從https://stackoverflow.com/a/44524628?noredirect=1驗證簽名鏈SWI-Prolog 2-在最新版本的Swi中有所不同?
:-use_module(library(http/http_client)).
:-use_module(library(http/http_open)).
:-use_module(library(clpfd)).
url2('https://s3.amazonaws.com/echo.api/echo-api-cert-4.pem').
get_pem(Url,Certs):-
setup_call_cleanup(
http_open(Url,Stream,[]),
ssl_peer_certificate_chain(Stream,Certs),
close(Stream)
).
test(Key):-
url2(U),
get_pem(U,[A|Certs]),
checkcertvalid_time(A),
checkchain([A|Certs]),
memberchk(key(Key),A).
checkcertvalid_time(Acert):-
%what about The domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate
memberchk(notbefore(NotBefore),Acert),
memberchk(notafter(NotAfter),Acert),
get_time(NowA),
Now is round(NowA),
Now #>NotBefore,
Now #<NotAfter.
checkchain(Chain):-
length(Chain,L),
L#>1, %Insure chain has more than one cert
checkchain_h(Chain).
checkchain_h([_]). %Reached the root.
checkchain_h([C1,C2|Rest]):-
memberchk(signature(Sig),C1),
memberchk(to_be_signed(Signed),C1),
memberchk(key(Key),C2),
hex_bytes(Signed,Bytes),
crypto_data_hash(Bytes,Hash,[algorithm(sha256),encoding(octet)]),
rsa_verify(Key,Hash,Sig,[type(sha256)]),
checkchain_h([C2|Rest]).
跟進如果我叫test/1
那麼這個代碼在7.5.3-1-g647ce9a但在7.5.9中斷。在調用memberchk(to_be_signed(Signed),C1)
時,在7.5.9 checkchain_h/1
失敗。
這是在兩臺不同的計算機上測試,而不是在同一臺計算機上。是否有外部軟件可能導致這種差異?
此外,據我所知還應該有一個'subject_alternative_name'字段,我不能看到。
更新: 在7.5.9:
OpenSSL 1.0.1t 3 May 2016
?- use_module(library(ssl)), current_prolog_flag(ssl_library_version, V).
V = 'OpenSSL 1.0.1t 3 May 2016'.
在7.5.3-1-g647ce9a:
OpenSSL 1.0.2g 1 Mar 2016
?- use_module(library(ssl)), current_prolog_flag(ssl_library_version, V).
V = 'OpenSSL 1.0.2g 1 Mar 2016'.
請爲這兩個系統以及查詢:'? - use_module(library(ssl)),current_prolog_flag(ssl_library_version,V).'添加'$ openssl version'的輸出。 – mat
我已添加該信息。 – user27815