python - 如何使用 Python 检查证书日志中的证书(不在 PC 上)是否被撤销？

Question

我有带有来自 CTL 的证书的数据库(使用“certstream”实用程序)。一个证书数据示例:

{
"all_domains" : [ 
    "benesseresalus.com", 
    "benesseresalus.it", 
    "dimagriresalus.com", 
    "dimagriresalus.it"
],
"as_der" : "MIIFtzCCBJ+gAwIBAgISA4HNUHaLqcuseznIF3iOrjPzMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjQwNzIyMTlaFw0xODExMjIwNzIyMTlaMB0xGzAZBgNVBAMTEmJlbmVzc2VyZXNhbHVzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmPDiKIdOGpRQDzHiQZPVHBFVYHn+E0vv2BOC5Cp+GmuuPC+nxyRn0Mn7d7FL10xZQIjbjmY49iAfnpOQcyE/qgaZeJ80hI4ueoJD0tN1XPXIPIIJApin2i5HgB2s3UL+AEmCMCy81OmKzStC7+tVx2cugyUkBDuABz1ty6HPz9igshJJ2MhCX87Pc4lkLmX9phMAu9E1wpbT+XFdZsnqUp1fUixiHWGq8oVSL+CC4fz51WmzyDvTMV/FEreUBecjErXJ7uldlpNfv/tcPwUhEkGfTfRn8lHg9U1mhqmws8+qxdjR6bgpKjwnW2GkhMqvj9gkoT8mGtei6DyCbi17UCAwEAAaOCAsIwggK+MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUoYmVOj6I7epePo5xj33E1LBi94owHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzCBtwYDVR0RBIGvMIGsghJiZW5lc3NlcmVzYWx1cy5jb22CEWJlbmVzc2VyZXNhbHVzLml0ghJkaW1hZ3JpcmVzYWx1cy5jb22CEWRpbWFncmlyZXNhbHVzLml0ghZ3d3cuYmVuZXNzZXJlc2FsdXMuY29tghV3d3cuYmVuZXNzZXJlc2FsdXMuaXSCFnd3dy5kaW1hZ3JpcmVzYWx1cy5jb22CFXd3dy5kaW1hZ3JpcmVzYWx1cy5pdDCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMBMGCisGAQQB1nkCBAMBAf8EAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQCY8fgDv16BEr2jGHrC/zy21Mq5BN6PGHpCL3Vi99wxWK06NjapOjPkLLpPfrJqfL98ZNyavQLueAbYqJSb9gvQwK+CktB/ZGyyUpTgfwv9+yRXURpGNt0Vx8LZdVMtDfJIIs0JiQQ0kM0P1qpuifHiWu0z+HNkptnYMuJWFNWwqDJydh8N5scQQyh98Y9eSAnFW8647Z57zNdOPzQN94dLGVY7lzDZKbPQ2//g+F8ssh04k5tBU4RM2ZRFin6/AwY3z98L1Avaed7hPhDHbgJhkcVQF5jAV0uowD2GGDrf5fuQx71hPIDBy+LOzRcKSy2ALh8ALVijumhqdZBMFEl5",
"extensions" : {
    "authorityInfoAccess" : "CA Issuers - URI:http://cert.int-x3.letsencrypt.org/\nOCSP - URI:http://ocsp.int-x3.letsencrypt.org\n",
    "authorityKeyIdentifier" : "keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1\n",
    "basicConstraints" : "CA:FALSE",
    "certificatePolicies" : "Policy: 1.3.6.1.4.1.44947.1.1.1\n  CPS: http://cps.letsencrypt.org\n  User Notice: is Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/",
    "ctlPoisonByte" : true,
    "extendedKeyUsage" : "TLS Web server authentication, TLS Web client authentication",
    "keyUsage" : "Digital Signature, Key Encipherment",
    "subjectAltName" : "DNS:www.dimagriresalus.it, DNS:www.dimagriresalus.com, DNS:www.benesseresalus.it, DNS:www.benesseresalus.com, DNS:dimagriresalus.it, DNS:dimagriresalus.com, DNS:benesseresalus.it, DNS:benesseresalus.com",
    "subjectKeyIdentifier" : "A1:89:95:3A:3E:88:ED:EA:5E:3E:8E:71:8F:7D:C4:D4:B0:62:F7:8A"
},
"fingerprint" : "FC:A6:A6:3A:CB:C7:8C:6F:16:84:D3:92:0E:C6:A3:25:D5:91:72:9D",
"not_after" : 1542871339,
"not_before" : 1535095339,
"serial_number" : "381CD50768BA9CBAC7B39C817788EAE33F3",
"subject" : {
    "C" : null,
    "CN" : "benesseresalus.com",
    "L" : null,
    "O" : null,
    "OU" : null,
    "ST" : null,
    "aggregated" : "/CN=benesseresalus.com"
}
}

