如何检查证书日志中的证书是否被吊销?

信息安全 证书 openssl 证书颁发机构 Python
2021-08-17 03:59:42

我有一个带有 CTL 证书的数据库。(使用“certstream”实用程序)。

以下是一组证书数据的示例:

{
"all_domains" : [ 
    "benesseresalus.com", 
    "benesseresalus.it", 
    "dimagriresalus.com", 
    "dimagriresalus.it"
],
"as_der" : "MIIFtzCCBJ+gAwIBAgISA4HNUHaLqcuseznIF3iOrjPzMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjQwNzIyMTlaFw0xODExMjIwNzIyMTlaMB0xGzAZBgNVBAMTEmJlbmVzc2VyZXNhbHVzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmPDiKIdOGpRQDzHiQZPVHBFVYHn+E0vv2BOC5Cp+GmuuPC+nxyRn0Mn7d7FL10xZQIjbjmY49iAfnpOQcyE/qgaZeJ80hI4ueoJD0tN1XPXIPIIJApin2i5HgB2s3UL+AEmCMCy81OmKzStC7+tVx2cugyUkBDuABz1ty6HPz9igshJJ2MhCX87Pc4lkLmX9phMAu9E1wpbT+XFdZsnqUp1fUixiHWGq8oVSL+CC4fz51WmzyDvTMV/FEreUBecjErXJ7uldlpNfv/tcPwUhEkGfTfRn8lHg9U1mhqmws8+qxdjR6bgpKjwnW2GkhMqvj9gkoT8mGtei6DyCbi17UCAwEAAaOCAsIwggK+MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUoYmVOj6I7epePo5xj33E1LBi94owHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzCBtwYDVR0RBIGvMIGsghJiZW5lc3NlcmVzYWx1cy5jb22CEWJlbmVzc2VyZXNhbHVzLml0ghJkaW1hZ3JpcmVzYWx1cy5jb22CEWRpbWFncmlyZXNhbHVzLml0ghZ3d3cuYmVuZXNzZXJlc2FsdXMuY29tghV3d3cuYmVuZXNzZXJlc2FsdXMuaXSCFnd3dy5kaW1hZ3JpcmVzYWx1cy5jb22CFXd3dy5kaW1hZ3JpcmVzYWx1cy5pdDCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMBMGCisGAQQB1nkCBAMBAf8EAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQCY8fgDv16BEr2jGHrC/zy21Mq5BN6PGHpCL3Vi99wxWK06NjapOjPkLLpPfrJqfL98ZNyavQLueAbYqJSb9gvQwK+CktB/ZGyyUpTgfwv9+yRXURpGNt0Vx8LZdVMtDfJIIs0JiQQ0kM0P1qpuifHiWu0z+HNkptnYMuJWFNWwqDJydh8N5scQQyh98Y9eSAnFW8647Z57zNdOPzQN94dLGVY7lzDZKbPQ2//g+F8ssh04k5tBU4RM2ZRFin6/AwY3z98L1Avaed7hPhDHbgJhkcVQF5jAV0uowD2GGDrf5fuQx71hPIDBy+LOzRcKSy2ALh8ALVijumhqdZBMFEl5",
"extensions" : {
    "authorityInfoAccess" : "CA Issuers - URI:http://cert.int-x3.letsencrypt.org/\nOCSP - URI:http://ocsp.int-x3.letsencrypt.org\n",
    "authorityKeyIdentifier" : "keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1\n",
    "basicConstraints" : "CA:FALSE",
    "certificatePolicies" : "Policy: 1.3.6.1.4.1.44947.1.1.1\n  CPS: http://cps.letsencrypt.org\n  User Notice: is Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/",
    "ctlPoisonByte" : true,
    "extendedKeyUsage" : "TLS Web server authentication, TLS Web client authentication",
    "keyUsage" : "Digital Signature, Key Encipherment",
    "subjectAltName" : "DNS:www.dimagriresalus.it, DNS:www.dimagriresalus.com, DNS:www.benesseresalus.it, DNS:www.benesseresalus.com, DNS:dimagriresalus.it, DNS:dimagriresalus.com, DNS:benesseresalus.it, DNS:benesseresalus.com",
    "subjectKeyIdentifier" : "A1:89:95:3A:3E:88:ED:EA:5E:3E:8E:71:8F:7D:C4:D4:B0:62:F7:8A"
},
"fingerprint" : "FC:A6:A6:3A:CB:C7:8C:6F:16:84:D3:92:0E:C6:A3:25:D5:91:72:9D",
"not_after" : 1542871339,
"not_before" : 1535095339,
"serial_number" : "381CD50768BA9CBAC7B39C817788EAE33F3",
"subject" : {
    "C" : null,
    "CN" : "benesseresalus.com",
    "L" : null,
    "O" : null,
    "OU" : null,
    "ST" : null,
    "aggregated" : "/CN=benesseresalus.com"
}
}

