OpenSSL - How to check if a certificate is revoked or not


Question

With the OpenSSL library, how do I check if the peer certificate is revoked or not? From what I googled:

  1. An X.509 certificate contains a set of CRL distribution points, i.e. a set of URLs.
  2. Download the CRL from those URLs.
  3. The CRL contains the serial numbers of the revoked certificates.
  4. If the peer certificate's serial number is present in the CRL, the certificate is revoked.

What OpenSSL APIs do I use to accomplish this? Also, is this the right way of checking if the certificate is revoked or not?

Answer

Unfortunately the CRL verification API in OpenSSL isn't very high-level, so you have to code many operations yourself.

For a brief overview of what is needed:

  • Retrieve the CRL URLs to verify against from the certificate's CRL Distribution Points extension. OpenSSL offers certificate parsing functions, but no simple accessor for the CRL distribution points.
  • Download the CRL from the URL. OpenSSL implements neither this nor any kind of caching.
  • Verify the CRL (signature, issuer DN, validity period, subject key identifier, etc.). OpenSSL offers various low-level functions for this.
  • Check whether the serial number of the certificate being checked is in the CRL.

Of course this should be done after checking that the certificate itself is "valid" in the sense that it is issued by a trusted (or trustworthy) CA, it has the right usage extensions, and that it (along with its trust chain) is within its validity period. OpenSSL has some low- and mid-level functions to help with that.

Some additional details that might complicate things for a completely generic implementation:

  • Some certificates may use OCSP instead of CRLs.
  • Some certificates have an LDAP DN or URL as distribution point.
  • Some CRLs are signed by a delegated CRL signer.
  • Delta CRLs or partitioned CRLs may complicate the implementation (especially with caching).

RFC 5280 describes the complete PKIX validation algorithm. You don't have to implement everything, but it's a good reference to check that you don't forget something important. You should look at the mod_ssl module (contained in the Apache httpd server) for an implementation that checks CRLs locally and implements OCSP checking.

If you know in advance which CAs you trust (from a security point of view it's better), then you could have a cron job downloading and updating the CRLs. This would save you from implementing the part about locating/downloading/caching CRLs inside your program.
