Skip to content

Instantly share code, notes, and snippets.

@salrashid123
Last active August 1, 2023 04:13
Show Gist options
  • Save salrashid123/a34a0ae0141a1199efb11718ba0bd687 to your computer and use it in GitHub Desktop.
Save salrashid123/a34a0ae0141a1199efb11718ba0bd687 to your computer and use it in GitHub Desktop.
Extract OCSP Request Parametres from certificate

simple demo on how to create extract the ocsprequest parameters from an issuing ca cert

## start ocsp server
git clone https://github.com/salrashid123/go_mtls_scratchpad

cd go_mtls_scratchpad/ca1/ca_scratchpad
openssl ocsp -index ca/root-ca/db/root-ca.db -port 9999 -rsigner ca/root-ca.crt -rkey ca/root-ca/private/root-ca.key -CA ca/root-ca.crt -text -ndays 10

## test openssl ocsp client
cd go_mtls_scratchpad/ca1/ca_scratchpad
$ openssl ocsp -no_nonce -CA ca/root-ca.crt -CAfile ca/root-ca.crt -issuer ca/root-ca.crt  -cert certs/tee.crt -url http://localhost:9999  -resp_text -req_text 

this shows the decoded ocsp request

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 10CA8300F670BDF813C03C0CD3DACE5EA8AAB355
          Issuer Key Hash: 750D12CCDB33ED58068CADED0E9E2F00E96FC165
          Serial Number: 02

Note the Issuer Name Hash and Issuer Key Hash. Those are derived from the root-ca.crt

THe Serial Number is the serial number for the cert to check (tee.crt)

To manually derive the hash values

git clone https://github.com/salrashid123/go_mtls_scratchpad
cd go_mtls_scratchpad/ca1/ca_scratchpad

## create ca/rootca.pem with just the cert
openssl x509 -in ca/root-ca.crt  -cert -out ca/root-ca.pem

$ openssl asn1parse -in ca/root-ca.pem 
    0:d=0  hl=4 l=1003 cons: SEQUENCE          
    4:d=1  hl=4 l= 723 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  13 cons: SEQUENCE          
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
   29:d=3  hl=2 l=   0 prim: NULL              
   31:d=2  hl=2 l=  92 cons: SEQUENCE          <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
   33:d=3  hl=2 l=  11 cons: SET               
   35:d=4  hl=2 l=   9 cons: SEQUENCE          
   37:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   42:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
   46:d=3  hl=2 l=  23 cons: SET               
   48:d=4  hl=2 l=  21 cons: SEQUENCE          
   50:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   55:d=5  hl=2 l=  14 prim: UTF8STRING        :Collaborator 1
   71:d=3  hl=2 l=  19 cons: SET               
   73:d=4  hl=2 l=  17 cons: SEQUENCE          
   75:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
   80:d=5  hl=2 l=  10 prim: UTF8STRING        :Enterprise
   92:d=3  hl=2 l=  31 cons: SET               
   94:d=4  hl=2 l=  29 cons: SEQUENCE          
   96:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  101:d=5  hl=2 l=  22 prim: UTF8STRING        :Collaborator 1 Root CA
  125:d=2  hl=2 l=  30 cons: SEQUENCE          
  127:d=3  hl=2 l=  13 prim: UTCTIME           :230417120250Z
  142:d=3  hl=2 l=  13 prim: UTCTIME           :330416120250Z
  157:d=2  hl=2 l=  92 cons: SEQUENCE          
  159:d=3  hl=2 l=  11 cons: SET               
  161:d=4  hl=2 l=   9 cons: SEQUENCE          
  163:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  168:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
  172:d=3  hl=2 l=  23 cons: SET               
  174:d=4  hl=2 l=  21 cons: SEQUENCE          
  176:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  181:d=5  hl=2 l=  14 prim: UTF8STRING        :Collaborator 1
  197:d=3  hl=2 l=  19 cons: SET               
  199:d=4  hl=2 l=  17 cons: SEQUENCE          
  201:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  206:d=5  hl=2 l=  10 prim: UTF8STRING        :Enterprise
  218:d=3  hl=2 l=  31 cons: SET               
  220:d=4  hl=2 l=  29 cons: SEQUENCE          
  222:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  227:d=5  hl=2 l=  22 prim: UTF8STRING        :Collaborator 1 Root CA
  251:d=2  hl=4 l= 290 cons: SEQUENCE          
  255:d=3  hl=2 l=  13 cons: SEQUENCE          
  257:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  268:d=4  hl=2 l=   0 prim: NULL              
  270:d=3  hl=4 l= 271 prim: BIT STRING        <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
  545:d=2  hl=3 l= 183 cons: cont [ 3 ]        
  548:d=3  hl=3 l= 180 cons: SEQUENCE          
  551:d=4  hl=2 l=  14 cons: SEQUENCE          
  553:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  558:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  561:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:03020106
  567:d=4  hl=2 l=  15 cons: SEQUENCE          
  569:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  574:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  577:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
  584:d=4  hl=2 l=  29 cons: SEQUENCE          
  586:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  591:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414750D12CCDB33ED58068CADED0E9E2F00E96FC165
  615:d=4  hl=2 l=  31 cons: SEQUENCE          
  617:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  622:d=5  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014750D12CCDB33ED58068CADED0E9E2F00E96FC165
  648:d=4  hl=2 l=  29 cons: SEQUENCE          
  650:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
  655:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:301406082B0601050507030106082B06010505070302
  679:d=4  hl=2 l=  50 cons: SEQUENCE          
  681:d=5  hl=2 l=   8 prim: OBJECT            :Authority Information Access
  691:d=5  hl=2 l=  38 prim: OCTET STRING      [HEX DUMP]:3024302206082B060105050730018616687474703A2F2F6C6F63616C686F73743A393939392F
  731:d=1  hl=2 l=  13 cons: SEQUENCE          
  733:d=2  hl=2 l=   9 prim: OBJECT            :sha256WithRSAEncryption
  744:d=2  hl=2 l=   0 prim: NULL              
  746:d=1  hl=4 l= 257 prim: BIT STRING 

