在 SWI-Prolog 中打开和检查 Pem 文件 [英] Opening and checking a Pem file in SWI-Prolog
问题描述
如何打开 Pem 文件以检查 a) 'Not before' 和 'Not after' 日期是否正常,以及 b) pem 文件中是否有一系列证书指向路由证书颁发机构?
我试过了:
:-use_module(library(http/http_client)).url('http://fm4dd.com/openssl/source/PEM/certs/512b-rsa-example-cert.pem').url_data(Url,D):-http_get(Url,D,[to(string)]).url_data1(网址,证书):-http_get(Url,D,[to(stream(Stream))]),加载证书(流,证书),关闭(流).url_data/1 的作用是将 pem 文件作为字符串返回.但是 url_data1/1 不起作用.它旨在将每个证书作为术语列表返回.
* 更新 *
我有:
url_data1(Url,Certs):-http_open(Url,Stream,[]),all_certs(Stream,Certs),forall(member(C,Certs),my_validate(C)),关闭(流).all_certs(Stream,[C1|Certs]):-捕获(负载证书(流,C1),_,失败),all_certs(Stream,Certs),!.all_certs(_Stream,[]).my_validate(C):-memberchk(to_be_signed(Signed),C),memberchk(key(Key),C),成员chk(签名(签名),C),memberchk(signature_algorithm(A),C),算法代码(A,代码),rsa_verify(Key,Signed,Signature,[type(Code)]).算法代码('RSA-SHA256',sha256).算法代码('RSA-SHA1',sha1).哪个失败了.正确的论据是什么?
您可以将 http_open/3 与 load_certificate/2 结合使用:
产量:
<预>版本(0).之前(1345613214).之后(1503293214).串行('0DFA').主题(['C'='JP','ST'='东京','O'='Frank4DD','CN'='www.example.com']).哈希(071CB94F0CC8514D024124708EE8B2687BD7D9D5").签名( 14B64CBB817933E671A4DA516FCB081D8D60ECBC18C7734759B1F22048BB61FAFC4DAD898DD121EBD5D8E5BAD6A636FD745083B60FC71DDF7DE52E817F45E09FE23E79EED73031C72072D9582E2AFE125A3445A119087C89475F4A95BE23214A5372DA2A052F2EC970F65BFAFDDFB431B2C14A9C062543A1E6B41E7F869B1640").签名算法('RSA-SHA1').等等.检查 issuer_name/1 元素以获取颁发者.您可以再次使用 load_certificate/2 从文件中读取更多证书.
请注意,验证证书链的更典型方法是建立安全连接(通过 HTTPS),然后使用 ssl_peer_certificate/2 或ssl_peer_certificate_chain/2 获取对等证书和证书链.
要验证链,您必须验证 signature/1 字段,其中包含证书的 to_be_signed/1 部分的数字签名,由各自的签名;发行人.
您可以使用library(crypto) 以验证签名.
How do I open a Pem file to check a) That the 'Not before' and 'Not after' dates are okay and b) That there is a chain of certs in the pem file to a route certificate authority?
I have tried:
:-use_module(library(http/http_client)).
url('http://fm4dd.com/openssl/source/PEM/certs/512b-rsa-example-cert.pem').
url_data(Url,D):-
http_get(Url,D,[to(string)]).
url_data1(Url,Certificate):-
http_get(Url,D,[to(stream(Stream))]),
load_certificate(Stream, Certificate),
close(Stream).
url_data/1 works in that it returns the pem file as a string. But url_data1/1 does not work. It is intended to return each certificate(s) as a list of terms.
* Update *
I have:
url_data1(Url,Certs):-
http_open(Url,Stream,[]),
all_certs(Stream,Certs),
forall(member(C,Certs),my_validate(C)),
close(Stream).
all_certs(Stream,[C1|Certs]):-
catch(load_certificate(Stream,C1),_,fail),
all_certs(Stream,Certs),!.
all_certs(_Stream,[]).
my_validate(C):-
memberchk(to_be_signed(Signed),C),
memberchk(key(Key),C),
memberchk(signature(Signature),C),
memberchk(signature_algorithm(A),C),
algo_code(A,Code),
rsa_verify(Key,Signed,Signature,[type(Code)]).
algo_code('RSA-SHA256',sha256).
algo_code('RSA-SHA1',sha1).
Which fails. What are the correct arguments?
You can use http_open/3 in combination with load_certificate/2:
?- url(Url), http_open(Url, Stream, []), load_certificate(Stream, Certificate), maplist(portray_clause, Certificate).
Yielding:
version(0).
notbefore(1345613214).
notafter(1503293214).
serial('0DFA').
subject(['C'='JP', 'ST'='Tokyo', 'O'='Frank4DD', 'CN'='www.example.com']).
hash("071CB94F0CC8514D024124708EE8B2687BD7D9D5").
signature("14B64CBB817933E671A4DA516FCB081D8D60ECBC18C7734759B1F22048BB61FAFC4DAD898DD121EBD5D8E5BAD6A636FD745083B60FC71DDF7DE52E817F45E09FE23E79EED73031C72072D9582E2AFE125A3445A119087C89475F4A95BE23214A5372DA2A052F2EC970F65BFAFDDFB431B2C14A9C062543A1E6B41E7F869B1640").
signature_algorithm('RSA-SHA1').
etc.
Check the issuer_name/1 element to obtain the issuer. You can use load_certificate/2 again to read further certificates from the file.
Note that a much more typical way to validate the certificate chain is to establish a secure connection (via HTTPS), and then to use ssl_peer_certificate/2 or ssl_peer_certificate_chain/2 on the stream to obtain the peer certificate and certificate chain.
To validate the chain, you must verify the signature/1 fields, which contain the digital signatures of the to_be_signed/1 portions of the certificate, signed by the respective issuer.
You can use library(crypto) to verify the signatures.
这篇关于在 SWI-Prolog 中打开和检查 Pem 文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
