2016-07-08 13 views
0

getservbyname error while getting OIDC thumbprint

I'm trying to get the certificate of my OIDC IdP (Google, in my case) and want to download the certificate chain. I have OpenSSL installed and configured, and I fetch the IdP's configuration document using

https://server.example.com/.well-known/openid-configuration

Obviously, replacing server.example.com with accounts.google.com returns:

{ 
"issuer": "https://accounts.google.com", 
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth", 
"token_endpoint": "https://www.googleapis.com/oauth2/v4/token", 
"userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo", 
"revocation_endpoint": "https://accounts.google.com/o/oauth2/revoke", 
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs", 
"response_types_supported": [ 
    "code", 
    "token", 
    "id_token", 
    "code token", 
    "code id_token", 
    "token id_token", 
    "code token id_token", 
    "none" 
], 
"subject_types_supported": [ 
    "public" 
], 
"id_token_signing_alg_values_supported": [ 
    "RS256" 
], 
"scopes_supported": [ 
    "openid", 
    "email", 
    "profile" 
], 
"token_endpoint_auth_methods_supported": [ 
    "client_secret_post", 
    "client_secret_basic" 
], 
"claims_supported": [ 
    "aud", 
    "email", 
    "email_verified", 
    "exp", 
    "family_name", 
    "given_name", 
    "iat", 
    "iss", 
    "locale", 
    "name", 
    "picture", 
    "sub" 
], 
"code_challenge_methods_supported": [ 
    "plain", 
    "S256" 
] 
} 

I'm only interested in the value of the jwks_uri key. Now, using that URI from above, I want to fetch the certificate chain, so I type the following command in the terminal:

openssl s_client -showcerts -connect https://www.googleapis.com/oauth2/v3/certs:443

which returns this horrible, horrible, confusing, insulting response:

getservbyname failure for //www.googleapis.com/oauth2/v3/certs:443 
usage: s_client args 

-host host  - use -connect instead 
-port port  - use -connect instead 
-connect host:port - who to connect to (default is localhost:4433) 
-verify_hostname host - check peer certificate matches "host" 
-verify_email email - check peer certificate matches "email" 
-verify_ip ipaddr - check peer certificate matches "ipaddr" 
-verify arg - turn on peer certificate verification 
-verify_return_error - return verification errors 
-cert arg  - certificate file to use, PEM format assumed 
-certform arg - certificate format (PEM or DER) PEM default 
-key arg  - Private key file to use, in cert file if 
       not specified but cert file is. 
-keyform arg - key format (PEM or DER) PEM default 
-pass arg  - private key file pass phrase source 
-CApath arg - PEM format directory of CA's 
-CAfile arg - PEM format file of CA's 
-no_alt_chains - only ever use the first certificate chain found 
-reconnect - Drop and re-make the connection with the same Session-ID 
-pause  - sleep(1) after each read(2) and write(2) system call 
-prexit  - print session information even on connection failure 
-showcerts - show all certificates in the chain 
-debug  - extra output 
-msg   - Show protocol messages 
-nbio_test - more ssl protocol testing 
-state  - print the 'ssl' states 
-nbio   - Run with non-blocking IO 
-crlf   - convert LF from terminal into CRLF 
-quiet  - no s_client output 
-ign_eof  - ignore input eof (default when -quiet) 
-no_ign_eof - don't ignore input eof 
-psk_identity arg - PSK identity 
-psk arg  - PSK in hex (without 0x) 
-srpuser user  - SRP authentification for 'user' 
-srppass arg  - password for 'user' 
-srp_lateuser  - SRP username into second ClientHello message 
-srp_moregroups - Tolerate other than the known g N values. 
-srp_strength int - minimal length in bits for N (default 1024). 
-ssl2   - just use SSLv2 
-ssl3   - just use SSLv3 
-tls1_2  - just use TLSv1.2 
-tls1_1  - just use TLSv1.1 
-tls1   - just use TLSv1 
-dtls1  - just use DTLSv1 
-fallback_scsv - send TLS_FALLBACK_SCSV 
-mtu   - set the link layer MTU 
-no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol 
-bugs   - Switch on all SSL implementation bug workarounds 
-cipher  - preferred cipher to use, use the 'openssl ciphers' 
       command to see what is available 
-starttls prot - use the STARTTLS command before starting TLS 
       for those protocols that support it, where 
       'prot' defines which one to assume. Currently, 
       only "smtp", "pop3", "imap", "ftp" and "xmpp" 
       are supported. 
-engine id - Initialise and use the specified engine 
-rand file:file:... 
-sess_out arg - file to write SSL session to 
-sess_in arg - file to read SSL session from 
-servername host - Set TLS extension servername in ClientHello 
-tlsextdebug  - hex dump of all TLS extensions received 
-status   - request certificate status from server 
-no_ticket  - disable use of RFC4507bis session tickets 
-serverinfo types - send empty ClientHello extensions (comma-separated numbers) 
-curves arg  - Elliptic curves to advertise (colon-separated list) 
-sigalgs arg  - Signature algorithms to support (colon-separated list) 
-client_sigalgs arg - Signature algorithms to support for client 
         certificate authentication (colon-separated list) 
-nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list) 
-alpn arg   - enable ALPN extension, considering named protocols supported (comma-separated list) 
-legacy_renegotiation - enable use of legacy renegotiation (dangerous) 
-use_srtp profiles - Offer SRTP key management with a colon-separated profile list 
-keymatexport label - Export keying material using label 
-keymatexportlen len - Export len bytes of keying material (default 20) 

I think the code above is my Ygritte and I'm still a naive Jon Snow: I know nothing. If I've missed something obvious, help me and forgive me, because I know nothing. Thanks, everyone.

Answer

0

SSL is a TCP-level protocol, not HTTP, so to make that command work, strip the protocol and the path from -connect :):

openssl s_client -showcerts -connect www.googleapis.com:443

But what you are probably after is the JWK set that the OpenID Connect server is configured to publish in its discovery document. You can simply fetch and analyse that:

curl https://www.googleapis.com/oauth2/v3/certs 

Then, for each JWT, extract the kid from its header, use it to look up the correct public key in the published set, and verify.

+0

That worked like a charm, thanks Pieter! I just needed to trim the path :) – JonSnow
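The verification step the answer describes, written out as an added example (not code from the original post, from Google, or from any library): it reads the JWT header, pins alg to RS256 (the only value Google's discovery document lists), picks the key whose kid matches from a JWK set shaped like the one served at the jwks_uri, and checks the RSASSA-PKCS1-v1_5 signature with plain integer arithmetic. The JWK set and the sample id_token are constructed inline from a throwaway 512-bit key so everything runs offline; all function names are this example's own.

```python
import base64, hashlib, json, random

# DigestInfo prefix for SHA-256 (RFC 8017); JWS "RS256" is RSASSA-PKCS1-v1_5 over SHA-256.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def int_to_b64url(i): return b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
def emsa_pkcs1_v15(msg, k):
    # EM = 00 || 01 || PS (0xFF bytes) || 00 || DigestInfo(SHA-256(msg)), exactly k bytes long
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")
def is_probable_prime(n, rounds=32):  # Miller-Rabin; only used to mint the throwaway test key
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def make_test_key(kid, bits=512):
    # Constructed throwaway RSA key pair (far too small for real use); returns (public JWK, n, d).
    def prime():
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c) and (c - 1) % 65537: return c
    p, q = prime(), prime()
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": int_to_b64url(n), "e": int_to_b64url(e)}, n, d

def sign_rs256(header, payload, n, d):  # what the IdP does; here only to produce a sample id_token
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    k = (n.bit_length() + 7) // 8
    return signing_input + "." + b64url_encode(pow(emsa_pkcs1_v15(signing_input.encode(), k), d, n).to_bytes(k, "big"))

def verify_id_token(jwt, jwks, allowed_algs=("RS256",)):
    # header -> kid -> key from the published JWK set -> RS256 check (whole-EM compare, no lenient padding parser)
    head_b64, payload_b64, sig_b64 = jwt.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") not in allowed_algs:  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None: raise ValueError("no RSA key with kid %r in JWK set" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(key[part]), "big") for part in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64url_decode(sig_b64)
    if len(sig) != k or (s := int.from_bytes(sig, "big")) >= n or pow(s, e, n) != emsa_pkcs1_v15((head_b64 + "." + payload_b64).encode(), k):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))
```

With the real Google set, replace the constructed jwks with the JSON returned by the curl command above; the lookup and signature check are the same.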
