@gbolo
Created February 14, 2017 02:32
Verification of Signatures on x.509 Certificates
#!/bin/bash
#############################################################
## x.509 Certificate Signature Verification
## This script was made for educational purposes.
## VERIFICATION MAY BE WRONG, USE AT YOUR OWN RISK!
## - gbolo linuxctl.com 2016
#############################################################
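VERSION=0.2
# Timestamp (second resolution) used to name this run's working directory.
DATE=$(date +%Y-%m-%d.%H-%M-%S)
# Resolve the script location; every expansion is quoted so a path containing
# spaces or glob characters is not word-split.
FULL_PATH=$(readlink -f -- "$0") ## Path of this file including filename
DIR_NAME=$(dirname -- "${FULL_PATH}") ## Dir where this file is
SCRIPT_FILENAME=$(basename -- "${FULL_PATH}") ## file name of this script.
# NOTE(security): this name is predictable (fixed prefix + timestamp) and lives
# in world-writable /tmp. Whatever creates the directory must treat an already
# existing path as a hard error, otherwise another local user could pre-create
# it and swap the extracted key/signature/body files before verification.
TMP_DIR="/tmp/.x509-verify_${DATE}"
# Artefacts written into the working directory.
LOG_VERBOSE="${TMP_DIR}/${SCRIPT_FILENAME}_verbose.log"
ISSUER_PUB_OUTPUT="${TMP_DIR}/issuer-pub.pem"
SIGNATURE_OUTPUT="${TMP_DIR}/x509-signature.bin"
BODY_OUTPUT="${TMP_DIR}/x509-body.bin"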
function usage {
  # Print the help text (option summary plus the educational-use warning)
  # on stdout, then terminate the script with status 1.
  # Reads: SCRIPT_FILENAME.
  printf '%s\n' \
    '' \
    "usage: ${SCRIPT_FILENAME} [OPTIONS...]" \
    '-i issuer-cert required path of issuer x509 cert' \
    '-s signed-cert required path of signed x509 cert' \
    '-v optional verbose logging' \
    '*WARNING*' \
    'This script was made for educational purposes.' \
    'VERIFICATION MAY BE WRONG, USE AT YOUR OWN RISK!'
  exit 1
}
#############################################################
## THESE BINARIES MUST BE INSTALLED FOR THIS SCRIPT TO WORK
#############################################################
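# External programs checked before any certificate is touched. grep and sed are
# listed because the extraction and verification steps pipe through them; curl
# and tac are kept from the original list although no active line in this
# listing invokes them.
REQ_BINS=(openssl tr bc tac xxd cut curl awk grep sed)
for b in "${REQ_BINS[@]}"; do
  if ! command -v "${b}" >/dev/null 2>&1; then
    # Diagnostics go to stderr so they are not mistaken for a result.
    echo >&2 " Required program \"${b}\" not installed."
    echo >&2 " Please install it and run this script again"
    usage
    exit 1 # defensive: usage already exits
  fi
done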
#############################################################
## DEFINE THE DEFAULTS
#############################################################
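# Verbose logging is off unless -v is given on the command line.
VERBOSE_LOGGING='false'
#############################################################
## LOGGING FUNCTION
#############################################################
function LOG_MESSAGE {
  # Append one timestamped line to the verbose log when -v is active.
  # Arguments: $1 - message text
  # Reads:     VERBOSE_LOGGING, LOG_VERBOSE
  # The redirect target is quoted: the log path embeds the script's file
  # name, and an unquoted path containing whitespace makes bash reject the
  # redirect as ambiguous, silently losing the log line.
  if [[ "${VERBOSE_LOGGING}" == "true" ]]; then
    printf '%s %s\n' "$(date)" "$1" >> "${LOG_VERBOSE}"
  fi
}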
#############################################################
## PARSE THE ARGUMENTS PROVIDED BY USER
#############################################################
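# The leading ':' in the option string switches getopts to silent mode. Only in
# that mode is a missing option argument reported as ':' (with the option
# letter in OPTARG); without it the ':' arm below can never run.
while getopts ":i:s:v" args; do
  case "${args}" in
    i) ISSUER_CERTIFICATE="${OPTARG}" ;;
    s) SIGNED_CERTIFICATE="${OPTARG}" ;;
    v) VERBOSE_LOGGING='true' ;;
    :)
      # Reported on stderr rather than through LOG_MESSAGE: the log file's
      # directory does not exist yet at this point and -v may not be set.
      echo >&2 " The argument -${OPTARG} requires a parameter"
      usage
      ;;
    *)
      echo >&2 " Unknown option -${OPTARG}"
      usage
      ;;
  esac
done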
#############################################################
## VALIDATE ARGUMENTS
#############################################################
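# Both certificates are documented as required; refuse to continue unless each
# one was supplied and names a readable regular file. Failing here keeps an
# empty or bogus path from reaching the openssl calls later on.
if [[ -z "${ISSUER_CERTIFICATE}" ]]; then
  echo >&2 " Missing REQUIRED option -i <ISSUER_CERTIFICATE>"
  usage
  exit 1
fi
if [[ -z "${SIGNED_CERTIFICATE}" ]]; then
  echo >&2 " Missing REQUIRED option -s <SIGNED_CERTIFICATE>"
  usage
  exit 1
fi
for cert_path in "${ISSUER_CERTIFICATE}" "${SIGNED_CERTIFICATE}"; do
  if [[ ! -f "${cert_path}" || ! -r "${cert_path}" ]]; then
    echo >&2 " Cannot read certificate file: ${cert_path}"
    exit 1
  fi
done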
#############################################################
## START DEFINING FUNCTIONS
#############################################################
function DISPLAY_WARNING {
  # Print the educational-use disclaimer, framed by '---' rules and a blank
  # line above and below, on stdout.
  printf '%s\n' \
    '' \
    '---' \
    '*WARNING*' \
    'This script was made for educational purposes.' \
    'VERIFICATION MAY BE WRONG, USE AT YOUR OWN RISK!' \
    '---' \
    ''
}
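function PREPARE_WORKING_DIR {
  # Create the private working directory named by TMP_DIR.
  # Reads: TMP_DIR
  # Exits the script with status 1 if the directory cannot be created.
  #
  # mkdir without -p fails when the path already exists (including as a
  # symlink), so success means this process created the directory itself;
  # -m 700 keeps other local users out of it. Aborting on failure matters
  # because the extracted public key, signature and body are written here and
  # read back for verification: carrying on inside a directory someone else
  # prepared would let them replace those files and influence the result.
  if ! mkdir -m 700 -- "${TMP_DIR}"; then
    echo >&2 " Unable to create private working directory: ${TMP_DIR}"
    exit 1
  fi
}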
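function EXTRACT_SIGNATURE {
  # Pull the signature algorithm name and the raw signature bytes out of the
  # signed certificate.
  # Reads:  SIGNED_CERTIFICATE, SIGNATURE_OUTPUT
  # Writes: SIGNATURE, SIGNATURE_HEX, SIGNATURE_DEC, SIGNATURE_ALGORITHM and
  #         the binary file SIGNATURE_OUTPUT
  # Exits the script with status 1 if the certificate cannot be parsed or no
  # well-formed hex signature is found.

  # Text dump with everything but the trailing signature block switched off
  # (last occurrence only).
  #SIGNATURE=$(openssl x509 -in ${SIGNED_CERTIFICATE} -text -noout | tac | sed '/.*Signature Algorithm:/q' | tac)
  SIGNATURE=$(openssl x509 -in "${SIGNED_CERTIFICATE}" -text -noout \
    -certopt ca_default -certopt no_validity -certopt no_serial \
    -certopt no_subject -certopt no_extensions -certopt no_signame) || {
    echo >&2 " Unable to parse signed certificate: ${SIGNED_CERTIFICATE}"
    exit 1
  }

  # Extract the hex dump of the signature. Only lines made up purely of
  # colon-separated hex byte pairs are kept. Dropping just the
  # 'Signature Algorithm' label is not enough: newer OpenSSL releases (3.x)
  # add a 'Signature Value:' label line, whose letters would otherwise be
  # folded into the hex string and corrupt the signature file.
  SIGNATURE_HEX=$(printf '%s\n' "${SIGNATURE}" \
    | grep -E '^[[:space:]]*([0-9A-Fa-f]{2}:?)+[[:space:]]*$' \
    | tr -d '[:space:]:')
  #echo $SIGNATURE_HEX

  # Fail closed: never hand a partial or non-hex string to xxd.
  if [[ ! "${SIGNATURE_HEX}" =~ ^([0-9A-Fa-f]{2})+$ ]]; then
    echo >&2 " Could not locate a hex signature in: ${SIGNED_CERTIFICATE}"
    exit 1
  fi

  # Convert to decimal (^^ capitalizes the characters; bc needs upper-case
  # hex digits when ibase=16).
  SIGNATURE_DEC=$(echo "ibase=16; ${SIGNATURE_HEX^^}" | bc)
  #echo $SIGNATURE_DEC

  # The algorithm name is the third field of the first line of the dump.
  SIGNATURE_ALGORITHM=$(printf '%s\n' "${SIGNATURE}" | awk 'FNR==1{print $3}')

  # Create the binary signature dump.
  printf '%s' "${SIGNATURE_HEX}" | xxd -r -p > "${SIGNATURE_OUTPUT}"
  LOG_MESSAGE "[INFO] -- EXTRACTED SIGNATURE TO ${SIGNATURE_OUTPUT}"
}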
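function EXTRACT_BODY {
  # Write the signed portion of the certificate to BODY_OUTPUT.
  # Reads:  SIGNED_CERTIFICATE, BODY_OUTPUT
  # Writes: BODY_ANS1, BODY_START and the binary file BODY_OUTPUT
  # Exits the script with status 1 if the offset cannot be determined or the
  # extraction fails.

  # Line 2 of the ASN.1 dump is the first element inside the outer SEQUENCE;
  # for an X.509 certificate that is the tbsCertificate, the part the issuer
  # signs. Its byte offset is the field before the first ':'.
  BODY_ANS1=$(openssl asn1parse -in "${SIGNED_CERTIFICATE}" | awk 'FNR==2{print $0}')
  BODY_START=$(printf '%s\n' "${BODY_ANS1}" | cut -d":" -f1 | tr -d '[:space:]')

  # The offset comes from parsing attacker-suppliable input; accept digits only
  # before passing it on as an option argument.
  if [[ ! "${BODY_START}" =~ ^[0-9]+$ ]]; then
    echo >&2 " Could not determine certificate body offset in: ${SIGNED_CERTIFICATE}"
    exit 1
  fi

  if ! openssl asn1parse -in "${SIGNED_CERTIFICATE}" -strparse "${BODY_START}" \
    -out "${BODY_OUTPUT}" -noout; then
    echo >&2 " Unable to extract certificate body from: ${SIGNED_CERTIFICATE}"
    exit 1
  fi
  LOG_MESSAGE "[INFO] -- EXTRACTED BODY TO ${BODY_OUTPUT}"
}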
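function EXTRACT_ISSUER_PUBLIC_KEY {
  # Write the issuer certificate's public key (PEM) to ISSUER_PUB_OUTPUT.
  # Reads: ISSUER_CERTIFICATE, ISSUER_PUB_OUTPUT
  # Exits the script with status 1 if the key cannot be extracted, so that
  # verification never runs against an empty or stale key file.
  if ! openssl x509 -in "${ISSUER_CERTIFICATE}" -noout -pubkey > "${ISSUER_PUB_OUTPUT}"; then
    echo >&2 " Unable to extract public key from: ${ISSUER_CERTIFICATE}"
    exit 1
  fi
  LOG_MESSAGE "[INFO] -- EXTRACTED ISSUER PUBLIC KEY TO ${ISSUER_PUB_OUTPUT}"
}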
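function VERIFY_SIGNATURE {
  # Check the extracted signature over the extracted body with the issuer's
  # public key.
  # Reads:   SIGNATURE_ALGORITHM, ISSUER_CERTIFICATE, SIGNED_CERTIFICATE,
  #          ISSUER_PUB_OUTPUT, SIGNATURE_OUTPUT, BODY_OUTPUT
  # Writes:  SIGNATURE_DIGEST
  # Returns: the exit status of 'openssl dgst -verify', or 1 when the
  #          algorithm name is not of the form <digest>With<...>.
  #
  # Scope: a success here only shows that the signature bytes match the body
  # under the issuer key. Validity dates, CA constraints on the issuer, name
  # chaining and revocation are not examined, so this is not a trust decision.

  # The digest name is everything before the last "With" in the algorithm
  # name (e.g. sha256WithRSAEncryption -> sha256). The name originates from
  # the certificate under test, so it is restricted to a conservative
  # character set before being turned into a command-line option; names
  # without "With" are rejected instead of producing an empty option.
  SIGNATURE_DIGEST=""
  if [[ "${SIGNATURE_ALGORITHM}" =~ ^([A-Za-z0-9][A-Za-z0-9_-]*)With ]]; then
    SIGNATURE_DIGEST=${BASH_REMATCH[1]}
  fi
  if [[ -z "${SIGNATURE_DIGEST}" ]]; then
    printf ' Unsupported signature algorithm: %s\n' "${SIGNATURE_ALGORITHM}" >&2
    return 1
  fi

  echo "Issuer Certificate: ${ISSUER_CERTIFICATE}"
  echo "Signed Certificate: ${SIGNED_CERTIFICATE}"
  openssl dgst "-${SIGNATURE_DIGEST}" -verify "${ISSUER_PUB_OUTPUT}" \
    -signature "${SIGNATURE_OUTPUT}" "${BODY_OUTPUT}"
}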
function DISPLAY_LOGS {
  # When verbose logging is on, tell the user where the log file was written;
  # otherwise print nothing.
  # Reads: VERBOSE_LOGGING, LOG_VERBOSE
  [[ "${VERBOSE_LOGGING}" == "true" ]] || return 0
  printf '%s\n' "logs were stored in the following files:" "${LOG_VERBOSE}"
}
#############################################################
## DEFINE MAIN FUNCTION CODE
#############################################################
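function main {
  # Run the whole flow: warning banner, working directory, extraction of
  # signature / body / issuer key, verification, log hint.
  # Returns: the status of VERIFY_SIGNATURE. Without this the trailing
  # DISPLAY_LOGS / echo calls would make the script exit 0 even when the
  # signature check failed, which misleads any caller that tests the exit code.
  local verify_status
  DISPLAY_WARNING
  PREPARE_WORKING_DIR
  EXTRACT_SIGNATURE
  EXTRACT_BODY
  EXTRACT_ISSUER_PUBLIC_KEY
  VERIFY_SIGNATURE
  verify_status=$?
  DISPLAY_LOGS
  echo ""
  return "${verify_status}"
}
#############################################################
## BOOTSTRAP MAIN CODE
#############################################################
# Last command of the script, so main's return value becomes the exit status.
main "$@"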
@fredericoschardong

Error reading signature file /tmp/.x509-verify_2024-02-20.22-42-42/x509-signature.bin with OpenSSL 3.0.2
