Last active
February 12, 2020 09:22
-
-
Save ryu1kn/065eb55b51ab0d3b764a2ce04c748f0f to your computer and use it in GitHub Desktop.
Manually check if a server cert can be verified with its issuer cert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SHELL := /bin/bash | |
openssl := /usr/local/opt/openssl@1.1/bin/openssl | |
work_dir := __work | |
message_digest_type := sha256 | |
ifneq ($(wildcard __override.mk),) | |
include __override.mk | |
endif | |
assert_nonempty = [[ "$1" != '' ]] || { echo "Is Empty"; exit 1; } | |
$(shell mkdir -p $(work_dir)) | |
vpath % $(work_dir) | |
.PHONY: verify | |
verify: digest-from-cert-body.txt digest-from-signature.txt | |
diff $^ | |
$(work_dir)/digest-from-cert-body.txt: server.tbs | |
$(openssl) dgst -$(message_digest_type) $< | awk -F'= ' '{print $$2}' | tr -d '\n' > $@ | |
$(work_dir)/server.tbs: $(server_cert) | |
@$(call assert_nonempty,$<) | |
body_start=$$($(openssl) asn1parse -i -in $< | awk -F: 'NR==2 {print $$1}') \ | |
&& $(openssl) asn1parse -in $< -strparse $$body_start -out $@ -noout | |
$(work_dir)/digest-from-signature.txt: server-cert.sig issuer.pub | |
$(openssl) rsautl -in $< -verify -asn1parse -inkey $(word 2,$^) -pubin \ | |
| awk '{if (enabled) {x=substr($$0,14,47); gsub(/[ -]/,"",x); print x}}; /OCTET STRING/ {enabled=1}' ORS='' > $@ | |
$(work_dir)/server-cert.sig: $(server_cert) | |
@$(call assert_nonempty,$<) | |
signature_start=$$($(openssl) asn1parse -i -in $< | awk -F: '/BIT STRING/ {x=$$1}; END {print x}') \ | |
&& $(openssl) asn1parse -in $< -strparse $$signature_start -out $@ -noout | |
$(work_dir)/issuer.pub: $(issuer_cert) | |
@$(call assert_nonempty,$<) | |
$(openssl) x509 -in $< -pubkey -out $@ -noout | |
.PHONY: clean | |
clean: | |
rm -rf $(work_dir) | |
# --- Utilities | |
.PHONY: print-certificates | |
print-certificates: | |
@$(call assert_nonempty,$(server_name)) | |
@$(openssl) s_client -showcerts -connect $(server_name):443 < /dev/null | |
.PHONY: print-signature | |
print-signature: $(server_cert) | |
@$(openssl) x509 -in $< -text -noout \ | |
-certopt ca_default \ | |
-certopt no_validity \ | |
-certopt no_serial \ | |
-certopt no_subject \ | |
-certopt no_extensions \ | |
-certopt no_signame | |
# cf. | |
# | |
* https://www.openssl.org/docs/man1.1.1/man1/ | |
* https://linuxctl.com/2017/02/x509-certificate-manual-signature-verification/ | |
* https://stackoverflow.com/questions/5140425/openssl-command-line-to-verify-the-signature | |
* https://security.stackexchange.com/questions/98263/verifying-digest-signed-with-private-key-using-a-c-program | |
* https://tech.nikkeibp.co.jp/it/article/COLUMN/20071012/284426/ | |
* https://qiita.com/kunichiko/items/12cbccaadcbf41c72735 | |
* https://security.stackexchange.com/questions/127095/manually-walking-through-the-signature-validation-of-a-certificate | |
* https://stackoverflow.com/questions/18257185/how-does-a-public-key-verify-a-signature |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment