- openssl verify appears to offer a whole range of options for validating certificates, but the man page and the help output do not agree
- The attime option documented in the man page looked handy for checking whether a certificate is valid at a given point in time, but in the end it does not seem to exist in this version
- The crlfile option from the man page does not exist either, but the CAfile option can stand in for it, and crl_check/crl_check_all themselves do work
$ openssl version
OpenSSL 1.0.2g 1 Mar 2016
The man page makes it look as though there are plenty of useful options. Here I tried to use attime and crl_check_all.
$ man verify
SYNOPSIS
openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-policy arg]
[-ignore_critical] [-attime timestamp] [-check_ss_sig] [-crlfile file] [-crl_download]
[-crl_check] [-crl_check_all] [-policy_check] [-explicit_policy] [-inhibit_any]
[-inhibit_map] [-x509_strict] [-extended_crl] [-use_deltas] [-policy_print]
[-no_alt_chains] [-untrusted file] [-help] [-issuer_checks] [-trusted file] [-verbose] [-]
[certificates]
DESCRIPTION
The verify command verifies certificate chains.
COMMAND OPTIONS
...
-crlfile file
File containing one or more CRL's (in PEM format) to load.
...
-attime timestamp
Perform validation checks using time specified by timestamp and not current system
time. timestamp is the number of seconds since 01.01.1970 (UNIX time).
...
-crl_check_all
Checks the validity of all certificates in the chain by attempting to look up valid
CRLs.
...
The command's own help. Fewer usable options than the man page lists?
openssl verify -help
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
timestampsign Time Stamp signing
Nothing could be done about attime, but crl_check_all could be made to verify by placing the CRLs in CAfile together with the CA certificates.
$ #cross root:OldWithNew
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/cacert.pem > /tmp/$$.pem
$ openssl crl -outform PEM -in $(pwd)/ca/selfsign-ca-2/crl.pem >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/certs/selfsign-ca-1/cert.pem >> /tmp/$$.pem
$ openssl crl -outform PEM -in $(pwd)/ca/selfsign-ca-1/crl.pem >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/server-ca-1/cacert.pem >> /tmp/$$.pem
$ openssl crl -outform PEM -in $(pwd)/ca/server-ca-1/crl.pem >> /tmp/$$.pem
$ openssl verify -CAfile /tmp/$$.pem -crl_check_all -purpose sslserver -issuer_checks -verbose ./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem
./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem: OK
$ rm -f /tmp/$$.pem
If the CRL is left out of CAfile, verification fails, so this should not be a mistake on my part.
$ #cross root:OldWithNew
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/cacert.pem > /tmp/$$.pem
$ openssl crl -outform PEM -in $(pwd)/ca/selfsign-ca-2/crl.pem >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/certs/selfsign-ca-1/cert.pem >> /tmp/$$.pem
$ openssl crl -outform PEM -in $(pwd)/ca/selfsign-ca-1/crl.pem >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/server-ca-1/cacert.pem >> /tmp/$$.pem
$ #openssl crl -outform PEM -in $(pwd)/ca/server-ca-1/crl.pem >> /tmp/$$.pem
$ openssl verify -CAfile /tmp/$$.pem -crl_check_all -purpose sslserver -issuer_checks -verbose ./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem
./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem: CN = www.example.com
error 3 at 0 depth lookup:unable to get certificate CRL
$ rm -f /tmp/$$.pem
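The two sessions above, reproduced end to end as an added example that is not part of the original post: a throwaway root CA, one server certificate and two CRLs are built under a temporary directory, and the leaf is then verified with -crl_check_all against three concatenated -CAfile bundles, one without any CRL (the "unable to get certificate CRL" case), one with a CRL that revokes nothing, and one with a CRL that revokes the leaf. All names, paths and the minimal openssl.cnf are constructed for this demo and do not refer to the author's ./ca/... hierarchy. The last helper uses -attime, which OpenSSL 1.1.0 and later accept in verify; whether it works on the 1.0.2g build discussed here is exactly the open question of this post.

```shell
#!/bin/sh
# Added example (not from the original post): build a demo PKI, then show how
# `openssl verify -crl_check_all` reacts to CRLs bundled into -CAfile.
# Every file lives under $WORK; names and paths are constructed for this demo.

WORK="${WORK:-$(mktemp -d)}"

# build_demo_pki: root CA + leaf cert + two CRLs (nothing revoked / leaf revoked)
# + three -CAfile bundles. Idempotent: returns 0 at once if already built.
build_demo_pki() {
    [ -f "$WORK/bundle-revoked.pem" ] && return 0
    mkdir -p "$WORK" || return 1
    # Minimal config serving both `req` (self-signed root) and `ca` (issuing, CRLs).
    cat >"$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = $WORK
database = $WORK/index.txt
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = policy_any
x509_extensions = v3_leaf
[ policy_any ]
commonName = supplied
EOF
    : >"$WORK/index.txt"; echo 01 >"$WORK/serial"; echo 01 >"$WORK/crlnumber"
    # Self-signed root CA (constructed name "Demo Root CA").
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -config "$WORK/openssl.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    # Leaf CSR, then the certificate issued by the root (constructed name www.example.com).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -config "$WORK/openssl.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
    openssl ca -batch -notext -config "$WORK/openssl.cnf" \
        -in "$WORK/leaf.csr" -out "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
    # CRL with nothing revoked, then revoke the leaf and publish a second CRL.
    openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/crl-empty.pem" >/dev/null 2>&1 || return 1
    openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
    openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/crl-revoked.pem" >/dev/null 2>&1 || return 1
    # The post's trick: CA certificates and CRLs concatenated into one -CAfile.
    cp "$WORK/ca.pem" "$WORK/bundle-nocrl.pem"
    cat "$WORK/ca.pem" "$WORK/crl-empty.pem" >"$WORK/bundle-ok.pem"
    cat "$WORK/ca.pem" "$WORK/crl-revoked.pem" >"$WORK/bundle-revoked.pem"
}

# verify_with: verify the leaf against bundle $1 (file name under $WORK) with CRL
# checking for the whole chain; returns openssl's exit status (0 only on "OK").
verify_with() {
    openssl verify -CAfile "$WORK/$1" -crl_check_all -purpose sslserver "$WORK/leaf.pem"
}

# verify_at: verify the leaf against bundle $1 as of UNIX time $2 via -attime
# (no CRL flags, so the only thing being tested is the validity period).
verify_at() {
    openssl verify -CAfile "$WORK/$1" -attime "$2" "$WORK/leaf.pem"
}

# Stand-alone run: build the PKI and show the three outcomes side by side.
if command -v openssl >/dev/null 2>&1 && build_demo_pki; then
    for b in bundle-nocrl.pem bundle-ok.pem bundle-revoked.pem; do
        echo "== -CAfile $b"
        verify_with "$b" || echo "(verify exit status $?)"
    done
fi
```

Only the bundle that carries a current CRL for the issuing CA verifies; the bundle without a CRL fails with the same "unable to get certificate CRL" lookup error shown in the second session, and the bundle whose CRL lists the leaf fails as revoked. The -attime helper shows the check the post was after: passing a timestamp past the 30-day validity makes the otherwise good chain fail as expired.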
attime looks like a case of an option that was added and then removed again almost immediately, surviving only in the change log and the man page. I could not find out the background; I wonder whether it will ever come back.