ruby – 如何以编程方式检查证书是否已被撤销？

概述我正在开发一个 xcode自动构建系统.执行一些预构建验证时,我想检查指定的证书文件是否已被撤销.我了解安全验证证书验证其他证书属性,但不验证revokation.我怎样才能检查是否失败？ 我正在用Ruby编写构建系统,但我对任何语言的思想都很开放. 我读了这个答案(Openssl – How to check if a certificate is revoked or not),但是到底部的链 我正在开发一个 xcode自动构建系统.执行一些预构建验证时,我想检查指定的证书文件是否已被撤销.我了解安全验证证书验证其他证书属性,但不验证revokation.我怎样才能检查是否失败？

我正在用Ruby编写构建系统,但我对任何语言的思想都很开放.

我读了这个答案(Openssl – How to check if a certificate is revoked or not),但是到底部的链接(Does OpenSSL automatically handle CRLs (Certificate Revocation Lists) now?)进入的材料对我的目的而言有点过于牵连(用户上传一个被撤销的证书是一个远远不够的情况).是否有一个更简单/ruby的方法来检查revokation？

提前致谢！

解决方法 检查证书是否被撤销可能是一个复杂的过程.首先,您必须查找CDP或OCSP AIA,然后发出请求,解析响应,并检查响应是否由有权响应相关证书的CA签署.如果是CRL,则需要查看列表中是否存在您正在检查的证书的序列号.如果它是OCSP,那么您需要查看您是否收到了“良好”响应(而不是未知,已撤销或任何OCSP响应者错误,如未经授权).此外,您可能需要验证证书是否在其有效期内,并链接到受信任的根.最后,您还应对每个中间人进行撤销检查,并根据Mozilla / Apple / Google / Microsoft维护的明确黑名单检查证书的指纹.

我不知道任何Ruby库为你自动化撤销检查过程(最终我希望将它添加到r509),但是考虑到你的更具体的用例,这里有一些未经测试的代码应该指向正确的方向.

require 'r509'require 'net/http'cert = R509::Cert.load_from_file("some_iphone_cert.pem")crl_uri = cert.crl_distribution_points.crl.uris[0]crl = Net::http.get_response(URI(crl_uri)) # you may need to follow redirects here,but let's assume you got the CRL.# Also note that the Apple WWDRCA CRL is like 28MB so you may want to cache this damned thing. OCSP would be nicer but it's a bit trickIEr to valIDate.parsed_crl = R509::CRL::SignedList.new(crl)if not parsed_crl.verify(cert.public_key)  raise StandardError,"InvalID CRL for certificate"endif parsed_crl.revoked?(cert.serial)  puts 'revoked'end

不幸的是,由于Apple WWDRCA CRL的大小(~680k条目),使用r509的当前哈希映射模型,这种检查可能会非常慢.

如果您对沿着OCSP路径感兴趣,我可以编写如何在Ruby中生成OCSP请求/解析响应.

编辑：看来iPhone开发人员证书我没有包含嵌入式OCSP AIA,因此撤销检查的唯一选择是通过CRL分发点,如上所示.

编辑2：哦,为什么不呢,让我们在Ruby中进行OCSP检查！为此,我们需要证书及其颁发证书.您不能使用WWDRCA证书,因此只需从您喜欢的网站上获取一个.我正在使用自己的网站.

require 'net/http'require 'r509'cert = R509::Cert.load_from_file("my_website.pem")# get the first OCSP AIA URI. There can be more than one # (degenerate example!)ocsp_uri = cert.aia.ocsp.uris[0]issuer = R509::Cert.load_from_file("my_issuer.pem")cert_ID = OpenSSL::OCSP::CertificateID.new(cert.cert,issuer.cert)request = OpenSSL::OCSP::Request.newrequest.add_certID(cert_ID)# we're going to make a GET request per RFC 5019. You can also POST the # binary DER encoded version if you're more of an RFC 2560 partisanrequest_uri = URI(ocsp_uri+"/"+URI.encode_www_form_component(req_pem.strip)http_response = Net::http.get_response(request_uri)if http_response.code != "200"  raise StandardError,"InvalID response code from OCSP responder"endresponse = OpenSSL::OCSP::Response.new(http_response.body)if response.status != 0  raise StandardError,"Not a successful status"endif response.basic[0][0].serial != cert.serial  raise StandardError,"Not the same serial"endif response.basic[0][1] != 0 # 0 is good,1 is revoked,2 is unkNown.  raise StandardError,"Not a good status"endcurrent_time = Time.Nowif response.basic[0][4] > current_time or response.basic[0][5] < current_time  raise StandardError,"The response is not within its valIDity window"end# we also need to verify that the OCSP response is signed by # a certificate that is allowed and chains up to a trusted root. # To do this you'll need to build an OpenSSL::X509::Store object # that contains the certificate you're checking + intermediates + root.store = OpenSSL::X509::Store.newstore.add_cert(cert.cert)store.add_cert(issuer.cert) #assuming issuer is a trusted root here,but in reality you'll need at least one more certificateif response.basic.verify([],store) != true  raise StandardError,"Certificate verification error"end

上面的示例代码忽略了处理许多可能的边缘情况,因此它应该仅被视为起点.祝好运！

总结

以上是内存溢出为你收集整理的ruby – 如何以编程方式检查证书是否已被撤销？全部内容，希望文章能够帮你解决ruby – 如何以编程方式检查证书是否已被撤销？所遇到的程序开发问题。

如果觉得内存溢出网站内容还不错，欢迎将内存溢出网站推荐给程序员好友。