実際に発行されている CRL に条件を近づけてみる
前回,CRL の処理をだらだらと書いてみたわけですが,http で公開されている CRL を見てみると,Extensions が無いか,
または,Extensions が含まれていても,CRL Number と Authority Key Identifier の 2 つを含むだけであり,
Issuing Distrubution Point は含まれていないことが多いようです
そこで,前回の処理から Issuing Distribution Point を省いた場合の処理を追ってみます
また,証明書の cRLDistributionPoitns に Reasons が含まれていないことが多いようです
つまり,CRL は分割されずに,1 つの Distirbution Point の CRL が全ての失効理由を扱うことになります
条件
- delta CRL は使用しない
- 検証対象の証明書は,Root CA 証明書から直接発行されている
- CRL は,Root CA 証明書から直接発行されている
- 対象の証明書を検証する CRL の入手先は 1 つだけとする
- 下記で示す証明書と,CRL を使用する
- CRL は Issuing Distribution Point Extension を含まない
- 証明書の cRLDistributionPoints Extension の DistributionPoint に Reasons を含まない
Root CA 証明書
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, CN=CA
Validity
Not Before: Dec 19 15:58:24 2012 GMT
Not After : Jan 31 06:00:00 2013 GMT
Subject: C=JP, CN=CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b3:df:e2:43:87:62:c1:dd:4c:e9:5c:1e:0a:43:
a4:37:78:a5:f3:70:3c:f4:cb:9a:b4:8d:a1:9a:c8:
76:47:dc:f0:f7:f6:f7:d2:bf:7c:f4:76:c0:80:fb:
f2:e8:b8:8e:7d:86:5d:09:66:7e:ff:79:4f:38:f5:
0f:1d:1b:fe:8a:16:62:38:0f:e7:09:26:15:f9:b6:
36:21:b1:93:f2:b8:a1:41:9a:34:97:cf:75:fd:f3:
a3:de:55:09:f5:5c:ba:56:07:32:b3:f4:95:38:5b:
60:59:83:a1:7b:cd:36:9c:b9:f1:4b:df:74:40:a4:
0c:09:cf:88:74:a3:75:3a:54:b8:e1:15:b8:99:ce:
2f:89:ff:41:7e:5b:32:56:74:ce:1c:c3:80:44:aa:
99:ff:3a:36:56:14:3a:74:cf:da:4d:62:28:70:35:
9e:9b:5a:e4:81:1b:3e:d0:a9:e0:53:02:41:e3:28:
a9:ef:15:01:48:0a:0c:a1:cb:16:90:38:c4:8c:ea:
8e:f9:0c:95:c2:1f:3c:ec:22:c9:76:b6:7b:2c:60:
ff:d5:fd:80:3c:91:ca:5a:20:e2:94:01:0e:dd:e1:
3f:e5:5c:8f:c4:a3:ed:fb:66:14:b3:2a:42:47:37:
dd:dc:6b:57:24:58:ac:e7:2d:67:15:be:cf:94:ae:
a5:ff
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Subject Key Identifier:
4C:1E:86:57:FC:A7:D6:EB:73:B1:F3:CA:52:E4:FE:77:2A:0A:C0:7C
X509v3 Authority Key Identifier:
keyid:4C:1E:86:57:FC:A7:D6:EB:73:B1:F3:CA:52:E4:FE:77:2A:0A:C0:7C
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
16:a0:c7:a0:fc:c2:7d:ad:f4:c7:4c:11:78:a7:e1:0e:ac:ed:
d8:d2:f8:91:81:27:72:44:cd:19:a4:03:a7:ca:0b:e8:49:5e:
8d:9f:a7:2a:39:6c:2a:f1:af:16:ee:b0:1b:fd:5a:56:e6:74:
fa:56:80:11:d1:5f:6e:96:89:91:c9:85:cf:0e:a8:a5:cb:52:
23:64:d6:97:ac:15:e4:c9:03:1e:03:b8:c9:86:ea:e8:0f:e2:
a4:ef:00:cc:61:09:b5:c9:4a:18:07:f9:4c:08:ee:3a:60:92:
8e:5d:d0:43:ad:e7:df:56:5a:c0:d8:5e:92:58:1c:0c:50:a6:
bb:54:fc:1f:e6:32:9b:ed:43:b7:f1:31:53:44:54:d9:4b:4f:
37:3e:0b:f3:12:c1:0c:d2:db:08:0d:2a:18:84:a5:2a:67:3b:
ac:4a:7f:de:38:95:98:d3:5a:9a:e3:eb:10:71:f1:6e:47:b2:
09:41:da:cd:ec:16:2a:b3:16:94:dd:b5:c5:71:03:28:67:19:
a8:c2:09:ab:35:d5:69:03:86:24:f2:b1:7a:4b:49:d5:1d:cf:
be:cb:19:bd:4f:d2:56:25:c8:6a:31:46:f2:14:a3:93:39:20:
f6:ee:0d:8c:e8:cb:df:99:95:f7:4b:7f:9b:f7:9f:39:59:9c:
69:62:56:3f
-----BEGIN CERTIFICATE-----
MIIDEDCCAfigAwIBAgIBATANBgkqhkiG9w0BAQUFADAaMQswCQYDVQQGEwJKUDEL
MAkGA1UEAwwCQ0EwHhcNMTIxMjE5MTU1ODI0WhcNMTMwMTMxMDYwMDAwWjAaMQsw
CQYDVQQGEwJKUDELMAkGA1UEAwwCQ0EwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAw
ggEIAoIBAQCz3+JDh2LB3UzpXB4KQ6Q3eKXzcDz0y5q0jaGayHZH3PD39vfSv3z0
dsCA+/LouI59hl0JZn7/eU849Q8dG/6KFmI4D+cJJhX5tjYhsZPyuKFBmjSXz3X9
86PeVQn1XLpWBzKz9JU4W2BZg6F7zTacufFL33RApAwJz4h0o3U6VLjhFbiZzi+J
/0F+WzJWdM4cw4BEqpn/OjZWFDp0z9pNYihwNZ6bWuSBGz7QqeBTAkHjKKnvFQFI
CgyhyxaQOMSM6o75DJXCHzzsIsl2tnssYP/V/YA8kcpaIOKUAQ7d4T/lXI/Eo+37
ZhSzKkJHN93ca1ckWKznLWcVvs+UrqX/AgEDo2MwYTAdBgNVHQ4EFgQUTB6GV/yn
1utzsfPKUuT+dyoKwHwwHwYDVR0jBBgwFoAUTB6GV/yn1utzsfPKUuT+dyoKwHww
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD
ggEBABagx6D8wn2t9MdMEXin4Q6s7djS+JGBJ3JEzRmkA6fKC+hJXo2fpyo5bCrx
rxbusBv9WlbmdPpWgBHRX26WiZHJhc8OqKXLUiNk1pesFeTJAx4DuMmG6ugP4qTv
AMxhCbXJShgH+UwI7jpgko5d0EOt599WWsDYXpJYHAxQprtU/B/mMpvtQ7fxMVNE
VNlLTzc+C/MSwQzS2wgNKhiEpSpnO6xKf944lZjTWprj6xBx8W5HsglB2s3sFiqz
FpTdtcVxAyhnGajCCas11WkDhiTysXpLSdUdz77LGb1P0lYlyGoxRvIUo5M5IPbu
DYzoy9+ZlfdLf5v3nzlZnGliVj8=
-----END CERTIFICATE-----
end entity 証明書
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2416150925 (0x9003898d)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, CN=CA