我想使用代码检查此证书的有效性。

我已经搜索并看到了 pyopenssl 的许多用法,但所有这些都要求我拥有.pem文件。我想我可以通过打开这样的新文件来创建.cert文件:

 ----BEGIN CERTIFICATE----   
MIIFtzCCBJ+gAwIBAgISA4HNUHaLqcuseznIF3iOrjPzMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjQwNzIyMTlaFw0xODExMjIwNzIyMTlaMB0xGzAZBgNVBAMTEmJlbmVzc2VyZXNhbHVzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmPDiKIdOGpRQDzHiQZPVHBFVYHn+E0vv2BOC5Cp+GmuuPC+nxyRn0Mn7d7FL10xZQIjbjmY49iAfnpOQcyE/qgaZeJ80hI4ueoJD0tN1XPXIPIIJApin2i5HgB2s3UL+AEmCMCy81OmKzStC7+tVx2cugyUkBDuABz1ty6HPz9igshJJ2MhCX87Pc4lkLmX9phMAu9E1wpbT+XFdZsnqUp1fUixiHWGq8oVSL+CC4fz51WmzyDvTMV/FEreUBecjErXJ7uldlpNfv/tcPwUhEkGfTfRn8lHg9U1mhqmws8+qxdjR6bgpKjwnW2GkhMqvj9gkoT8mGtei6DyCbi17UCAwEAAaOCAsIwggK+MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUoYmVOj6I7epePo5xj33E1LBi94owHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzCBtwYDVR0RBIGvMIGsghJiZW5lc3NlcmVzYWx1cy5jb22CEWJlbmVzc2VyZXNhbHVzLml0ghJkaW1hZ3JpcmVzYWx1cy5jb22CEWRpbWFncmlyZXNhbHVzLml0ghZ3d3cuYmVuZXNzZXJlc2FsdXMuY29tghV3d3cuYmVuZXNzZXJlc2FsdXMuaXSCFnd3dy5kaW1hZ3JpcmVzYWx1cy5jb22CFXd3dy5kaW1hZ3JpcmVzYWx1cy5pdDCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMBMGCisGAQQB1nkCBAMBAf8EAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQCY8fgDv16BEr2jGHrC/zy21Mq5BN6PGHpCL3Vi99wxWK06NjapOjPkLLpPfrJqfL98ZNyavQLueAbYqJSb9gvQwK+CktB/ZGyyUpTgfwv9+yRXURpGNt0Vx8LZdVMtDfJIIs0JiQQ0kM0P1qpuifHiWu0z+HNkptnYMuJWFNWwqDJydh8N5scQQyh98Y9eSAnFW8647Z57zNdOPzQN94dLGVY7lzDZKbPQ2//g+F8ssh04k5tBU4RM2ZRFin6/AwY3z98L1Avaed7hPhDHbgJhkcVQF5jAV0uowD2GGDrf5fuQx71hPIDBy+LOzRcKSy2ALh8ALVijumhqdZBMFEl5
-----END CERTIFICATE-----

..但我仍然会丢失.pem文件。

底线: 我想使用提供的 json 数据来查明此证书是否已被吊销。请告诉我我错过了什么。谢谢。

编辑:

这个怎么样:

certutil -f –urlfetch -verify [FilenameOfCertificate]

来源: https ://www.namecheap.com/support/knowledgebase/article.aspx/9968/38/how-to-check-the-certificate-revocation-status

之后,我可以解析响应并查看是否有撤销状态...但是如果我尝试签署已撤销的证书,它会警告我吗?

