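[Mac/Linux] Using OpenSSL to inspect a signature's contents and validity dates
I recently received a file that had been signed with OpenSSL on Linux.
How can I look at the contents of that signature?
I'm really not familiar with OpenSSL (and I'll probably never get used to its complicated options, Orz…)
I found the following usage online.
While verifying the signature with verify, we also use -certsout to name the file that the extracted certificates are written to: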
# openssl cms -verify -binary -in checksum.p7 -inform DER -verify -content checksum -purpose any -certsout need_to_check.certs
Verification failure
140087773292352:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:crypto/cms/cms_smime.c:253:Verify error:certificate has expired
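In the example above, verification failed because the certificate has expired (certificate has expired).
The certificate is still extracted, though, so we can inspect its contents: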
# openssl x509 -text -noout -in need_to_check.certs
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:ff:7d:a0:7e:fc:7b:e1:64:d4:37:3b:d5:a1:3a:72
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert EV Code Signing CA (SHA2)
        Validity
            Not Before: Aug 7 00:00:00 2020 GMT
            Not After : Apr 15 12:00:00 2021 GMT
        Subject: jurisdictionC = TW, businessCategory = Private Organization, C = TW, ST = Taipei City, O = "Test, Inc.", CN = "Test, Inc."
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a9:84:52:b4:b3:36:7c:10:27:cd:b5:5c:2c:f1:
                    a5:9d:72:1c:c6:ee:06:46:2c:b5:0a:e5:8e:a9:ab:
                    29:24:0c:a0:87:2f:19:e5:9e:f5:e5:19:d3:5d:b6:
                    a9:a3
                Exponent: 65537 (0x10001)
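In the example above, the certificate is valid from 2020/8/7 to 2021/4/15,
so as of today's date this certificate has indeed expired.
When need_to_check.certs contains multiple certificates, the command above only shows the Root CA certificate.
To display all of the certificates, use: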
openssl crl2pkcs7 -nocrl -certfile need_to_check.certs | openssl pkcs7 -print_certs -text -noout
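To check the validity dates of every certificate written by -certsout rather than reading the full text dump, the bundle can be split and each certificate tested with `openssl x509 -checkend`. This is an added example, not part of the original post; the function names `cert_validity_report` and `make_sample_bundle` are hypothetical, and the sample certificates are throwaway ones constructed for the demonstration.

```shell
#!/bin/sh
# Added example: per-certificate validity report for a PEM bundle such as
# the file written by `openssl cms -verify ... -certsout need_to_check.certs`.

# cert_validity_report BUNDLE [SECONDS]
# Prints one line per certificate: index, OK/EXPIRED, notAfter, subject.
# SECONDS (default 0) moves the check forward in time, e.g. 2592000 flags
# certificates that will have expired 30 days from now.
# Returns 1 if any certificate is flagged, 0 otherwise.
cert_validity_report() {
    bundle=$1
    ahead=${2:-0}
    tmp=$(mktemp -d) || return 2
    # Split the bundle: one file per BEGIN/END CERTIFICATE block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0
    i=0
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || break
        i=$((i + 1))
        subject=$(openssl x509 -noout -subject -in "$pem")
        not_after=$(openssl x509 -noout -enddate -in "$pem")
        # -checkend N exits non-zero if the cert is expired N seconds from now.
        if openssl x509 -noout -checkend "$ahead" -in "$pem" >/dev/null; then
            status=OK
        else
            status=EXPIRED
            rc=1
        fi
        printf '%d %s %s %s\n' "$i" "$status" \
            "${not_after#notAfter=}" "${subject#subject=}"
    done
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample input: two self-signed certs valid for 1 and 400 days.
make_sample_bundle() {
    for days in 1 400; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=sample-$days" -keyout /dev/null 2>/dev/null
    done > "$1"
}

# Usage: cert_validity_report need_to_check.certs
```
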