Buscar este blog

jueves, 15 de agosto de 2019

Determine OCSP provider from certificate

Given a certificate, if you want to know whether there is an OCSP provider associated with it, you can get this information from the own certificate.

OCSP information is encoded inside " Authority Information Access" field. Open de certificate with some tool, for example, windows default program, and look for its value. You can also use openssl:
# openssl x509 -in PF_ACTIVO_EIDAS.cer -text -noout | grep OCSP
               OCSP - URI:http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder

# openssl x509 -in PF_ACTIVO_EIDAS.cer -ocsp_uri -noout
http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder


Note that the certificate must be in PEM format.

In order to call the OCSP service you need the certificate serial number (the one you want to check) and the CA chain, as described in a previous post:
# openssl x509 -in PF_ACTIVO_EIDAS.cer -serial -noout
serial=0902999F8486CAA55821C9A36BFAA499

# openssl ocsp -issuer AC_FNMT_Usuarios.pem -serial 0x0902999F8486CAA55821C9A36BFAA499 -url http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder -CAfile AC_Raiz_FNMT-RCM_SHA256.pem
Response verify OK
0x0902999F8486CAA55821C9A36BFAA499: good
        This Update: Aug 15 17:04:27 2019 GMT
        Next Update: Aug 15 18:04:27 2019 GMT


Another important subject with OCSP is that when you ask for a certificate, often, the response is signed by the provider. If you need to determine wich certificate it is, for example, in order to store it in a truststore, you can add the "-resp_text" flag:
# openssl ocsp -resp_text -issuer AC_FNMT_Usuarios.pem -serial 0x0902999F8486CAA55821C9A36BFAA499 -url http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder -CAfile AC_Raiz_FNMT-RCM_SHA256.pem
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = ES, O = FNMT-RCM, OU = Ceres, CN = Servidor OCSP AC FNMT Usuarios
    Produced At: Aug 15 17:08:28 2019 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: ACB3EDC1572E4DA000C62307BEBBC1953AA27423
      Issuer Key Hash: B1D44FC42379FA440509C6EB39CFE835B0B82064
      Serial Number: 0902999F8486CAA55821C9A36BFAA499
    Cert Status: good
    This Update: Aug 15 17:08:28 2019 GMT
    Next Update: Aug 15 18:08:28 2019 GMT

    Response Extensions:
        OCSP Nonce:
            04109B882F00D026E282BE6D2194DFC96845
    Signature Algorithm: sha256WithRSAEncryption
         14:87:45:a1:ad:37:14:7e:d4:3b:7f:bf:7d:6a:cc:2e:5f:01:
         81:2a:fc:20:96:b4:b7:27:01:64:6d:fd:ab:09:a8:26:49:b1:
         15:16:86:c9:7c:c1:3c:79:d8:d7:a2:55:10:be:2d:a5:b9:ba:
         f8:db:19:7f:9c:8a:ba:44:3e:ec:5d:9a:62:8e:85:1b:6b:7e:
         e9:b9:e0:ce:b2:45:0b:fa:9c:ad:bd:5e:5e:14:0c:ae:15:89:
         68:83:77:92:a7:80:b2:7f:37:94:cc:98:26:73:c8:53:86:4f:
         6a:45:5a:70:0f:30:ce:83:66:72:2c:ae:0f:06:93:17:15:1d:
         9f:1f:14:53:ae:a9:32:cb:7f:14:5f:4d:e9:29:fc:6d:f0:a2:
         f2:c1:fb:e4:1b:b9:ea:6e:5f:2d:0b:9b:e5:5f:6b:58:c8:5a:
         09:43:f6:27:91:db:da:56:c1:dc:48:aa:4a:86:a5:28:5f:94:
         65:f9:36:fe:d1:b3:0c:be:66:ad:5f:3b:26:38:25:a4:67:ff:
         1e:4c:b3:5d:88:46:c0:5a:2b:67:42:47:4e:d8:67:0e:2d:2c:
         45:c2:43:f4:33:4e:ca:bc:df:ff:a9:e0:79:b0:d3:6f:90:c7:
         8b:29:6f:14:52:d9:5a:82:c4:b3:a6:31:9b:12:96:33:dd:41:
         c2:51:9d:92
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:f0:a3:e9:d7:e3:93:01:5c:d2:91:e3:26:66:bc:43
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=ES, O=FNMT-RCM, OU=Ceres, CN=AC FNMT Usuarios
        Validity
            Not Before: May  8 08:22:59 2019 GMT
            Not After : Nov  8 09:22:59 2019 GMT
        Subject: C=ES, O=FNMT-RCM, OU=Ceres, CN=Servidor OCSP AC FNMT Usuarios
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d7:49:d2:98:b6:41:60:3d:28:1b:06:ce:f9:10:
                    53:b6:7b:ff:01:29:43:fc:64:58:22:7b:90:7b:79:
                    07:f5:41:db:e7:ec:3e:27:88:5c:c0:d1:7e:8f:3c:
                    c8:68:c6:8e:33:b4:78:3d:9d:65:30:ec:77:a9:6f:
                    65:ca:c9:62:78:3e:36:d6:1b:eb:cb:da:33:c8:35:
                    94:02:03:60:53:75:df:34:37:42:65:c7:9d:d8:bf:
                    b8:a3:18:5a:ea:17:9d:18:e6:80:0e:6e:5f:27:32:
                    04:93:6c:05:d2:db:ee:aa:dc:98:3f:af:39:ec:aa:
                    f9:eb:39:13:c5:7e:9b:cd:7e:d6:21:82:72:22:46:
                    d5:e1:9d:30:f1:fc:c2:02:3b:32:a5:f8:87:4f:e1:
                    a1:8a:3c:08:7f:e1:e3:84:17:29:2a:d2:7d:f8:82:
                    9b:88:13:38:d1:c1:a8:fd:71:e8:59:d4:e5:6f:9d:
                    97:a8:ef:fa:d3:b7:20:4f:3d:e1:55:19:62:96:1e:
                    94:53:80:18:42:08:6e:24:9c:e6:fd:6e:9e:08:34:
                    f9:fa:75:1d:34:dc:55:89:2e:bf:55:52:9c:ce:0e:
                    8e:bb:2f:9b:91:c5:91:84:cb:06:74:8e:41:54:2a:
                    b3:7e:dc:ee:05:1a:cf:07:8d:62:8f:d7:43:5a:0c:
                    ad:eb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage: critical
                OCSP Signing
            X509v3 Subject Key Identifier:
                BB:6F:79:C3:04:25:98:D6:62:C7:CD:71:25:AF:C9:61:B0:12:3A:8B
            X509v3 Authority Key Identifier:
                keyid:B1:D4:4F:C4:23:79:FA:44:05:09:C6:EB:39:CF:E8:35:B0:B8:20:64

