We have an application that issues (and maintains) SSL certificates for various uses. It does this using the Bouncycastle library in .NET.
We create a CA certificate and then use this certificate to sign the regular downstream certificates.
I noticed a similar problem someone ran into at "OpenSSL 'unable to get local issuer certificate' even when passing the certificate authority", and I made sure that my CA has the required KeyUsage bits set.
For simplicity, I'll leave out the implementation details and provide the two certificates here:
CA:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7084791601844488517 (0x62523c6ccf9c8945)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
Validity
Not Before: Jun 28 00:00:00 2018 GMT
Not After : Jun 28 00:00:00 2028 GMT
Subject: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a7:e1:11:5f:4b:82:ac:77:d9:ae:e7:95:a0:e4:
3c:d8:e4:84:07:88:a8:4e:fe:f2:ce:5c:c8:4d:26:
69:c7:33:29:39:b3:fc:c8:e5:15:e1:74:85:d9:14:
ac:f8:e4:18:08:21:8f:2e:a3:c8:6f:98:8e:50:8d:
d0:e7:09:67:f2:85:74:a9:73:c6:5b:51:69:f6:eb:
a1:0d:be:a3:a8:17:09:bd:73:4d:7f:14:75:d8:3e:
fd:80:5f:45:5c:9a:e4:27:81:c7:4f:af:2e:3e:c9:
d0:29:61:f7:8c:6c:92:5f:6f:6b:c5:0c:b6:7f:5a:
8c:09:ab:91:1e:1b:bb:82:79:a6:91:84:5f:da:8a:
d6:86:3c:b1:ee:8a:64:16:57:b7:9b:fb:2c:ef:3e:
d8:a5:b9:42:7e:89:14:92:dc:6d:ab:32:70:70:c7:
ee:19:eb:bf:c1:26:95:fa:46:27:6e:6c:9e:8f:1f:
98:91:7f:1d:f6:90:b6:be:1f:06:74:42:0d:f9:ef:
24:20:78:c7:fa:32:23:49:85:98:3e:14:38:8f:a7:
1b:23:3e:db:2c:67:81:a3:56:33:e1:79:c3:3a:d2:
b9:d7:bf:2f:32:c7:4c:73:2f:8b:aa:23:b3:87:0b:
b9:f5:fe:01:ee:d0:c5:c8:31:13:dd:8f:23:0a:b5:
68:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
serial:62:52:3C:6C:CF:9C:89:45
X509v3 Subject Key Identifier:
B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Extended Key Usage:
Any Extended Key Usage
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
14:a8:4b:02:89:b2:a6:0e:6a:78:a5:fe:99:6c:3d:02:7a:a5:
5e:ca:48:d2:89:f5:1e:f8:e5:42:3c:51:ab:ac:ba:6a:27:74:
2a:3f:b4:22:59:fd:56:a1:52:4f:07:c4:cd:6d:8f:63:0a:2d:
e6:c5:7a:4e:52:9d:32:2e:cb:37:7a:23:96:8f:95:9f:17:ac:
34:62:43:2e:26:86:50:c1:1e:0e:5e:cf:22:62:bb:9e:33:50:
69:be:16:cb:99:e6:8b:2a:2f:d5:0c:1e:b7:b5:db:b2:6c:c9:
d6:81:d7:5d:e6:15:4f:a4:2c:3f:8c:8d:41:d9:6a:56:85:b1:
2b:d4:69:1f:73:cf:b1:ad:a4:c5:36:c7:5c:c6:76:6f:2e:09:
26:04:21:ea:65:09:70:e5:22:4c:b0:35:01:bf:39:cc:b4:87:
45:14:47:c4:52:1a:40:3c:36:1e:55:23:55:0b:25:d9:8d:5b:
45:46:d9:9a:69:3e:5e:07:e3:6f:52:e3:6f:41:1f:e5:31:f0:
78:07:aa:88:d0:d2:aa:ae:e5:34:f3:80:71:54:75:02:89:08:
e3:23:97:9b:36:f8:e4:94:88:5c:34:59:bd:74:41:a2:91:68:
93:63:90:e4:b0:da:c0:77:84:c4:db:10:b3:d3:56:c2:43:e5:
d5:29:0e:4a
Issued CERT:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2613337765100360586 (0x244470d9eeeb938a)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
Validity
Not Before: Jun 28 00:00:00 2018 GMT
Not After : Jun 28 00:00:00 2028 GMT
Subject: CN = spectero.users.177dcde1-9239-40c9-9f92-5a014ca1c176.instance.spectero.io
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:85:64:af:24:5b:1e:5b:66:13:66:2a:cb:1a:0c:
55:bf:88:bb:51:90:2a:94:fe:d8:bd:68:6e:ed:4b:
0c:d2:b5:c3:76:8a:a4:05:74:0b:2b:c4:ca:23:ad:
69:54:b8:7e:5b:3d:1d:21:07:11:5b:e3:dd:67:23:
1f:96:e3:cc:fc:11:ff:70:bb:6c:16:9c:6d:d4:89:
23:50:8d:0e:98:dc:18:62:5f:42:b3:9d:87:be:31:
2d:b7:02:64:8b:26:1b:77:4d:41:ae:de:02:8e:79:
55:74:65:fc:6c:9c:f7:0b:cf:58:e7:ff:68:4f:60:
42:be:8a:6e:8f:e5:19:c8:9d:ce:55:24:8d:91:8e:
4b:dd:27:c9:c3:2b:24:dd:38:9f:22:ed:aa:59:a0:
22:ca:a3:5d:45:ed:bd:2d:c1:67:21:db:63:1b:6f:
a8:90:f9:d6:d1:c5:d2:49:fb:ac:47:55:a0:d5:1b:
1b:46:6b:f2:20:0f:2d:81:f8:ea:5a:b7:90:6a:91:
a9:95:e0:72:2d:a3:fc:fb:a7:2c:6e:13:a3:e5:06:
14:cc:64:d8:f8:1d:9b:b5:ce:fb:08:b0:64:c7:32:
4c:57:98:64:21:d7:a6:ad:b9:75:bc:70:05:d6:0c:
22:34:2a:a4:bd:ab:26:2b:44:63:49:ba:58:0b:c7:
1e:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
serial:45:89:9C:CF:6C:3C:52:62
X509v3 Subject Key Identifier:
D3:FD:59:E5:24:4B:93:AA:6A:AA:E1:AE:65:DF:CC:06:0E:18:09:30
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
61:da:ad:d9:ed:f5:0f:4e:32:80:b5:ce:98:91:cc:f3:3f:45:
ea:7e:1d:c3:ee:13:6f:34:74:9f:32:33:ac:55:63:d2:19:ba:
f1:c3:c0:76:8d:b1:59:64:ca:58:e1:97:72:a2:03:36:57:b4:
ac:b8:a9:21:22:9e:69:1a:99:0c:86:74:27:4b:48:d9:cc:8f:
bf:3f:3b:e5:2d:91:92:f7:89:2a:32:93:92:e0:cd:b0:1b:e0:
8f:2b:b8:80:64:7b:b3:1e:43:9b:11:ce:b1:d3:34:da:0f:26:
d6:40:d8:a1:73:8a:a2:47:26:9b:ea:b5:bd:0d:f1:47:dc:fa:
55:bf:92:be:98:e0:c8:f7:69:8b:f1:c1:07:bf:13:50:5e:f9:
7d:6e:7c:56:88:ee:42:de:ff:b0:85:f2:57:cb:67:4d:06:71:
fb:b6:8a:27:5b:de:fe:f9:46:15:88:0a:1b:51:67:7e:8f:dd:
62:db:27:15:0b:52:fa:6b:6b:ec:46:f6:1f:8a:8d:e6:62:94:
56:e9:a9:d2:26:bd:d3:2d:fd:f3:3e:af:b9:bc:9c:7e:6f:a9:
ab:49:4d:36:19:34:b2:c0:06:a4:b4:9b:60:d1:a1:77:55:48:
e7:eb:b8:cf:2a:aa:07:24:e6:30:a6:66:89:62:83:d2:7b:3c:
9e:69:79:04
At this point, I'm not sure why the verification fails:
reisende@Bleu:/mnt/c/Users/reise/Desktop/pki$ openssl verify -CAfile newCA.crt newUser.crt
CN = spectero.users.177dcde1-9239-40c9-9f92-5a014ca1c176.instance.spectero.io
error 20 at 0 depth lookup: unable to get local issuer certificate
error newUser.crt: verification failed
Can someone more experienced take a look? Thanks!
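As an added diagnostic (my own code, not the poster's application), this script compares the issued certificate's Authority Key Identifier against the CA's identity the way OpenSSL's issuer lookup does, so that a non-matching keyid, DirName or serial is reported by name instead of only as "unable to get local issuer certificate". It runs on constructed excerpts of the two `openssl x509 -text` dumps above; the name normalisation is simplified to single-RDN subjects, which is all these certificates use.

```python
import re

# Constructed excerpts of the two dumps in the question; only the identity fields compared are kept.
CA_TEXT = """\
Serial Number: 7084791601844488517 (0x62523c6ccf9c8945)
Subject: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
X509v3 Subject Key Identifier:
    B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
"""
LEAF_TEXT = """\
Issuer: CN = 177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
X509v3 Authority Key Identifier:
    keyid:B5:2D:8B:07:09:99:5A:15:F3:EB:21:2E:9A:FB:98:AF:E3:4E:EE:E1
    DirName:/CN=177dcde1-9239-40c9-9f92-5a014ca1c176.ca.instance.spectero.io
    serial:45:89:9C:CF:6C:3C:52:62
"""

def hexbytes(s):              # 'B5:2D:..' or '62523c..' -> lowercase hex, no separators
    return s.lower().replace(":", "")
def norm_name(name):          # 'CN = x' and '/CN=x' -> 'CN=x' (single-RDN names only)
    return re.sub(r"\s*=\s*", "=", name.strip().lstrip("/"))

def ca_identity(text):
    """What an AKID may point at: the CA's subject key id, subject name and serial."""
    serial = re.search(r"Serial Number:.*\(0x([0-9a-f]+)\)", text).group(1)
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M).group(1)
    ski = re.search(r"Subject Key Identifier:\s*([0-9A-F:]+)", text).group(1)
    return {"keyid": hexbytes(ski), "name": norm_name(subject), "serial": hexbytes(serial)}

def leaf_akid(text):
    """The keyid / DirName / serial fields present in the leaf's AKID extension."""
    block = text.split("Authority Key Identifier:", 1)[1]
    akid = {}
    for key, pat in (("keyid", r"keyid:([0-9A-F:]+)"), ("name", r"DirName:(\S+)"),
                     ("serial", r"serial:([0-9A-F:]+)")):
        m = re.search(pat, block)
        if m:
            akid[key] = norm_name(m.group(1)) if key == "name" else hexbytes(m.group(1))
    return akid

def akid_mismatches(ca, akid):
    """AKID fields that disagree with the candidate issuer. OpenSSL (X509_check_akid) checks keyid,
    issuer name and serial whenever the AKID carries them; any mismatch rejects the CA as issuer."""
    return [k for k, v in akid.items() if ca.get(k) != v]
def is_byte_reversed(a, b):   # same bytes in opposite order: the classic endianness slip
    return bytes.fromhex(a)[::-1] == bytes.fromhex(b)

if __name__ == "__main__":
    ca, akid = ca_identity(CA_TEXT), leaf_akid(LEAF_TEXT)
    print(akid_mismatches(ca, akid), is_byte_reversed(ca["serial"], akid["serial"]))
```

On these two dumps the keyid and DirName match the CA while the AKID serial does not; it is the CA's serial with its byte order reversed, which is enough for OpenSSL to reject the CA as the issuer.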