我想用代码知道这个证书是否有效。

我搜索并看到了 pyopenssl 的许多用法:https://pyopenssl.org/en/stable/api/crypto.html#revoked-objects

但是所有的用法都要求我拥有 .pem 文件。我想我可以通过像这样打开一个新文件来创建 .cert 文件:

 ----BEGIN CERTIFICATE----   
MIIFtzCCBJ+gAwIBAgISA4HNUHaLqcuseznIF3iOrjPzMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjQwNzIyMTlaFw0xODExMjIwNzIyMTlaMB0xGzAZBgNVBAMTEmJlbmVzc2VyZXNhbHVzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmPDiKIdOGpRQDzHiQZPVHBFVYHn+E0vv2BOC5Cp+GmuuPC+nxyRn0Mn7d7FL10xZQIjbjmY49iAfnpOQcyE/qgaZeJ80hI4ueoJD0tN1XPXIPIIJApin2i5HgB2s3UL+AEmCMCy81OmKzStC7+tVx2cugyUkBDuABz1ty6HPz9igshJJ2MhCX87Pc4lkLmX9phMAu9E1wpbT+XFdZsnqUp1fUixiHWGq8oVSL+CC4fz51WmzyDvTMV/FEreUBecjErXJ7uldlpNfv/tcPwUhEkGfTfRn8lHg9U1mhqmws8+qxdjR6bgpKjwnW2GkhMqvj9gkoT8mGtei6DyCbi17UCAwEAAaOCAsIwggK+MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUoYmVOj6I7epePo5xj33E1LBi94owHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzCBtwYDVR0RBIGvMIGsghJiZW5lc3NlcmVzYWx1cy5jb22CEWJlbmVzc2VyZXNhbHVzLml0ghJkaW1hZ3JpcmVzYWx1cy5jb22CEWRpbWFncmlyZXNhbHVzLml0ghZ3d3cuYmVuZXNzZXJlc2FsdXMuY29tghV3d3cuYmVuZXNzZXJlc2FsdXMuaXSCFnd3dy5kaW1hZ3JpcmVzYWx1cy5jb22CFXd3dy5kaW1hZ3JpcmVzYWx1cy5pdDCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMBMGCisGAQQB1nkCBAMBAf8EAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQCY8fgDv16BEr2jGHrC/zy21Mq5BN6PGHpCL3Vi99wxWK06NjapOjPkLLpPfrJqfL98ZNyavQLueAbYqJSb9gvQwK+CktB/ZGyyUpTgfwv9+yRXURpGNt0Vx8LZdVMtDfJIIs0JiQQ0kM0P1qpuifHiWu0z+HNkptnYMuJWFNWwqDJydh8N5scQQyh98Y9eSAnFW8647Z57zNdOPzQN94dLGVY7lzDZKbPQ2//g+F8ssh04k5tBU4RM2ZRFin6/AwY3z98L1Avaed7hPhDHbgJhkcVQF5jAV0uowD2GGDrf5fuQx71hPIDBy+LOzRcKSy2ALh8ALVijumhqdZBMFEl5
-----END CERTIFICATE-----

但我仍然缺少 .pem 文件。

底线:我想使用提供的json数据，并知道这个证书是否被吊销。请告诉我我缺少什么。

编辑

我需要 python 代码来完成它。我遇到了 certvalidator - https://github.com/wbond/certvalidator并运行以下代码:

context = ValidationContext(allow_fetching=True)
validator = CertificateValidator(end_entity_cert, validation_context=context)

而且我有 revocation_mode: soft-fail 这意味着据我所知没有信息。

Answer 1

编辑决赛:感谢@Steffen Ullrich，有效的 python 代码:

import os
import subprocess
openssl_location = "\"C:\\Program Files\\OpenSSL-Win64\\bin\\openssl.exe\""`
for element in cursor:
        authorityInfoAccess = element['data']['leaf_cert']['extensions']['authorityInfoAccess']
        ocsp_url, crt_url = [x.strip(" ").lstrip("URI:").rstrip("\n").rstrip("\nCA Issuers") for x in authorityInfoAccess.split("-") if 'URI' in x]

        if 'ocsp' in crt_url:
            ocsp_url, crt_url = crt_url, ocsp_url

        serial_number = authorityInfoAccess = element['data']['leaf_cert']['serial_number']

        shell_convert_cmd = 'curl ' + crt_url + " > issuer.crt"
        os.system(shell_convert_cmd)

        to_pem_cmd = openssl_location + ' x509 -in issuer.crt -inform der -out issuer.pem'
        os.system(to_pem_cmd)

        request_cmd = 'ocsp -issuer issuer.pem -serial 0x' + serial_number + ' -url ' + ocsp_url
        full_cmd = openssl_location + " " + request_cmd
        out = subprocess.check_output(full_cmd, shell=True)
        print (f"program output: {str(out)}")