            OCSP No Check:

            Authority Information Access:
                CA Issuers - URI:http://www.cert.fnmt.es/certs/ACUSU.crt

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.5734.3.10.15
                  CPS: http://www.cert.fnmt.es/dpcs/
                  User Notice:
                    Explicit Text: Sujeto a las condiciones de uso expuestas en la DPC de la FNMT-RCM (C/Jorge Juan 106-28009-Madrid-España)

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap://ldapusu.cert.fnmt.es/cn=CRL2503,cn=AC%20FNMT%20Usuarios,ou=CERES,o=FNMT-RCM,c=ES?certificateRevocationList;binary?base?objectclass=cRLDistributionPoint

    Signature Algorithm: sha256WithRSAEncryption
         2f:32:00:b2:e7:42:86:81:9b:87:c8:7c:fe:ff:99:d9:9c:fe:
         31:a1:92:db:2c:cf:6b:38:bd:d2:c4:0d:2d:fb:1e:35:ef:87:
         9f:30:ab:c0:45:3c:ea:e2:e2:67:b4:f2:90:f7:a3:cb:ed:17:
         38:17:c7:06:8e:b9:50:d0:4e:66:c4:89:cf:cb:3a:d8:ac:a3:
         85:18:ba:e4:75:54:66:f3:4c:3c:99:3f:cd:6d:6e:a0:18:c9:
         25:35:cb:4f:1c:42:a8:14:35:61:37:04:c8:e4:41:2f:4f:6a:
         cf:2a:78:7d:a6:2d:00:03:a7:36:c7:1e:cd:98:cc:b2:db:a8:
         82:25:a8:b2:7c:9c:53:54:48:84:f8:36:17:ac:f9:9e:ba:5e:
         18:18:d7:35:ea:a5:4f:68:30:d2:04:fc:fb:ca:95:c8:0b:86:
         6e:16:68:b7:b6:f5:6a:b1:8e:0e:b3:bf:ef:95:65:2a:ef:5e:
         2c:67:f0:80:e0:c3:dd:95:e3:dc:89:46:00:74:73:33:df:77:
         c9:b5:e1:42:0c:fa:76:a2:19:06:d4:73:e5:9e:43:d2:79:b5:
         10:da:d1:3d:e1:64:08:05:ad:04:b0:bd:3e:69:67:88:0f:93:
         66:c5:ab:9f:f2:87:6a:76:bf:ad:30:96:8a:8d:af:c2:2e:00:
         93:52:8c:4e
-----BEGIN CERTIFICATE-----
MIIFejCCBGKgAwIBAgIQAfCj6dfjkwFc0pHjJma8QzANBgkqhkiG9w0BAQsFADBL
MQswCQYDVQQGEwJFUzERMA8GA1UECgwIRk5NVC1SQ00xDjAMBgNVBAsMBUNlcmVz
MRkwFwYDVQQDDBBBQyBGTk1UIFVzdWFyaW9zMB4XDTE5MDUwODA4MjI1OVoXDTE5
MTEwODA5MjI1OVowWTELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMQ4w
DAYDVQQLDAVDZXJlczEnMCUGA1UEAwweU2Vydmlkb3IgT0NTUCBBQyBGTk1UIFVz
dWFyaW9zMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA10nSmLZBYD0o
GwbO+RBTtnv/ASlD/GRYInuQe3kH9UHb5+w+J4hcwNF+jzzIaMaOM7R4PZ1lMOx3
qW9lyslieD421hvry9ozyDWUAgNgU3XfNDdCZced2L+4oxha6hedGOaADm5fJzIE
