date:20170908

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-08 Thread Dr. Stephen Henson

On Fri, Sep 08, 2017, Robert Moskowitz wrote:

> I am using the test responder:
> 
>openssl ocsp -port 2560 -text -rmd sha256\
>  -index index.txt \
>  -CA certs/ca-chain.cert.pem \
>  -rkey private/$ocspurl.key.pem \
>  -rsigner certs/$ocspurl.cert.pem \
>  -nrequest 1
> 
> 
> What is the SHA1 hash report about?  It comes right after the line:
> Certificate ID:
> 
> Certificate ID:
>   Hash Algorithm: sha1
>   Issuer Name Hash: CA1F5832FA387F0127D8E0583F7331D1B903DBF0
>   Issuer Key Hash: A3278D00B053BF259193A4833E669C451DAD36E0
>   Serial Number: 762900CAB55A4762

It's the hash algorithm used to hash the issuer name and key to identify them.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] New version of draft-moskowitz-ecdsa-pki

2017-09-08 Thread Robert Moskowitz

I want to thank all for the help over the past few weeks.   Here is the 
latest version.  I know I have a few things to tune up.  Like why the 
SHA1 in the OCSP response.  I also want to put more justification in the 
beginning for people to use this (Standards writers, developers, 
testers).


But as often said, Internet Draft revision numbers are free and it is 
better to get things out stepwise then wait until everything is done.


Next big addition is IEEE 1609.2 cert support.

Bob




 Forwarded Message 
Subject:New Version Notification for draft-moskowitz-ecdsa-pki-01.txt
Date:   Fri, 08 Sep 2017 12:26:36 -0700
From:   internet-dra...@ietf.org
To: 	Robert Moskowitz , Liang Xia 
, Henk Birkholz 
, Liang Xia 




A new version of I-D, draft-moskowitz-ecdsa-pki-01.txt
has been successfully submitted by Robert Moskowitz and posted to the
IETF repository.

Name:   draft-moskowitz-ecdsa-pki
Revision:   01
Title:  Guide for building an ECC pki
Document date:  2017-09-07
Group:  Individual Submission
Pages:  31
URL:
https://www.ietf.org/internet-drafts/draft-moskowitz-ecdsa-pki-01.txt
Status: https://datatracker.ietf.org/doc/draft-moskowitz-ecdsa-pki/
Htmlized:   https://tools.ietf.org/html/draft-moskowitz-ecdsa-pki-01
Htmlized:   
https://datatracker.ietf.org/doc/html/draft-moskowitz-ecdsa-pki-01
Diff:   https://www.ietf.org/rfcdiff?url2=draft-moskowitz-ecdsa-pki-01

Abstract:
   This memo provides a guide for building a PKI (Public Key
   Infrastructure) using openSSL.  All certificates in this guide are
   ECDSA, P-256, with SHA256 certificates.  Along with common End Entity
   certificates, this guide provides instructions for creating IEEE
   802.1AR iDevID Secure Device certificates.

  



Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Why is this OCSP response reporting a hash using SHA1?

2017-09-08 Thread Robert Moskowitz


I am using the test responder:

   openssl ocsp -port 2560 -text -rmd sha256\
 -index index.txt \
 -CA certs/ca-chain.cert.pem \
 -rkey private/$ocspurl.key.pem \
 -rsigner certs/$ocspurl.cert.pem \
 -nrequest 1


What is the SHA1 hash report about?  It comes right after the line: 
Certificate ID:



openssl ocsp -CAfile certs/ca-chain.cert.pem \
  -url http://127.0.0.1:2560 -resp_text \
  -issuer certs/8021ARintermediate.cert.pem \
  -cert certs/$targetcert.cert.pem

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: O = HTT Consulting, OU = Devices
Produced At: Sep  8 16:11:38 2017 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: CA1F5832FA387F0127D8E0583F7331D1B903DBF0
  Issuer Key Hash: A3278D00B053BF259193A4833E669C451DAD36E0
  Serial Number: 762900CAB55A4762
Cert Status: revoked
Revocation Time: Sep  7 06:48:28 2017 GMT
This Update: Sep  8 16:11:38 2017 GMT

Response Extensions:
OCSP Nonce:
0410DBAEC40AE0C9696C715A8F476383D112
Signature Algorithm: ecdsa-with-SHA256
 30:46:02:21:00:a7:3e:9f:40:29:21:bc:1b:af:22:41:f7:5d:
 70:d8:3f:db:98:16:7c:62:b4:e9:cf:4c:1e:43:db:fa:07:42:
 f7:02:21:00:f6:05:82:c8:85:ef:dc:17:ec:0f:59:ce:5e:fd:
 36:8f:ac:5a:29:32:17:9d:22:c1:c2:77:e8:f7:7a:0c:ff:af
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
aa:56:78:7a:d5:f7:de:4f
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=MI, O=HTT Consulting, OU=Devices, CN=802.1AR CA
Validity
Not Before: Sep  7 06:40:11 2017 GMT
Not After : Dec 31 23:59:59  GMT
Subject: O=HTT Consulting, OU=Devices
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d8:a1:6c:09:c0:13:fc:30:6f:02:1e:a0:d3:cc:
02:8c:b0:e1:2a:84:1d:94:ed:2e:92:b8:25:d0:00:
3d:a0:1a:43:dc:83:12:13:e0:74:a4:97:b7:4e:ed:
26:18:c0:36:38:a1:f8:c0:bb:d8:5c:14:cd:a7:23:
f5:71:51:bc:6c
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
57:34:03:80:50:53:9B:EA:2A:06:37:FF:8A:1E:32:72:70:DD:41:9F
X509v3 Authority Key Identifier:

keyid:A3:27:8D:00:B0:53:BF:25:91:93:A4:83:3E:66:9C:45:1D:AD:36:E0

X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
OCSP Signing
X509v3 Subject Alternative Name:
DNS:ocsp.htt-consult.com, email:postmas...@htt-consult.com
Signature Algorithm: ecdsa-with-SHA256
 30:44:02:20:2b:99:ba:72:2a:e5:4c:1b:c1:9c:6a:72:f9:8e:
 8f:5f:97:ec:35:e0:19:f3:7f:58:c4:4b:67:fe:dc:47:68:45:
 02:20:37:07:0a:be:09:bd:20:b5:21:c5:23:80:4a:4d:57:47:
 56:4a:79:cc:6d:e0:57:5e:ef:bc:9b:eb:6d:3a:db:73
-BEGIN CERTIFICATE-
MIICMTCCAdigAwIBAgIJAKpWeHrV995PMAoGCCqGSM49BAMCMFoxCzAJBgNVBAYT
AlVTMQswCQYDVQQIDAJNSTEXMBUGA1UECgwOSFRUIENvbnN1bHRpbmcxEDAOBgNV
BAsMB0RldmljZXMxEzARBgNVBAMMCjgwMi4xQVIgQ0EwIBcNMTcwOTA3MDY0MDEx
WhgPOTk5OTEyMzEyMzU5NTlaMCsxFzAVBgNVBAoMDkhUVCBDb25zdWx0aW5nMRAw
DgYDVQQLDAdEZXZpY2VzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2KFsCcAT
/DBvAh6g08wCjLDhKoQdlO0ukrgl0AA9oBpD3IMSE+B0pJe3Tu0mGMA2OKH4wLvY
XBTNpyP1cVG8bKOBszCBsDAJBgNVHRMEAjAAMB0GA1UdDgQWBBRXNAOAUFOb6ioG
N/+KHjJycN1BnzAfBgNVHSMEGDAWgBSjJ40AsFO/JZGTpIM+ZpxFHa024DAOBgNV
HQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwOwYDVR0RBDQwMoIU
b2NzcC5odHQtY29uc3VsdC5jb22BGnBvc3RtYXN0ZXJAaHR0LWNvbnN1bHQuY29t
MAoGCCqGSM49BAMCA0cAMEQCICuZunIq5UwbwZxqcvmOj1+X7DXgGfN/WMRLZ/7c
R2hFAiA3Bwq+Cb0gtSHFI4BKTVdHVkp5zG3gV17vvJvrbTrbcw==
-END CERTIFICATE-
Response verify OK
certs/Wt1234.cert.pem: revoked
This Update: Sep  8 16:11:38 2017 GMT
Revocation Time: Sep  7 06:48:28 2017 GMT


Thank you

Bob


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Why is this OCSP response reporting a hash using SHA1?

[openssl-users] New version of draft-moskowitz-ecdsa-pki

[openssl-users] Why is this OCSP response reporting a hash using SHA1?

3 matches

Site Navigation

Mail list logo

Footer information