実際に発行されている CRL に条件を近づけてみる
前回,CRL の処理をだらだらと書いてみたわけですが,http で公開されている CRL を見てみると,Extensions が無いか,
または,Extensions が含まれていても,CRL Number と Authority Key Identifier の 2 つを含むだけであり,
Issuing Distrubution Point は含まれていないことが多いようです
そこで,前回の処理から Issuing Distribution Point を省いた場合の処理を追ってみます
また,証明書の cRLDistributionPoitns に Reasons が含まれていないことが多いようです
つまり,CRL は分割されずに,1 つの Distirbution Point の CRL が全ての失効理由を扱うことになります
条件
- delta CRL は使用しない
- 検証対象の証明書は,Root CA 証明書から直接発行されている
- CRL は,Root CA 証明書から直接発行されている
- 対象の証明書を検証する CRL の入手先は 1 つだけとする
- 下記で示す証明書と,CRL を使用する
- CRL は Issuing Distribution Point Extension を含まない
- 証明書の cRLDistributionPoints Extension の DistributionPoint に Reasons を含まない
Root CA 証明書
Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=JP, CN=CA Validity Not Before: Dec 19 15:58:24 2012 GMT Not After : Jan 31 06:00:00 2013 GMT Subject: C=JP, CN=CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b3:df:e2:43:87:62:c1:dd:4c:e9:5c:1e:0a:43: a4:37:78:a5:f3:70:3c:f4:cb:9a:b4:8d:a1:9a:c8: 76:47:dc:f0:f7:f6:f7:d2:bf:7c:f4:76:c0:80:fb: f2:e8:b8:8e:7d:86:5d:09:66:7e:ff:79:4f:38:f5: 0f:1d:1b:fe:8a:16:62:38:0f:e7:09:26:15:f9:b6: 36:21:b1:93:f2:b8:a1:41:9a:34:97:cf:75:fd:f3: a3:de:55:09:f5:5c:ba:56:07:32:b3:f4:95:38:5b: 60:59:83:a1:7b:cd:36:9c:b9:f1:4b:df:74:40:a4: 0c:09:cf:88:74:a3:75:3a:54:b8:e1:15:b8:99:ce: 2f:89:ff:41:7e:5b:32:56:74:ce:1c:c3:80:44:aa: 99:ff:3a:36:56:14:3a:74:cf:da:4d:62:28:70:35: 9e:9b:5a:e4:81:1b:3e:d0:a9:e0:53:02:41:e3:28: a9:ef:15:01:48:0a:0c:a1:cb:16:90:38:c4:8c:ea: 8e:f9:0c:95:c2:1f:3c:ec:22:c9:76:b6:7b:2c:60: ff:d5:fd:80:3c:91:ca:5a:20:e2:94:01:0e:dd:e1: 3f:e5:5c:8f:c4:a3:ed:fb:66:14:b3:2a:42:47:37: dd:dc:6b:57:24:58:ac:e7:2d:67:15:be:cf:94:ae: a5:ff Exponent: 3 (0x3) X509v3 extensions: X509v3 Subject Key Identifier: 4C:1E:86:57:FC:A7:D6:EB:73:B1:F3:CA:52:E4:FE:77:2A:0A:C0:7C X509v3 Authority Key Identifier: keyid:4C:1E:86:57:FC:A7:D6:EB:73:B1:F3:CA:52:E4:FE:77:2A:0A:C0:7C X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: sha1WithRSAEncryption 16:a0:c7:a0:fc:c2:7d:ad:f4:c7:4c:11:78:a7:e1:0e:ac:ed: d8:d2:f8:91:81:27:72:44:cd:19:a4:03:a7:ca:0b:e8:49:5e: 8d:9f:a7:2a:39:6c:2a:f1:af:16:ee:b0:1b:fd:5a:56:e6:74: fa:56:80:11:d1:5f:6e:96:89:91:c9:85:cf:0e:a8:a5:cb:52: 23:64:d6:97:ac:15:e4:c9:03:1e:03:b8:c9:86:ea:e8:0f:e2: a4:ef:00:cc:61:09:b5:c9:4a:18:07:f9:4c:08:ee:3a:60:92: 8e:5d:d0:43:ad:e7:df:56:5a:c0:d8:5e:92:58:1c:0c:50:a6: bb:54:fc:1f:e6:32:9b:ed:43:b7:f1:31:53:44:54:d9:4b:4f: 37:3e:0b:f3:12:c1:0c:d2:db:08:0d:2a:18:84:a5:2a:67:3b: ac:4a:7f:de:38:95:98:d3:5a:9a:e3:eb:10:71:f1:6e:47:b2: 09:41:da:cd:ec:16:2a:b3:16:94:dd:b5:c5:71:03:28:67:19: a8:c2:09:ab:35:d5:69:03:86:24:f2:b1:7a:4b:49:d5:1d:cf: be:cb:19:bd:4f:d2:56:25:c8:6a:31:46:f2:14:a3:93:39:20: f6:ee:0d:8c:e8:cb:df:99:95:f7:4b:7f:9b:f7:9f:39:59:9c: 69:62:56:3f -----BEGIN CERTIFICATE----- MIIDEDCCAfigAwIBAgIBATANBgkqhkiG9w0BAQUFADAaMQswCQYDVQQGEwJKUDEL MAkGA1UEAwwCQ0EwHhcNMTIxMjE5MTU1ODI0WhcNMTMwMTMxMDYwMDAwWjAaMQsw CQYDVQQGEwJKUDELMAkGA1UEAwwCQ0EwggEgMA0GCSqGSIb3DQEBAQUAA4IBDQAw ggEIAoIBAQCz3+JDh2LB3UzpXB4KQ6Q3eKXzcDz0y5q0jaGayHZH3PD39vfSv3z0 dsCA+/LouI59hl0JZn7/eU849Q8dG/6KFmI4D+cJJhX5tjYhsZPyuKFBmjSXz3X9 86PeVQn1XLpWBzKz9JU4W2BZg6F7zTacufFL33RApAwJz4h0o3U6VLjhFbiZzi+J /0F+WzJWdM4cw4BEqpn/OjZWFDp0z9pNYihwNZ6bWuSBGz7QqeBTAkHjKKnvFQFI CgyhyxaQOMSM6o75DJXCHzzsIsl2tnssYP/V/YA8kcpaIOKUAQ7d4T/lXI/Eo+37 ZhSzKkJHN93ca1ckWKznLWcVvs+UrqX/AgEDo2MwYTAdBgNVHQ4EFgQUTB6GV/yn 1utzsfPKUuT+dyoKwHwwHwYDVR0jBBgwFoAUTB6GV/yn1utzsfPKUuT+dyoKwHww DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQAD ggEBABagx6D8wn2t9MdMEXin4Q6s7djS+JGBJ3JEzRmkA6fKC+hJXo2fpyo5bCrx rxbusBv9WlbmdPpWgBHRX26WiZHJhc8OqKXLUiNk1pesFeTJAx4DuMmG6ugP4qTv AMxhCbXJShgH+UwI7jpgko5d0EOt599WWsDYXpJYHAxQprtU/B/mMpvtQ7fxMVNE VNlLTzc+C/MSwQzS2wgNKhiEpSpnO6xKf944lZjTWprj6xBx8W5HsglB2s3sFiqz FpTdtcVxAyhnGajCCas11WkDhiTysXpLSdUdz77LGb1P0lYlyGoxRvIUo5M5IPbu DYzoy9+ZlfdLf5v3nzlZnGliVj8= -----END CERTIFICATE-----
end entity 証明書