k2wF0tvuqtyYP6857Kr56zkTxX6bzX7WIYJyIkbV4Z0w8fzCAjsypfiHT+GhijwI
f+HjhBcpKtJ9+IKbiBM40cGo/XHoWdTlb52XqO/607cgTz3hVRlilh6UU4AYQghu
JJzm/W6eCDT5+nUdNNxViS6/VVKczg6Ouy+bkcWRhMsGdI5BVCqzftzuBRrPB41i
j9dDWgyt6wIDAQABo4ICSjCCAkYwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBsAw
FgYDVR0lAQH/BAwwCgYIKwYBBQUHAwkwHQYDVR0OBBYEFLtvecMEJZjWYsfNcSWv
yWGwEjqLMB8GA1UdIwQYMBaAFLHUT8QjefpEBQnG6znP6DWwuCBkMA8GCSsGAQUF
BzABBQQCBQAwQwYIKwYBBQUHAQEENzA1MDMGCCsGAQUFBzAChidodHRwOi8vd3d3
LmNlcnQuZm5tdC5lcy9jZXJ0cy9BQ1VTVS5jcnQwgcIGA1UdIASBujCBtzCBtAYK
KwYBBAGsZgMKDzCBpTApBggrBgEFBQcCARYdaHR0cDovL3d3dy5jZXJ0LmZubXQu
ZXMvZHBjcy8weAYIKwYBBQUHAgIwbAxqU3VqZXRvIGEgbGFzIGNvbmRpY2lvbmVz
IGRlIHVzbyBleHB1ZXN0YXMgZW4gbGEgRFBDIGRlIGxhIEZOTVQtUkNNIChDL0pv
cmdlIEp1YW4gMTA2LTI4MDA5LU1hZHJpZC1Fc3Bhw7FhKTCBtQYDVR0fBIGtMIGq
MIGnoIGkoIGhhoGebGRhcDovL2xkYXB1c3UuY2VydC5mbm10LmVzL2NuPUNSTDI1
MDMsY249QUMlMjBGTk1UJTIwVXN1YXJpb3Msb3U9Q0VSRVMsbz1GTk1ULVJDTSxj
PUVTP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5P2Jhc2U/b2JqZWN0
Y2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwDQYJKoZIhvcNAQELBQADggEBAC8y
ALLnQoaBm4fIfP7/mdmc/jGhktssz2s4vdLEDS37HjXvh58wq8BFPOri4me08pD3
o8vtFzgXxwaOuVDQTmbEic/LOtiso4UYuuR1VGbzTDyZP81tbqAYySU1y08cQqgU
NWE3BMjkQS9Pas8qeH2mLQADpzbHHs2YzLLbqIIlqLJ8nFNUSIT4Nhes+Z66XhgY
1zXqpU9oMNIE/PvKlcgLhm4WaLe29Wqxjg6zv++VZSrvXixn8IDgw92V49yJRgB0
czPfd8m14UIM+naiGQbUc+WeQ9J5tRDa0T3hZAgFrQSwvT5pZ4gPk2bFq5/yh2p2
v60wloqNr8IuAJNSjE4=
-----END CERTIFICATE-----
Certificate:
(...)
Response verify OK
0x0902999F8486CAA55821C9A36BFAA499: good
        This Update: Aug 15 17:08:28 2019 GMT
        Next Update: Aug 15 18:08:28 2019 GMT


The first certificate in the response is the OCSP server signer certificate. You can save it in a .CER file. In this example you can see that the subject is "C=ES, O=FNMT-RCM, OU=Ceres, CN=Servidor OCSP AC FNMT Usuarios"


Another example of validation, but this time you send the whole certificate.
openssl ocsp -issuer CHAMBERS_OF_COMMERCE_ROOT-2016.cer -cert AC_CAMERFIRMA_FOR_NATURAL_PERSONS-2016.cer -text -url http://ocsp.camerfirma.com -CAfile CHAMBERS_OF_COMMERCE_ROOT-2016.cer