Example of OCSP issuer DN hash creation #136
Comments
(or if there's an

@YuryStrozhevsky I can't find a good example, mind handling this request?
Here's what I've got:

```js
// Assumed imports (not in the original snippet): the code uses Node's crypto,
// lodash, asn1js, pkijs and xmldsigjs; the top-level await is wrapped in an async function.
const crypto = require('crypto')
const _ = require('lodash')
const asn1js = require('asn1js')
const pkijs = require('pkijs')
const xmldsigjs = require('xmldsigjs')

async function buildOcspRequest () {
  const publicCertificateContent =
    '-----BEGIN CERTIFICATE-----\n' +
    // ... base64 body of the certificate elided here ...
    '-----END CERTIFICATE-----';
  // Strip the PEM armour and line breaks, leaving the bare base64 body
  const publicCertificate = publicCertificateContent
    .replace(/-{5}([^-]+)-{5}/g, '')
    .replace(/\n|\r/g, '')
  const sha1 = xmldsigjs.CryptoConfig.GetHashAlgorithm('SHA-1')
  // Decode the DER certificate into a pkijs Certificate
  const asn1 = asn1js.fromBER(new Uint8Array(Buffer.from(publicCertificate, 'base64')).buffer)
  const publicCertificateInfo = new pkijs.Certificate({
    schema: asn1.result
  })
  // d2i_X509_NAME() and i2d_X509_NAME() decode and encode an ASN.1 Name structure defined in RFC 5280 section 4.1.2.4.
  const issuerNameHash = await sha1.Digest(publicCertificateInfo.issuer.toSchema().toBER()) // TODO: this gives wrong results
  // Authority Key Identifier (2.5.29.35): keyIdentifier of the issuer's key
  const authorityKeyIdentifier = _.find(publicCertificateInfo.extensions, (extension) => extension.extnID === '2.5.29.35')
  const authorityKeyIdentifierValue = authorityKeyIdentifier.parsedValue.keyIdentifier.valueBlock.valueHex
  // Authority Information Access (1.3.6.1.5.5.7.1.1): pick the id-ad-ocsp access description for the responder URL
  const authorityInformationExtension = _.find(publicCertificateInfo.extensions, (extension) => extension.extnID === '1.3.6.1.5.5.7.1.1')
  const parsedOcspValue = _.find(authorityInformationExtension.parsedValue.accessDescriptions, (parsedValue) => parsedValue.accessMethod === '1.3.6.1.5.5.7.48.1')
  const ocspUrl = parsedOcspValue.accessLocation.value
  const ocspRequest = new pkijs.OCSPRequest()
  const serialNumberValue = publicCertificateInfo.serialNumber.valueBlock.valueHex
  // CertID: hash algorithm, issuer name hash, issuer key hash, serial number
  ocspRequest.tbsRequest.requestList = [new pkijs.Request({
    reqCert: new pkijs.CertID({
      hashAlgorithm: new pkijs.AlgorithmIdentifier({
        algorithmId: '1.3.14.3.2.26' // SHA-1
      }),
      issuerNameHash: new asn1js.OctetString({ valueHex: issuerNameHash }),
      issuerKeyHash: new asn1js.OctetString({ valueHex: authorityKeyIdentifierValue }),
      serialNumber: new asn1js.Integer({ valueHex: serialNumberValue })
    })
  })]
  // Random nonce so the response cannot be replayed
  const ocspNonceValue = crypto.randomBytes(18)
  console.log('ocspNonceValue', Buffer.from(new Uint8Array(ocspNonceValue)).toString('hex'))
  ocspRequest.tbsRequest.requestExtensions = [
    new pkijs.Extension({
      extnID: '1.3.6.1.5.5.7.48.1.2', // ocspNonce
      extnValue: (new asn1js.OctetString({ valueHex: ocspNonceValue })).toBER(false)
    })
  ]
  const ocspRequestData = ocspRequest.toSchema(true).toBER(false)
  console.log('ocspRequestData', Buffer.from(new Uint8Array(ocspRequestData)).toString('base64'))
  return { ocspUrl, ocspRequestData }
}
```

The results I get look good, except for the DN hash; it's not the same as the one OpenSSL creates, so I must be doing something wrong.
@alexey-pelykh How did you find the hash is wrong? Could you describe your test procedure and input data for such testing?

https://sk.ee/upload/files/KLASS3-SK_2016_EECCRCA_SHA384.pem.crt
@alexey-pelykh I have a suspicion regarding "why hash is wrong". Try to use this code: `const issuerNameHash = await sha1.Digest(publicCertificateInfo.issuer.valueBeforeDecode)`

@YuryStrozhevsky that was the very first thing to test, does the same due to https://github.com/PeculiarVentures/PKI.js/blob/master/src/RelativeDistinguishedNames.js#L152
@alexey-pelykh Just made a simple test using your certificate as a source:

```js
// Assumed imports (not shown in the original): asn1js, pkijs and the pvutils helpers.
// certBase64 is assumed to hold the base64 body of the certificate linked above.
import * as asn1js from "asn1js";
import { Certificate, getCrypto } from "pkijs";
import { stringToArrayBuffer, fromBase64, bufferToHexCodes } from "pvutils";

function test()
{
	//region Initial variables
	let sequence = Promise.resolve();
	//endregion
	// Decode the DER certificate
	const asn1 = asn1js.fromBER(stringToArrayBuffer(fromBase64(certBase64)));
	if(asn1.offset === (-1))
	{
		console.log("Something wrong");
		return;
	}
	const crypto = getCrypto();
	const certificate = new Certificate({ schema: asn1.result });
	// Hash the issuer Name bytes exactly as they appear in the certificate
	sequence = sequence.then(() => crypto.digest({ name: "SHA-1" }, certificate.issuer.valueBeforeDecode));
	sequence = sequence.then(result =>
	{
		// result = 797CF08C18F544B716136397E74594EAD5BE9398
		console.log(`Issuer hash: ${(bufferToHexCodes(result)).toUpperCase()}`);
	});
	// Same for the subject Name
	sequence = sequence.then(() => crypto.digest({ name: "SHA-1" }, certificate.subject.valueBeforeDecode));
	sequence = sequence.then(result =>
	{
		// result = 1CC2E7AF4B76D25234E12415B453B0EB7BA6A1A5
		console.log(`Subject hash: ${(bufferToHexCodes(result)).toUpperCase()}`);
	});
	return sequence;
}
```

So, I do not understand how you got the wrong
@YuryStrozhevsky Frankly speaking, neither do I. Just checked again, same result.
gives
same on your side? Since if it's the same, the hashing did something wrong

@alexey-pelykh Not really sure I want to check 126 bytes of the buffer :) Yes, probably the "sha1.Digest" function did something wrong.
It did, actually, just figured it out
gave
while
gave

@alexey-pelykh Great, I can close the issue then.
Heh,
also gave

@alexey-pelykh But no - will keep it open until example update

@microshine any insights on what I did wrong?

@alexey-pelykh Would be better to make a new issue in @microshine repos.

Consider that done :)

It would be great to have that as part of the OCSP creation example