Alf*_*sen 5 ruby xcode openssl certificate xcodebuild
我正在开发一个xcode自动构建系统.执行一些预构建验证时,我想检查指定的证书文件是否已被撤销.据我所知,security verify-cert验证其他证书属性,但不验证revokation.我怎样才能检查是否失败?
我正在用Ruby编写构建系统,但我对任何语言的思想都很开放.
我读了这个答案(Openssl - 如何检查证书是否被撤销)但是底部的链接(OpenSSL现在是否自动处理CRL(证书撤销列表)?)进入的材料对我来说有点过于牵连(上传撤销证书的用户是一个远远不够的案例).是否有一个更简单/红宝石的方法来检查revokation?
提前致谢!
Pau*_*rer 10
检查证书是否被撤销可能是一个复杂的过程.首先,您必须查找CDP或OCSP AIA,然后发出请求,解析响应,并检查响应是否由有权响应相关证书的CA签署.如果是CRL,则需要查看列表中是否存在您正在检查的证书的序列号.如果它是OCSP,那么您需要查看您是否收到了"良好"响应(而不是未知,已撤销或任何OCSP响应者错误,如未经授权).此外,您可能需要验证证书是否在其有效期内,并链接到受信任的根.最后,您还应对每个中间人进行撤销检查,并根据Mozilla/Apple/Google/Microsoft维护的明确黑名单检查证书的指纹.
我不知道任何Ruby库为你自动化撤销检查过程(最终我希望将它添加到r509),但是考虑到你的更具体的用例,这里有一些未经测试的代码应该指向正确的方向.
require 'r509'
require 'net/http'
cert = R509::Cert.load_from_file("some_iphone_cert.pem")
crl_uri = cert.crl_distribution_points.crl.uris[0]
crl = Net::HTTP.get_response(URI(crl_uri)) # you may need to follow redirects here, but let's assume you got the CRL.
# Also note that the Apple WWDRCA CRL is like 28MB so you may want to cache this damned thing. OCSP would be nicer but it's a bit trickier to validate.
parsed_crl = R509::CRL::SignedList.new(crl)
if not parsed_crl.verify(cert.public_key)
raise StandardError, "Invalid CRL for certificate"
end
if parsed_crl.revoked?(cert.serial)
puts 'revoked'
end
不幸的是,由于Apple WWDRCA CRL的大小(~680k条目),使用r509的当前哈希映射模型,这种检查可能会非常慢.
如果您对沿着OCSP路径感兴趣,我可以编写如何在Ruby中生成OCSP请求/解析响应.
编辑:看来iPhone开发人员证书我没有包含嵌入式OCSP AIA,因此撤销检查的唯一选择是通过CRL分发点,如上所示.
编辑2:哦,为什么不呢,让我们在Ruby中进行OCSP检查!为此,我们需要证书及其颁发证书.您不能使用WWDRCA证书,因此只需从您喜欢的网站上获取一个.我正在使用自己的网站.
require 'net/http'
require 'r509'
cert = R509::Cert.load_from_file("my_website.pem")
# get the first OCSP AIA URI. There can be more than one
# (degenerate example!)
ocsp_uri = cert.aia.ocsp.uris[0]
issuer = R509::Cert.load_from_file("my_issuer.pem")
cert_id = OpenSSL::OCSP::CertificateId.new(cert.cert,issuer.cert)
request = OpenSSL::OCSP::Request.new
request.add_certid(cert_id)
# we're going to make a GET request per RFC 5019. You can also POST the
# binary DER encoded version if you're more of an RFC 2560 partisan
request_uri = URI(ocsp_uri+"/"+URI.encode_www_form_component(req_pem.strip)
http_response = Net::HTTP.get_response(request_uri)
if http_response.code != "200"
raise StandardError, "Invalid response code from OCSP responder"
end
response = OpenSSL::OCSP::Response.new(http_response.body)
if response.status != 0
raise StandardError, "Not a successful status"
end
if response.basic[0][0].serial != cert.serial
raise StandardError, "Not the same serial"
end
if response.basic[0][1] != 0 # 0 is good, 1 is revoked, 2 is unknown.
raise StandardError, "Not a good status"
end
current_time = Time.now
if response.basic[0][4] > current_time or response.basic[0][5] < current_time
raise StandardError, "The response is not within its validity window"
end
# we also need to verify that the OCSP response is signed by
# a certificate that is allowed and chains up to a trusted root.
# To do this you'll need to build an OpenSSL::X509::Store object
# that contains the certificate you're checking + intermediates + root.
store = OpenSSL::X509::Store.new
store.add_cert(cert.cert)
store.add_cert(issuer.cert) #assuming issuer is a trusted root here, but in reality you'll need at least one more certificate
if response.basic.verify([],store) != true
raise StandardError, "Certificate verification error"
end
上面的示例代码忽略了处理许多可能的边缘情况,因此它应该仅被视为起点.祝好运!
| 归档时间: |
|
| 查看次数: |
5247 次 |
| 最近记录: |