I9 DCuul9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+JJ5U4nwbXPsnLJlkNc96wyOkm DoMVxu9bi9IEYMpJpij2aTv2y8gokeWdimFXN6x0FNx04Druci8unPvQu7/1PQDh BjPogiuuU6Y6FnOM3UEOIDrAtKeh6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTv riBJ/K1AFUjRAjFhGV64l++td7dkmnq/X8ET75ti+w1s4FRpFqkD2m7pg5NxdsZp hYIXAgMBAAGjggEiMIIBHjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB /zAdBgNVHQ4EFgQUj/BLf6guRSSuTVD6Y5qL3uLdG7wwHwYDVR0jBBgwFoAUYHtm GkUNl8qJUC99BM00qP/8/UswPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFo dHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290cjEwMwYDVR0fBCwwKjAooCag JIYiaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LmNybDBHBgNVHSAEQDA+ MDwGBFUdIAAwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5j b20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBACNw6c/ivvVZrpRCb8RD M6rNPzq5ZBfyYgZLSPFAiAYXof6r0V88xjPy847dHx0+zBpgmYILrMf8fpqHKqV9 D6ZX7qw7aoXW3r1AY/itpsiIsBL89kHfDwmXHjjqU5++BfQ+6tOfUBJ2vgmLwgtI fR4uUfaNU9OrH0Abio7tfftPeVZwXwzTjhuzp3ANNyuXlava4BJrHEDOxcd+7cJi WOx37XMiwor1hkOIreoTbv3Y/kIvuX1erRjvlJDKPSerJpSZdcfL03v3ykzTr1Eh kluEfSufFT90y1HonoMOFm8b50bOI7355KKL0jlrqnkckSziYSQtjipIcJDEHsXo 4HA= -----END CERTIFICATE-----
該
intermediate_fullchain.pem
文件不包含自簽名根。我必須從 GlobalSign下載正確的文件,儘管您的機器可能已經安裝了它,在這種情況下,您只需從上述鏈文件中刪除錯誤的中間文件。您可以通過以下方式查看您的中間體:
openssl crl2pkcs7 -nocrl -certfile intermediate_chain.pem | openssl pkcs7 -print_certs -noout
這使:
subject=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018 issuer=/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign subject=/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
您需要將鏈中的第二個證書替換為 Root CA 證書,或者如果您的系統安裝了 Root,則將其刪除。正是這個導致
openssl verify
找不到 CRL 並因此給您錯誤。您可以使用主題和授權密鑰標識符擴展來確認鏈。證書的授權密鑰標識符 (AKI) 應該是其簽名者 (CA) 的主題密鑰標識符 (SKI)。所以頂級BBC證書的AKI就是中間CA
F8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB
的SKI。C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018
該 CA 證書的 AKI 是上面第一段中連結的根 CA8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC
的 SKI 。OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
但是,為了混淆問題,您文件中的第二個中間證書也有一個 SKI 和 Subject 與上面連結的根相同,但不是自簽名的。該證書的 AKI 是您的信任錨儲存中可能擁有的另一個根 CA 證書的 AKI(我的舊測試系統沒有它,因此它對我來說失敗了)。在不下載連結的根 CA 證書的情況下,您的路徑因此有 4 個證書長(1 個最終實體、2 個中間體和一個根),因此需要三個 CRL——根和一個由每個中間體頒發。
使用正確的連結根,我得到:
openssl verify -crl_check_all -CRLfile all_crl.pem -CAfile intermediate_fullchain.pem bbc.pem bbc.pem: OK
如果您要找到第三個 CRL,那麼您應該得到相同的結果。