Certificate: Data: Version: 3 (0x2) Serial Number: 2416150925 (0x9003898d) Signature Algorithm: sha1WithRSAEncryption Issuer: C=JP, CN=CA Validity Not Before: Dec 19 15:58:24 2012 GMT Not After : Jan 21 06:00:00 2013 GMT Subject: C=JP, CN=end entity Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:58:76:85:6e:d3:07:7d:4e:50:b7:40:ba:60: 36:5e:0d:5a:e0:47:9b:f9:43:ad:09:8f:2d:60:2f: 5f:dd:f5:dd:f0:0a:b3:2f:1f:bb:4a:df:48:54:5c: 9a:b2:1e:9f:e8:3f:4a:a9:8d:52:3b:ba:9c:c5:a5: 66:31:1c:5e:36:ef:41:a3:5e:16:74:b3:31:1c:82: be:b6:d2:75:94:bb:fd:fc:96:67:f9:7f:b2:43:26: ab:93:76:35:96:e2:f6:1b:58:8e:c4:90:62:44:0e: 01:dd:14:84:e8:e5:38:6d:ec:ba:f6:8d:e3:0a:61: ea:d4:b4:d2:df:38:34:c4:e8:dc:35:8f:ef:70:b4: 5e:61:34:1d:1b:b1:97:f0:5b:fc:c7:d8:e3:37:52: 3f:cc:cd:f5:da:32:af:c4:f1:48:95:2a:f0:6a:67: 7c:38:dd:8c:5e:c8:90:99:f3:e9:a3:f2:99:f0:90: a0:5e:d3:33:14:cf:0f:34:4b:f8:4e:f9:cd:18:a2: 1a:2f:85:e0:21:d6:4d:00:04:47:e5:5f:b5:68:97: 20:5b:3a:67:50:74:1b:46:81:eb:64:6e:4f:b3:ec: 55:7e:a9:f5:87:1b:78:75:3b:77:60:b2:49:15:bf: f3:e2:db:92:f1:25:56:50:d4:ed:17:1a:ba:fa:39: 9e:05 Exponent: 3 (0x3) X509v3 extensions: X509v3 Subject Key Identifier: 4E:14:00:73:08:C8:D4:13:0B:EC:E7:1C:AF:5E:A1:5E:81:84:0B:90 X509v3 Authority Key Identifier: keyid:4C:1E:86:57:FC:A7:D6:EB:73:B1:F3:CA:52:E4:FE:77:2A:0A:C0:7C X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://example.com/example.crl Signature Algorithm: sha1WithRSAEncryption 22:1d:ae:06:b4:5d:e7:22:3b:b2:9e:fb:7b:0a:30:0d:15:d6: 10:84:c3:9c:90:ad:45:09:fc:f9:a4:87:42:78:aa:b1:94:94: 1c:26:d4:34:4a:44:24:02:7b:00:5e:69:cf:ab:c7:b0:57:be: ac:c2:da:e9:3d:ef:a0:30:e4:8d:da:57:95:27:81:57:72:8a: 7d:fa:f2:0d:28:4c:4e:0f:f7:cd:7f:fe:fa:8a:4c:5e:f2:5d: 8c:ed:6f:58:64:21:97:97:17:b2:a9:d5:53:15:51:02:78:e2: b4:67:48:ef:0e:da:b8:ac:69:49:c9:40:61:22:23:24:90:4f: cf:30:55:de:a8:e5:11:e0:03:cb:4c:bf:4d:b8:53:57:e2:6b: 20:80:82:c6:09:b2:58:ff:b5:f6:67:6c:75:63:c7:c9:8e:fe: cf:f4:7a:2d:a7:f0:2d:02:b3:05:4e:85:48:c2:9f:a7:b2:bf: 4a:a2:97:a7:20:c8:cc:5c:ed:bb:3a:4c:08:da:32:c0:c6:7f: 28:0b:f8:2a:ba:61:90:53:50:3c:b5:28:e4:60:87:ad:f3:12: 44:4d:47:4d:81:87:9b:f4:d4:6f:cd:0f:3a:a9:c7:a6:e2:d4: 