openssl verify's attime and crl_check_all options


  • openssl verify appears to offer a whole range of certificate-verification options, but the man page and the -help output disagree
  • The man page's attime option, which validates a certificate as of a given point in time, looked handy, but I could not get it to do anything here. It is not actually absent, though: the -help output below lists `-attime timestamp`, and the argument is seconds since the UNIX epoch (see the note at the end)
  • The man page's crlfile option is not in -help either, but -CAfile can stand in for it (the CRLs go into the same file as the CA certificates), and -crl_check/-crl_check_all themselves work
$ openssl version
OpenSSL 1.0.2g  1 Mar 2016

The man page lists a number of handy-looking options. Here I tried to use attime and crl_check_all.

$ man verify
SYNOPSIS
       openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-policy arg]
       [-ignore_critical] [-attime timestamp] [-check_ss_sig] [-crlfile file] [-crl_download]
       [-crl_check] [-crl_check_all] [-policy_check] [-explicit_policy] [-inhibit_any]
       [-inhibit_map] [-x509_strict] [-extended_crl] [-use_deltas] [-policy_print]
       [-no_alt_chains] [-untrusted file] [-help] [-issuer_checks] [-trusted file] [-verbose] [-]
       [certificates]

DESCRIPTION
       The verify command verifies certificate chains.

COMMAND OPTIONS
...
       -crlfile file
           File containing one or more CRL's (in PEM format) to load.
...
       -attime timestamp
           Perform validation checks using time specified by timestamp and not current system
           time. timestamp is the number of seconds since 01.01.1970 (UNIX time).
...
       -crl_check_all
           Checks the validity of all certificates in the chain by attempting to look up valid
           CRLs.

...

The command's own help. Fewer options than the man page?

$ openssl verify -help

usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
    sslclient   SSL client
    sslserver   SSL server
    nssslserver Netscape SSL server
    smimesign   S/MIME signing
    smimeencrypt    S/MIME encryption
    crlsign     CRL signing
    any         Any Purpose
    ocsphelper  OCSP helper
    timestampsign   Time Stamp signing

attime I could not do anything with, but crl_check_all did work once the CRLs were put into the CAfile alongside the CA certificates. Two details make this work: the file lookup behind -CAfile loads PEM "X509 CRL" blocks as well as certificates, so a CRL concatenated into that file is found during the CRL check; and -crl_check_all looks up a CRL for every certificate in the chain, the self-signed root included, so the bundle below carries the CRL of each of the three CAs (selfsign-ca-2, the cross-signed selfsign-ca-1, and server-ca-1), not just the one that issued the server certificate.

$ #cross root:OldWithNew
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/cacert.pem  > /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/selfsign-ca-2/crl.pem    >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/certs/selfsign-ca-1/cert.pem  >> /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/selfsign-ca-1/crl.pem    >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/server-ca-1/cacert.pem   >> /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/server-ca-1/crl.pem      >> /tmp/$$.pem
$ openssl verify -CAfile /tmp/$$.pem -crl_check_all -purpose sslserver -issuer_checks -verbose ./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem 
./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem: OK
$ rm -f /tmp/$$.pem

Leaving the server-ca-1 CRL out of the CAfile makes verification fail with "unable to get certificate CRL" at depth 0, so the OK above really is the result of a CRL check and not a false positive.

$ #cross root:OldWithNew
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/cacert.pem  > /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/selfsign-ca-2/crl.pem    >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/selfsign-ca-2/certs/selfsign-ca-1/cert.pem  >> /tmp/$$.pem
$ openssl crl  -outform PEM -in $(pwd)/ca/selfsign-ca-1/crl.pem    >> /tmp/$$.pem
$ openssl x509 -outform PEM -in $(pwd)/ca/server-ca-1/cacert.pem   >> /tmp/$$.pem
$ #openssl crl  -outform PEM -in $(pwd)/ca/server-ca-1/crl.pem      >> /tmp/$$.pem
$ openssl verify -CAfile /tmp/$$.pem -crl_check_all -purpose sslserver -issuer_checks -verbose ./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem 
./ca/server-ca-1/certs/581BD4AC-www.example.com/cert.pem: CN = www.example.com
error 3 at 0 depth lookup:unable to get certificate CRL
$ rm -f /tmp/$$.pem
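The same procedure as a self-contained script, added here as an example; it is not code from the original post. Instead of the CA directories above it builds its own root -> intermediate -> leaf chain with EC keys in a temporary directory (every CN, file name and path in it is made up for the demonstration), issues one CRL per CA with openssl ca, and then runs four checks: the full bundle passing -crl_check_all, the "unable to get certificate CRL" failure when the intermediate's CRL is left out, a -attime check at a time before the certificates' notBefore, and the leaf after revocation. It needs only the openssl command and sh.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway root ->
# intermediate -> leaf chain with one CRL per CA, then show how `openssl verify
# -crl_check_all` and -attime behave. All names and paths here are made up.
set -e

# One config file for `openssl req`, the CA-certificate extensions, and two
# `openssl ca` sections (root_ca / sub_ca, selected with -name).
write_cnf() {
  cat > "$PKI/pki.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  for ca in root sub; do
    mkdir -p "$PKI/$ca" && : > "$PKI/$ca/index.txt"
    echo 01 > "$PKI/$ca/crlnumber"
    cat >> "$PKI/pki.cnf" <<EOF
[ ${ca}_ca ]
database = $PKI/$ca/index.txt
crlnumber = $PKI/$ca/crlnumber
certificate = $PKI/$ca.pem
private_key = $PKI/$ca.key
default_md = sha256
default_crl_days = 30
EOF
  done
}

pki_setup() {
  PKI=$(mktemp -d)
  write_cnf
  for name in root sub leaf; do   # P-256 keys keep generation fast
    openssl ecparam -name prime256v1 -genkey -noout -out "$PKI/$name.key"
    openssl req -new -config "$PKI/pki.cnf" -key "$PKI/$name.key" \
      -subj "/CN=Example $name" -out "$PKI/$name.csr" 2>/dev/null
  done
  # Self-signed root and root-signed intermediate, both CA:TRUE with cRLSign.
  openssl x509 -req -in "$PKI/root.csr" -signkey "$PKI/root.key" -days 365 -sha256 \
    -extfile "$PKI/pki.cnf" -extensions ca_ext -out "$PKI/root.pem" 2>/dev/null
  openssl x509 -req -in "$PKI/sub.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$PKI/pki.cnf" -extensions ca_ext \
    -out "$PKI/sub.pem" 2>/dev/null
  openssl x509 -req -in "$PKI/leaf.csr" -CA "$PKI/sub.pem" -CAkey "$PKI/sub.key" \
    -CAcreateserial -days 365 -sha256 -out "$PKI/leaf.pem" 2>/dev/null
  # -crl_check_all wants a CRL for every chain certificate, the root included.
  for ca in root sub; do
    openssl ca -config "$PKI/pki.cnf" -name "${ca}_ca" -gencrl -out "$PKI/$ca.crl" 2>/dev/null
  done
}

# The file lookup behind -CAfile loads "X509 CRL" PEM blocks too: concatenating
# the CRLs into the bundle is what stands in for -crlfile.
bundle() { cat "$@" > "$PKI/bundle.pem"; }

# Verify the leaf against the current bundle; print the output, keep the status.
vfy() { openssl verify -CAfile "$PKI/bundle.pem" "$@" "$PKI/leaf.pem" 2>&1; }
# Succeed only if vfy fails AND its output contains $1 (the rest are vfy flags).
expect_fail() {
  want=$1; shift
  if out=$(vfy "$@"); then return 1; fi
  printf '%s\n' "$out"
  case $out in *"$want"*) return 0 ;; esac
  return 1
}

# 1. Certificates and CRLs for the whole chain in -CAfile -> "OK".
check_crl_ok() {
  bundle "$PKI/root.pem" "$PKI/root.crl" "$PKI/sub.pem" "$PKI/sub.crl"
  vfy -crl_check_all
}

# 2. Intermediate's CRL left out -> error 3 at depth 0, as in the post.
check_crl_missing() {
  bundle "$PKI/root.pem" "$PKI/root.crl" "$PKI/sub.pem"
  expect_fail "unable to get certificate CRL" -crl_check_all
}

# 3. -attime takes UNIX-epoch seconds; 1000000000 (2001-09-09) predates notBefore.
check_attime() {
  bundle "$PKI/root.pem" "$PKI/sub.pem"
  expect_fail "not yet valid" -attime 1000000000
}

# 4. Revoke the leaf and reissue the intermediate's CRL -> "certificate revoked".
check_revoked() {
  openssl ca -config "$PKI/pki.cnf" -name sub_ca -revoke "$PKI/leaf.pem" >/dev/null 2>&1
  openssl ca -config "$PKI/pki.cnf" -name sub_ca -gencrl -out "$PKI/sub.crl" 2>/dev/null
  bundle "$PKI/root.pem" "$PKI/root.crl" "$PKI/sub.pem" "$PKI/sub.crl"
  expect_fail "certificate revoked" -crl_check_all
}

pki_setup
check_crl_ok; check_crl_missing; check_attime; check_revoked
rm -rf "$PKI"
```

The -attime check deliberately picks a time before notBefore rather than after notAfter: the 1.0.2 verify command's callback treats "certificate has expired" (error 10) as a warning and still reports OK, whereas "certificate is not yet valid" (error 9) is fatal, so it is the unambiguous way to see that -attime is being honoured. The -purpose sslserver and -issuer_checks flags from the runs above are left out because they do not affect the CRL lookup.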

At first glance attime looks like an option that was added and removed right away, surviving only in the changelog and the man page, but the commit pair below says otherwise: the 14 Dec 2011 commit backs the change out as redundant, meaning -attime was already handled elsewhere. In 1.0.x the verification flags are parsed by a helper shared with other openssl subcommands, which is also why the -help usage line is shorter than the man page: -crl_check_all and -issuer_checks are not in it either, yet the commands above accept them. So -attime, given as seconds since the UNIX epoch as the man page states, should be available in 1.0.2g. I could not find out the background.
- Commits on Dec 13, 2011 Make it possible to set a time for verification.
- Commits on Dec 14, 2011 Back out redundant verification time change.