I'm getting a bit desperate about this...
I am implementing an OCSP checking service, based mainly on these two examples:
http://docs.ruby-lang.org/en/2.2.0/OpenSSL/OCSP.html
How to programmatically check whether a certificate has been revoked?
I have already verified the validity of my request with the openssl client:
openssl ocsp -issuer ISSUER_OF_TESTCERT.pem.crt -cert TESTCERT.pem.crt -url http://url.of.ocspservice/ocsp -VAfile SIGNING_CERT_OF_OCSP_SERVICE_RESPONSE.pem.crt
which gives me:
Response verify OK
TESTCERT.pem.crt good
This Update: <timestamp>
Using Ruby's openssl API I also get a positive response, 200 OK.
But as soon as I want to verify the response, I get
warning: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found
So this is how I try to verify the response:
# instantiate an ocsp response object from the http response body (side note: instantiating a BasicResponse object directly lets irb segfault in the strangest way)
response = OpenSSL::OCSP::Response.new http_response.body
# transform into BasicResponse
basic_response = response.basic
# instantiate certificate store
cert_store = OpenSSL::X509::Store.new
# add the ocsp responder's cert and its root ca cert
cert_store.add_file('ocsp_cert')
cert_store.add_file('ocsp_cert_root')
# finally the verification
basic_response.verify([], cert_store)
# result:
=> OCSP routines:OCSP_basic_verify:signer certificate not found
When I try to add a certificate twice, I do get the expected error:
# instantiate certificate store
cert_store = OpenSSL::X509::Store.new
# double-add the ocsp responder's cert and its root ca cert
cert_store.add_file('ocsp_cert')
cert_store.add_file('ocsp_cert')
# result:
=> cert already in hash table (OpenSSL::X509::StoreError)
I don't know how to troubleshoot this, since I am not good at reading the source of these functions. Which leads me to my questions:
1. Is there a way to dump and analyze the contents of said hash table, so I can be sure the right certificates got loaded?
2. Am I missing something obvious here?
Thanks for any input and feedback.
FYI, the system against which I am trying to verify certificates is the OCSP responder of the Estonian ID card certificate centre.