verify ocsp manually
Dirk-Willem van Gulik
dirkx at webweaving.org
Wed Jul 21 09:16:59 UTC 2021
Try sending that block to
pbpaste| xxd -r -p | openssl asn1parse -inform DER
0:d=0 hl=3 l= 190 cons: SEQUENCE
3:d=1 hl=2 l= 52 cons: cont [ 1 ]
5:d=2 hl=2 l= 50 cons: SEQUENCE
7:d=3 hl=2 l= 11 cons: SET
9:d=4 hl=2 l= 9 cons: SEQUENCE
11:d=5 hl=2 l= 3 prim: OBJECT :countryName
16:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
20:d=3 hl=2 l= 22 cons: SET
22:d=4 hl=2 l= 20 cons: SEQUENCE
24:d=5 hl=2 l= 3 prim: OBJECT :organizationName
29:d=5 hl=2 l= 13 prim: PRINTABLESTRING :Let's Encrypt
44:d=3 hl=2 l= 11 cons: SET
46:d=4 hl=2 l= 9 cons: SEQUENCE
48:d=5 hl=2 l= 3 prim: OBJECT :commonName
53:d=5 hl=2 l= 2 prim: PRINTABLESTRING :R3
57:d=1 hl=2 l= 15 prim: GENERALIZEDTIME :20210718180000Z
74:d=1 hl=2 l= 117 cons: SEQUENCE
76:d=2 hl=2 l= 115 cons: SEQUENCE
78:d=3 hl=2 l= 75 cons: SEQUENCE
80:d=4 hl=2 l= 9 cons: SEQUENCE
82:d=5 hl=2 l= 5 prim: OBJECT :sha1
89:d=5 hl=2 l= 0 prim: NULL
91:d=4 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
113:d=4 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:142EB317B75856CBAE500940E61FAF9D8B14C2C6
135:d=4 hl=2 l= 18 prim: INTEGER :03DCBE0133C9B833125475B4A77AB54A3DF6
155:d=3 hl=2 l= 0 prim: cont [ 0 ]
157:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :20210718180000Z
174:d=3 hl=2 l= 17 cons: cont [ 0 ]
176:d=4 hl=2 l= 15 prim: GENERALIZEDTIME :20210725180000Z
> On 21 Jul 2021, at 11:11, Gaardiolor <gaardiolor at gmail.com> wrote:
>
> Oh.. I'm a step further. I've checked every byte range of the ocsp response for the recovered sha256 signature.
>
> $ len=`cat ocsp.resp | wc -c`
> $ for start in `seq 1 $len`; do
>     echo -n "$start "
>     for end in `seq 1 $[$len+1-$start]`; do
>         output=`cat ocsp.resp | tail -c +$start | head -c $end | sha256sum| grep b483f2c34a6c1b4edf66b4d5310b58c3603ce9200f4fb0df61882fc0e02566a8`
>         if [ "$output" != "" ]; then
>             echo ''
>             echo $start $end $output
>             cat ocsp.resp | tail -c +$start | head -c $end | od -An -tx1
>             break
>         fi
>     done
>     if [ "$output" != "" ]; then break; fi
> done
>
>
> 35 193 b483f2c34a6c1b4edf66b4d5310b58c3603ce9200f4fb0df61882fc0e02566a8 -
> 30 81 be a1 34 30 32 31 0b 30 09 06 03 55 04 06
> 13 02 55 53 31 16 30 14 06 03 55 04 0a 13 0d 4c
> 65 74 27 73 20 45 6e 63 72 79 70 74 31 0b 30 09
> 06 03 55 04 03 13 02 52 33 18 0f 32 30 32 31 30
> 37 31 38 31 38 30 30 30 30 5a 30 75 30 73 30 4b
> 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 48 da c9
> a0 fb 2b d3 2d 4f f0 de 68 d2 f5 67 b7 35 f9 b3
> c4 04 14 14 2e b3 17 b7 58 56 cb ae 50 09 40 e6
> 1f af 9d 8b 14 c2 c6 02 12 03 dc be 01 33 c9 b8
> 33 12 54 75 b4 a7 7a b5 4a 3d f6 80 00 18 0f 32
> 30 32 31 30 37 31 38 31 38 30 30 30 30 5a a0 11
> 18 0f 32 30 32 31 30 37 32 35 31 38 30 30 30 30
> 5a
>
>
> So the TBS part starts in byte 35 and is 193 bytes long, meaning bytes 35-227.
>
> Looking at wireshark, that's indeed the 'tbsResponseData'. Any way to extract the tbs with openssl ? Thanks.
>
>
>
> On 2021-07-21 00:04, Gaardiolor wrote:
>> Good day,
>>
>> I don't fully understand ocsp certificate verification. In order to better understand it, I want to do it manually. I can already do that with certificates.
>>
>> $ openssl s_client -connect openssl.org:443 -showcerts
>> # I save the server.crt and intermediate.crt
>>
>> $ openssl verify -no-CApath -partial_chain -trusted intermediate.crt server.crt
>> server.crt: OK
>>
>> Manually:
>> # Get the ASN id's of the TBS and Signature
>> $ asn=`openssl asn1parse -i -in server.crt |egrep -e '(^ .*: SEQUENCE|: BIT STRING)'`
>> $ asn_tbs=`echo "$asn" | head -1 | awk -F: '{print $1}' | sed 's/ //g'`
>> $ asn_sig=`echo "$asn" | tail -1 | awk -F: '{print $1}' | sed 's/ //g'`
>>
>> # Get tbs
>> openssl asn1parse -in server.crt -strparse ${asn_tbs} -out server.tbs > /dev/null
>>
>> # Hash tbs
>> $ cat server.tbs | openssl sha256 -binary > server.tbs.sha256
>>
>> # Get signature (ignore 'header too long' error)
>> $ openssl asn1parse -in server.crt -strparse ${asn_sig} -out server.sig > /dev/null
>>
>> # Get public key of intermediate
>> $ openssl x509 -in intermediate.crt -noout -pubkey > intermediate.pub
>>
>> # Recover (decrypt) the signature
>> $ openssl rsautl -inkey intermediate.pub -pubin -in server.sig -out server.sig.recovered
>>
>> # Verify. Ignore the first line of server.sig.recovered, this is the hash algorithm designator
>> $ od -An -tx1 -w19 server.sig.recovered
>> 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
>> 87 36 67 06 ba d7 10 18 72 d3 f6 58 00 a9 34 78 bc 82 bf
>> 57 37 20 ab 82 04 fb 04 78 38 e2 d3 a2
>> $ od -An -tx1 -w19 server.tbs.sha256
>> 87 36 67 06 ba d7 10 18 72 d3 f6 58 00 a9 34 78 bc 82 bf
>> 57 37 20 ab 82 04 fb 04 78 38 e2 d3 a2
>>
>> Yay. Now how do I do that with OCSP ?
>>
>> # Get OCSP
>> $ ocsp=`openssl x509 -noout -ocsp_uri -in server.crt`
>>
>> # Verify
>> $ ocsp_response=`openssl ocsp -noverify -no_nonce -respout ocsp.resp -reqout ocsp.req -issuer intermediate.crt -cert server.crt -text -url $ocsp`
>> $ echo "$ocsp_response" | grep server.crt
>> server.crt: good
>>
>> Manually:
>> # Get the signature. Can't find how to do this with asn1parse
>> $ for byte in `echo "$ocsp_response" | grep -A40 " Signature Algorithm" | grep -B40 "server.crt" | egrep -ve '(Signature Algorithm|server.crt)' | sed -e 's/ //g' -e 's/:/ /g'`; do
>>     echo -ne "\x$byte"
>> done > ocsp.resp.sig
>>
>> # Recover (decrypt) the signature
>> $ openssl rsautl -inkey intermediate.pub -pubin -in ocsp.resp.sig -out ocsp.resp.sig.recovered
>>
>> # Print the decrypted signature (looks good, first line is hash algorithm designator, length looks ok, no errors)
>> $ od -An -tx1 -w19 ocsp.resp.sig.recovered
>> 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
>> b4 83 f2 c3 4a 6c 1b 4e df 66 b4 d5 31 0b 58 c3 60 3c e9
>> 20 0f 4f b0 df 61 88 2f c0 e0 25 66 a8
>>
>> But.. How to extract the tbs data from the response, so I can sha256 that and compare ?
>>
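
One way to get the TBS out with `openssl asn1parse` alone, as an added example that is not part of the original thread: `-strparse` on the OCTET STRING yields the BasicOCSPResponse, and `-strparse` on its first child yields tbsResponseData with its header. The function names and the sample envelope (placeholder all-zero signature) are constructed for illustration; only the TBS bytes and the expected digest come from the messages above.

```shell
#!/bin/sh
# Added example: extract tbsResponseData from a DER OCSP response with
# `openssl asn1parse` only. Function and file names are illustrative.

# The 193 tbsResponseData bytes dumped in the thread.
TBS_HEX="\
3081bea1343032310b300906035504061302555331163014060355040a130d4c\
6574277320456e6372797074310b3009060355040313025233180f3230323130\
3731383138303030305a30753073304b300906052b0e03021a0500041448dac9\
a0fb2bd32d4ff0de68d2f567b735f9b3c40414142eb317b75856cbae500940e6\
1faf9d8b14c2c6021203dcbe0133c9b833125475b4a77ab54a3df68000180f32\
303231303731383138303030305aa011180f3230323130373235313830303030\
5a"

hex2bin() {  # portable stand-in for `xxd -r -p`
  for b in $(printf %s "$1" | sed 's/../& /g'); do
    printf "\\$(printf %03o "0x$b")"
  done
}

# Constructed sample: the TBS above inside a minimal OCSPResponse envelope
# with an all-zero 256-byte placeholder signature (it will not verify).
make_sample() {
  pre=308201f30a0100a08201ec308201e806092b0601050507300101048201d9308201d5
  alg=300d06092a864886f70d01010b0500
  sig=0382010100$(printf %0512d 0)
  hex2bin "$pre$TBS_HEX$alg$sig" > "$1"
}

first_offset() {  # FILE REGEX -> offset of the first matching asn1parse line
  openssl asn1parse -inform DER -in "$1" |
    awk -F: -v re="$2" '!hit && $0 ~ re { gsub(/ /, "", $1); print $1; hit = 1 }'
}

extract_tbs() {  # RESP OUT -> writes tbsResponseData (header included) to OUT
  oct=$(first_offset "$1" 'OCTET STRING')   # wraps the BasicOCSPResponse
  openssl asn1parse -inform DER -in "$1" -strparse "$oct" -noout -out "$2.basic"
  tbs=$(first_offset "$2.basic" ':d=1 ')    # its first child is the TBS
  openssl asn1parse -inform DER -in "$2.basic" -strparse "$tbs" -noout -out "$2"
}

sha256_hex() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

work=$(mktemp -d)
make_sample "$work/ocsp.resp"
extract_tbs "$work/ocsp.resp" "$work/ocsp.tbs"
sha256_hex "$work/ocsp.tbs"   # compare with the digest recovered from the signature
```

On a real response, `extract_tbs ocsp.resp ocsp.tbs` followed by `sha256_hex ocsp.tbs` gives the value to compare against the last 32 bytes of `ocsp.resp.sig.recovered`.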