Oh.. I'm a step further. I've checked every byte range of the ocsp response for the recovered sha256 signature.

$ len=`cat ocsp.resp | wc -c`
$ for start in `seq 1 $len`; do
    echo -n "$start "
    for end in `seq 1 $[$len+1-$start]`; do
      output=`cat ocsp.resp | tail -c +$start | head -c $end | sha256sum| grep b483f2c34a6c1b4edf66b4d5310b58c3603ce9200f4fb0df61882fc0e02566a8`
      if [ "$output" != "" ]; then
        echo ''
        echo $start $end $output
        cat ocsp.resp | tail -c +$start | head -c $end | od -An -tx1
        break
      fi
    done
    if [ "$output" != "" ]; then break; fi
  done

35 193 b483f2c34a6c1b4edf66b4d5310b58c3603ce9200f4fb0df61882fc0e02566a8 -
 30 81 be a1 34 30 32 31 0b 30 09 06 03 55 04 06
 13 02 55 53 31 16 30 14 06 03 55 04 0a 13 0d 4c
 65 74 27 73 20 45 6e 63 72 79 70 74 31 0b 30 09
 06 03 55 04 03 13 02 52 33 18 0f 32 30 32 31 30
 37 31 38 31 38 30 30 30 30 5a 30 75 30 73 30 4b
 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 48 da c9
 a0 fb 2b d3 2d 4f f0 de 68 d2 f5 67 b7 35 f9 b3
 c4 04 14 14 2e b3 17 b7 58 56 cb ae 50 09 40 e6
 1f af 9d 8b 14 c2 c6 02 12 03 dc be 01 33 c9 b8
 33 12 54 75 b4 a7 7a b5 4a 3d f6 80 00 18 0f 32
 30 32 31 30 37 31 38 31 38 30 30 30 30 5a a0 11
 18 0f 32 30 32 31 30 37 32 35 31 38 30 30 30 30
 5a

So the TBS part starts in byte 35 and is 193 bytes long, meaning bytes 35-227.

Looking at Wireshark, that's indeed the 'tbsResponseData'. Any way to extract the tbs with openssl? Thanks.


On 2021-07-21 00:04, Gaardiolor wrote:

Good day,

I don't fully understand ocsp certificate verification. In order to better understand it, I want to do it manually. I can already do that with certificates.

$ openssl s_client -connect openssl.org:443 -showcerts
# I save the server.crt and intermediate.crt

$ openssl verify -no-CApath -partial_chain -trusted intermediate.crt server.crt
server.crt: OK

Manually:
# Get the ASN id's of the TBS and Signature
$ asn=`openssl asn1parse -i -in server.crt |egrep -e '(^ .*: SEQUENCE|: BIT STRING)'`
$ asn_tbs=`echo "$asn" | head -1 | awk -F: '{print $1}' | sed 's/ //g'`
$ asn_sig=`echo "$asn" | tail -1 | awk -F: '{print $1}' | sed 's/ //g'`

# Get tbs
$ openssl asn1parse -in server.crt -strparse ${asn_tbs} -out server.tbs > /dev/null

# Hash tbs
$ cat server.tbs | openssl sha256 -binary > server.tbs.sha256

# Get signature (ignore 'header too long' error)
$ openssl asn1parse -in server.crt -strparse ${asn_sig} -out server.sig > /dev/null

# Get public key of intermediate
$ openssl x509 -in intermediate.crt -noout -pubkey > intermediate.pub

# Recover (decrypt) the signature
$ openssl rsautl -inkey intermediate.pub -pubin -in server.sig -out server.sig.recovered

# Verify. Ignore the first line of server.sig.recovered, this is the hash algorithm designator
$ od -An -tx1 -w19 server.sig.recovered
 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
 87 36 67 06 ba d7 10 18 72 d3 f6 58 00 a9 34 78 bc 82 bf
 57 37 20 ab 82 04 fb 04 78 38 e2 d3 a2
$ od -An -tx1 -w19 server.tbs.sha256
 87 36 67 06 ba d7 10 18 72 d3 f6 58 00 a9 34 78 bc 82 bf
 57 37 20 ab 82 04 fb 04 78 38 e2 d3 a2

Yay. Now how do I do that with OCSP ?

# Get OCSP
$ ocsp=`openssl x509 -noout -ocsp_uri -in server.crt`

# Verify
$ ocsp_response=`openssl ocsp -noverify -no_nonce -respout ocsp.resp -reqout ocsp.req -issuer intermediate.crt -cert server.crt -text -url $ocsp`
$ echo "$ocsp_response" | grep server.crt
server.crt: good

Manually:
# Get the signature. Can't find how to do this with asn1parse
$ for byte in `echo "$ocsp_response" | grep -A40 " Signature Algorithm" | grep -B40 "server.crt" | egrep -ve '(Signature Algorithm|server.crt)' | sed -e 's/ //g' -e 's/:/ /g'`; do
    echo -ne "\x$byte"
  done > ocsp.resp.sig

# Recover (decrypt) the signature
$ openssl rsautl -inkey intermediate.pub -pubin -in ocsp.resp.sig -out ocsp.resp.sig.recovered

# Print the decrypted signature (looks good, first line is hash algorithm designator, length looks ok, no errors)
$ od -An -tx1 -w19 ocsp.resp.sig.recovered
 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
 b4 83 f2 c3 4a 6c 1b 4e df 66 b4 d5 31 0b 58 c3 60 3c e9
 20 0f 4f b0 df 61 88 2f c0 e0 25 66 a8

But.. How to extract the tbs data from the response, so I can sha256 that and compare ?
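
Added example (not part of the original messages, and not OpenSSL code): a plain DER walk in Python that locates tbsResponseData and the signature by following the RFC 6960 nesting OCSPResponse -> responseBytes -> response OCTET STRING -> BasicOCSPResponse, instead of brute-forcing byte ranges. The helper names and the sample response are constructed here; the filler tbsResponseData is sized to 193 bytes to mirror the response in the thread.

```python
import hashlib

BASIC_OID = bytes.fromhex("06092b0601050507300101")  # id-pkix-ocsp-basic, DER-encoded

def read_tlv(buf, pos):
    """Return (tag, header_len, content_len) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                   # short-form length
        return tag, 2, first
    n = first & 0x7F                                   # long form: n length octets
    if not 1 <= n <= 4:
        raise ValueError("unsupported DER length")
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def children(buf, pos):
    """List (tag, offset, total_len) of the elements inside the one at pos."""
    _, hl, cl = read_tlv(buf, pos)
    cur, end, out = pos + hl, pos + hl + cl, []
    while cur < end:
        tag, h, c = read_tlv(buf, cur)
        out.append((tag, cur, h + c))
        cur += h + c
    return out

def locate_tbs(resp):
    """Return (offset, length, signature) of tbsResponseData in a DER OCSPResponse."""
    top = children(resp, 0)                            # responseStatus, [0] responseBytes
    if len(top) < 2 or top[1][0] != 0xA0:
        raise ValueError("no responseBytes: responder returned an error status")
    rtype, octets = children(resp, children(resp, top[1][1])[0][1])[:2]
    if resp[rtype[1]:rtype[1] + rtype[2]] != BASIC_OID or octets[0] != 0x04:
        raise ValueError("not a BasicOCSPResponse")
    basic = octets[1] + read_tlv(resp, octets[1])[1]   # DER nested in the OCTET STRING
    tbs, _alg, sig = children(resp, basic)[:3]
    _, hl, cl = read_tlv(resp, sig[1])
    return tbs[1], tbs[2], resp[sig[1] + hl + 1:sig[1] + hl + cl]  # skip unused-bits octet

def der(tag, content):  # minimal DER encoder, used only to build the constructed sample
    n = len(content)
    ln = bytes([n]) if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (ln if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + content

# Constructed sample: filler tbsResponseData (193 bytes) and a dummy 256-byte signature.
TBS = der(0x30, bytes(190))
BASIC = der(0x30, TBS + bytes.fromhex("300d06092a864886f70d01010b0500") + der(0x03, b"\x00" + b"\xaa" * 256))
SAMPLE = der(0x30, bytes.fromhex("0a0100") + der(0xA0, der(0x30, BASIC_OID + der(0x04, BASIC))))

if __name__ == "__main__":
    off, length, sig = locate_tbs(SAMPLE)
    print(off + 1, length, hashlib.sha256(SAMPLE[off:off + length]).hexdigest())
```

The returned offset is zero-based; the script prints it 1-based so it can be compared directly with a `tail -c +START | head -c LEN` range. The hash is taken over the whole tbsResponseData element, including its SEQUENCE header.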
