Openssl - How to check if a certificate is revoked or not


Question

With the OpenSSL library, how do I check if the peer certificate is revoked or not? From what I googled:

  1. The X.509 certificate contains a set of CRL distribution points, i.e. a set of URLs
  2. Download the CRL from those URLs
  3. The CRL contains the serial numbers of the revoked certificates
  4. If the peer certificate's serial number is present in the CRL, it is revoked

What OpenSSL APIs do I use to accomplish this? Also, is this the right way of checking if the certificate is revoked or not?

Accepted answer

Unfortunately the CRL verification API in OpenSSL isn't very high-level, so you have to code many operations yourself.

For a brief overview of what is needed:

  • Retrieve the CRL URL(s) from the certificate's CRL distribution points extension. OpenSSL provides certificate parsing functions, but no simple accessor for the CRL distribution points.
  • Download the CRL from the URL. OpenSSL does not implement this, nor any form of caching.
  • Verify the CRL (signature, issuer DN, validity period, subject key identifier, etc.). OpenSSL provides various low-level functions for this.
  • Verify whether the serial number of the certificate being checked is in the CRL.

Of course this should be done after checking that the certificate itself is "valid" in the sense that it is issued by a trusted (or trustworthy) CA, it has the right usage extensions, and that it (along with its trust chain) is within its validity period. OpenSSL has some low- and mid-level functions to help with that.

Some additional details that might complicate things for a completely generic implementation:

  • Some certificates may use OCSP instead of CRLs.
  • Some certificates have an LDAP DN or URL as the distribution point.
  • Some CRLs are signed by a delegated CRL signer.
  • Delta CRLs or partitioned CRLs may complicate the implementation (especially w.r.t. caching).

RFC 5280 describes the complete PKIX validation algorithm. You don't have to implement everything, but it's a good reference to check that you don't forget something important. You should look at the mod_ssl module (contained in the Apache httpd server) for an implementation that checks CRLs locally and implements OCSP checking.

If you know in advance which CAs you trust (from a security point of view it's better), then you could have a cron job downloading and updating the CRLs. This would save you from implementing the part about locating/downloading/caching CRLs inside your program.
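The procedure the answer lists (trusted CA, chain check, then a CRL lookup of the serial number) as an added, runnable example that is not part of the original answer, using the openssl command-line tool rather than the C API; the CA name, the leaf name and the scratch directory are constructed for the demo, and the locally stored CRL stands in for the cron-job download the answer suggests.

```shell
#!/bin/sh
# Added example (not from the original answer): a throwaway CA, an issued leaf,
# a CRL, a revocation, then the check the answer describes, via the openssl CLI.
set -e
WORK=$(mktemp -d)   # constructed scratch dir; every name below is a demo value
# Minimal "openssl ca" config: database/serial/crlnumber files and a CN-only policy.
setup_demo_ca() {
  mkdir -p "$WORK/ca/newcerts"; : > "$WORK/ca/index.txt"
  echo 1000 > "$WORK/ca/serial"; echo 1000 > "$WORK/ca/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = policy_any
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Demo CA" -days 365 -config "$WORK/ca.cnf" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=leaf.example" -config "$WORK/ca.cnf" >/dev/null 2>&1
  openssl ca -batch -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" >/dev/null 2>&1
  publish_crl
}
# Sign a fresh CRL from the CA database; it lists the serial numbers that were revoked.
publish_crl() { openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1; }
revoke_leaf() { openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" >/dev/null 2>&1; publish_crl; }
# Plain chain validation: this alone never notices a revocation.
chain_only_ok() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1; }
# Chain validation plus CRL lookup of the leaf's serial. -crl_check covers only the
# leaf; use -crl_check_all (with a CRL for every CA) to check the whole chain.
leaf_status() {
  out=$(openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
        "$WORK/leaf.crt" 2>&1) && { echo valid; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo "error: $out"; return 1 ;; esac
}
setup_demo_ca; echo "before: $(leaf_status)"; revoke_leaf; echo "after: $(leaf_status)"
```

After `revoke_leaf`, `chain_only_ok` still succeeds while `leaf_status` reports `revoked`: the chain check alone is exactly the gap the CRL lookup closes.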
