Verifica firma certificato

Naviga le tue risposte
1

Ecco il mio problema: sto tentando di abilitare HTTPS su un sito locale per motivi di apprendimento. Il fatto è che non voglio generare il certificato con alcune applicazioni note, ma voglio crearne uno fatto in casa. Ho fatto un certificato autofirmato perché non ho bisogno di alcuna catena di fiducia.

Il .crt che ho creato: 

$ openssl x509 -in server.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:31:4c:1a:04:d2:19:e4:eb:6c:a7:6f:47:74:63:67:b4:ac
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 0x20
         Trailer Field: 0x01
        Issuer: C=FR, ST=Aquitaine, L=Bordeaux, O=Cyebrens, OU=Cyberens Test, CN=192.168.2.149
        Validity
            Not Before: Apr  6 12:36:16 2018 GMT
            Not After : Apr  6 12:36:16 2019 GMT
        Subject: C=FR, ST=Aquitaine, L=Bordeaux, O=Cyebrens, OU=Cyberens Test, CN=192.168.2.149
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:8c:7c:3c:68:f6:0d:d1:eb:64:df:a2:4d:1a:0b:
                    65:6c:27:15:c3:a5:33:3e:59:78:63:c3:21:62:6c:
                    73:35:dc:ff:02:8f:b8:d8:01:7f:97:4d:a3:90:8e:
                    3d:90:49:af:65:12:66:19:e7:35:1d:ee:de:ee:98:
                    8f:68:12:6d:6c:fc:a6:41:bd:72:f6:39:dd:55:63:
                    50:98:e5:d9:72:3d:32:55:5b:ca:21:1a:97:3c:af:
                    bb:85:1c:32:a2:dc:7c:ae:48:15:5a:ad:f9:00:47:
                    16:89:b9:14:30:85:06:cb:1e:80:c7:ec:5c:d4:d5:
                    72:90:37:67:4b:70:0c:2f:05:ae:de:1b:2c:cb:9c:
                    3a:93:2c:5e:54:8b:72:67:42:eb:b9:dc:bd:83:e8:
                    cd:40:55:17:4a:59:08:80:6e:81:e7:74:e5:70:47:
                    40:d9:d3:d5:d2:77:7b:8f:84:d9:18:75:ea:d3:f3:
                    2c:f1:8a:8a:bf:40:0a:c1:1c:4f:52:41:31:ca:93:
                    88:2f:31:68:52:59:4d:60:a1:14:e8:31:0f:db:54:
                    87:bd:27:1d:55:b5:fa:a4:98:24:06:f2:93:c4:85:
                    58:ec:57:7a:b9:8d:1b:1a:ef:9d:85:f8:df:89:29:
                    5c:2c:d3:32:42:15:75:14:4f:b9:36:33:fc:62:54:
                    47:13
                Exponent:
                    40:00:10:00:40:20:00:00:08:00:00:02:00:00:00:
                    00:00:00:00:00:00:00:00:00:00:00:d7
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                01:02:06
            X509v3 Authority Key Identifier:
                keyid:01:02:06

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: rsassaPss
         Hash Algorithm: sha256
         Mask Algorithm: mgf1 with sha256
         Salt Length: 0x20
         Trailer Field: 0x01

         24:b8:30:d6:7e:49:a7:cc:a0:77:e1:b6:cd:37:70:18:74:1b:
         1f:17:61:a4:f7:47:22:f5:50:ee:e7:c8:4f:2c:55:a8:7a:e8:
         16:63:ae:28:72:ab:2e:b2:98:7c:c9:9f:6c:a6:22:94:04:7b:
         c6:f2:15:4e:9b:f1:b7:0f:9b:7d:d2:e4:b7:b0:0f:b6:7d:2e:
         f9:64:b7:ce:cf:bd:51:7e:ae:96:7e:54:2c:46:a3:8e:87:c6:
         09:cf:4b:f1:18:85:eb:7e:01:a1:71:9b:80:53:d1:ca:c6:a0:
         1c:c7:86:06:0b:9b:70:40:62:5d:49:13:82:1f:1f:34:36:4f:
         91:91:e0:e2:1b:b4:ab:4d:a9:5e:ff:f5:be:ec:e0:e9:62:6d:
         bf:9d:6a:45:66:19:f0:54:4a:83:e4:ca:21:d2:a7:0e:c1:33:
         ed:6f:bb:3c:d1:9f:0f:e2:19:18:a5:d9:be:61:c4:7c:cd:03:
         d0:fa:be:31:57:8e:59:45:f3:90:00:79:0e:eb:0e:61:94:e0:
         95:ca:8d:8d:9a:02:84:a1:26:23:b4:ca:57:43:a1:0f:79:0c:
         12:27:e9:9f:74:da:88:c0:ed:76:2d:36:60:e5:57:ee:b3:4b:
         04:2b:37:6a:4d:4e:f1:25:25:81:b1:68:84:f8:30:41:48:39:
         0e:c2:1e:63
-----BEGIN CERTIFICATE-----
MIIEMzCCAuKgAwIBAgISBjFMGgTSGeTrbKdvR3RjZ7SsMEYGCSqGSIb3DQEBCjA5
oA8wDQYJYIZIAWUDBAIBBQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCi
AwIBIKMDAgEBMHcxCzAJBgNVBAYTAkZSMRIwEAYDVQQIEwlBcXVpdGFpbmUxETAP
BgNVBAcTCEJvcmRlYXV4MREwDwYDVQQKEwhDeWVicmVuczEWMBQGA1UECxMNQ3li
ZXJlbnMgVGVzdDEWMBQGA1UEAxMNMTkyLjE2OC4yLjE0OTAeFw0xODA0MDYxMjM2
MTZaFw0xOTA0MDYxMjM2MTZaMHcxCzAJBgNVBAYTAkZSMRIwEAYDVQQIEwlBcXVp
dGFpbmUxETAPBgNVBAcTCEJvcmRlYXV4MREwDwYDVQQKEwhDeWVicmVuczEWMBQG
A1UECxMNQ3liZXJlbnMgVGVzdDEWMBQGA1UEAxMNMTkyLjE2OC4yLjE0OTCCATsw
DQYJKoZIhvcNAQEBBQADggEoADCCASMCggEBAIx8PGj2DdHrZN+iTRoLZWwnFcOl
Mz5ZeGPDIWJsczXc/wKPuNgBf5dNo5COPZBJr2USZhnnNR3u3u6Yj2gSbWz8pkG9
cvY53VVjUJjl2XI9MlVbyiEalzyvu4UcMqLcfK5IFVqt+QBHFom5FDCFBssegMfs
XNTVcpA3Z0twDC8Frt4bLMucOpMsXlSLcmdC67ncvYPozUBVF0pZCIBuged05XBH
QNnT1dJ3e4+E2Rh16tPzLPGKir9ACsEcT1JBMcqTiC8xaFJZTWChFOgxD9tUh70n
HVW1+qSYJAbyk8SFWOxXermNGxrvnYX434kpXCzTMkIVdRRPuTYz/GJURxMCHABA
ABAAQCAAAAgAAAIAAAAAAAAAAAAAAAAAANejLjAsMAwGA1UdDgQFBAMBAgYwDgYD
VR0jBAcwBYADAQIGMAwGA1UdEwQFMAMBAf8wRgYJKoZIhvcNAQEKMDmgDzANBglg
hkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowMC
AQEDggEBACS4MNZ+SafMoHfhts03cBh0Gx8XYaT3RyL1UO7nyE8sVah66BZjrihy
qy6ymHzJn2ymIpQEe8byFU6b8bcPm33S5LewD7Z9Lvlkt87PvVF+rpZ+VCxGo46H
xgnPS/EYhet+AaFxm4BT0crGoBzHhgYLm3BAYl1JE4IfHzQ2T5GR4OIbtKtNqV7/
9b7s4Olibb+dakVmGfBUSoPkyiHSpw7BM+1vuzzRnw/iGRil2b5hxHzNA9D6vjFX
jllF85AAeQ7rDmGU4JXKjY2aAoShJiO0yldDoQ95DBIn6Z902ojA7XYtNmDlV+6z
SwQrN2pNTvElJYGxaIT4MEFIOQ7CHmM=
-----END CERTIFICATE-----

e il .key: 

-----BEGIN RSA PRIVATE KEY-----
MIIEvwIBAAKCAQEAjHw8aPYN0etk36JNGgtlbCcVw6UzPll4Y8MhYmxzNdz/Ao+4
2AF/l02jkI49kEmvZRJmGec1He7e7piPaBJtbPymQb1y9jndVWNQmOXZcj0yVVvK
IRqXPK+7hRwyotx8rkgVWq35AEcWibkUMIUGyx6Ax+xc1NVykDdnS3AMLwWu3hss
y5w6kyxeVItyZ0Lrudy9g+jNQFUXSlkIgG6B53TlcEdA2dPV0nd7j4TZGHXq0/Ms
8YqKv0AKwRxPUkExypOILzFoUllNYKEU6DEP21SHvScdVbX6pJgkBvKTxIVY7Fd6
uY0bGu+dhfjfiSlcLNMyQhV1FE+5NjP8YlRHEwIcAEAAEABAIAAACAAAAgAAAAAA
AAAAAAAAAAAA1wKCAQEACqFAUPXhScdULAvgx1kSqb3j9BlACmEH+Vv5IE3lywD+
hOOEPrynLT/yNdszOk6u/UvKi8+hpyechnWhCZ9rZwIJ3ohZNaN5UCXK9CkU0PHS
sl4MbUhL71qRMnR7euGO36bOqrEB2P0b5SIf4o6V8hPtnp37JN8woI4CrGGfq7T6
3W5274PSCaDuDaOH9YUvP9qB/jxoYh6FjaeRrYrnkJ98PHWp8tGVxV5nyABQ8COH
F+9QrsUe7RUA67exXaRxQ2Jcrl92CjZY+2vGKkYHxp2HYdDh4B1fXP3M6iWfEunk
b1v4HnK2L0lrUIqjkP45sxGA4eRnyINl1pDi3Zkx3wKBgQDbLCKD8YPgVJPZSO0v
MNovh3GJNr+L9TJ4dIfKNb45tnPiOaJrAJY2hMju912N5OXvmt99TzggJQlCgMUa
fMgjhawyXuO7DUBDAbh1GYFjzfdJHRi9gwUqyfg9ESTiySJUg1eyJxmbmnayMB3f
+Me0aVbTaRyJ3aQmus+s/UAvzwKBgQCkF1D7wmJAydmm5Ha428e6xMUziWpPA6bQ
gYkoyxBJkLb/LfbPBsYqD/iG3hm5JTtltl/FtcclejgatdOKUz3vo5H7+j+G1xT6
IGSdTrUPW6YXafYHSaO01I9dT/1Q0+Y5o6ePRr4H4Cd8nHVDtEPASaQkPrI0SSut
18QL9ojhfQKBgQBbfT7kUuaDFoQLGPhLX2d18iT8Ju81KHUhGRZLCHkS8H9MiD4f
Xh08OJaRvgt/xmRArPJz28hCZztqokjT60abwbXNqC1AZawNuSiqQk7m2CZPCcnV
ApTWwB7beF9v8jN9hYBj3aKgkIZi1zJ2TWSteAJpkaH8PfzQdKLfi/ZZZQKBgQAB
whqd4GMHvDsUbVp7oclCutbb5huSUfpAW5P1z/LRztxMs4brMvkd1oqjhCOtkFcR
nIvZh5UjwSFyIzOTkD54h1YtyPBMWGKsaojnZsQ+bRoUw8uqVDu0AXEQCwUsb5Hj
JAgjxJ0YtaYspDQc5dxrkO7/0AEsS21gXC7IV/76IwKBgQB2BcMO4hK1Cuu/g5L7
R2F4Kdjnt/a88sfstEAWXQJAa4NMAst0egoH+JD78k8Cei99xkrC+rt2GFSr4fh5
HgbPBikTmPtC9C3n996W0KXg3CocG1xihvs1iQIvYbtLfzi3NBf6jlSCe3fhU8Uo
hp6GlXSB9sDgqS88rtx3yK+D0A==
-----END RSA PRIVATE KEY-----

Il problema è che ho ottenuto un "SEC_ERROR_BAD_SIGNATURE" su Mozilla quando provo ad andare sul mio sito. Ho usato un'implementazione fatta in casa per firmarla ( RSASSA-PSS ), quindi il problema potrebbe venire dalla mia implementazione.

Ma quando apro il certificato facendo doppio clic su di esso, la firma sembra valida, altrimenti avrei qualche messaggio che dice che il certificato è corrotto.

Quindi 2 domande:

  1. Come posso verificare che la mia firma sia valida? Non riesco a trovare un modo semplice per farlo.

  2. Se la firma è valida, qual è il problema?

posta Pierre-Arnaud Lpt 06.04.2018 - 19:43
fonte

1 risposta

3

I used a homemade implementation to sign it (RSASSA-PSS), so the problem may come from my implementation.

RSASSA-PSS non è attualmente supportato da Firefox. Vedi questo problema per ulteriori informazioni. In caso di dubbio, guarda l'estensione signature_algorithm nell'handshake TLS 1.2 dove pubblicizza quali algoritmi sono supportati.

    
risposta data 06.04.2018 - 20:29
fonte

Leggi altre domande sui tag

Campo di sicurezza standard ISO Come funziona l'attacco "QuantumInsert"?