OpenSSL/Openssl-asn1
The binary structure of a certificate
Certificate ::= SEQUENCE { tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version shall be v3
}
Version ::= INTEGER { v1(0), v2(1), v3(2) }
CertificateSerialNumber ::= INTEGER
From this we understand that a Certificate is composed of three elements: tbsCertificate, signatureAlgorithm and signatureValue.

Modifying the certificate version

The version can take three values, 0, 1 and 2, which correspond respectively to versions v1, v2 and v3 of X.509 certificates.

C:\openssl-0.9.8g\out32dll>openssl x509 -text -noout -inform DER -in google.der
Data:
Version: 3 (0x2)
Serial Number:
68:76:64:38:3d:49:6e:2e:f5:e3:19:98:42:e0:7c:ee
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
Validity
Not Before: May 3 15:34:58 2007 GMT
Not After : May 14 23:18:11 2008 GMT
.../...

The certificate is v3 (value 2).

OpenSSL allows binary analysis of the certificate through the asn1parse command:

C:\openssl-0.9.8g\out32dll>openssl asn1parse -i -inform DER -in google.der
0:d=0 hl=4 l= 801 cons: SEQUENCE
4:d=1 hl=4 l= 650 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 16 prim: INTEGER :687664383D496E2EF5E3199842E07CEE
31:d=2 hl=2 l= 13 cons: SEQUENCE
33:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
44:d=3 hl=2 l= 0 prim: NULL
46:d=2 hl=2 l= 76 cons: SEQUENCE
48:d=3 hl=2 l= 11 cons: SET
50:d=4 hl=2 l= 9 cons: SEQUENCE
52:d=5 hl=2 l= 3 prim: OBJECT :countryName
57:d=5 hl=2 l= 2 prim: PRINTABLESTRING :ZA
61:d=3 hl=2 l= 37 cons: SET
63:d=4 hl=2 l= 35 cons: SEQUENCE
65:d=5 hl=2 l= 3 prim: OBJECT :organizationName
70:d=5 hl=2 l= 28 prim: PRINTABLESTRING :Thawte Consulting (Pty) Ltd.
.../...

We learn that in the file google.der, at offset 10, there are three bytes (hl + l); the third byte is an integer whose value is two.

After that byte is changed from 02 to 01, the same command shows:

C:\openssl-0.9.8g\out32dll>openssl x509 -text -noout -inform DER -in google.der
Data:
Version: 2 (0x1)
Serial Number:
68:76:64:38:3d:49:6e:2e:f5:e3:19:98:42:e0:7c:ee
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
.../...

The certificate has indeed been modified. The hash could be recomputed, but since it cannot be signed, opening the certificate gives this:

Links and tools

The ASN.1 syntax: http://www.oss.com/asn1/booksintro.html

c:\libtasn1-0.3.9\tests>..\src\asn1Decoding -c pkix.asn google.der PKIX1.Certificate
Decoding: SUCCESS
DECODING RESULT:
name:NULL type:SEQUENCE
name:tbsCertificate type:SEQUENCE
name:version type:INTEGER value:0x02
name:NULL type:DEFAULT value:v1
name:serialNumber type:INTEGER value:0x687664383d496e2ef5e3199842e07cee
name:signature type:SEQUENCE
name:algorithm type:OBJ_ID value:1.2.840.113549.1.1.5
name:parameters type:ANY value:0500
name:issuer type:CHOICE
name:rdnSequence type:SEQ_OF
name:NULL type:SET_OF
name:NULL type:SEQUENCE
name:type type:OBJ_ID
name:value type:ANY
name:?1 type:SET_OF
name:NULL type:SEQUENCE
name:type type:OBJ_ID
name:value type:ANY
name:?1 type:SEQUENCE
name:type type:OBJ_ID value:2.5.4.6
name:value type:ANY value:13025a41
name:?2 type:SET_OF
name:NULL type:SEQUENCE
name:type type:OBJ_ID
name:value type:ANY
name:?1 type:SEQUENCE
name:type type:OBJ_ID value:2.5.4.10
name:value type:ANY value:131c54686177746520436f6e73756c74696e67202850747929204c74642e
name:?3 type:SET_OF
name:NULL type:SEQUENCE
name:type type:OBJ_ID
name:value type:ANY
name:?1 type:SEQUENCE
name:type type:OBJ_ID value:2.5.4.3
.../...
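The offset arithmetic read off the asn1parse output (element at offset 10, value byte at offset 12) and the reason the edited file no longer validates, as an added Python example that is not part of the original page. The function names and the sample are assumptions: the sample is a constructed certificate-shaped skeleton, not google.der, reusing only the serial number shown on the page, and the parser also covers the long-form lengths (hl=4) and the DEFAULT v1 case.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, hl, l) of the DER element at off, like asn1parse's hl= and l=."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, hl, length = buf[off], 2, buf[off + 1]
    if length >= 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or off + 2 + n > len(buf):
            raise ValueError("indefinite or truncated length")
        hl, length = 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")
    if off + hl + length > len(buf):
        raise ValueError("content runs past end of input")
    return tag, hl, length

def tbs_span(der):                        # (offset, hl, l) of tbsCertificate
    tag, hl, _ = read_tlv(der, 0)
    tag2, hl2, l2 = read_tlv(der, hl)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("expected SEQUENCE { SEQUENCE ... }")
    return hl, hl2, l2

def locate_version(der):
    """Return (offset of the version value byte, value); (None, 0) if DEFAULT v1."""
    off, hl, _ = tbs_span(der)
    tag, hl0, _ = read_tlv(der, off + hl)          # first field of tbsCertificate
    if tag != 0xA0:                                # no [0] EXPLICIT wrapper
        return None, 0
    tag, hli, li = read_tlv(der, off + hl + hl0)   # INTEGER inside the wrapper
    if tag != 0x02 or li != 1:
        raise ValueError("version must be a one-byte INTEGER")
    pos = off + hl + hl0 + hli
    return pos, der[pos]

def tbs_digest(der):
    """SHA-1 over the whole tbsCertificate element, the data the issuer signed."""
    off, hl, length = tbs_span(der)
    return hashlib.sha1(der[off:off + hl + length]).hexdigest()

def enc(tag, body):                       # DER encoder used only to build the sample
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + body

# Constructed sample (not a real certificate): version, the page's serial, zero filler.
SERIAL = bytes.fromhex("687664383D496E2EF5E3199842E07CEE")
TBS = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, SERIAL) + enc(0x04, bytes(300)))
SAMPLE = enc(0x30, TBS + enc(0x03, bytes(17)))
ALTERED = SAMPLE[:12] + b"\x01" + SAMPLE[13:]   # version byte 02 -> 01, as on the page
```

Because the version byte lies inside tbsCertificate, `tbs_digest(SAMPLE)` and `tbs_digest(ALTERED)` differ, so the unchanged signatureValue no longer matches the altered file.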