我们需要在我们的 ASP.NET Core 2.X 应用程序中实现客户端证书有效性检查,该应用程序已 Docker 化并在 Linux 下运行。特别是,我们对证书的撤销状态感兴趣。这种验证是通过使用 X509Chain 实现的并且按预期工作。
var chain = new X509Chain();
var chainPolicy = new X509ChainPolicy
{
RevocationMode = X509RevocationMode.Online,
RevocationFlag = X509RevocationFlag.EntireChain
};
chain.ChainPolicy = chainPolicy;
...
docker 文件
FROM mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim AS base
WORKDIR /app
EXPOSE 80
FROM mcr.microsoft.com/dotnet/core/sdk:2.2-stretch AS build
....
但是,我们对应用程序的 CRL 缓存的过期时间有要求。看起来 Linux(我假设它是 debian 对于 mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim
图像)默认缓存 CRL - 第一个请求持续 ~150ms 并且几乎立即处理以下请求(不幸的是我找不到可用的信息来证实这个观察).
Linux (debian) 中 CRL 缓存的默认时间是多少?有可能改变吗?有没有办法检查缓存的 CRL 列表?
是否可以像在 Windows 中那样清理 CRL 缓存?
certutil -urlcache * 删除
Linux 证书实用程序 dirmngr似乎不是 ASP.NET Core 2.2 应用程序的 mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim
基本镜像的一部分。
最佳答案
因为它是 .net Core,它是开源的,你有没有在 github 上查找源代码? .在那里你会找到一个电话 CrlCache它显示了数据的存储位置:
namespace Internal.Cryptography.Pal
{
internal static class CrlCache
{
private static readonly string s_crlDir =
PersistedFiles.GetUserFeatureDirectory(
X509Persistence.CryptographyFeatureName,
X509Persistence.CrlsSubFeatureName);
internal static class X509Persistence
{
internal const string CryptographyFeatureName = "cryptography";
internal const string X509StoresSubFeatureName = "x509stores";
internal const string CrlsSubFeatureName = "crls";
internal const string OcspSubFeatureName = "ocsp";
}
...
internal const string TopLevelDirectory = "dotnet";
internal const string TopLevelHiddenDirectory = "." + TopLevelDirectory;
internal const string SecondLevelDirectory = "corefx";
...
internal static string GetUserFeatureDirectory(params string[] featurePathParts)
{
Debug.Assert(featurePathParts != null);
Debug.Assert(featurePathParts.Length > 0);
if (s_userProductDirectory == null)
{
EnsureUserDirectories();
}
return Path.Combine(s_userProductDirectory, Path.Combine(featurePathParts));
}
private static void EnsureUserDirectories()
{
string userHomeDirectory = GetHomeDirectory();
if (string.IsNullOrEmpty(userHomeDirectory))
{
throw new InvalidOperationException(SR.PersistedFiles_NoHomeDirectory);
}
s_userProductDirectory = Path.Combine(
userHomeDirectory,
TopLevelHiddenDirectory,
SecondLevelDirectory);
}
internal static string GetHomeDirectory()
{
// First try to get the user's home directory from the HOME environment variable.
// This should work in most cases.
string userHomeDirectory = Environment.GetEnvironmentVariable("HOME");
所以路径应该是$HOME/.dotnet/corefx/cryptography/crls
关于linux - 有没有办法检查和清理在 Linux 下运行的 ASP.NET Core 应用程序的证书吊销列表缓存?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55653143/