Validity
Not Before: Dec 19 15:58:24 2012 GMT
Not After : Jan 21 06:00:00 2013 GMT
Subject: C=JP, CN=end entity
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:58:76:85:6e:d3:07:7d:4e:50:b7:40:ba:60:
36:5e:0d:5a:e0:47:9b:f9:43:ad:09:8f:2d:60:2f:
5f:dd:f5:dd:f0:0a:b3:2f:1f:bb:4a:df:48:54:5c:
9a:b2:1e:9f:e8:3f:4a:a9:8d:52:3b:ba:9c:c5:a5:
66:31:1c:5e:36:ef:41:a3:5e:16:74:b3:31:1c:82:
be:b6:d2:75:94:bb:fd:fc:96:67:f9:7f:b2:43:26:
ab:93:76:35:96:e2:f6:1b:58:8e:c4:90:62:44:0e:
01:dd:14:84:e8:e5:38:6d:ec:ba:f6:8d:e3:0a:61:
ea:d4:b4:d2:df:38:34:c4:e8:dc:35:8f:ef:70:b4:
5e:61:34:1d:1b:b1:97:f0:5b:fc:c7:d8:e3:37:52:
3f:cc:cd:f5:da:32:af:c4:f1:48:95:2a:f0:6a:67:
7c:38:dd:8c:5e:c8:90:99:f3:e9:a3:f2:99:f0:90:
a0:5e:d3:33:14:cf:0f:34:4b:f8:4e:f9:cd:18:a2:
1a:2f:85:e0:21:d6:4d:00:04:47:e5:5f:b5:68:97:
20:5b:3a:67:50:74:1b:46:81:eb:64:6e:4f:b3:ec:
55:7e:a9:f5:87:1b:78:75:3b:77:60:b2:49:15:bf:
f3:e2:db:92:f1:25:56:50:d4:ed:17:1a:ba:fa:39:
9e:05
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Subject Key Identifier:
4E:14:00:73:08:C8:D4:13:0B:EC:E7:1C:AF:5E:A1:5E:81:84:0B:90
X509v3 Authority Key Identifier:
keyid:4C:1E:86:57:FC:A7:D6:EB:73:B1:F3:CA:52:E4:FE:77:2A:0A:C0:7C
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://example.com/example.crl
Signature Algorithm: sha1WithRSAEncryption
22:1d:ae:06:b4:5d:e7:22:3b:b2:9e:fb:7b:0a:30:0d:15:d6:
10:84:c3:9c:90:ad:45:09:fc:f9:a4:87:42:78:aa:b1:94:94:
1c:26:d4:34:4a:44:24:02:7b:00:5e:69:cf:ab:c7:b0:57:be:
ac:c2:da:e9:3d:ef:a0:30:e4:8d:da:57:95:27:81:57:72:8a:
7d:fa:f2:0d:28:4c:4e:0f:f7:cd:7f:fe:fa:8a:4c:5e:f2:5d:
8c:ed:6f:58:64:21:97:97:17:b2:a9:d5:53:15:51:02:78:e2:
b4:67:48:ef:0e:da:b8:ac:69:49:c9:40:61:22:23:24:90:4f:
cf:30:55:de:a8:e5:11:e0:03:cb:4c:bf:4d:b8:53:57:e2:6b:
20:80:82:c6:09:b2:58:ff:b5:f6:67:6c:75:63:c7:c9:8e:fe:
cf:f4:7a:2d:a7:f0:2d:02:b3:05:4e:85:48:c2:9f:a7:b2:bf:
4a:a2:97:a7:20:c8:cc:5c:ed:bb:3a:4c:08:da:32:c0:c6:7f:
28:0b:f8:2a:ba:61:90:53:50:3c:b5:28:e4:60:87:ad:f3:12:
44:4d:47:4d:81:87:9b:f4:d4:6f:cd:0f:3a:a9:c7:a6:e2:d4:
