ruby – 如何以编程方式检查证书是否已被撤销？

检查证书是否被撤销可能是一个复杂的过程.首先,您必须查找CDP或OCSP AIA,然后发出请求,解析响应,并检查响应是否由有权响应相关证书的CA签署.如果是CRL,则需要查看列表中是否存在您正在检查的证书的序列号.如果它是OCSP,那么您需要查看您是否收到了“良好”响应(而不是未知,已撤销或任何OCSP响应者错误,如未经授权).此外,您可能需要验证证书是否在其有效期内,并链接到受信任的根.最后,您还应对每个中间人进行撤销检查,并根据Mozilla / Apple / Google / Microsoft维护的明确黑名单检查证书的指纹.

我不知道任何Ruby库为你自动化撤销检查过程(最终我希望将它添加到r509),但是考虑到你的更具体的用例,这里有一些未经测试的代码应该指向正确的方向.

require 'r509'
require 'net/http'
cert = R509::Cert.load_from_file("some_iphone_cert.pem")
crl_uri = cert.crl_distribution_points.crl.uris[0]
crl = Net::HTTP.get_response(URI(crl_uri)) # you may need to follow redirects here,but let's assume you got the CRL.
# Also note that the Apple WWDRCA CRL is like 28MB so you may want to cache this damned thing. OCSP would be nicer but it's a bit trickier to validate.
parsed_crl = R509::CRL::SignedList.new(crl)
if not parsed_crl.verify(cert.public_key)
  raise StandardError,"Invalid CRL for certificate"
end
if parsed_crl.revoked?(cert.serial)
  puts 'revoked'
end

不幸的是,由于Apple WWDRCA CRL的大小(~680k条目),使用r509的当前哈希映射模型,这种检查可能会非常慢.

如果您对沿着OCSP路径感兴趣,我可以编写如何在Ruby中生成OCSP请求/解析响应.

编辑：看来iPhone开发人员证书我没有包含嵌入式OCSP AIA,因此撤销检查的唯一选择是通过CRL分发点,如上所示.

编辑2：哦,为什么不呢,让我们在Ruby中进行OCSP检查！为此,我们需要证书及其颁发证书.您不能使用WWDRCA证书,因此只需从您喜欢的网站上获取一个.我正在使用自己的网站.

require 'net/http'
require 'r509'
cert = R509::Cert.load_from_file("my_website.pem")
# get the first OCSP AIA URI. There can be more than one 
# (degenerate example!)
ocsp_uri = cert.aia.ocsp.uris[0]
issuer = R509::Cert.load_from_file("my_issuer.pem")
cert_id = OpenSSL::OCSP::CertificateId.new(cert.cert,issuer.cert)
request = OpenSSL::OCSP::Request.new
request.add_certid(cert_id)
# we're going to make a GET request per RFC 5019. You can also POST the 
# binary DER encoded version if you're more of an RFC 2560 partisan
request_uri = URI(ocsp_uri+"/"+URI.encode_www_form_component(req_pem.strip)
http_response = Net::HTTP.get_response(request_uri)
if http_response.code != "200"
  raise StandardError,"Invalid response code from OCSP responder"
end
response = OpenSSL::OCSP::Response.new(http_response.body)
if response.status != 0
  raise StandardError,"Not a successful status"
end
if response.basic[0][0].serial != cert.serial
  raise StandardError,"Not the same serial"
end
if response.basic[0][1] != 0 # 0 is good,1 is revoked,2 is unknown.
  raise StandardError,"Not a good status"
end
current_time = Time.now
if response.basic[0][4] > current_time or response.basic[0][5] < current_time
  raise StandardError,"The response is not within its validity window"
end
# we also need to verify that the OCSP response is signed by 
# a certificate that is allowed and chains up to a trusted root. 
# To do this you'll need to build an OpenSSL::X509::Store object 
# that contains the certificate you're checking + intermediates + root.
store = OpenSSL::X509::Store.new
store.add_cert(cert.cert)
store.add_cert(issuer.cert) #assuming issuer is a trusted root here,but in reality you'll need at least one more certificate
if response.basic.verify([],store) != true
  raise StandardError,"Certificate verification error"
end

上面的示例代码忽略了处理许多可能的边缘情况,因此它应该仅被视为起点.祝好运！