Enumerate the certificates in the Mac Keychain and check their expiration dates

1

I looked at the man page for the security tool, specifically the find-certificate argument.


I am using the spaceship gem to get a list of certs from the Apple dev portal, and I would like to compare them with the certificates installed on the machine. The best method of comparison seems to be creation and expiration dates.

However, I can't figure out how to get security to output a certificate that I can pass to openssl to determine the creation / expiration dates.

Any guidance?

    
by ray 13.11.2016 / 23:32

2 answers

2

-p will dump the certificates in PEM format, which can be piped to the openssl x509 utility for display. For example:

security find-certificate -p -c "Apple Worldwide Developer Relations Certification Authority" | openssl x509 -text -noout

Here is the full output:

$ security find-certificate -p -c "Apple Worldwide Developer Relations Certification Authority" | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 25 (0x19)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = Apple Inc., OU = Apple Certification Authority, CN = Apple Root CA
        Validity
            Not Before: Feb 14 18:56:35 2008 GMT
            Not After : Feb 14 18:56:35 2016 GMT
        Subject: C = US, O = Apple Inc., OU = Apple Worldwide Developer Relations, CN = Apple Worldwide Developer Relations Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:38:54:a6:cb:56:aa:c8:24:39:48:e9:8c:ee:
                    ec:5f:b8:7f:26:91:bc:34:53:7a:ce:7c:63:80:61:
                    77:64:5e:a5:07:23:b6:39:fe:50:2d:15:56:58:70:
                    2d:7e:c4:6e:c1:4a:85:3e:2f:f0:de:84:1a:a1:57:
                    c9:af:7b:18:ff:6a:fa:15:12:49:15:08:19:ac:aa:
                    db:2a:32:ed:96:63:68:52:15:3d:8c:8a:ec:bf:6b:
                    18:95:e0:03:ac:01:7d:97:05:67:ce:0e:85:95:37:
                    6a:ed:09:b6:ae:67:cd:51:64:9f:c6:5c:d1:bc:57:
                    6e:67:35:80:76:36:a4:87:81:6e:38:8f:d8:2b:15:
                    4e:7b:25:d8:5a:bf:4e:83:c1:8d:d2:93:d5:1a:71:
                    b5:60:9c:9d:33:4e:55:f9:12:58:0c:86:b8:16:0d:
                    c1:e5:77:45:8d:50:48:ba:2b:2d:e4:94:85:e1:e8:
                    c4:9d:c6:68:a5:b0:a3:fc:67:7e:70:ba:02:59:4b:
                    77:42:91:39:b9:f5:cd:e1:4c:ef:c0:3b:48:8c:a6:
                    e5:21:5d:fd:6a:6a:bb:a7:16:35:60:d2:e6:ad:f3:
                    46:29:c9:e8:c3:8b:e9:79:c0:6a:61:67:15:b2:f0:
                    fd:e5:68:bc:62:5f:6e:cf:99:dd:ef:1b:63:fe:92:
                    65:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                88:27:17:09:A9:B6:18:60:8B:EC:EB:BA:F6:47:59:C5:52:54:A3:B7
            X509v3 Authority Key Identifier: 
                keyid:2B:D0:69:47:94:76:09:FE:F4:6B:8D:2E:40:A6:F7:47:4D:7F:08:5E

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.apple.com/appleca/root.crl

            1.2.840.113635.100.6.2.1: 
                ..
    Signature Algorithm: sha1WithRSAEncryption
         da:32:00:96:c5:54:94:d3:3b:82:37:66:7d:2e:68:d5:c3:c6:
         b8:cb:26:8c:48:90:cf:13:24:6a:46:8e:63:d4:f0:d0:13:06:
         dd:d8:c4:c1:37:15:f2:33:13:39:26:2d:ce:2e:55:40:e3:0b:
         03:af:fa:12:c2:e7:0d:21:b8:d5:80:cf:ac:28:2f:ce:2d:b3:
         4e:af:86:19:04:c6:e9:50:dd:4c:29:47:10:23:fc:6c:bb:1b:
         98:6b:48:89:e1:5b:9d:de:46:db:35:85:35:ef:3e:d0:e2:58:
         4b:38:f4:ed:75:5a:1f:5c:70:1d:56:39:12:e5:e1:0d:11:e4:
         89:25:06:bd:d5:b4:15:8e:5e:d0:59:97:90:e9:4b:81:e2:df:
         18:af:44:74:1e:19:a0:3a:47:cc:91:1d:3a:eb:23:5a:fe:a5:
         2d:97:f7:7b:bb:d6:87:46:42:85:eb:52:3d:26:b2:63:a8:b4:
         b1:ca:8f:f4:cc:e2:b3:c8:47:e0:bf:9a:59:83:fa:da:98:53:
         2a:82:f5:7c:65:2e:95:d9:33:5d:f5:ed:65:cc:31:37:c5:5a:
         04:e8:6b:e1:e7:88:03:4a:75:9e:9b:28:cb:4a:40:88:65:43:
         75:dd:cb:3a:25:23:c5:9e:57:f8:2e:ce:d2:a9:92:5e:73:2e:
         2f:25:75:15
    
by 16.11.2016 / 00:35
1

Or, to avoid potentially complex parsing of the openssl output, you can specify only the fields of interest, such as:

security find-certificate -p -c "Apple Worldwide Developer Relations Certification Authority" | openssl x509 -enddate -noout

    
by 21.08.2018 / 10:06
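The answers above inspect one named certificate. As an added example (not part of either answer), the script below goes further and reports on every certificate at once: `security find-certificate -a -p` emits all matches as one concatenated PEM stream, while `openssl x509` reads only the first certificate from its input, so the stream has to be split first. The function names, the `--keychain` switch and the 30-day warning window are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validity dates for every certificate in a PEM bundle,
# e.g. the output of `security find-certificate -a -p`.

# split_pem DIR: read concatenated PEM on stdin, write each certificate to
# DIR/cert-N.pem, and print how many certificates were found.
split_pem() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }'
}

# report_certs DAYS: read a PEM bundle on stdin and print one tab-separated
# line per certificate: status, notBefore, notAfter, subject.
# The function body is a subshell so its variables stay local.
report_certs() (
  days="${1:-30}"
  dir="$(mktemp -d)" || exit 1
  count="$(split_pem "$dir")"
  i=0
  while [ "$i" -lt "$count" ]; do
    i=$((i + 1))
    f="$dir/cert-$i.pem"
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
      printf 'UNPARSEABLE\t-\t-\tentry %s\n' "$i"
      continue
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
      status=EXPIRED
    elif ! openssl x509 -in "$f" -noout -checkend "$((days * 86400))" >/dev/null; then
      status=EXPIRING
    else
      status=OK
    fi
    printf '%s\t%s\t%s\t%s\n' "$status" \
      "$(openssl x509 -in "$f" -noout -startdate | cut -d= -f2-)" \
      "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2-)" \
      "$(openssl x509 -in "$f" -noout -subject)"
  done
  rm -rf "$dir"
)

# macOS usage (assumed script name): sh certs.sh --keychain 30
if [ "${1:-}" = "--keychain" ]; then
  security find-certificate -a -p | report_certs "${2:-30}"
fi
```

The notBefore / notAfter columns are the values to compare against the creation and expiration dates returned by the developer portal.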