OpenSSL VPN Serveurs de messagerie |
OpenSSL/Openssl-asn1
La structure binaire d'un certificat
Certificate ::= SEQUENCE { tbsCertificate TBSCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, serialNumber CertificateSerialNumber, signature AlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version shall be v2 or v3 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version shall be v2 or v3 extensions [3] EXPLICIT Extensions OPTIONAL -- If present, version shall be v3 } Version ::= INTEGER { v1(0), v2(1), v3(2) } CertificateSerialNumber ::= INTEGER
On en comprend qu'un Certificat est composé de trois éléments : Modification de la version du certificatLa version peut prendre trois valeurs : 0,1,2 chacune correspond respectivement à la version v1,v2 et v3 des certicats x509. C:\openssl-0.9.8g\out32dll>openssl x509 -text -noout -inform DER -in google.der Data: Version: 3 (0x2) Serial Number: 68:76:64:38:3d:49:6e:2e:f5:e3:19:98:42:e0:7c:ee Signature Algorithm: sha1WithRSAEncryption Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA Validity Not Before: May 3 15:34:58 2007 GMT Not After : May 14 23:18:11 2008 GMT .../... Le certificat est en v3 ( valeur 2 ) OpenSSL permet l'analyse binaire du certificat via l'option asn1parse C:\openssl-0.9.8g\out32dll>openssl asn1parse -i -inform DER -in google.der 0:d=0 hl=4 l= 801 cons: SEQUENCE 4:d=1 hl=4 l= 650 cons: SEQUENCE 8:d=2 hl=2 l= 3 cons: cont [ 0 ] 10:d=3 hl=2 l= 1 prim: INTEGER :02 13:d=2 hl=2 l= 16 prim: INTEGER :687664383D496E2EF5E3199842E07CEE 31:d=2 hl=2 l= 13 cons: SEQUENCE 33:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption 44:d=3 hl=2 l= 0 prim: NULL 46:d=2 hl=2 l= 76 cons: SEQUENCE 48:d=3 hl=2 l= 11 cons: SET 50:d=4 hl=2 l= 9 cons: SEQUENCE 52:d=5 hl=2 l= 3 prim: OBJECT :countryName 57:d=5 hl=2 l= 2 prim: PRINTABLESTRING :ZA 61:d=3 hl=2 l= 37 cons: SET 63:d=4 hl=2 l= 35 cons: SEQUENCE 65:d=5 hl=2 l= 3 prim: OBJECT :organizationName 70:d=5 hl=2 l= 28 prim: PRINTABLESTRING :Thawte Consulting (Pty) Ltd. .../... Nous apprenons que dans le fichier google.der à l'offset 10 se trouve trois octets (hl+l), le troisième octet est un entier dont la valeur est deux. C:\openssl-0.9.8g\out32dll>openssl x509 -text -noout -inform DER -in google.der Data: Version: 2 (0x1) Serial Number: 68:76:64:38:3d:49:6e:2e:f5:e3:19:98:42:e0:7c:ee Signature Algorithm: sha1WithRSAEncryption Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA .../... Le certificat est bien modifié, le code de hashage pourrait être recalculé mais ne pouvant être signé l'ouverture du certificat donne ceci :
Liens et outilsLa syntaxe ASN1 : http://www.oss.com/asn1/booksintro.html c:\libtasn1-0.3.9\tests>..\src\asn1Decoding -c pkix.asn google.der PKIX1.Certificate Decoding: SUCCESS DECODING RESULT: name:NULL type:SEQUENCE name:tbsCertificate type:SEQUENCE name:version type:INTEGER value:0x02 name:NULL type:DEFAULT value:v1 name:serialNumber type:INTEGER value:0x687664383d496e2ef5e3199842e07cee name:signature type:SEQUENCE name:algorithm type:OBJ_ID value:1.2.840.113549.1.1.5 name:parameters type:ANY value:0500 name:issuer type:CHOICE name:rdnSequence type:SEQ_OF name:NULL type:SET_OF name:NULL type:SEQUENCE name:type type:OBJ_ID name:value type:ANY name:?1 type:SET_OF name:NULL type:SEQUENCE name:type type:OBJ_ID name:value type:ANY name:?1 type:SEQUENCE name:type type:OBJ_ID value:2.5.4.6 name:value type:ANY value:13025a41 name:?2 type:SET_OF name:NULL type:SEQUENCE name:type type:OBJ_ID name:value type:ANY name:?1 type:SEQUENCE name:type type:OBJ_ID value:2.5.4.10 name:value type:ANY value:131c54686177746520436f6e73756c74696e67202850747929204c74642e name:?3 type:SET_OF name:NULL type:SEQUENCE name:type type:OBJ_ID name:value type:ANY name:?1 type:SEQUENCE name:type type:OBJ_ID value:2.5.4.3 .../... |