linux - 有没有办法检查和清理在 Linux 下运行的 ASP.NET Core 应用程序的证书吊销列表缓存？

Question

我们需要在我们的 ASP.NET Core 2.X 应用程序中实现客户端证书有效性检查，该应用程序已 Docker 化并在 Linux 下运行。特别是，我们对证书的撤销状态感兴趣。这种验证是通过使用 X509Chain 实现的并且按预期工作。

var chain = new X509Chain();
var chainPolicy = new X509ChainPolicy
{
    RevocationMode = X509RevocationMode.Online,
    RevocationFlag = X509RevocationFlag.EntireChain
};
chain.ChainPolicy = chainPolicy;
...

docker 文件

FROM mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim AS base
WORKDIR /app
EXPOSE 80

FROM mcr.microsoft.com/dotnet/core/sdk:2.2-stretch AS build
....

但是，我们对应用程序的 CRL 缓存的过期时间有要求。看起来 Linux(我假设它是 debian 对于 mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim 图像)默认缓存 CRL - 第一个请求持续 ~150ms 并且几乎立即处理以下请求(不幸的是我找不到可用的信息来证实这个观察).

Linux (debian) 中 CRL 缓存的默认时间是多少？有可能改变吗？有没有办法检查缓存的 CRL 列表？

是否可以像在 Windows 中那样清理 CRL 缓存？

certutil -urlcache * 删除

Linux 证书实用程序 dirmngr似乎不是 ASP.NET Core 2.2 应用程序的 mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim 基本镜像的一部分。

Answer 1

因为它是 .net Core，它是开源的，你有没有在 github 上查找源代码？ .在那里你会找到一个电话 CrlCache它显示了数据的存储位置:

namespace Internal.Cryptography.Pal
{
    internal static class CrlCache
    {
        private static readonly string s_crlDir =
            PersistedFiles.GetUserFeatureDirectory(
                X509Persistence.CryptographyFeatureName,
X509Persistence.CrlsSubFeatureName);

    internal static class X509Persistence
    {
        internal const string CryptographyFeatureName = "cryptography";
        internal const string X509StoresSubFeatureName = "x509stores";
        internal const string CrlsSubFeatureName = "crls";
        internal const string OcspSubFeatureName = "ocsp";
    }
...
        internal const string TopLevelDirectory = "dotnet";
        internal const string TopLevelHiddenDirectory = "." + TopLevelDirectory;
        internal const string SecondLevelDirectory = "corefx";
...
        internal static string GetUserFeatureDirectory(params string[] featurePathParts)
        {
            Debug.Assert(featurePathParts != null);
            Debug.Assert(featurePathParts.Length > 0);

            if (s_userProductDirectory == null)
            {
                EnsureUserDirectories();
            }

            return Path.Combine(s_userProductDirectory, Path.Combine(featurePathParts));
        }

        private static void EnsureUserDirectories()
        {
            string userHomeDirectory = GetHomeDirectory();

            if (string.IsNullOrEmpty(userHomeDirectory))
            {
                throw new InvalidOperationException(SR.PersistedFiles_NoHomeDirectory);
            }

            s_userProductDirectory = Path.Combine(
                userHomeDirectory,
                TopLevelHiddenDirectory,
                SecondLevelDirectory);
}

        internal static string GetHomeDirectory()
        {
            // First try to get the user's home directory from the HOME environment variable.
            // This should work in most cases.
string userHomeDirectory = Environment.GetEnvironmentVariable("HOME");

所以路径应该是$HOME/.dotnet/corefx/cryptography/crls