Is there a way to check and clean the Certificate Revocation List cache for an ASP.NET Core application that is dockerized and runs under Linux?

We need to implement client certificate validity checking in an ASP.NET Core 2.x application that is dockerized and runs under Linux. In particular, we are interested in the revocation status of the certificate. This validation is implemented with X509Chain and works as expected.

using System.Security.Cryptography.X509Certificates;

// Build a chain that checks revocation online (CRL/OCSP fetch) for every certificate in the chain
var chain = new X509Chain();
var chainPolicy = new X509ChainPolicy
{
    RevocationMode = X509RevocationMode.Online,
    RevocationFlag = X509RevocationFlag.EntireChain
};
chain.ChainPolicy = chainPolicy;
...

Dockerfile

FROM mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim AS base
WORKDIR /app
EXPOSE 80

FROM mcr.microsoft.com/dotnet/core/sdk:2.2-stretch AS build
....

However, we have a requirement on the expiry time of the application's CRL cache. It looks like Linux (I assume it is Debian for the mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim image) caches CRLs by default: the first request takes about 150 ms, and subsequent requests are processed almost instantly (unfortunately I could not find any available information confirming this observation).

What is the default CRL cache time on Linux (Debian)? Is it possible to change it? Is there a way to inspect the cached CRL list?

Is it possible to clean the CRL cache the way it is done on Windows?

certutil -urlcache * delete

The Linux certificate utility dirmngr does not seem to be part of the mcr.microsoft.com/dotnet/core/aspnet:2.2-stretch-slim base image for ASP.NET Core 2.2 applications.

Since .NET Core is open source, have you looked at the source on GitHub? There you'll find a call to the CrlCache that shows where the data is stored:

namespace Internal.Cryptography.Pal
{
    internal static class CrlCache
    {
        private static readonly string s_crlDir =
            PersistedFiles.GetUserFeatureDirectory(
                X509Persistence.CryptographyFeatureName,
                X509Persistence.CrlsSubFeatureName);
...
    internal static class X509Persistence
    {
        internal const string CryptographyFeatureName = "cryptography";
        internal const string X509StoresSubFeatureName = "x509stores";
        internal const string CrlsSubFeatureName = "crls";
        internal const string OcspSubFeatureName = "ocsp";
    }
...
        internal const string TopLevelDirectory = "dotnet";
        internal const string TopLevelHiddenDirectory = "." + TopLevelDirectory;
        internal const string SecondLevelDirectory = "corefx";
...
        internal static string GetUserFeatureDirectory(params string[] featurePathParts)
        {
            Debug.Assert(featurePathParts != null);
            Debug.Assert(featurePathParts.Length > 0);

            if (s_userProductDirectory == null)
            {
                EnsureUserDirectories();
            }

            return Path.Combine(s_userProductDirectory, Path.Combine(featurePathParts));
        }

        private static void EnsureUserDirectories()
        {
            string userHomeDirectory = GetHomeDirectory();

            if (string.IsNullOrEmpty(userHomeDirectory))
            {
                throw new InvalidOperationException(SR.PersistedFiles_NoHomeDirectory);
            }

            s_userProductDirectory = Path.Combine(
                userHomeDirectory,
                TopLevelHiddenDirectory,
                SecondLevelDirectory);
        }

        internal static string GetHomeDirectory()
        {
            // First try to get the user's home directory from the HOME environment variable.
            // This should work in most cases.
            string userHomeDirectory = Environment.GetEnvironmentVariable("HOME");
...

So the path should be $HOME/.dotnet/corefx/cryptography/crls
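Building on the cache path from the answer, here is an added shell example (not code from the question, the answer or corefx) that lists the cached CRLs with their validity windows and clears them inside the container, which is what the question asked for. It assumes the directory from the answer (for root in the Debian-based image that is /root/.dotnet/corefx/cryptography/crls), that the entries are CRL files OpenSSL can parse (PEM is tried first, then DER), and that openssl is installed for the listing step only; CRL_CACHE_DIR is a hypothetical override variable, not one the runtime reads:

```shell
#!/bin/sh
# Inspect and clear the CRL cache that .NET Core (corefx) keeps on Linux.
# Location taken from the answer above: $HOME/.dotnet/corefx/cryptography/crls

crl_cache_dir() {
    # CRL_CACHE_DIR is an override for this script only (e.g. when HOME of the
    # service account differs from the shell you are debugging from)
    printf '%s\n' "${CRL_CACHE_DIR:-${HOME}/.dotnet/corefx/cryptography/crls}"
}

# One line per cached CRL: file name plus lastUpdate/nextUpdate when openssl can parse it.
# nextUpdate is the point after which the cached copy is stale and must be fetched again.
list_crl_cache() {
    dir=$(crl_cache_dir)
    [ -d "$dir" ] || { echo "no CRL cache at $dir"; return 0; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        info=$(openssl crl -in "$f" -inform PEM -noout -lastupdate -nextupdate 2>/dev/null \
            || openssl crl -in "$f" -inform DER -noout -lastupdate -nextupdate 2>/dev/null \
            || echo "unparsed (not a CRL, or openssl missing)")
        printf '%s: %s\n' "$(basename "$f")" "$(printf '%s' "$info" | tr '\n' ' ')"
    done
}

# Number of cached entries; used to confirm that clearing worked
count_crl_cache() {
    dir=$(crl_cache_dir)
    [ -d "$dir" ] || { echo 0; return 0; }
    n=0
    for f in "$dir"/*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Remove every cached CRL. The next chain build with RevocationMode=Online
# has to download the CRLs again, so run this only when a fresh check is required.
clear_crl_cache() {
    dir=$(crl_cache_dir)
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -delete
}

# Usage inside the container:  . ./crlcache.sh; list_crl_cache; clear_crl_cache
```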