
We need to implement client certificate validity checks in an ASP.NET Core 2.X application that is dockerized and runs under Linux. In particular, we are interested in the certificate's revocation status. This validation is implemented using X509Chain and works as expected.

using System.Security.Cryptography.X509Certificates;

// Build the chain with online revocation checking for every certificate in it.
var chain = new X509Chain();
var chainPolicy = new X509ChainPolicy
{
    RevocationMode = X509RevocationMode.Online,      // fetch CRL/OCSP over the network
    RevocationFlag = X509RevocationFlag.EntireChain  // check the leaf and every issuer
};
chain.ChainPolicy = chainPolicy;
...

Dockerfile

FROM mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim AS base
WORKDIR /app
EXPOSE 80

FROM mcr.microsoft.com/dotnet/core/sdk:2.2-stretch AS build
....

However, we have requirements on the expiry time of our application's CRL cache. It looks like Linux (I assume it is Debian for the mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim image) caches CRLs by default: the first request takes about 150 ms, and the following requests are handled almost immediately (unfortunately, I could not find any available information confirming this observation).

What is the default CRL cache time in Linux (Debian)? Is it possible to change it? Is there a way to inspect the cached CRL list?

Is it possible to clear the CRL cache like in Windows?

certutil -urlcache * delete

The Linux certificate utility dirmngr does not seem to be part of the mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim base image for ASP.NET Core 2.2 applications.

1 Answer

Since it is .NET Core, it is open source; have you looked at the source code on GitHub? There you can find the call to CrlCache, which shows where the data is stored:

namespace Internal.Cryptography.Pal
{
    internal static class CrlCache
    {
        // Cache directory resolved once: <user product dir>/cryptography/crls
        private static readonly string s_crlDir =
            PersistedFiles.GetUserFeatureDirectory(
                X509Persistence.CryptographyFeatureName,
                X509Persistence.CrlsSubFeatureName);

    internal static class X509Persistence
    {
        internal const string CryptographyFeatureName = "cryptography";
        internal const string X509StoresSubFeatureName = "x509stores";
        internal const string CrlsSubFeatureName = "crls";
        internal const string OcspSubFeatureName = "ocsp";
    }
...
        // PersistedFiles: the per-user product directory is <HOME>/.dotnet/corefx
        internal const string TopLevelDirectory = "dotnet";
        internal const string TopLevelHiddenDirectory = "." + TopLevelDirectory;
        internal const string SecondLevelDirectory = "corefx";
...
        internal static string GetUserFeatureDirectory(params string[] featurePathParts)
        {
            Debug.Assert(featurePathParts != null);
            Debug.Assert(featurePathParts.Length > 0);

            if (s_userProductDirectory == null)
            {
                EnsureUserDirectories();
            }

            return Path.Combine(s_userProductDirectory, Path.Combine(featurePathParts));
        }

        private static void EnsureUserDirectories()
        {
            string userHomeDirectory = GetHomeDirectory();

            // Without HOME the product directory cannot be resolved at all.
            if (string.IsNullOrEmpty(userHomeDirectory))
            {
                throw new InvalidOperationException(SR.PersistedFiles_NoHomeDirectory);
            }

            s_userProductDirectory = Path.Combine(
                userHomeDirectory,
                TopLevelHiddenDirectory,
                SecondLevelDirectory);
        }

        internal static string GetHomeDirectory()
        {
            // First try to get the user's home directory from the HOME environment variable.
            // This should work in most cases.
            string userHomeDirectory = Environment.GetEnvironmentVariable("HOME");

So the path should be $HOME/.dotnet/corefx/cryptography/crls

Answered 2019-04-17T19:02:49.260
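The following is an added example, not code from the question or the answer. It does on Linux what the question asks for, using the directory the answer derives: list what is cached (so you can see when each entry stops being used) and clear the cache, the counterpart of certutil -urlcache * delete on Windows. The directory $HOME/.dotnet/corefx/cryptography/crls comes from the answer; the further assumption that each file holds a single CRL, stored as PEM and reused until its Next Update time, is from my reading of the corefx CrlCache source and is not stated on this page, so check it against the runtime version you ship.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Inspect and clear the on-disk CRL cache that .NET Core keeps on Linux.
#
# Assumptions (not stated on the page; from my reading of the corefx CrlCache
# source, so verify against the runtime you ship):
#   - cache directory: $HOME/.dotnet/corefx/cryptography/crls (per the answer)
#   - one file per issuer, holding a single CRL, reused until its Next Update
#     time passes; there is no separate TTL setting to tune
# Run as the same user (same HOME) as the dotnet process.

CRL_CACHE_DIR="${CRL_CACHE_DIR:-$HOME/.dotnet/corefx/cryptography/crls}"

# Decode one cached CRL with openssl: try PEM first, then DER.
describe_crl() {
    openssl crl -in "$1" -noout -issuer -lastupdate -nextupdate 2>/dev/null ||
        openssl crl -in "$1" -inform DER -noout -issuer -lastupdate -nextupdate 2>/dev/null ||
        echo "(not decodable as a CRL)"
    return 0
}

# Print every cached entry. The nextUpdate line is when the runtime stops using
# the cached copy and fetches a fresh one, i.e. the "cache expiry" asked about.
list_crl_cache() {
    dir="${1:-$CRL_CACHE_DIR}"
    [ -d "$dir" ] || { echo "no CRL cache directory at $dir"; return 0; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        echo "$f"
        if command -v openssl >/dev/null 2>&1; then
            describe_crl "$f" | sed 's/^/    /'
        else
            ls -l "$f" | sed 's/^/    /'
        fi
    done
    return 0
}

# Number of files in the cache (what list/clear operate on); 0 if absent.
count_crl_cache() {
    dir="${1:-$CRL_CACHE_DIR}"
    n=0
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            [ -f "$f" ] && n=$((n + 1))
        done
    fi
    echo "$n"
}

# Drop every cached CRL so the next X509Chain.Build with RevocationMode = Online
# downloads fresh copies from the CRL distribution point; the Linux counterpart
# of `certutil -urlcache * delete`.
clear_crl_cache() {
    dir="${1:-$CRL_CACHE_DIR}"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] && rm -f -- "$f"
    done
    return 0
}

# Usage inside the container, as the app user:
#   list_crl_cache
#   clear_crl_cache
```

In a container the path depends on the HOME of the user the dotnet process runs as (root's HOME in the aspnet image is /root), so run these as that user or pass the directory explicitly; the corefx excerpt above also shows that an empty HOME makes the directory lookup throw, so a process started without HOME will not be caching here at all.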