search

phpseclib / phpseclib

PHP Secure Communications Library
http://phpseclib.com/
MIT License
5.33k stars 890 forks source link

Get the attributes of a certificate with entity validation #1073

Open freekmurze opened 7 years ago

freekmurze commented 7 years ago

I've created a package that can download all the certificates in the trust chain. Under the hood X509 is used

Certificates that provider only domain validation work perfectly. Unfortunately this does not work with certificates with entity validation.

In those cases X509 throws an error 1.3.6.1.4.1.11129.2.4.2 is not a currently supported extension. More info here: https://github.com/spatie/ssl-certificate-chain-resolver/issues/6

Also, X509 does not like Let's Encrypt certificates: https://github.com/spatie/ssl-certificate-chain-resolver/issues/5

I'd appreciate any help in getting this to work in the ssl-certificate-chain-resolver package.

terrafrost commented 7 years ago

Does https://github.com/phpseclib/phpseclib/pull/1076 fix the issue for you?

Also, could you post a cert that has that extension? Reading the RFC can sometimes be a poor substitute for being able to actually look at a real world example.

bantu commented 7 years ago

@terrafrost Here's a Let's Encrypt certificate.

-----BEGIN CERTIFICATE-----
MIIGFTCCBP2gAwIBAgISA8xEXxRqvPUHOFKAKKu/B2psMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEyMDMxMjIyMDBaFw0x
NzAzMDMxMjIyMDBaMBwxGjAYBgNVBAMTEXd3dy5waHBzZWNsaWIub3JnMIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4RDVivyzWvfpliBpGQy1W+I6JBy5
vnzAzqLLDPGH6JGqIRzjysXiOlemiDXa1KCaUSXpyPlgBNz7qAvWS4F3nl7gE8UN
eH6vlwXo0DhVdrW8uj22sV1/mbcqcqYU+28qkiOMJiqzpMFN/4/gKMpFcHxOD1aA
DqmuEzP8LjxhAJRj+AxGOiHloNDQqrVbf61dSIo4GNSo/o5D8ShTYbBu+SOnH8GT
VQ6bkTEOs96Rwc18EIuA5cXllEdA7n8FEQD0tH2urxsKsGcdz4FWMAxLYcFyvLJ9
JamGy27BlsknzQaKM9aZ7Cm9SszpNY7KBsaK3O/J3mmZi0R3PEl+mw1tY+qkKoLB
I+YzyyMW64IJPGhMhl7qykY1tSlNpvmqd73Oyj0Ta88U9uaCgcUB4z/mPyqVHK/m
p0eyGfh+3zXf6faikv3SVmyNS9mPt5rTdBhGfqGwh55X3m0nq21VhOWz7BQhGaWu
PGAlsFMBfVieOjNn9C9ESHRgdQ5+AtsfOxd0+3k8IwZH71eyZ+fExE0tI7TDWWVw
Zj39Czr35YUBZsLnCl9GLy7LrvUKFGjy8Em1HxvYL8ftWNqphPG57YxfgBRa/pPn
yP+eHGde7eQkg3iqfwXnSkJZQxrTOG0hTFV9k78580AgtLvukKSHy6ycWOPF7Q3a
d7goe0YkYV8/YCUCAwEAAaOCAiEwggIdMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
kSHoWs6/XfWPXnlB4D9vkDjBgE8wHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl
7/Oo7KEwcAYIKwYBBQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5p
bnQteDMubGV0c2VuY3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQu
aW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wKwYDVR0RBCQwIoINcGhwc2VjbGliLm9y
Z4IRd3d3LnBocHNlY2xpYi5vcmcwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYG
CysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNy
eXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBv
bmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBp
biBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBh
dCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0B
AQsFAAOCAQEABTa4Oo6pk+OSF2a1dl3166Z/Nr5mFbUideeddztxFM2ejtoirETD
K+CF0B06OGUVVROrOpRiP3Ud1PxolOe5v8E3b1fvcJ6nXBUpHfzrlSGjVP/bJeob
MGc3TrWDFU2ymM2ctUjOQGzHyTyqP0gCvOlbSQHKaoVmj41adEbaKG3zhU9EtOBz
NWO6qSgPX7xMkHxx9XA5bJmW/MVM7kWN6ezDwu2GUMvNl7PpFDxNvHGsPRwHDMQz
NNp2He/8NSedvZNTEL1OPaxk8dL4p+KPCmDVKoCRV347CpsQPdPNuEDEvxoFjH/g
wq7j/xlj1WswUdpQoJ3kuP9OxXdv6AUgxA==
-----END CERTIFICATE-----
freekmurze commented 7 years ago

@terrafrost using dev-master I was able to get the properties of a certificate issued by Let's Encrypt. Thanks.

Do you know how, using X509, to get the properties of this certificate downloaded from https://coolblue.be?

terrafrost commented 7 years ago

The certificate you linked to decoded just fine for me. The 1.3.6.1.4.1.11129.2.4.2 extension didn't decode but the cert itself did. The 1.3.6.1.4.1.11129.2.4.2 extension... is complicated. Quoting RFC6962

   At least one SCT MUST be included.  Server operators MAY include more
   than one SCT.

   Similarly, a certificate authority MAY submit a Precertificate to
   more than one log, and all obtained SCTs can be directly embedded in
   the final certificate, by encoding the SignedCertificateTimestampList
   structure as an ASN.1 OCTET STRING and inserting the resulting data
   in the TBSCertificate as an X.509v3 certificate extension (OID
   1.3.6.1.4.1.11129.2.4.2).  Upon receiving the certificate, clients
   can reconstruct the original TBSCertificate to verify the SCT
   signature.

   The contents of the ASN.1 OCTET STRING embedded in an OCSP extension
   or X509v3 certificate extension are as follows:

        opaque SerializedSCT<1..2^16-1>;

        struct {
            SerializedSCT sct_list <1..2^16-1>;
        } SignedCertificateTimestampList;

   Here, "SerializedSCT" is an opaque byte string that contains the
   serialized TLS structure.  This encoding ensures that TLS clients can
   decode each SCT individually (i.e., if there is a version upgrade,
   out-of-date clients can still parse old SCTs while skipping over new
   SCTs whose versions they don't understand).

At the top of that RFC it says this:

Data structures are defined according to the conventions laid out in
   Section 4 of [RFC5246].

RFC5246 defines TLS v1.2.

Basically, I think fully supporting that extension is gonna be complicated. For the time being I think I'll let the current behavior of decoding the cert - but not the extension - stand.