More than 5 years have passed since last update.

The -attime and -crl_check_all options of openssl verify

  • openssl verify appears to offer a whole set of options for certificate validation, but the man page and the -help output disagree with each other.
  • The -attime option documented in the man page looked handy for checking whether a certificate is valid at a given point in time, but in this version it could not be made to work.
  • The -crlfile option from the man page does not exist either, but -CAfile can take its place: -crl_check and -crl_check_all themselves do work.
$ openssl version
OpenSSL 1.0.2g  1 Mar 2016

The man page makes it look as though several handy options are available. Here I tried to use -attime and -crl_check_all.

$ man verify
SYNOPSIS
       openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-policy arg]
       [-ignore_critical] [-attime timestamp] [-check_ss_sig] [-crlfile file] [-crl_download]
       [-crl_check] [-crl_check_all] [-policy_check] [-explicit_policy] [-inhibit_any]
       [-inhibit_map] [-x509_strict] [-extended_crl] [-use_deltas] [-policy_print]
       [-no_alt_chains] [-untrusted file] [-help] [-issuer_checks] [-trusted file] [-verbose] [-]
       [certificates]

DESCRIPTION
       The verify command verifies certificate chains.

COMMAND OPTIONS
...
       -crlfile file
           File containing one or more CRL's (in PEM format) to load.
...
       -attime timestamp
           Perform validation checks using time specified by timestamp and not current system
           time. timestamp is the number of seconds since 01.01.1970 (UNIX time).
...
       -crl_check_all
           Checks the validity of all certificates in the chain by attempting to look up valid
           CRLs.

...

The command's own help output. It lists fewer options than the man page does.

$ openssl verify -help

usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
	sslclient 	SSL client
	sslserver 	SSL server
	nssslserver	Netscape SSL server
	smimesign 	S/MIME signing
	smimeencrypt	S/MIME encryption
	crlsign   	CRL signing
	any       	Any Purpose
	ocsphelper	OCSP helper
	timestampsign	Time Stamp signing

I could not get -attime to do anything, but -crl_check_all worked once the CRLs were put into -CAfile alongside the CA certificates (a PEM -CAfile may contain CRLs as well as certificates, and verify loads both).

$ #cross root:OldWithNew
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/cacert.pem  > /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/selfsign-ca-2/crl.pem    >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/certs/selfsign-ca-1/cert.pem  >> /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/selfsign-ca-1/crl.pem    >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/server-ca-1/cacert.pem   >> /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/server-ca-1/crl.pem      >> /tmp/$$.pem
$ openssl verify -CAfile /tmp/$$.pem -crl_check_all -purpose sslserver -issuer_checks -verbose ./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem 
./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem: OK
$ rm -f /tmp/$$.pem

If the CRL is left out of -CAfile the verification fails, so the CRLs really are being loaded and consulted rather than silently ignored.

$ #cross root:OldWithNew
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/cacert.pem  > /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/selfsign-ca-2/crl.pem    >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/certs/selfsign-ca-1/cert.pem  >> /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/selfsign-ca-1/crl.pem    >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/server-ca-1/cacert.pem   >> /tmp/$$.pem
$ #openssl crl  -outform PEM -in $(pwd)/ca/server-ca-1/crl.pem      >> /tmp/$$.pem
$ openssl verify -CAfile /tmp/$$.pem -crl_check_all -purpose sslserver -issuer_checks -verbose ./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem 
./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem: CN = www.example.com
error 3 at 0 depth lookup:unable to get certificate CRL
$ rm -f /tmp/$$.pem
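The two transcripts above reuse a CA directory tree that is not on the page. The script below, an added example rather than code from the original post, rebuilds the same situation from scratch: a root CA, an intermediate CA and a server leaf are generated with openssl req and openssl ca, each CA publishes a CRL, and the leaf is verified with -crl_check_all against a -CAfile bundle built exactly as in the post. It goes a little beyond the post by also showing that the root CA's own CRL is required (with -crl_check_all every certificate in the chain, the self-signed root included, must have a CRL in the store) and what a revoked leaf looks like. It assumes only the openssl CLI on PATH; the directory layout, config file, subject names and function names are all invented for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway
# root -> intermediate -> leaf PKI with "openssl req"/"openssl ca" and show
# which CRLs -crl_check_all demands. Assumes only the openssl CLI on PATH;
# every path, subject and function name below is made up.
set -eu

# write_cnf <ca-dir>: minimal config shared by "openssl req" and "openssl ca",
# plus the empty database files that "openssl ca" insists on.
write_cnf() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = ./$1
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
new_certs_dir = \$dir/newcerts
certificate = \$dir/cert.pem
private_key = \$dir/key.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# setup_pki <dir>: root CA, intermediate CA and a server leaf under <dir>,
# each CA with its own (still empty) CRL. Key generation is the slow part.
setup_pki() (
    cd "$1" && write_cnf root && write_cnf inter && mkdir -p leaf
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config root/ca.cnf -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout root/key.pem -out root/cert.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config inter/ca.cnf \
        -subj "/CN=Example Issuing CA" -keyout inter/key.pem -out inter/csr.pem 2>/dev/null
    openssl ca -batch -notext -config root/ca.cnf -extensions v3_ca \
        -in inter/csr.pem -out inter/cert.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config inter/ca.cnf \
        -subj "/CN=www.example.com" -keyout leaf/key.pem -out leaf/csr.pem 2>/dev/null
    openssl ca -batch -notext -config inter/ca.cnf -extensions v3_leaf \
        -in leaf/csr.pem -out leaf/cert.pem 2>/dev/null
    openssl ca -config root/ca.cnf -gencrl -out root/crl.pem 2>/dev/null
    openssl ca -config inter/ca.cnf -gencrl -out inter/crl.pem 2>/dev/null
)

# verify_leaf <dir> <pem files...>: concatenate the given CA certs and CRLs
# into one -CAfile bundle (what the post does) and verify the leaf against it.
# Returns openssl's exit status: 0 only when the leaf verifies cleanly.
verify_leaf() (
    cd "$1" && shift
    cat "$@" > bundle.pem
    openssl verify -CAfile bundle.pem -crl_check_all -purpose sslserver leaf/cert.pem
)

# revoke_leaf <dir>: revoke the leaf on the intermediate and reissue its CRL.
revoke_leaf() (
    cd "$1"
    openssl ca -config inter/ca.cnf -revoke leaf/cert.pem 2>/dev/null
    openssl ca -config inter/ca.cnf -gencrl -out inter/crl.pem 2>/dev/null
)

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
setup_pki "$PKI"
echo "# every CA cert and every CRL in -CAfile: OK"
verify_leaf "$PKI" root/cert.pem root/crl.pem inter/cert.pem inter/crl.pem
echo "# intermediate CRL missing: unable to get certificate CRL (depth 0)"
verify_leaf "$PKI" root/cert.pem root/crl.pem inter/cert.pem || true
echo "# root CRL missing: fails as well, -crl_check_all covers the root too"
verify_leaf "$PKI" root/cert.pem inter/cert.pem inter/crl.pem || true
echo "# leaf revoked and intermediate CRL reissued: certificate revoked"
revoke_leaf "$PKI"
verify_leaf "$PKI" root/cert.pem root/crl.pem inter/cert.pem inter/crl.pem || true
```

Plain -crl_check would only need the intermediate's CRL, because it checks the leaf alone; the third case is the practical difference -crl_check_all makes, and it is why the post's bundle carries a CRL for selfsign-ca-2 (the root) as well.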

It looks as though -attime was added and then removed again shortly afterwards, surviving only in the change log and the man page. I could not find out why, and wonder whether it will come back. For anyone who needs a point-in-time check today: OpenSSL 1.1.0 and later honour -attime (it takes seconds since the Unix epoch, as the man page says), and those releases also accept CRLs from a separate file via -CRLfile (note the capitals) in addition to the -CAfile trick used above.