45:a1:bb:93:a3:20:1d:c7:19:d2:e3:c4:85:cd:1a:13:38:fb: 75:56:b2:c3 -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIFAJADiY0wDQYJKoZIhvcNAQEFBQAwGjELMAkGA1UEBhMC SlAxCzAJBgNVBAMMAkNBMB4XDTEyMTIxOTE1NTgyNFoXDTEzMDEyMTA2MDAwMFow IjELMAkGA1UEBhMCSlAxEzARBgNVBAMMCmVuZCBlbnRpdHkwggEgMA0GCSqGSIb3 DQEBAQUAA4IBDQAwggEIAoIBAQDDWHaFbtMHfU5Qt0C6YDZeDVrgR5v5Q60Jjy1g L1/d9d3wCrMvH7tK30hUXJqyHp/oP0qpjVI7upzFpWYxHF4270GjXhZ0szEcgr62 0nWUu/38lmf5f7JDJquTdjWW4vYbWI7EkGJEDgHdFITo5Tht7Lr2jeMKYerUtNLf ODTE6Nw1j+9wtF5hNB0bsZfwW/zH2OM3Uj/MzfXaMq/E8UiVKvBqZ3w43YxeyJCZ 8+mj8pnwkKBe0zMUzw80S/hO+c0YohovheAh1k0ABEflX7VolyBbOmdQdBtGgetk bk+z7FV+qfWHG3h1O3dgskkVv/Pi25LxJVZQ1O0XGrr6OZ4FAgEDo4GXMIGUMB0G A1UdDgQWBBROFABzCMjUEwvs5xyvXqFegYQLkDAfBgNVHSMEGDAWgBRMHoZX/KfW 63Ox88pS5P53KgrAfDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMC MC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9leGFtcGxlLmNvbS9leGFtcGxlLmNy bDANBgkqhkiG9w0BAQUFAAOCAQEAIh2uBrRd5yI7sp77ewowDRXWEITDnJCtRQn8 +aSHQniqsZSUHCbUNEpEJAJ7AF5pz6vHsFe+rMLa6T3voDDkjdpXlSeBV3KKffry DShMTg/3zX/++opMXvJdjO1vWGQhl5cXsqnVUxVRAnjitGdI7w7auKxpSclAYSIj JJBPzzBV3qjlEeADy0y/TbhTV+JrIICCxgmyWP+19mdsdWPHyY7+z/R6LafwLQKz BU6FSMKfp7K/SqKXpyDIzFztuzpMCNoywMZ/KAv4KrphkFNQPLUo5GCHrfMSRE1H TYGHm/TUb80POqnHpuLURaG7k6MgHccZ0uPEhc0aEzj7dVayww== -----END CERTIFICATE-----
CRL
Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=JP/CN=CA Last Update: Dec 19 15:58:24 2012 GMT Next Update: Dec 21 06:00:00 2012 GMT CRL extensions: X509v3 CRL Number: 1 X509v3 Authority Key Identifier: keyid:4C:1E:86:57:FC:A7:D6:EB:73:B1:F3:CA:52:E4:FE:77:2A:0A:C0:7C Revoked Certificates: Serial Number: 01 Revocation Date: Dec 19 15:58:24 2012 GMT CRL entry extensions: X509v3 CRL Reason Code: Key Compromise Serial Number: 9003898D Revocation Date: Dec 19 15:58:24 2012 GMT CRL entry extensions: X509v3 CRL Reason Code: Key Compromise Signature Algorithm: sha1WithRSAEncryption 66:88:62:4c:6e:01:1e:f7:53:65:8b:17:e9:bc:87:c8:65:a9: b2:27:b3:f8:c9:9d:8a:c6:fc:a1:23:d1:72:fb:23:ba:fc:59: 85:d4:7f:d2:99:ed:61:25:3c:3a:ac:c7:db:f4:6d:f0:2d:99: 