编辑最终:感谢@Steffen Ullrich,工作python代码:

import os
import subprocess
openssl_location = "\"C:\\Program Files\\OpenSSL-Win64\\bin\\openssl.exe\""`
for element in cursor:
        authorityInfoAccess = element['data']['leaf_cert']['extensions']['authorityInfoAccess']
        ocsp_url, crt_url = [x.strip(" ").lstrip("URI:").rstrip("\n").rstrip("\nCA Issuers") for x in authorityInfoAccess.split("-") if 'URI' in x]

        if 'ocsp' in crt_url:
            ocsp_url, crt_url = crt_url, ocsp_url

        serial_number = authorityInfoAccess = element['data']['leaf_cert']['serial_number']

        shell_convert_cmd = 'curl ' + crt_url + " > issuer.crt"
        os.system(shell_convert_cmd)

        to_pem_cmd = openssl_location + ' x509 -in issuer.crt -inform der -out issuer.pem'
        os.system(to_pem_cmd)

        request_cmd = 'ocsp -issuer issuer.pem -serial 0x' + serial_number + ' -url ' + ocsp_url
        full_cmd = openssl_location + " " + request_cmd
        out = subprocess.check_output(full_cmd, shell=True)
        print (f"program output: {str(out)}")
1个回答

要进行 OCSP 检查以了解证书是否被吊销,您需要向负责证书的 OCSP 响应者发送 OCSP 请求,然后查看返回的 OCSP 结果。要创建 OCSP 请求,您需要颁发者证书(实际上 DN 和来自它的公钥就足够了)以及要检查的证书的序列号。这是因为CertIDOCSP 请求的核心部分是这样定义的

CertID          ::=     SEQUENCE {
   hashAlgorithm       AlgorithmIdentifier,
   issuerNameHash      OCTET STRING, -- Hash of issuer's DN
   issuerKeyHash       OCTET STRING, -- Hash of issuer's public key
   serialNumber        CertificateSerialNumber }

在这种情况下,发行人证书可以通过查看被检索CA IssuersauthorityInfoAccess证书,即信息URI:http://cert.int-x3.letsencrypt.org/在这种情况下。要检索此颁发者证书,您可以这样做:

 $ curl http://cert.int-x3.letsencrypt.org/ > issuer.crt

序列号也在 JSON 中:

"serial_number" : "381CD50768BA9CBAC7B39C817788EAE33F3",

然后需要 OCSP 解析器的 URL。这也是authorityInfoAccess扩展的一部分,OCSP设置的值为URI:http://ocsp.int-x3.letsencrypt.org

由此可以创建 OCSP 请求并将其发送到 OCSP 解析器,例如使用openssl

# convert issuer certificate from DER to PEM format, as needed by openssl ocsp
$ openssl x509 -in issuer.crt -inform der -out issuer.pem

# build the OCSP request and query the OCSP resolver
$ openssl ocsp \
  -issuer issuer.pem \
  -serial 0x381CD50768BA9CBAC7B39C817788EAE33F3 \
  -url http://ocsp.int-x3.letsencrypt.org/

正确使用(请注意0x指定序列号为十六进制)这会导致:

WARNING: no nonce in response
Response verify OK
0x381CD50768BA9CBAC7B39C817788EAE33F3: good
        This Update: Oct 11 08:00:00 2018 GMT
        Next Update: Oct 18 08:00:00 2018 GMT

good表示证书没有被吊销。

请注意,您至少需要 OpenSSL 1.1.0 才能按照说明进行操作。使用 OpenSSL 1.0.2 你会得到

Error querying OCSP responder
... OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request

这是因为 OpenSSL 1.0.2(可能更早版本)发送的HTTP/1.0请求没有 HTTPHost标头。虽然理论上罚款HTTP/1.0Host。这里需要头,因为OCSP解析器的背后是Akamai的CDN哪里像几乎所有的CDN(任何许多托管商)多个主机名共享同一个IP地址。

至于如何用 Python 做到这一点:我在pyopenssl 中根本看不到对 OCSP 的任何支持虽然在密码学中对 OCSP 有一些支持,但它似乎要求您拥有原始证书。

其它你可能感兴趣的问题
上一篇如何安全地允许脚本但防止 XSS? 下一篇为什么强路由器密码很重要?