La chiave di firma di Windows D-Link trapelata è stata revocata?

11

Di recente le notizie si sono interrotte su D-Link che pubblicava erroneamente una chiave di firma del codice privata come parte di un framework open source:

The D-Link key was leaked in late February, and expired on September 3, it appears.

That means during that six-month period, miscreants who happened across the key could digitally sign their malware so that it appeared to be a legit D-Link application. This software would be trusted by Microsoft Windows, and allowed to run and infect someone's machine.
...
The D-Link key may have been revoked, meaning any code signed by it should no longer be trusted by Windows. Even if it hasn't been revoked, it has definitely expired, so no new malware can be signed using it. (Malicious code already signed by the key will still be trusted until revocation occurs.)

Fonte: The Register, 2015-09-18, D-Link ha sversato il suo privato chiave sul web: il malware si veste come app di Windows . (Archiviato qui .)

La chiave è stata già revocata?

    
posta Lyndon White 20.09.2015 - 16:00
fonte

1 risposta

15

Aggiornamento 2016-12-28: Ho infine deciso di controllare anche il CRL. E si scopre: sì, il certificato è ancora lì. Anche molto tempo dopo la data di scadenza originale.

$ openssl x509 -in 0.dlink.cer -noout -fingerprint | sed 's/://g'
SHA1 Fingerprint=3EB44E5FFE6DC72DED703E99902722DB38FFD1CB

$ openssl x509 -in 0.dlink.cer -noout -serial
serial=5067339614C5CC219C489D40420F3BF9

$ openssl x509 -in 0.dlink.cer -noout -text | grep CRL -A3 | grep URI | sed 's/^ *URI://' http://csc3-2010-crl.verisign.com/CSC3-2010.crl

$ openssl x509 -in 0.dlink.cer -noout -text | grep CRL -A3 | grep URI | sed 's/^ *URI://' | xargs -- wget -q --

$ sha256sum CSC3-2010.crl
529d1b6a0588d91bf2f8dc25e35b52d54f2865499d2d4fd6153f488bb1e90e73 *CSC3-2010.crl

$ openssl crl -inform der -in CSC3-2010.crl -noout -text | grep -A1 "Serial Number: 5067"
    Serial Number: 5067339614C5CC219C489D40420F3BF9
        Revocation Date: Sep  3 00:00:00 2015 GMT

Ulteriori informazioni su pastebin: snapshot CRL formato PEM , snapshot CRL formato di testo analizzato .

Aggiornamento 2016-09-29, 2/2: Se desideri provare il comando openssl ocsp per te: ho inserito certificati D-Link e l'output OCSP dettagliato su PasteBin .

Aggiornamento 2016-09-29, 1/2: Tornando a questo post un anno dopo, ho controllato VirusTotal e, sì, ora list la firma del file come revocata nella scheda "Dettaglio file". (Ma non so quando esattamente negli ultimi 11 mesi è successo.)

Aggiornamento 2015-10-02: domanda correlata: La revoca del certificato di D-Link ha invalidato solo un giorno (un'esposizione lunga sei mesi)?

Aggiornamento 2015-09-25. Revocato ora.

OCSP tramite OpenSSL produce "revocato"

$ openssl ocsp -issuer 1.intermediate.verisign.cer -CAfile <(cat 1.intermediate.verisign.cer 2.root.verisign.cer) -cert 0.dlink.cer  -url http://ocsp.verisign.com
WARNING: no nonce in response
Response verify OK
0.dlink.cer: revoked
        This Update: Sep 24 19:26:52 2015 GMT
        Next Update: Nov  7 03:08:53 2015 GMT
        Reason: keyCompromise
        Revocation Time: Sep  3 00:00:00 2015 GMT

Tempo di revoca strano

Linea temporale per prospettiva:

Jul  5 00:00:00 2012 GMT. Validity: Not Before
Feb 27          2015      Inadvertent disclosure
--- six months of nothing ---
Sep  3 00:00:00 2015 GMT. OCSP "revocationTime" backdated to this.
--- one day of invalidity (?) ---
Sep  3 23:59:59 2015 GMT. Validity: Not After 
Sep 17          2015      Tweakers.net report 
Sep 18          2015      TheRegister.co.uk report
Sep 20 14:00    2015      This question here posted.
Sep 20          2015      Answer posted. OCSP 'good'
Sep 22          2015      Update answer posted. OCSP 'revoked'

Quindi: OCSP revocationTime è 2015-09-03. Ma quando ho controllato il 2015-09-20 era ancora good . Quindi questo sembra retrodatato. (Correggimi se sbaglio.)

Quindi, se hai un backdate, allora perché non retrodatare direttamente al 2015-02-27? Questo importa anche?

Microsoft nella blacklist

  • Microsoft Security Advisory 3097966, 2015-09-24, I certificati digitali rivelati inavvertitamente potrebbero consentire lo spoofing

    Microsoft is aware of four digital certificates that were inadvertently disclosed by D-Link Corporation that could be used in attempts to spoof content. The disclosed end-entity certificates cannot be used to issue other certificates or impersonate other domains, but could be used to sign code. This issue affects all supported releases of Microsoft Windows.

VirusTotal ancora buono.

Motivo sconosciuto. Potrebbe essere a causa dello strano revocationTime .

Vecchi messaggi di seguito.

No. OCSP è ancora "buono".

Non più valido. Vedi aggiornamento 2015-09-25.
OCSP dice che è ancora "buono". CRL, non lo so. (E non ho nemmeno provato CRL.) CRL non dovrebbe (o non deve?) Elencare qualsiasi certificato che è già scaduto. E quel certificato D-Link è scaduto circa due settimane fa.

Verifica con OpenSSL

$ openssl ocsp -issuer 1.intermediate.verisign.cer -CAfile <(cat 1.intermediate.verisign.cer 2.root.verisign.cer) -cert 0.dlink.cer  -url http://ocsp.verisign.com
WARNING: no nonce in response
Response verify OK
0.dlink.cer: good
    This Update: Sep 19 11:43:51 2015 GMT
    Next Update: Sep 26 11:43:51 2015 GMT

Verifica con VirusTotal.com

Ecco un file di esempio che è stato firmato con quel particolare certificato D-Link:

Screenshot di VirusTotal

E al momento (2015-09-20) dice ancora "Valido" sotto File Details | Signers | [+] D-LINK CORPORATION | Status

Credochequestostatopotrebbecambiarenelleprossimesettimane.QuindidovrebbedireSignatureverification:Acertificatewasexplicitlyrevokedbyitsissuer.Comequestiduecertificatiquiperesempio:

Membri della catena

Se vuoi controllarti, qui sotto trovi i file che ho usato.

0.dlink.cer

Questo è il certificato con Serial Number e SHA1 hash che corrispondono agli screenshot in articolo di Tweakers.net .

$ openssl x509 -in 0.dlink.cer -noout -fingerprint
SHA1 Fingerprint=3E:B4:4E:5F:FE:6D:C7:2D:ED:70:3E:99:90:27:22:DB:38:FF:D1:CB

$ openssl x509 -in 0.dlink.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:67:33:96:14:c5:cc:21:9c:48:9d:40:42:0f:3b:f9
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Validity
            Not Before: Jul  5 00:00:00 2012 GMT
            Not After : Sep  3 23:59:59 2015 GMT
        Subject: C=TW, ST=Taipei, L=TAIPEI CITY, O=D-LINK CORPORATION, OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=D-LINK CORPORATION
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e2:d5:cc:02:33:47:16:ea:79:bc:51:39:ae:c3:
                    f6:96:f6:43:73:68:6c:35:83:58:63:f6:46:d8:56:
                    48:df:48:fd:bd:b0:a6:0c:59:10:20:89:c0:cc:73:
                    59:2f:8c:1a:5a:fc:15:b7:b8:de:cc:4e:1b:3f:50:
                    4c:98:bb:53:33:fc:7b:13:15:b1:b5:c0:5d:97:95:
                    81:ab:9c:2d:0a:3c:e5:14:0d:03:3d:cd:6e:43:9c:
                    0a:75:04:00:b8:50:32:12:ba:9e:6f:ac:fe:93:c7:
                    93:53:c9:98:29:71:dc:85:fc:23:ef:8c:4a:6a:e7:
                    b9:c7:47:af:58:73:cb:29:e1:3b:ac:c9:55:71:89:
                    4c:d6:0a:7c:70:dc:bc:cb:f0:b4:dd:25:ec:72:96:
                    86:36:86:09:1c:c7:ba:5f:a4:37:2d:42:f0:ae:00:
                    fb:5d:97:52:ed:c6:e0:d5:bd:2f:71:fe:98:f6:b4:
                    40:d1:67:61:0a:41:ce:a2:32:6d:ce:90:d9:5f:09:
                    df:b3:c8:f9:8c:da:33:89:42:8d:72:1e:a2:39:c7:
                    2a:2d:b0:a3:91:aa:8a:e9:a9:e6:ab:24:7b:62:d2:
                    9b:35:22:0f:46:1c:87:8b:af:e1:19:98:b4:bd:cf:
                    6d:4c:c4:04:7f:cf:a1:dd:47:71:d8:fb:eb:33:3e:
                    09:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://csc3-2010-crl.verisign.com/CSC3-2010.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa

            X509v3 Extended Key Usage: 
                Code Signing
            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://csc3-2010-aia.verisign.com/CSC3-2010.cer

            X509v3 Authority Key Identifier: 
                keyid:CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D

            Netscape Cert Type: 
                Object Signing
            1.3.6.1.4.1.311.2.1.27: 
                0.......
    Signature Algorithm: sha1WithRSAEncryption
         eb:4e:60:57:88:d5:ce:77:a1:94:32:9b:68:fd:3c:23:c4:06:
         fc:43:2e:d6:66:8c:9d:6d:7a:03:07:fb:7b:66:24:3b:30:99:
         9b:d1:3d:66:a9:ca:95:f0:e3:1c:e0:6b:45:03:51:f4:64:15:
         e8:8e:7a:98:17:8c:c0:95:56:58:55:54:ae:54:5d:8f:e2:65:
         0e:cd:79:17:87:0e:8a:2e:40:de:2e:1c:35:5b:6e:ea:23:5a:
         4d:70:8e:1d:05:c0:04:d6:2d:c1:26:80:cf:0f:f8:b6:84:4c:
         eb:82:44:c4:03:f0:65:9e:33:43:f0:e7:39:73:30:be:51:11:
         e8:70:b3:c3:48:77:fd:d2:e0:8f:fe:dd:89:27:b5:b0:31:ac:
         57:63:9d:29:68:9d:2a:8e:e4:d0:dd:5e:d0:6d:f3:bf:63:4d:
         fa:76:ff:f8:ad:a8:29:c9:90:32:f4:31:22:32:b8:67:92:00:
         15:3f:ae:cd:27:71:c2:01:80:24:52:09:6c:14:63:0b:c0:b6:
         69:16:5c:d4:34:a4:40:b0:c6:b6:c3:90:ef:64:fc:a8:b2:eb:
         d8:57:68:43:47:21:55:88:2b:f3:f8:e7:84:52:75:17:73:0c:
         8f:86:f7:b1:ea:66:4e:c5:47:7c:27:13:d0:f4:c7:c6:8a:8a:
         f0:df:d9:a5
-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgIQUGczlhTFzCGcSJ1AQg87+TANBgkqhkiG9w0BAQUFADCB
tDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMl
VmVyaVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTAeFw0xMjA3MDUw
MDAwMDBaFw0xNTA5MDMyMzU5NTlaMIGuMQswCQYDVQQGEwJUVzEPMA0GA1UECBMG
VGFpcGVpMRQwEgYDVQQHEwtUQUlQRUkgQ0lUWTEbMBkGA1UEChQSRC1MSU5LIENP
UlBPUkFUSU9OMT4wPAYDVQQLEzVEaWdpdGFsIElEIENsYXNzIDMgLSBNaWNyb3Nv
ZnQgU29mdHdhcmUgVmFsaWRhdGlvbiB2MjEbMBkGA1UEAxQSRC1MSU5LIENPUlBP
UkFUSU9OMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4tXMAjNHFup5
vFE5rsP2lvZDc2hsNYNYY/ZG2FZI30j9vbCmDFkQIInAzHNZL4waWvwVt7jezE4b
P1BMmLtTM/x7ExWxtcBdl5WBq5wtCjzlFA0DPc1uQ5wKdQQAuFAyErqeb6z+k8eT
U8mYKXHchfwj74xKaue5x0evWHPLKeE7rMlVcYlM1gp8cNy8y/C03SXscpaGNoYJ
HMe6X6Q3LULwrgD7XZdS7cbg1b0vcf6Y9rRA0WdhCkHOojJtzpDZXwnfs8j5jNoz
iUKNch6iOccqLbCjkaqK6anmqyR7YtKbNSIPRhyHi6/hGZi0vc9tTMQEf8+h3Udx
2PvrMz4J2QIDAQABo4IBezCCAXcwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4Aw
QAYDVR0fBDkwNzA1oDOgMYYvaHR0cDovL2NzYzMtMjAxMC1jcmwudmVyaXNpZ24u
Y29tL0NTQzMtMjAxMC5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgG
CCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMBMGA1UdJQQM
MAoGCCsGAQUFBwMDMHEGCCsGAQUFBwEBBGUwYzAkBggrBgEFBQcwAYYYaHR0cDov
L29jc3AudmVyaXNpZ24uY29tMDsGCCsGAQUFBzAChi9odHRwOi8vY3NjMy0yMDEw
LWFpYS52ZXJpc2lnbi5jb20vQ1NDMy0yMDEwLmNlcjAfBgNVHSMEGDAWgBTPmanq
eyb0S8mOj9fwBSbv49KnnTARBglghkgBhvhCAQEEBAMCBBAwFgYKKwYBBAGCNwIB
GwQIMAYBAQABAf8wDQYJKoZIhvcNAQEFBQADggEBAOtOYFeI1c53oZQym2j9PCPE
BvxDLtZmjJ1tegMH+3tmJDswmZvRPWapypXw4xzga0UDUfRkFeiOepgXjMCVVlhV
VK5UXY/iZQ7NeReHDoouQN4uHDVbbuojWk1wjh0FwATWLcEmgM8P+LaETOuCRMQD
8GWeM0Pw5zlzML5REehws8NId/3S4I/+3YkntbAxrFdjnSlonSqO5NDdXtBt879j
Tfp2//itqCnJkDL0MSIyuGeSABU/rs0nccIBgCRSCWwUYwvAtmkWXNQ0pECwxrbD
kO9k/Kiy69hXaENHIVWIK/P454RSdRdzDI+G97HqZk7FR3wnE9D0x8aKivDf2aU=
-----END CERTIFICATE-----

1.intermediate.verisign.cer

$ openssl x509 -in 1.intermediate.verisign.cer -noout -fingerprint
SHA1 Fingerprint=49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F

$ openssl x509 -in 1.intermediate.verisign.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Feb  8 00:00:00 2010 GMT
            Not After : Feb  7 23:59:59 2020 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f5:23:4b:5e:a5:d7:8a:bb:32:e9:d4:57:f7:ef:
                    e4:c7:26:7e:ad:19:98:fe:a8:9d:7d:94:f6:36:6b:
                    10:d7:75:81:30:7f:04:68:7f:cb:2b:75:1e:cd:1d:
                    08:8c:df:69:94:a7:37:a3:9c:7b:80:e0:99:e1:ee:
                    37:4d:5f:ce:3b:14:ee:86:d4:d0:f5:27:35:bc:25:
                    0b:38:a7:8c:63:9d:17:a3:08:a5:ab:b0:fb:cd:6a:
                    62:82:4c:d5:21:da:1b:d9:f1:e3:84:3b:8a:2a:4f:
                    85:5b:90:01:4f:c9:a7:76:10:7f:27:03:7c:be:ae:
                    7e:7d:c1:dd:f9:05:bc:1b:48:9c:69:e7:c0:a4:3c:
                    3c:41:00:3e:df:96:e5:c5:e4:94:71:d6:55:01:c7:
                    00:26:4a:40:3c:b5:a1:26:a9:0c:a7:6d:80:8e:90:
                    25:7b:cf:bf:3f:1c:eb:2f:96:fa:e5:87:77:c6:b5:
                    56:b2:7a:3b:54:30:53:1b:df:62:34:ff:1e:d1:f4:
                    5a:93:28:85:e5:4c:17:4e:7e:5b:fd:a4:93:99:7f:
                    df:cd:ef:a4:75:ef:ef:15:f6:47:e7:f8:19:72:d8:
                    2e:34:1a:a6:b4:a7:4c:7e:bd:bb:4f:0c:3d:57:f1:
                    30:d6:a6:36:8e:d6:80:76:d7:19:2e:a5:cd:7e:34:
                    2d:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/cps
                  User Notice:
                    Explicit Text: https://www.verisign.com/rpa

            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12: 
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.verisign.com/pca3-g5.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.verisign.com

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, Code Signing
            X509v3 Subject Alternative Name: 
                DirName:/CN=VeriSignMPKI-2-8
            X509v3 Subject Key Identifier: 
                CF:99:A9:EA:7B:26:F4:4B:C9:8E:8F:D7:F0:05:26:EF:E3:D2:A7:9D
            X509v3 Authority Key Identifier: 
                keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33

    Signature Algorithm: sha1WithRSAEncryption
         56:22:e6:34:a4:c4:61:cb:48:b9:01:ad:56:a8:64:0f:d9:8c:
         91:c4:bb:cc:0c:e5:ad:7a:a0:22:7f:df:47:38:4a:2d:6c:d1:
         7f:71:1a:7c:ec:70:a9:b1:f0:4f:e4:0f:0c:53:fa:15:5e:fe:
         74:98:49:24:85:81:26:1c:91:14:47:b0:4c:63:8c:bb:a1:34:
         d4:c6:45:e8:0d:85:26:73:03:d0:a9:8c:64:6d:dc:71:92:e6:
         45:05:60:15:59:51:39:fc:58:14:6b:fe:d4:a4:ed:79:6b:08:
         0c:41:72:e7:37:22:06:09:be:23:e9:3f:44:9a:1e:e9:61:9d:
         cc:b1:90:5c:fc:3d:d2:8d:ac:42:3d:65:36:d4:b4:3d:40:28:
         8f:9b:10:cf:23:26:cc:4b:20:cb:90:1f:5d:8c:4c:34:ca:3c:
         d8:e5:37:d6:6f:a5:20:bd:34:eb:26:d9:ae:0d:e7:c5:9a:f7:
         a1:b4:21:91:33:6f:86:e8:58:bb:25:7c:74:0e:58:fe:75:1b:
         63:3f:ce:31:7c:9b:8f:1b:96:9e:c5:53:76:84:5b:9c:ad:91:
         fa:ac:ed:93:ba:5d:c8:21:53:c2:82:53:63:af:12:0d:50:87:
         11:1b:3d:54:52:96:8a:2c:9c:3d:92:1a:08:9a:05:2e:c7:93:
         a5:48:91:d3
-----BEGIN CERTIFICATE-----
MIIGCjCCBPKgAwIBAgIQUgDlqiVW/BqG7ZbJ1EszxzANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtDEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEuMCwGA1UEAxMlVmVy
aVNpZ24gQ2xhc3MgMyBDb2RlIFNpZ25pbmcgMjAxMCBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAPUjS16l14q7MunUV/fv5Mcmfq0ZmP6onX2U9jZr
ENd1gTB/BGh/yyt1Hs0dCIzfaZSnN6Oce4DgmeHuN01fzjsU7obU0PUnNbwlCzin
jGOdF6MIpauw+81qYoJM1SHaG9nx44Q7iipPhVuQAU/Jp3YQfycDfL6ufn3B3fkF
vBtInGnnwKQ8PEEAPt+W5cXklHHWVQHHACZKQDy1oSapDKdtgI6QJXvPvz8c6y+W
+uWHd8a1VrJ6O1QwUxvfYjT/HtH0WpMoheVMF05+W/2kk5l/383vpHXv7xX2R+f4
GXLYLjQaprSnTH69u08MPVfxMNamNo7WgHbXGS6lzX40LYkCAwEAAaOCAf4wggH6
MBIGA1UdEwEB/wQIMAYBAf8CAQAwcAYDVR0gBGkwZzBlBgtghkgBhvhFAQcXAzBW
MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMCoGCCsG
AQUFBwICMB4aHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwDgYDVR0PAQH/
BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8w
BwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZl
cmlzaWduLmNvbS92c2xvZ28uZ2lmMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9j
cmwudmVyaXNpZ24uY29tL3BjYTMtZzUuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMB0GA1UdJQQWMBQGCCsG
AQUFBwMCBggrBgEFBQcDAzAoBgNVHREEITAfpB0wGzEZMBcGA1UEAxMQVmVyaVNp
Z25NUEtJLTItODAdBgNVHQ4EFgQUz5mp6nsm9EvJjo/X8AUm7+PSp50wHwYDVR0j
BBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJKoZIhvcNAQEFBQADggEBAFYi
5jSkxGHLSLkBrVaoZA/ZjJHEu8wM5a16oCJ/30c4Si1s0X9xGnzscKmx8E/kDwxT
+hVe/nSYSSSFgSYckRRHsExjjLuhNNTGRegNhSZzA9CpjGRt3HGS5kUFYBVZUTn8
WBRr/tSk7XlrCAxBcuc3IgYJviPpP0SaHulhncyxkFz8PdKNrEI9ZTbUtD1AKI+b
EM8jJsxLIMuQH12MTDTKPNjlN9ZvpSC9NOsm2a4N58Wa96G0IZEzb4boWLslfHQO
WP51G2M/zjF8m48blp7FU3aEW5ytkfqs7ZO6XcghU8KCU2OvEg1QhxEbPVRSloos
nD2SGgiaBS7Hk6VIkdM=
-----END CERTIFICATE-----

2.root.verisign.cer

$ openssl x509 -in 2.root.verisign.cer -noout -fingerprint
SHA1 Fingerprint=4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5

$ openssl x509 -in 2.root.verisign.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Validity
            Not Before: Nov  8 00:00:00 2006 GMT
            Not After : Jul 16 23:59:59 2036 GMT
        Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:
                    4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:
                    08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:
                    2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:
                    8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:
                    a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:
                    54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:
                    d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:
                    7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:
                    bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:
                    f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:
                    ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:
                    f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:
                    21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:
                    63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:
                    ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:
                    9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:
                    25:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            1.3.6.1.5.5.7.1.12: 
                0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
            X509v3 Subject Key Identifier: 
                7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
    Signature Algorithm: sha1WithRSAEncryption
         93:24:4a:30:5f:62:cf:d8:1a:98:2f:3d:ea:dc:99:2d:bd:77:
         f6:a5:79:22:38:ec:c4:a7:a0:78:12:ad:62:0e:45:70:64:c5:
         e7:97:66:2d:98:09:7e:5f:af:d6:cc:28:65:f2:01:aa:08:1a:
         47:de:f9:f9:7c:92:5a:08:69:20:0d:d9:3e:6d:6e:3c:0d:6e:
         d8:e6:06:91:40:18:b9:f8:c1:ed:df:db:41:aa:e0:96:20:c9:
         cd:64:15:38:81:c9:94:ee:a2:84:29:0b:13:6f:8e:db:0c:dd:
         25:02:db:a4:8b:19:44:d2:41:7a:05:69:4a:58:4f:60:ca:7e:
         82:6a:0b:02:aa:25:17:39:b5:db:7f:e7:84:65:2a:95:8a:bd:
         86:de:5e:81:16:83:2d:10:cc:de:fd:a8:82:2a:6d:28:1f:0d:
         0b:c4:e5:e7:1a:26:19:e1:f4:11:6f:10:b5:95:fc:e7:42:05:
         32:db:ce:9d:51:5e:28:b6:9e:85:d3:5b:ef:a5:7d:45:40:72:
         8e:b7:0e:6b:0e:06:fb:33:35:48:71:b8:9d:27:8b:c4:65:5f:
         0d:86:76:9c:44:7a:f6:95:5c:f6:5d:32:08:33:a4:54:b6:18:
         3f:68:5c:f2:42:4a:85:38:54:83:5f:d1:e8:2c:f2:ac:11:d6:
         a8:ed:63:6a
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
-----END CERTIFICATE-----
    
risposta data 20.09.2015 - 20:17
fonte