
OpenSSL Certificate Verification Using OCSP

Environment

  • Debian 9.7 x64
  • OpenSSL 1.1.0j 20 Nov 2018

Excerpt

Log 2019 / 06

1. Download a certificate to inspect

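# 1. Fetch the end-entity (leaf) certificate and keep only its PEM block.
# -servername is passed explicitly: OpenSSL 1.1.0 s_client does not send SNI
# on its own, so without it a name-based virtual host may hand back a different
# certificate than the one a browser sees. stderr is merged into the pipe on
# purpose; sed keeps only the BEGIN..END lines, everything else is dropped.
openssl s_client -connect amazon.com:443 -servername amazon.com 2>&1 < /dev/null \
  | sed -n '/-----BEGIN/,/-----END/p' > ee_amazon.pem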

root@athos:~# openssl s_client -connect amazon.com:443 2>&1 < /dev/null | \
>   sed -n '/-----BEGIN/,/-----END/p' > ee_amazon.pem

2. Locate the OCSP URL

root@athos:~# openssl x509 -in ee_amazon.pem -noout -ocsp_uri
http://ocsp.digicert.com

3. Download certificate chain

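# 3. Capture the whole chain the server presents (leaf, intermediate(s) and,
# if the server sends it, the root) into all_amazon.tmp for step 4 to split.
# -servername: same reason as in step 1 (1.1.0 s_client sends no SNI by default).
# Redirection order matters: 2>&1 runs first, so stderr (the depth=/verify lines
# shown below) still reaches the terminal, while stdout -- the PEM blocks --
# goes to the file.
openssl s_client -connect amazon.com:443 -servername amazon.com \
  -showcerts 2>&1 < /dev/null > all_amazon.tmp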

root@athos:~# openssl s_client -connect amazon.com:443 \
>   -showcerts 2>&1 < /dev/null > all_amazon.tmp
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global CA G2
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.peg.a2z.com
verify return:1
DONE

4. Extract the certificate chain

4.1. Using Bash

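# 4.1. Using Bash -- extract every PEM certificate block the server sends and
# append them to all_amazon.pem (also echoed to stdout, as tee -a does).
# Changes from the original one-liner, and why:
#   * the host is amazon.com, matching the output file and the other steps
#     (the original queried google.com but wrote all_amazon.pem);
#   * -servername is given explicitly (1.1.0 s_client sends no SNI by default);
#   * -tls1 is dropped: it forced TLS 1.0, which is deprecated, rejected by many
#     servers, and not what the other steps negotiate; -tlsextdebug only added
#     debug output that sed discarded anyway;
#   * no IFS juggling and no unquoted echo: sed already emits the BEGIN..END
#     blocks in order, so the ':'-split loop reproduced the same bytes (plus a
#     blank line between certificates).
host=amazon.com
openssl s_client -connect "${host}:443" -servername "${host}" \
  -showcerts 2>&1 < /dev/null \
  | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
  | tee -a all_amazon.pem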

4.2. Using Python

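# 4.2. Using Python -- write a small helper that prints the N-th PEM block(s)
# of a -showcerts capture, N being the 0-based position of the BEGIN marker
# in the file (0 = leaf, 1 = intermediate, 2 = root, in the order sent).
# The heredoc delimiter is quoted ('EOF') so the shell performs no $-expansion
# or backslash processing on the script body. The shebang is python3 because
# print(..., end='') is Python 3 syntax (on Debian 9 "python" is Python 2).
# The script now rejects out-of-range indices with a message instead of an
# IndexError, tolerates CRLF captures, and detects a BEGIN without an END.
cat <<'EOF' > get_certificate.py
#!/usr/bin/env python3

'''
  Print selected certificates from an `openssl s_client -showcerts` capture.

  example:
    python3 get_certificate.py all_amazon.tmp 1,2
    python3 get_certificate.py all_amazon.tmp 1

  Indices are the 0-based positions of the BEGIN CERTIFICATE markers in the
  file (0 = leaf, 1 = intermediate, 2 = root when the server sends the root).
  Selected blocks are written to stdout exactly as they appear in the file.
'''

import sys

BEGIN = '-----BEGIN CERTIFICATE-----'
END = '-----END CERTIFICATE-----'


def find_blocks(lines):
  '''Return (begin, end) line-index pairs for every PEM certificate block.

  Markers are compared after rstrip() so CRLF line endings or trailing
  spaces in the capture do not hide them. A BEGIN with no matching END
  terminates the program with an error.
  '''
  blocks, start = [], None
  for i, line in enumerate(lines):
    marker = line.rstrip()
    if marker == BEGIN:
      start = i
    elif marker == END and start is not None:
      blocks.append((start, i))
      start = None
  if start is not None:
    sys.exit('error: BEGIN CERTIFICATE at line %d has no END' % (start + 1))
  return blocks


def print_certificate(lines, block):
  '''Write one BEGIN..END block to stdout byte-for-byte (lines keep their EOL).'''
  begin, end = block
  for i in range(begin, end + 1):
    print(lines[i], end='')


def main(argv):
  '''CLI entry point: get_certificate.py FILE LEVEL[,LEVEL...]; exits 1 on error.'''
  if len(argv) != 3:
    sys.exit('usage: %s FILE LEVEL[,LEVEL...]' % argv[0])
  filename = argv[1]
  try:
    levels = [int(i.strip()) for i in argv[2].split(',')]
  except ValueError:
    sys.exit('error: levels must be comma-separated integers, got %r' % argv[2])
  with open(filename, 'r') as f:
    lines = f.readlines()
  blocks = find_blocks(lines)
  for level in levels:
    # Explicit bounds check: a server that does not send its root makes
    # index 2 invalid, and the message should say so rather than traceback.
    if not 0 <= level < len(blocks):
      sys.exit('error: certificate %d not found (%d certificate(s) in %s)'
               % (level, len(blocks), filename))
    print_certificate(lines, blocks[level])


if __name__ == '__main__':
  main(sys.argv)
EOF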

root@athos:~# cat <<EOF > get_certificate.py
> #!/usr/bin/env python
>
> '''
>   example:
>     python3 get_certificate.py all_amazon.tmp 1,2
>     python3 get_certificate.py all_amazon.tmp 1
> '''
>
> import sys
>
> filename = sys.argv[1]
> levels = sys.argv[2].split(',')
> strip_levels = [int(i.strip()) for i in levels]
>
> lines, begin, end = [], [], []
>
>
> def get_certificates(levels):
>   for i in levels:
>     print_certificate(i)
>
>
> def print_certificate(set):
>   for i in range(begin[set], end[set] + 1):
>     print(lines[i], end='')
>
>
> with open(filename, 'r') as f:
>   lines = f.readlines()
>
> for i, reader in enumerate(lines):
>   if reader == '-----BEGIN CERTIFICATE-----\n':
>     begin.append(i)
>   elif reader == '-----END CERTIFICATE-----\n':
>     end.append(i)
>
> get_certificates(strip_levels)
> EOF

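# Split the capture into the intermediate and the root certificate.
# Indices are 0-based positions in the chain as sent: 0 = leaf, 1 = Intermediate,
# 2 = Root (the root is only present if the server actually sends it).
# The original put a trailing "\" before each comment line, joining the comment
# onto the command; it only worked because "#" still started a comment there.
# Comments now sit on the command line itself, no continuation needed.
python3 get_certificate.py all_amazon.tmp 1 > ica_amazon.pem   # 1 = Intermediate

python3 get_certificate.py all_amazon.tmp 2 > rca_amazon.pem   # 2 = Root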

root@athos:~# python3 get_certificate.py all_amazon.tmp 1 > ica_amazon.pem \
>   #(1=Intermediate, 2=Root)

root@athos:~# python3 get_certificate.py all_amazon.tmp 2 > rca_amazon.pem \
>   #(1=Intermediate, 2=Root)

5. Send OCSP request

# 5. Ask the responder from step 2 about the leaf; -issuer supplies the CA
# certificate used to build the CertID and to check the response signature
# ("Response verify OK" in the transcript). One option per line.
openssl ocsp \
  -url http://ocsp.digicert.com \
  -issuer ica_amazon.pem \
  -cert ee_amazon.pem

root@athos:~# openssl ocsp -issuer ica_amazon.pem -cert ee_amazon.pem \
>   -url http://ocsp.digicert.com
WARNING: no nonce in response
Response verify OK
ee_amazon.pem: good
        This Update: Jun  2 13:45:00 2019 GMT
        Next Update: Jun  9 13:00:00 2019 GMT

6. Send OCSP request (detailed)

# 6. Same query as step 5; -text dumps the request and the decoded response
# (CertID hashes, serial, nonce, responder id, status, This/Next Update,
# signature) so the fields behind the one-line verdict can be inspected.
openssl ocsp -text \
  -url http://ocsp.digicert.com \
  -issuer ica_amazon.pem \
  -cert ee_amazon.pem

root@athos:~# openssl ocsp -issuer ica_amazon.pem -cert ee_amazon.pem \
>   -url http://ocsp.digicert.com -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: A87E303106E4E88565CFE952598FA6DA7C00532F
          Issuer Key Hash: 246E2B2DD06A925151256901AA9A47A689E74020
          Serial Number: 0606D97F8028DD681C2566C88583E366
    Request Extensions:
        OCSP Nonce:
            041097A56486AD4BD80C641BCF60B77C0691
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 246E2B2DD06A925151256901AA9A47A689E74020
    Produced At: Jun  2 13:45:00 2019 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A87E303106E4E88565CFE952598FA6DA7C00532F
      Issuer Key Hash: 246E2B2DD06A925151256901AA9A47A689E74020
      Serial Number: 0606D97F8028DD681C2566C88583E366
    Cert Status: good
    This Update: Jun  2 13:45:00 2019 GMT
    Next Update: Jun  9 13:00:00 2019 GMT

    Signature Algorithm: sha256WithRSAEncryption
         3a:fd:83:27:38:c8:b5:14:ca:f6:fe:ac:d1:14:62:07:73:83:
         34:2c:99:61:5b:fc:04:7c:e7:b7:be:63:6c:eb:ff:b6:10:37:
         50:27:d9:22:6d:41:31:80:25:e8:1a:52:19:38:d6:3c:fa:c2:
         e9:8e:72:bf:01:20:74:1c:e7:83:38:85:91:c1:a0:dc:1e:35:
         e2:59:60:59:aa:55:00:5f:66:30:70:3c:8f:a8:c4:cc:17:de:
         9a:c7:0b:55:08:4f:22:9a:50:6a:8d:c5:44:c5:97:df:95:18:
         e0:da:b5:55:74:be:7c:df:c5:07:fa:0e:ee:58:fa:b5:65:12:
         67:a6:d1:82:f7:c5:5d:e1:d8:da:9a:71:75:0f:82:76:28:5f:
         40:b0:6e:cb:d0:2a:76:b7:31:8f:01:f4:62:2f:db:83:3a:28:
         82:c2:43:6f:ed:79:63:7f:c3:09:1a:d9:86:33:ff:30:93:85:
         60:47:5b:e8:bc:58:41:20:72:12:82:f2:ab:39:40:e6:29:18:
         17:f5:6d:c4:5f:18:dc:74:1a:59:cd:7c:d0:21:81:01:90:f0:
         88:e2:28:6c:e7:8a:ba:46:c2:48:df:d4:cf:70:be:23:cd:28:
         02:8b:da:81:1a:53:57:c4:5b:be:bb:da:72:59:ac:e6:72:d1:
         f2:41:b9:96
WARNING: no nonce in response
Response verify OK
ee_amazon.pem: good
        This Update: Jun  2 13:45:00 2019 GMT
        Next Update: Jun  9 13:00:00 2019 GMT

7. Common errors

7.1. WARNING: no nonce in response

The warning only means the responder did not echo the request nonce back; it is common with CDN-backed responders and is not a verification failure. `-no_nonce` silences it by sending no nonce at all, so the response is no longer bound to this particular request and its freshness rests solely on the This Update / Next Update window.

# 7.1. Same query as step 5 without a request nonce. -no_nonce makes the
# "no nonce in response" warning go away; the trade-off is that the response
# can no longer be matched to this exact request, leaving This/Next Update
# as the only freshness check.
openssl ocsp -no_nonce \
  -url http://ocsp.digicert.com \
  -issuer ica_amazon.pem \
  -cert ee_amazon.pem

root@athos:~# openssl ocsp -issuer ica_amazon.pem -cert ee_amazon.pem \
>   -no_nonce -url http://ocsp.digicert.com
Response verify OK
ee_amazon.pem: good
        This Update: Jun  2 13:45:00 2019 GMT
        Next Update: Jun  9 13:00:00 2019 GMT

7.2. PARSE_HTTP_LINE1:Code=404,Reason=Not Found

error:27076072:OCSP routines:
  PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=404,Reason=Not Found

7.2.1. Cygwin (Windows)

# 7.2.1. Cygwin: add an HTTP Host header so the responder behind
# ocsp.pki.goog stops answering 404. This build takes the two-argument form
# "-header name value".
# NOTE(review): the two-argument form is what OpenSSL <= 1.1.0 documents;
# 1.1.1 switched to "-header name=value" (see 7.2.2) -- confirm for your build.
openssl ocsp -no_nonce \
  -header host ocsp.pki.goog \
  -url http://ocsp.pki.goog/GTSGIAG3 \
  -issuer ica_google.pem \
  -cert ee_google.pem

$ openssl ocsp -issuer ica_google.pem -cert ee_google.pem \
>   -no_nonce -url http://ocsp.pki.goog/GTSGIAG3 -header host ocsp.pki.goog
Response Verify Failure
4294956672:error:27069076:OCSP routines:OCSP_basic_verify
  :signer certificate not found:ocsp_vfy.c:92:
ee_google.pem: good
        This Update: Jun  2 14:26:19 2019 GMT
        Next Update: Jun  9 14:26:19 2019 GMT

7.2.2. Linux

# 7.2.2. Linux: same request as 7.2.1, but this build expects the header as a
# single "name=value" argument.
# NOTE(review): which -header syntax is accepted appears to follow the
# OpenSSL version (name=value since 1.1.1) rather than the OS -- confirm.
openssl ocsp -no_nonce \
  -header host=ocsp.pki.goog \
  -url http://ocsp.pki.goog/GTSGIAG3 \
  -issuer ica_google.pem \
  -cert ee_google.pem

root@athos:~# openssl ocsp -issuer ica_google.pem -cert ee_google.pem \
>   -no_nonce -url http://ocsp.pki.goog/GTSGIAG3 -header host=ocsp.pki.goog
Response verify OK
ee_google.pem: good
        This Update: Jun  2 14:26:19 2019 GMT
        Next Update: Jun  9 14:26:19 2019 GMT

7.3. OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:

error:27069076:OCSP routines:
  OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:

# 7.3. Fix for "signer certificate not found": -VAfile names explicitly
# trusted responder certificates (ocsp(1) describes it as -verify_other plus
# -trust_other). Passing the issuer there makes the response signature check
# rest entirely on ica_google.pem being the genuine CA certificate -- it was
# extracted from the server's own chain in step 4, so treat "Response verify
# OK" here as "signed by the CA the server presented", not as independent trust.
openssl ocsp -no_nonce \
  -header host ocsp.pki.goog \
  -url http://ocsp.pki.goog/GTSGIAG3 \
  -issuer ica_google.pem \
  -VAfile ica_google.pem \
  -cert ee_google.pem

$ openssl ocsp -issuer ica_google.pem -VAfile ica_google.pem -cert ee_google.pem \
>   -no_nonce -url http://ocsp.pki.goog/GTSGIAG3 -header host ocsp.pki.goog
Response verify OK
ee_google.pem: good
        This Update: Jun  2 14:26:19 2019 GMT
        Next Update: Jun  9 14:26:19 2019 GMT
