simple demo on how to create extract the ocsprequest parameters from an issuing ca cert
- https://pkg.go.dev/golang.org/x/crypto/ocsp#Request
- https://www.rfc-editor.org/rfc/rfc6960#section-2.1
## start ocsp server
git clone https://github.com/salrashid123/go_mtls_scratchpad
cd go_mtls_scratchpad/ca1/ca_scratchpad
openssl ocsp -index ca/root-ca/db/root-ca.db -port 9999 -rsigner ca/root-ca.crt -rkey ca/root-ca/private/root-ca.key -CA ca/root-ca.crt -text -ndays 10
## test openssl ocsp client
cd go_mtls_scratchpad/ca1/ca_scratchpad
$ openssl ocsp -no_nonce -CA ca/root-ca.crt -CAfile ca/root-ca.crt -issuer ca/root-ca.crt -cert certs/tee.crt -url http://localhost:9999 -resp_text -req_text
this shows the decoded ocsp request
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 10CA8300F670BDF813C03C0CD3DACE5EA8AAB355
Issuer Key Hash: 750D12CCDB33ED58068CADED0E9E2F00E96FC165
Serial Number: 02
Note the Issuer Name Hash
and Issuer Key Hash
. Those are derived from the root-ca.crt
THe Serial Number
is the serial number for the cert to check (tee.crt
)
To manually derive the hash values
git clone https://github.com/salrashid123/go_mtls_scratchpad
cd go_mtls_scratchpad/ca1/ca_scratchpad
## create ca/rootca.pem with just the cert
openssl x509 -in ca/root-ca.crt -cert -out ca/root-ca.pem
$ openssl asn1parse -in ca/root-ca.pem
0:d=0 hl=4 l=1003 cons: SEQUENCE
4:d=1 hl=4 l= 723 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 1 prim: INTEGER :01
16:d=2 hl=2 l= 13 cons: SEQUENCE
18:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
29:d=3 hl=2 l= 0 prim: NULL
31:d=2 hl=2 l= 92 cons: SEQUENCE <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
33:d=3 hl=2 l= 11 cons: SET
35:d=4 hl=2 l= 9 cons: SEQUENCE
37:d=5 hl=2 l= 3 prim: OBJECT :countryName
42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
46:d=3 hl=2 l= 23 cons: SET
48:d=4 hl=2 l= 21 cons: SEQUENCE
50:d=5 hl=2 l= 3 prim: OBJECT :organizationName
55:d=5 hl=2 l= 14 prim: UTF8STRING :Collaborator 1
71:d=3 hl=2 l= 19 cons: SET
73:d=4 hl=2 l= 17 cons: SEQUENCE
75:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
80:d=5 hl=2 l= 10 prim: UTF8STRING :Enterprise
92:d=3 hl=2 l= 31 cons: SET
94:d=4 hl=2 l= 29 cons: SEQUENCE
96:d=5 hl=2 l= 3 prim: OBJECT :commonName
101:d=5 hl=2 l= 22 prim: UTF8STRING :Collaborator 1 Root CA
125:d=2 hl=2 l= 30 cons: SEQUENCE
127:d=3 hl=2 l= 13 prim: UTCTIME :230417120250Z
142:d=3 hl=2 l= 13 prim: UTCTIME :330416120250Z
157:d=2 hl=2 l= 92 cons: SEQUENCE
159:d=3 hl=2 l= 11 cons: SET
161:d=4 hl=2 l= 9 cons: SEQUENCE
163:d=5 hl=2 l= 3 prim: OBJECT :countryName
168:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
172:d=3 hl=2 l= 23 cons: SET
174:d=4 hl=2 l= 21 cons: SEQUENCE
176:d=5 hl=2 l= 3 prim: OBJECT :organizationName
181:d=5 hl=2 l= 14 prim: UTF8STRING :Collaborator 1
197:d=3 hl=2 l= 19 cons: SET
199:d=4 hl=2 l= 17 cons: SEQUENCE
201:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
206:d=5 hl=2 l= 10 prim: UTF8STRING :Enterprise
218:d=3 hl=2 l= 31 cons: SET
220:d=4 hl=2 l= 29 cons: SEQUENCE
222:d=5 hl=2 l= 3 prim: OBJECT :commonName
227:d=5 hl=2 l= 22 prim: UTF8STRING :Collaborator 1 Root CA
251:d=2 hl=4 l= 290 cons: SEQUENCE
255:d=3 hl=2 l= 13 cons: SEQUENCE
257:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
268:d=4 hl=2 l= 0 prim: NULL
270:d=3 hl=4 l= 271 prim: BIT STRING <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
545:d=2 hl=3 l= 183 cons: cont [ 3 ]
548:d=3 hl=3 l= 180 cons: SEQUENCE
551:d=4 hl=2 l= 14 cons: SEQUENCE
553:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
558:d=5 hl=2 l= 1 prim: BOOLEAN :255
561:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020106
567:d=4 hl=2 l= 15 cons: SEQUENCE
569:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
574:d=5 hl=2 l= 1 prim: BOOLEAN :255
577:d=5 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
584:d=4 hl=2 l= 29 cons: SEQUENCE
586:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
591:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414750D12CCDB33ED58068CADED0E9E2F00E96FC165
615:d=4 hl=2 l= 31 cons: SEQUENCE
617:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
622:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014750D12CCDB33ED58068CADED0E9E2F00E96FC165
648:d=4 hl=2 l= 29 cons: SEQUENCE
650:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
655:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030106082B06010505070302
679:d=4 hl=2 l= 50 cons: SEQUENCE
681:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
691:d=5 hl=2 l= 38 prim: OCTET STRING [HEX DUMP]:3024302206082B060105050730018616687474703A2F2F6C6F63616C686F73743A393939392F
731:d=1 hl=2 l= 13 cons: SEQUENCE
733:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
744:d=2 hl=2 l= 0 prim: NULL
746:d=1 hl=4 l= 257 prim: BIT STRING
$ openssl asn1parse -in ca/root-ca.pem -strparse 31 -out cry87661.name
$ openssl sha1 <cry87661.name
SHA1(stdin)= 10ca8300f670bdf813c03c0cd3dace5ea8aab355
$ openssl asn1parse -in ca/root-ca.pem -strparse 270 -out cry87661.keyx
$ openssl sha1 <cry87661.keyx
SHA1(stdin)= 750d12ccdb33ed58068caded0e9e2f00e96fc165
in golang:
package main
import (
"crypto"
"crypto/x509"
"encoding/hex"
"encoding/pem"
"flag"
"fmt"
"os"
"golang.org/x/crypto/ocsp"
)
const ()
var (
issuer = flag.String("issuer", "ca/root-ca.crt", "Certificate Issuer PEM file")
client = flag.String("client", "certs/tee.crt", "Certificate client PEM file")
)
func main() {
flag.Parse()
var err error
certPEM, err := os.ReadFile(*issuer)
block, _ := pem.Decode([]byte(certPEM))
if block == nil {
panic(err)
}
issuerCert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
panic(err)
}
clientPEM, err := os.ReadFile(*client)
blockPEM, _ := pem.Decode([]byte(clientPEM))
if block == nil {
panic(err)
}
clientCert, err := x509.ParseCertificate(blockPEM.Bytes)
if err != nil {
panic(err)
}
ocspReqOpt := &ocsp.RequestOptions{
Hash: crypto.SHA1,
}
ocspReq, err := ocsp.CreateRequest(clientCert, issuerCert, ocspReqOpt)
if err != nil {
panic(err)
}
r, err := ocsp.ParseRequest(ocspReq)
if err != nil {
panic(err)
}
fmt.Printf("IssuerKeyHash %s\n", hex.EncodeToString(r.IssuerKeyHash))
fmt.Printf("IssuerNameHash %s\n", hex.EncodeToString(r.IssuerNameHash))
fmt.Printf("OCSP Req %s\n", hex.EncodeToString(ocspReq))
}
$ go run main.go
IssuerKeyHash 750d12ccdb33ed58068caded0e9e2f00e96fc165
IssuerNameHash 10ca8300f670bdf813c03c0cd3dace5ea8aab355
OCSP Req
30423040303e303c303a300906052b0e03021a0500041410ca8300f670bdf813c03c0cd3dace5ea8aab3550414750d12ccdb33ed58068caded0e9e2f00e96fc165020102
ocsp with curl
## with curl
openssl ocsp -CA ca/root-ca.crt -CAfile ca/root-ca.crt -issuer ca/root-ca.crt -cert certs/tee.crt \
-resp_text -no_nonce \
-reqout /tmp/req.req -out /dev/null
$ cat /tmp/req.req | xxd -p -c100
30423040303e303c303a300906052b0e03021a0500041410ca8300f670bdf813c03c0cd3dace5ea8aab3550414750d12ccdb33ed58068caded0e9e2f00e96fc165020102
### make ocsp request directly
export OCSP_FILENAME=`openssl enc -in /tmp/req.req | base64 -w 0 -`
export OCSP_URL_ENCODED=`jq -R -r @uri <<<"$OCSP_FILENAME"`
echo $OCSP_URL_ENCODED
## use ocsp request using curl
curl -s "http://localhost:9999/$OCSP_URL_ENCODED" | openssl ocsp -CA ca/root-ca.crt -CAfile ca/root-ca.crt -resp_text -no_nonce -text -respin -