我有兩個二進制文件,一個在第一個之後〜4天建成,並且使用相同的證書(由Thawte發佈的相同序列號)簽名,但是當我檢查證書時,在一個文件上有錯誤消息Revocation Status : The revocation function was unable to check revocation because the revocation server was offline. ,第二個效果很好。是否有可能,撤銷服務器在簽名時處於脫機狀態,並導致此問題?我不確定是否有其他方式可以讓一個證書擁有不同的撤銷服務器。signtool撤銷問題?
另外我想可以想到的是,第二個是在證書到期前幾天(<個月)簽署的。情況會是這樣嗎?
首先,您應該查看有關如何驗證簽署的二進制文件的MSDN文檔here。錯誤響應將更加豐富。
這個blogger has a workaround,如果你有與自己的鑰匙revokation服務器的問題,你會知道如果它已被撤銷:)。此外,由於此密鑰已過期,因此配置此設置可能不是什麼大問題。
如果您發佈了詳細的錯誤代碼,我可以再看一下,但現在這應該適合您。
證書的格式是什麼?如果您可以使用合適的格式,則可以使用「openssl」命令行unix工具來調查證書。 Openssl也適用於Windows。
下面是一個運行示例:
openssl x509 -in usertrust.pem -inform PEM -noout -text
而這裏的輸出:
Version: 3 (0x2)
Serial Number:
07:74:8d:73:00:00:00:00:00:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network
Validity
Not Before: Apr 5 18:35:06 2005 GMT
Not After : Mar 6 03:22:04 2007 GMT
Subject:C=US, ST=UT, L=Salt Lake City, O=USERTRUST, CN=www.usertrust.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d7:21:6d:f8:58:e7:ed:52:5a:3e:fe:e5:bf:92:
32:41:38:f1:ee:61:6f:da:6c:83:39:c8:b4:b1:fd:
77:4a:35:a8:e8:3f:0b:bf:ff:2d:0b:b5:ed:56:80:
d7:ca:89:c3:63:8b:a5:06:ed:b0:22:82:8d:a1:c6:
ed:c8:d4:06:8d:be:d1:69:83:31:a7:13:2b:17:27:
72:a4:85:97:55:fc:f7:ca:eb:c9:af:be:19:78:67:
35:d1:7f:af:2d:3c:d3:86:c4:1e:fd:02:e4:ab:10:
ea:d1:bb:63:19:fb:9a:61:ed:30:7e:88:0e:1a:1e:
a7:a6:d5:8d:02:20:af:be:b0:0e:f5:30:44:e0:d5:
b9:ab:b1:76:65:94:03:fc:c8:55:80:6d:a8:fa:b1:
94:38:be:e2:78:45:8d:b5:7e:cf:e7:de:a1:09:46:
a3:8b:ab:76:50:85:50:5d:58:91:78:21:a3:a2:dd:
1d:c3:dc:0b:18:9d:fc:84:b2:17:f8:a7:48:e5:aa:
c1:d3:43:83:49:ea:35:5f:e1:28:6c:33:a9:2f:ac:
62:22:1d:6f:44:94:bb:09:be:7d:fd:c5:e4:fc:ff:
92:4c:63:97:56:53:fe:77:5c:53:5b:ae:ab:7d:8b:
af:74:ac:ea:30:80:b1:6e:08:57:85:01:7d:b4:3d:
26:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
A0:3C:DC:84:FF:51:06:AC:C6:CB:21:EB:CB:05:07:D7:10:C2:68:E6
X509v3 Authority Key Identifier:
keyid:75:01:28:97:C6:46:1B:34:6E:E8:A0:91:15:71:92:79:EE:B7:03:CE
serial:15:6C:27:1A:54:FE:B3:82:BE:AF:54:FE:F4:A2:8B
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl
X509v3 Certificate Policies:
Policy: 1.2.840.114015.1.1
CPS: http://www.usertrust.com/CPS
User Notice: Explicit Text: ...
Signature Algorithm: sha1WithRSAEncryption
cf:66:95:18:8b:a3:73:e7:04:a8:fa:16:f3:62:60:4a:26:f1:
b5:37:b3:cd:7a:d4:9d:63:3f:a1:ee:52:30:29:9e:7a:b2:e7:
ba:a0:f9:bf:4f:95:63:63:bb:a9:cf:c5:b9:18:bd:6a:e5:82:
cd:3a:bf:37:ea:9c:57:bc:d8:20:d8:be:1a:8c:f5:00:9e:ad:
c4:66:d3:60:92:dd:22:66:61:88:49:0c:05:72:05:03:9d:82:
78:2f:9e:9c:f3:8b:d7:96:b7:8b:4b:6c:40:0f:7a:cb:f9:77:
88:13:f7:74:f0:e7:31:2e:94:81:b9:d4:0a:7c:d1:1d:f3:8b:
4c:e7:ae:21:12:40:f9:6a:1f:7d:a8:96:dc:90:11:6a:44:d7:
fc:f5:98:a3:5b:bc:4f:51:ab:db:84:64:ad:69:e6:82:bd:d9:
65:7a:44:43:65:8b:69:a7:01:8c:94:0d:4b:c3:be:29:ef:81:
a9:80:0c:33:46:d7:37:be:4c:9a:e0:bb:3f:15:9e:dd:ef:f4:
7f:70:e9:0b:5f:e3:18:a7:a4:80:8b:e1:ac:1c:46:33:e7:90:
02:11:43:61:15:4e:97:ea:c2:24:84:58:31:a8:37:b4:84:bf:
c0:70:a0:95:f9:64:c9:d2:94:86:5c:21:5d:51:b3:c6:b0:f4:
02:cb:77:24
尤其注意到這些:
X509v3 CRL Distribution Points:
URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl
這些都是CRL的(對於這個特定的證書),並且您可以使用常規瀏覽器訪問它們以查看問題所在!注意:有些證書使用OCSP進行撤銷,因此請在輸出中查找OCSP和CRL。
證書籤名不依賴於檢查證書吊銷,只驗證。這聽起來像是在驗證證書時出現臨時網絡故障。這個問題是否可重複?
你如何檢查你的二進制文件的簽名? – pajton 2011-03-25 14:02:11
r-click->屬性 - >數字簽名 - >詳細信息 – nothrow 2011-03-25 14:07:48