45:a1:bb:93:a3:20:1d:c7:19:d2:e3:c4:85:cd:1a:13:38:fb:
75:56:b2:c3
-----BEGIN CERTIFICATE-----
MIIDUTCCAjmgAwIBAgIFAJADiY0wDQYJKoZIhvcNAQEFBQAwGjELMAkGA1UEBhMC
SlAxCzAJBgNVBAMMAkNBMB4XDTEyMTIxOTE1NTgyNFoXDTEzMDEyMTA2MDAwMFow
IjELMAkGA1UEBhMCSlAxEzARBgNVBAMMCmVuZCBlbnRpdHkwggEgMA0GCSqGSIb3
DQEBAQUAA4IBDQAwggEIAoIBAQDDWHaFbtMHfU5Qt0C6YDZeDVrgR5v5Q60Jjy1g
L1/d9d3wCrMvH7tK30hUXJqyHp/oP0qpjVI7upzFpWYxHF4270GjXhZ0szEcgr62
0nWUu/38lmf5f7JDJquTdjWW4vYbWI7EkGJEDgHdFITo5Tht7Lr2jeMKYerUtNLf
ODTE6Nw1j+9wtF5hNB0bsZfwW/zH2OM3Uj/MzfXaMq/E8UiVKvBqZ3w43YxeyJCZ
8+mj8pnwkKBe0zMUzw80S/hO+c0YohovheAh1k0ABEflX7VolyBbOmdQdBtGgetk
bk+z7FV+qfWHG3h1O3dgskkVv/Pi25LxJVZQ1O0XGrr6OZ4FAgEDo4GXMIGUMB0G
A1UdDgQWBBROFABzCMjUEwvs5xyvXqFegYQLkDAfBgNVHSMEGDAWgBRMHoZX/KfW
63Ox88pS5P53KgrAfDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMC
MC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9leGFtcGxlLmNvbS9leGFtcGxlLmNy
bDANBgkqhkiG9w0BAQUFAAOCAQEAIh2uBrRd5yI7sp77ewowDRXWEITDnJCtRQn8
+aSHQniqsZSUHCbUNEpEJAJ7AF5pz6vHsFe+rMLa6T3voDDkjdpXlSeBV3KKffry
DShMTg/3zX/++opMXvJdjO1vWGQhl5cXsqnVUxVRAnjitGdI7w7auKxpSclAYSIj
JJBPzzBV3qjlEeADy0y/TbhTV+JrIICCxgmyWP+19mdsdWPHyY7+z/R6LafwLQKz
BU6FSMKfp7K/SqKXpyDIzFztuzpMCNoywMZ/KAv4KrphkFNQPLUo5GCHrfMSRE1H
TYGHm/TUb80POqnHpuLURaG7k6MgHccZ0uPEhc0aEzj7dVayww==
-----END CERTIFICATE-----
CRL
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=JP/CN=CA
Last Update: Dec 19 15:58:24 2012 GMT
Next Update: Dec 21 06:00:00 2012 GMT
CRL extensions:
X509v3 CRL Number:
1
X509v3 Authority Key Identifier:
keyid:4C:1E:86:57:FC:A7:D6:EB:73:B1:F3:CA:52:E4:FE:77:2A:0A:C0:7C
Revoked Certificates:
Serial Number: 01
Revocation Date: Dec 19 15:58:24 2012 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 9003898D
Revocation Date: Dec 19 15:58:24 2012 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Signature Algorithm: sha1WithRSAEncryption
66:88:62:4c:6e:01:1e:f7:53:65:8b:17:e9:bc:87:c8:65:a9:
b2:27:b3:f8:c9:9d:8a:c6:fc:a1:23:d1:72:fb:23:ba:fc:59:
85:d4:7f:d2:99:ed:61:25:3c:3a:ac:c7:db:f4:6d:f0:2d:99:
59:9f:67:ff:2e:1e:4e:6f:d3:a4:52:e6:a2:c0:bf:ef:db:ba:
b0:1d:ee:fd:1f:49:42:32:08:aa:09:61:47:cc:cc:70:ea:d4:
77:01:f4:13:c9:37:81:f9:d2:d8:bf:e6:cd:07:e6:5a:e1:09:
4e:e3:3f:1a:ba:e1:92:ad:7f:92:ee:20:72:d0:5e:83:d9:9c:
6c:af:b1:58:f5:22:52:5e:42:2a:d0:02:81:01:33:6e:f7:42:
91:5b:0a:a2:b2:cc:a4:61:07:e6:23:43:9b:11:29:c2:92:56:
b5:5d:41:69:52:7d:fa:8b:b8:ce:55:16:f5:52:eb:4d:41:f8:
b8:8c:5e:29:66:bf:bd:49:bf:83:62:35:ac:91:13:75:75:fe:
7f:3b:91:82:0b:a9:f6:01:1f:53:8a:e2:fe:e6:fd:58:6b:90:
ed:1a:9d:e2:44:dd:36:38:b4:51:03:e6:6b:4c:ba:aa:cf:77:
bb:f4:6b:28:00:93:06:02:60:1f:92:27:25:5d:0d:02:fb:2e:
24:57:60:f8
-----BEGIN X509 CRL-----
MIIB3jCBxwIBATANBgkqhkiG9w0BAQUFADAaMQswCQYDVQQGEwJKUDELMAkGA1UE
AwwCQ0EXDTEyMTIxOTE1NTgyNFoXDTEyMTIyMTA2MDAwMFowSDAgAgEBFw0xMjEy
MTkxNTU4MjRaMAwwCgYDVR0VBAMKAQEwJAIFAJADiY0XDTEyMTIxOTE1NTgyNFow
DDAKBgNVHRUEAwoBAaAvMC0wCgYDVR0UBAMCAQEwHwYDVR0jBBgwFoAUTB6GV/yn
1utzsfPKUuT+dyoKwHwwDQYJKoZIhvcNAQEFBQADggEBAGaIYkxuAR73U2WLF+m8
h8hlqbIns/jJnYrG/KEj0XL7I7r8WYXUf9KZ7WElPDqsx9v0bfAtmVmfZ/8uHk5v
06RS5qLAv+/burAd7v0fSUIyCKoJYUfMzHDq1HcB9BPJN4H50ti/5s0H5lrhCU7j
Pxq64ZKtf5LuIHLQXoPZnGyvsVj1IlJeQirQAoEBM273QpFbCqKyzKRhB+YjQ5sR
KcKSVrVdQWlSffqLuM5VFvVS601B+LiMXilmv71Jv4NiNayRE3V1/n87kYILqfYB
H1OK4v7m/VhrkO0aneJE3TY4tFED5mtMuqrPd7v0aygAkwYCYB+SJyVdDQL7LiRX
YPg=
-----END X509 CRL-----
処理(前回と同じ)
- 以前に処理された CRL はローカル CRL キャッシュに保存されます
- delta CRL は使用しないため,これ以下では complete CRL は単に CRL と記載します
- ここでは,上記の証明書と CRL の場合に検証する内容のみを記載します
1. CRL の Next Update の値のチェック
前回と同じため省略
2. CRL の Issuer と証明書の Issuer が一致することの確認
前回と同じため省略
3. 上記で取得した失効理由の集合が,これまでに検証した CRL がサポートしている失効理由に含まれていなかった失効理由を 1 つ以上含んでいることの確認
IDP Extension が無く,CRL は分割されていないため,全ての失効理由を含みます
4. CRL の発行者についての認証パスの取得と検証
前回と同じため省略
5. Key Usage Extension が CRL 発行者の証明書に存在している場合の検証
前回と同じため省略
6. 上記 4 で検証された公開鍵を使用して,CRL の署名を検証
前回と同じため省略
7. CRL 上の証明書を検索して,対象の証明書の発行者とシリアル番号が一致するエントリがあるかの確認
一致するエントリが存在している場合は,unspecified とします
一致するエントリが存在していない場合は UNREVOKED です
CRL を分割していない場合は,この時点で全ての失効理由に対する検証がおこなわれているため,この時点で失効の状態は決定します