59:9f:67:ff:2e:1e:4e:6f:d3:a4:52:e6:a2:c0:bf:ef:db:ba: b0:1d:ee:fd:1f:49:42:32:08:aa:09:61:47:cc:cc:70:ea:d4: 77:01:f4:13:c9:37:81:f9:d2:d8:bf:e6:cd:07:e6:5a:e1:09: 4e:e3:3f:1a:ba:e1:92:ad:7f:92:ee:20:72:d0:5e:83:d9:9c: 6c:af:b1:58:f5:22:52:5e:42:2a:d0:02:81:01:33:6e:f7:42: 91:5b:0a:a2:b2:cc:a4:61:07:e6:23:43:9b:11:29:c2:92:56: b5:5d:41:69:52:7d:fa:8b:b8:ce:55:16:f5:52:eb:4d:41:f8: b8:8c:5e:29:66:bf:bd:49:bf:83:62:35:ac:91:13:75:75:fe: 7f:3b:91:82:0b:a9:f6:01:1f:53:8a:e2:fe:e6:fd:58:6b:90: ed:1a:9d:e2:44:dd:36:38:b4:51:03:e6:6b:4c:ba:aa:cf:77: bb:f4:6b:28:00:93:06:02:60:1f:92:27:25:5d:0d:02:fb:2e: 24:57:60:f8 -----BEGIN X509 CRL----- MIIB3jCBxwIBATANBgkqhkiG9w0BAQUFADAaMQswCQYDVQQGEwJKUDELMAkGA1UE AwwCQ0EXDTEyMTIxOTE1NTgyNFoXDTEyMTIyMTA2MDAwMFowSDAgAgEBFw0xMjEy MTkxNTU4MjRaMAwwCgYDVR0VBAMKAQEwJAIFAJADiY0XDTEyMTIxOTE1NTgyNFow DDAKBgNVHRUEAwoBAaAvMC0wCgYDVR0UBAMCAQEwHwYDVR0jBBgwFoAUTB6GV/yn 1utzsfPKUuT+dyoKwHwwDQYJKoZIhvcNAQEFBQADggEBAGaIYkxuAR73U2WLF+m8 h8hlqbIns/jJnYrG/KEj0XL7I7r8WYXUf9KZ7WElPDqsx9v0bfAtmVmfZ/8uHk5v 06RS5qLAv+/burAd7v0fSUIyCKoJYUfMzHDq1HcB9BPJN4H50ti/5s0H5lrhCU7j Pxq64ZKtf5LuIHLQXoPZnGyvsVj1IlJeQirQAoEBM273QpFbCqKyzKRhB+YjQ5sR KcKSVrVdQWlSffqLuM5VFvVS601B+LiMXilmv71Jv4NiNayRE3V1/n87kYILqfYB H1OK4v7m/VhrkO0aneJE3TY4tFED5mtMuqrPd7v0aygAkwYCYB+SJyVdDQL7LiRX YPg= -----END X509 CRL-----
処理(前回と同じ)
- 以前に処理された CRL はローカル CRL キャッシュに保存されます
- delta CRL は使用しないため,これ以下では complete CRL は単に CRL と記載します
- ここでは,上記の証明書と CRL の場合に検証する内容のみを記載します
1. CRL の Next Update の値のチェック
前回と同じため省略
2. CRL の Issuer と証明書の Issuer が一致することの確認
前回と同じため省略
3. 上記で取得した失効理由の集合が,これまでに検証した CRL がサポートしている失効理由に含まれていなかった失効理由を 1 つ以上含んでいることの確認
IDP Extension が無く,CRL は分割されていないため,全ての失効理由を含みます
4. CRL の発行者についての認証パスの取得と検証
前回と同じため省略
5. Key Usage Extension が CRL 発行者の証明書に存在している場合の検証
前回と同じため省略
6. 上記 4 で検証された公開鍵を使用して,CRL の署名を検証
前回と同じため省略
7. CRL 上の証明書を検索して,対象の証明書の発行者とシリアル番号が一致するエントリがあるかの確認
一致するエントリが存在している場合は,unspecified とします
一致するエントリが存在していない場合は UNREVOKED です
CRL を分割していない場合は,この時点で全ての失効理由に対する検証がおこなわれているため,この時点で失効の状態は決定します