from ref

$ openssl asn1parse -in ca/root-ca.pem  -strparse 31 -out cry87661.name

$ openssl sha1 <cry87661.name
SHA1(stdin)= 10ca8300f670bdf813c03c0cd3dace5ea8aab355
$ openssl asn1parse -in ca/root-ca.pem -strparse 270 -out cry87661.keyx

$ openssl sha1 <cry87661.keyx
SHA1(stdin)= 750d12ccdb33ed58068caded0e9e2f00e96fc165

in golang:

package main

import (
	"crypto"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"flag"
	"fmt"
	"os"

	"golang.org/x/crypto/ocsp"
)

const ()

var (
	issuer = flag.String("issuer", "ca/root-ca.crt", "Certificate Issuer PEM file")
	client = flag.String("client", "certs/tee.crt", "Certificate client PEM file")
)

func main() {

	flag.Parse()
	var err error

	certPEM, err := os.ReadFile(*issuer)
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		panic(err)
	}
	issuerCert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic(err)
	}

	clientPEM, err := os.ReadFile(*client)
	blockPEM, _ := pem.Decode([]byte(clientPEM))
	if block == nil {
		panic(err)
	}
	clientCert, err := x509.ParseCertificate(blockPEM.Bytes)
	if err != nil {
		panic(err)
	}

	ocspReqOpt := &ocsp.RequestOptions{
		Hash: crypto.SHA1,
	}
	ocspReq, err := ocsp.CreateRequest(clientCert, issuerCert, ocspReqOpt)
	if err != nil {
		panic(err)
	}
	r, err := ocsp.ParseRequest(ocspReq)
	if err != nil {
		panic(err)
	}

	fmt.Printf("IssuerKeyHash %s\n", hex.EncodeToString(r.IssuerKeyHash))
	fmt.Printf("IssuerNameHash %s\n", hex.EncodeToString(r.IssuerNameHash))
	fmt.Printf("OCSP Req %s\n", hex.EncodeToString(ocspReq))
}
$ go run main.go 
IssuerKeyHash 750d12ccdb33ed58068caded0e9e2f00e96fc165
IssuerNameHash 10ca8300f670bdf813c03c0cd3dace5ea8aab355
OCSP Req 
30423040303e303c303a300906052b0e03021a0500041410ca8300f670bdf813c03c0cd3dace5ea8aab3550414750d12ccdb33ed58068caded0e9e2f00e96fc165020102

ocsp with curl

## with curl
openssl ocsp -CA ca/root-ca.crt -CAfile ca/root-ca.crt -issuer ca/root-ca.crt  -cert certs/tee.crt \
  -resp_text -no_nonce  \
  -reqout /tmp/req.req -out /dev/null

$ cat  /tmp/req.req | xxd -p -c100
30423040303e303c303a300906052b0e03021a0500041410ca8300f670bdf813c03c0cd3dace5ea8aab3550414750d12ccdb33ed58068caded0e9e2f00e96fc165020102

### make ocsp request directly
export OCSP_FILENAME=`openssl enc -in /tmp/req.req | base64 -w 0  -`
export OCSP_URL_ENCODED=`jq -R -r @uri <<<"$OCSP_FILENAME"`
echo $OCSP_URL_ENCODED

## use ocsp request using curl
curl -s "http://localhost:9999/$OCSP_URL_ENCODED" |   openssl ocsp -CA  ca/root-ca.crt -CAfile  ca/root-ca.crt   -resp_text -no_nonce -text -respin -
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment