[Mac/Linux] 使用 OpenSSL 檢查簽章內容與有效日期
最近拿到一個 Linux 上用 OpenSSL 簽章 (sign) 過的檔案,
要怎麼看這個簽章的內容呢?
對 OpenSSL 非常的不熟 (它那複雜的參數我大概也一直不會熟 Orz…)
在網路上查到了下面的用法,
我們在使用 verify
驗證簽章的同時,用 -certsout
指定擷取出來的憑證 (certificate):
# openssl cms -verify -binary -in checksum.p7 -inform DER -verify -content checksum -purpose any -certsout need_to_check.certs Verification failure 140087773292352:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:crypto/cms/cms_smime.c:253:Verify error:certificate has expired
以上例來說,驗證失敗了,原因是憑證過期 (certificate has expired)。
不過憑證還是會擷取出來,因此我們可以檢視這個憑證的內容:
# openssl x509 -text -noout -in need_to_check.certs Certificate: Data: Version: 3 (0x2) Serial Number: 0c:ff:7d:a0:7e:fc:7b:e1:64:d4:37:3b:d5:a1:3a:72 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert EV Code Signing CA (SHA2) Validity Not Before: Aug 7 00:00:00 2020 GMT Not After : Apr 15 12:00:00 2021 GMT Subject: jurisdictionC = TW, businessCategory = Private Organization, C = TW, ST = Taipei City, O = "Test, Inc.", CN = "Test, Inc." Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:a9:84:52:b4:b3:36:7c:10:27:cd:b5:5c:2c:f1: a5:9d:72:1c:c6:ee:06:46:2c:b5:0a:e5:8e:a9:ab: 29:24:0c:a0:87:2f:19:e5:9e:f5:e5:19:d3:5d:b6: a9:a3 Exponent: 65537 (0x10001)
以上例來說,可以看到憑證有效日期是 2020/8/7~2021/4/15,
以目前的日期來說,這憑證確實已經過期了~
上面的指令在 need_to_check.certs 裡有多張憑證時,只會顯示出 Root CA 憑證。
如果想要所有的憑證都顯示出來的話,可以用:
openssl crl2pkcs7 -nocrl -certfile need_to_check.certs | openssl pkcs7 -print_certs -text -noout
參考資料:
- How To Read The SSL Certificate Info From the CLI
- What is a Timestamp in Code Signing? How Does Timestamping Work?
- ubuntu – How to view all ssl certificates in a bundle? – Server Fault
(本頁面已被瀏覽過 1,593 次)