我有两个二进制文件,一个在第一个之后〜4天建成,并且使用相同的证书(由Thawte发布的相同序列号)签名,但是当我检查证书时,在一个文件上有错误消息Revocation Status : The revocation function was unable to check revocation because the revocation server was offline. ,第二个效果很好。是否有可能,撤销服务器在签名时处于脱机状态,并导致此问题?我不确定是否有其他方式可以让一个证书拥有不同的撤销服务器。signtool撤销问题?
另外我想可以想到的是,第二个是在证书到期前几天(<个月)签署的。情况会是这样吗?
首先,您应该查看有关如何验证签署的二进制文件的MSDN文档here。错误响应将更加丰富。
这个blogger has a workaround,如果你有与自己的钥匙revokation服务器的问题,你会知道如果它已被撤销:)。此外,由于此密钥已过期,因此配置此设置可能不是什么大问题。
如果您发布了详细的错误代码,我可以再看一下,但现在这应该适合您。
证书的格式是什么?如果您可以使用合适的格式,则可以使用“openssl”命令行unix工具来调查证书。 Openssl也适用于Windows。
下面是一个运行示例:
openssl x509 -in usertrust.pem -inform PEM -noout -text
而这里的输出:
Version: 3 (0x2)
Serial Number:
07:74:8d:73:00:00:00:00:00:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network
Validity
Not Before: Apr 5 18:35:06 2005 GMT
Not After : Mar 6 03:22:04 2007 GMT
Subject:C=US, ST=UT, L=Salt Lake City, O=USERTRUST, CN=www.usertrust.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d7:21:6d:f8:58:e7:ed:52:5a:3e:fe:e5:bf:92:
32:41:38:f1:ee:61:6f:da:6c:83:39:c8:b4:b1:fd:
77:4a:35:a8:e8:3f:0b:bf:ff:2d:0b:b5:ed:56:80:
d7:ca:89:c3:63:8b:a5:06:ed:b0:22:82:8d:a1:c6:
ed:c8:d4:06:8d:be:d1:69:83:31:a7:13:2b:17:27:
72:a4:85:97:55:fc:f7:ca:eb:c9:af:be:19:78:67:
35:d1:7f:af:2d:3c:d3:86:c4:1e:fd:02:e4:ab:10:
ea:d1:bb:63:19:fb:9a:61:ed:30:7e:88:0e:1a:1e:
a7:a6:d5:8d:02:20:af:be:b0:0e:f5:30:44:e0:d5:
b9:ab:b1:76:65:94:03:fc:c8:55:80:6d:a8:fa:b1:
94:38:be:e2:78:45:8d:b5:7e:cf:e7:de:a1:09:46:
a3:8b:ab:76:50:85:50:5d:58:91:78:21:a3:a2:dd:
1d:c3:dc:0b:18:9d:fc:84:b2:17:f8:a7:48:e5:aa:
c1:d3:43:83:49:ea:35:5f:e1:28:6c:33:a9:2f:ac:
62:22:1d:6f:44:94:bb:09:be:7d:fd:c5:e4:fc:ff:
92:4c:63:97:56:53:fe:77:5c:53:5b:ae:ab:7d:8b:
af:74:ac:ea:30:80:b1:6e:08:57:85:01:7d:b4:3d:
26:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
A0:3C:DC:84:FF:51:06:AC:C6:CB:21:EB:CB:05:07:D7:10:C2:68:E6
X509v3 Authority Key Identifier:
keyid:75:01:28:97:C6:46:1B:34:6E:E8:A0:91:15:71:92:79:EE:B7:03:CE
serial:15:6C:27:1A:54:FE:B3:82:BE:AF:54:FE:F4:A2:8B
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl
X509v3 Certificate Policies:
Policy: 1.2.840.114015.1.1
CPS: http://www.usertrust.com/CPS
User Notice: Explicit Text: ...
Signature Algorithm: sha1WithRSAEncryption
cf:66:95:18:8b:a3:73:e7:04:a8:fa:16:f3:62:60:4a:26:f1:
b5:37:b3:cd:7a:d4:9d:63:3f:a1:ee:52:30:29:9e:7a:b2:e7:
ba:a0:f9:bf:4f:95:63:63:bb:a9:cf:c5:b9:18:bd:6a:e5:82:
cd:3a:bf:37:ea:9c:57:bc:d8:20:d8:be:1a:8c:f5:00:9e:ad:
c4:66:d3:60:92:dd:22:66:61:88:49:0c:05:72:05:03:9d:82:
78:2f:9e:9c:f3:8b:d7:96:b7:8b:4b:6c:40:0f:7a:cb:f9:77:
88:13:f7:74:f0:e7:31:2e:94:81:b9:d4:0a:7c:d1:1d:f3:8b:
4c:e7:ae:21:12:40:f9:6a:1f:7d:a8:96:dc:90:11:6a:44:d7:
fc:f5:98:a3:5b:bc:4f:51:ab:db:84:64:ad:69:e6:82:bd:d9:
65:7a:44:43:65:8b:69:a7:01:8c:94:0d:4b:c3:be:29:ef:81:
a9:80:0c:33:46:d7:37:be:4c:9a:e0:bb:3f:15:9e:dd:ef:f4:
7f:70:e9:0b:5f:e3:18:a7:a4:80:8b:e1:ac:1c:46:33:e7:90:
02:11:43:61:15:4e:97:ea:c2:24:84:58:31:a8:37:b4:84:bf:
c0:70:a0:95:f9:64:c9:d2:94:86:5c:21:5d:51:b3:c6:b0:f4:
02:cb:77:24
尤其注意到这些:
X509v3 CRL Distribution Points:
URI:http://crl.usertrust.com/USERTRUST-ServerAuthentication.crl
URI:http://www.utnsecurity.com/USERTRUST-ServerAuthentication.crl
这些都是CRL的(对于这个特定的证书),并且您可以使用常规浏览器访问它们以查看问题所在!注意:有些证书使用OCSP进行撤销,因此请在输出中查找OCSP和CRL。
证书签名不依赖于检查证书吊销,只验证。这听起来像是在验证证书时出现临时网络故障。这个问题是否可重复?
你如何检查你的二进制文件的签名? – pajton 2011-03-25 14:02:11
r-click->属性 - >数字签名 - >详细信息 – nothrow 2011-03-25 14:07:48