OpenSSL troubleshooting

Connection test

OpenSSL's s_client program makes it easy to test whether a TLS connection can be established and to print its details. With the state parameter, the tool prints the states of the TLS connection. Knowing the states of the TLS protocol (see e.g. Handshake Protocol Overview) helps troubleshooting considerably.

The tool must be told about the certificates if they are not in the operating system's default directories.

$ openssl s_client -connect markonnakkijadata.fi:443 -state -CAfile markonnakkijaCA.fi.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = FI, L = Helsinki, O = Markon Nakki ja CA, CN = markonnakkijaca
verify return:1
depth=0 C = FI, L = Helsinki, O = Markon Nakki ja Data, CN = markonnakkijadata.fi
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server session ticket A
139754251569016:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
139754251569016:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=FI/L=Helsinki/O=Markon Nakki ja Data/CN=markonnakkijadata.fi
   i:/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
 1 s:/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
   i:/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB4TCCAWgCCQDizDucXVchLzAKBggqhkjOPQQDAjBXMQswCQYDVQQGEwJGSTER
MA8GA1UEBwwISGVsc2lua2kxGzAZBgNVBAoMEk1hcmtvbiBOYWtraSBqYSBDQTEY
MBYGA1UEAwwPbWFya29ubmFra2lqYWNhMB4XDTE3MDcwNTEwMzgyNFoXDTE4MDYz
MDEwMzgyNFowXjELMAkGA1UEBhMCRkkxETAPBgNVBAcMCEhlbHNpbmtpMR0wGwYD
VQQKDBRNYXJrb24gTmFra2kgamEgRGF0YTEdMBsGA1UEAwwUbWFya29ubmFra2lq
YWRhdGEuZmkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARpfpHeAuTwG1OE9g96NAdN
WkltKHNlhXCeunJ6VyGDCEPhCjRMAzlrkL47H7rQHZpvq9dKP26v2mNyKwZdPVKx
Jlz1h49gXmcxEvZnKzmWZ9/Q3QgqMl7VmB5j37+XMmYwCgYIKoZIzj0EAwIDZwAw
ZAIwUrhwUQPKGDe5HsN1cBQyydTnrJCmhkVnOaNZBiLNplekEUYcy6BZOiCokdGo
1tUMAjAwnS5ZF8wIY0h12eXP/KxIW30g1iZyhNuds1WjkyVNh8RrB9/XaHPoaPIt
cQ+t9+c=
-----END CERTIFICATE-----
subject=/C=FI/L=Helsinki/O=Markon Nakki ja Data/CN=markonnakkijadata.fi
issuer=/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
---
Acceptable client certificate CA names
/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1474 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: C9780940BB8D54AB544B974E75424A06C935FFCA86DBF518C94F0915BC3C6FFA51D282BBCC611B39E95CEC56D186E034
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1499360697
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The handshake of the example connection succeeded, but at the end of the handshake the server sent the error message SSL alert number 40. The cause is the missing client certificate, which could have been fixed with the key and cert parameters. The output also shows the encryption algorithms supported by the server and the server's certificate (in PKCS#8 PEM format, directly copyable).

A new attempt with client certificates works better. The crlf parameter has also been added to the command; it converts line breaks into a form the web server understands better. After the connection is established, a request for the root page / is typed in the example, and the web server answers with its default page.

$ openssl s_client -connect markonnakkijadata.fi:443 -state -CAfile markonnakkijaCA.fi.crt -key mikko.key -cert mikko.crt -crlf
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = FI, L = Helsinki, O = Markon Nakki ja CA, CN = markonnakkijaca
verify return:1
depth=0 C = FI, L = Helsinki, O = Markon Nakki ja Data, CN = markonnakkijadata.fi
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=FI/L=Helsinki/O=Markon Nakki ja Data/CN=markonnakkijadata.fi
   i:/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
 1 s:/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
   i:/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
---
Server certificate
subject=/C=FI/L=Helsinki/O=Markon Nakki ja Data/CN=markonnakkijadata.fi
issuer=/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
---
Acceptable client certificate CA names
/C=FI/L=Helsinki/O=Markon Nakki ja CA/CN=markonnakkijaca
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2187 bytes and written 1481 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 8CA7B78B9E039AC8267A33747CBCD221858128AA8001B2980BDAE836F78D2958
    Session-ID-ctx: 
    Master-Key: 05D57F478B879CF8CDB5460C9AFC15B9C6281DFC5EE1DF58C122802DBECB329B88661F12784115AD1577AA51D7837D76
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1499362754
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0
Host: markonnakkijadata.fi

HTTP/1.1 403 Forbidden
Date: Thu, 06 Jul 2017 17:39:14 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips
Strict-Transport-Security: max-age=15768000
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
        <title>Apache HTTP Server Test Page powered by CentOS</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

    <!-- Bootstrap -->
    <link href="/noindex/css/bootstrap.min.css" rel="stylesheet">
    <link rel="stylesheet" href="noindex/css/open-sans.css" type="text/css" />

<style type="text/css"><!--         

body {
  font-family: "Open Sans", Helvetica, sans-serif;
  font-weight: 100;
  color: #ccc;
  background: rgba(10, 24, 55, 1);
  font-size: 16px;
}

h2, h3, h4 {
  font-weight: 200;
}

h2 {
  font-size: 28px;
}

.jumbotron {
  margin-bottom: 0;
  color: #333;
  background: rgb(212,212,221); /* Old browsers */
  background: radial-gradient(ellipse at center top, rgba(255,255,255,1) 0%,rgba(174,174,183,1) 100%); /* W3C */
}

.jumbotron h1 {
  font-size: 128px;
  font-weight: 700;
  color: white;
  text-shadow: 0px 2px 0px #abc,
               0px 4px 10px rgba(0,0,0,0.15),
               0px 5px 2px rgba(0,0,0,0.1),
               0px 6px 30px rgba(0,0,0,0.1);
}

.jumbotron p {
  font-size: 28px;
  font-weight: 100;
}

.main {
   background: white;
   color: #234;
   border-top: 1px solid rgba(0,0,0,0.12);
   padding-top: 30px;
   padding-bottom: 40px;
}

.footer {
   border-top: 1px solid rgba(255,255,255,0.2);
   padding-top: 30px;
}

    --></style>
</head>
<body>
  <div class="jumbotron text-center">
    <div class="container">
         <h1>Testing 123..</h1>
          <p class="lead">This page is used to test the proper operation of the <a href="http://apache.org">Apache HTTP server</a> after it has been installed. If you can read this page it means that this site is working properly. This server is powered by <a href="http://centos.org">CentOS</a>.</p>
        </div>
  </div>
  <div class="main">
    <div class="container">
       <div class="row">
              <div class="col-sm-6">
                <h2>Just visiting?</h2>
                      <p class="lead">The website you just visited is either experiencing problems or is undergoing routine maintenance.</p>
                      <p>If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.</p>
                      <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "[email protected]".</p>
                  </div>
                  <div class="col-sm-6">
                      <h2>Are you the Administrator?</h2>
                      <p>You should add your website content to the directory <tt>/var/www/html/</tt>.</p>
                      <p>To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p>

                      <h2>Promoting Apache and CentOS</h2>
                      <p>You are free to use the images below on Apache and CentOS Linux powered HTTP servers.  Thanks for using Apache and CentOS!</p>
                      <p><a href="http://httpd.apache.org/"><img src="images/apache_pb.gif" alt="[ Powered by Apache ]"></a> <a href="http://www.centos.org/"><img src="images/poweredby.png" alt="[ Powered by CentOS Linux ]" height="31" width="88"></a></p>
                  </div>
              </div>
        </div>
        </div>
    </div>
      <div class="footer">
      <div class="container">
        <div class="row">
          <div class="col-sm-6">          
            <h2>Important note:</h2>
            <p class="lead">The CentOS Project has nothing to do with this website or its content,
            it just provides the software that makes the website run.</p>

            <p>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project. 
            Unless you intended to visit CentOS.org, the CentOS Project does not have anything to do with this website,
            the content or the lack of it.</p>
            <p>For example, if this website is www.example.com, you would find the owner of the example.com domain at the following WHOIS server:</p>
            <p><a href="http://www.internic.net/whois.html">http://www.internic.net/whois.html</a></p>
          </div>
          <div class="col-sm-6">
            <h2>The CentOS Project</h2>
            <p>The CentOS Linux distribution is a stable, predictable, manageable and reproduceable platform derived from 
               the sources of Red Hat Enterprise Linux (RHEL).<p>

            <p>Additionally to being a popular choice for web hosting, CentOS also provides a rich platform for open source communities to build upon. For more information
               please visit the <a href="http://www.centos.org/">CentOS website</a>.</p>
          </div>
        </div>
          </div>
    </div>
  </div>
</body></html>
read:errno=0
SSL3 alert write:warning:close notify

The command ended after the server closed the connection, without error codes (read:errno=0).

Checking private key and certificate details

The private key's details can be viewed with the following command. The information contained in the private key is not very interesting, but printing it makes it possible to check the file's integrity.
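
The difference between the two transcripts above (a CertificateRequest from the server, then either no "write certificate verify" and a fatal alert, or a completed handshake) can be checked mechanically. This is an added example, not part of the original page; the function names and result strings are assumptions, and the sample lines are constructed from the output shown above.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -state` output read on stdin.
# Function names and result strings are assumptions of this example; the
# matched state lines are the ones that appear in the transcripts above.
diagnose_handshake() {
    awk '
        /read server certificate request/ { cert_requested = 1 }
        /write certificate verify/        { cert_verify = 1 }
        /read finished/                   { finished = 1 }
        /alert read:fatal:/               { fatal = 1 }
        /SSL alert number/ {
            # "...:SSL alert number 40" -> 40
            n = $0
            sub(/.*SSL alert number /, "", n)
            alert_no = n + 0
        }
        END {
            # A certificate was requested but the client never sent
            # CertificateVerify: rerun with -cert and -key.
            if (fatal && cert_requested && !cert_verify)
                printf "client-cert-missing alert=%d\n", alert_no
            else if (fatal)
                printf "fatal alert=%d\n", alert_no
            else if (finished)
                printf "ok client-auth=%s\n", (cert_verify ? "yes" : "no")
            else
                print "incomplete"
        }
    '
}

# Constructed sample: state lines of the first transcript (no client certificate).
sample_without_client_cert() {
    cat <<'EOF'
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read server session ticket A
139754251569016:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
EOF
}

# Constructed sample: state lines of the second transcript (-key and -cert given).
sample_with_client_cert() {
    cat <<'EOF'
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert write:warning:close notify
EOF
}

sample_without_client_cert | diagnose_handshake
sample_with_client_cert | diagnose_handshake

# Against a live server (the state lines are written to stderr, hence 2>&1):
#   openssl s_client -connect markonnakkijadata.fi:443 -state \
#       -CAfile markonnakkijaCA.fi.crt </dev/null 2>&1 | diagnose_handshake
```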

$ openssl ecparam -in private_key.pem -text
Field Type: prime-field
Prime:
    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff
A:   
    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:fc
B:   
    51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
    40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
    f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
    3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
    d4:6b:50:3f:00
Generator (uncompressed):
    04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
    23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
    60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
    c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
    7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
    c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
    9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
    5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
    86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
Order: 
    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
    48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
    b7:1e:91:38:64:09
Cofactor:  1 (0x1)
Seed:
    d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
    aa:a0:da:64:ba

Printing the certificate's details is more useful, and it is done with the following command. The details may be needed in troubleshooting in general.

$ openssl x509 -in markonnakkijadata.fi.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            cb:23:d6:53:cb:75:05:86
    Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=FI, L=Helsinki, O=Markon Nakki ja Data, CN=markonnakkijadata.fi/[email protected]
        Validity
            Not Before: Jul  3 10:16:35 2017 GMT
            Not After : Jul  3 10:16:35 2018 GMT
        Subject: C=FI, L=Helsinki, O=Markon Nakki ja Data, CN=markonnakkijadata.fi/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub: 
                    04:00:e2:0a:ea:04:60:d0:e5:71:06:ed:4d:cc:93:
                    b5:51:34:4b:9b:77:57:4f:0c:cb:06:54:42:fc:5d:
                    3b:f4:99:e9:b7:65:2f:62:36:9f:ee:21:9c:9a:8a:
                    48:62:04:4f:c7:f8:3a:27:d8:59:0b:91:34:d4:00:
                    65:a4:d7:9b:d7:1f:88:01:87:71:e5:1d:8a:ec:77:
                    df:25:ad:46:75:2c:0f:50:f7:c6:5e:93:5c:5e:6f:
                    df:47:7e:ad:6d:e7:32:ef:42:35:7b:3c:10:2f:4c:
                    c6:15:ee:f1:5b:95:87:ff:1d:0b:ea:02:b9:69:70:
                    dd:5f:15:c2:ac:e7:84:eb:a6:63:79:45:34
                Field Type: prime-field
                Prime:
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff
                A:   
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:fc
                B:   
                    51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
                    40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
                    f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
                    3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
                    d4:6b:50:3f:00
                Generator (uncompressed):
                    04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
                    23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
                    60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
                    c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
                    7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
                    c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
                    9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
                    5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
                    86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
                Order: 
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
                    48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
                    b7:1e:91:38:64:09
                Cofactor:  1 (0x1)
                Seed:
                    d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
                    aa:a0:da:64:ba
    Signature Algorithm: ecdsa-with-SHA512
         30:81:88:02:42:01:ba:a2:93:68:47:7b:d9:a8:47:db:de:06:
         da:4d:74:b9:e6:97:c9:77:c6:78:09:7d:46:fd:a1:f8:e3:a7:
         37:ce:f3:dd:53:8a:a3:d6:0a:ca:78:7c:a0:2a:25:fb:80:36:
         80:d9:c1:96:df:03:35:ab:5f:05:78:a7:a4:cc:ab:7a:e8:02:
         42:00:fd:65:ad:ba:7b:ec:12:ba:c8:56:5c:7d:32:8a:10:72:
         51:58:00:f9:11:6a:09:ac:be:e8:57:f1:df:81:d3:95:a7:c4:
         7f:f5:17:d9:fd:31:bf:f4:2f:c3:34:cc:a2:6c:3b:dd:2c:01:
         c5:4b:a7:99:bb:8e:98:71:62:f7:ec:e2:08

Checking certificate request details

OpenSSL can be used to check the details of a certificate signing request, for example:

$ openssl asn1parse -i -in markonnakkijadata.fi.csr
    0:d=0  hl=4 l= 915 cons: SEQUENCE          
    4:d=1  hl=4 l= 757 cons:  SEQUENCE          
    8:d=2  hl=2 l=   1 prim:   INTEGER           :00
   11:d=2  hl=3 l= 141 cons:   SEQUENCE          
   14:d=3  hl=2 l=  11 cons:    SET               
   16:d=4  hl=2 l=   9 cons:     SEQUENCE          
   18:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   23:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :FI
   27:d=3  hl=2 l=  17 cons:    SET               
   29:d=4  hl=2 l=  15 cons:     SEQUENCE          
   31:d=5  hl=2 l=   3 prim:      OBJECT            :localityName
   36:d=5  hl=2 l=   8 prim:      UTF8STRING        :Helsinki
   46:d=3  hl=2 l=  29 cons:    SET               
   48:d=4  hl=2 l=  27 cons:     SEQUENCE          
   50:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
   55:d=5  hl=2 l=  20 prim:      UTF8STRING        :Markon Nakki ja Data
   77:d=3  hl=2 l=  29 cons:    SET               
   79:d=4  hl=2 l=  27 cons:     SEQUENCE          
   81:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   86:d=5  hl=2 l=  20 prim:      UTF8STRING        :markonnakkijadata.fi
  108:d=3  hl=2 l=  45 cons:    SET               
  110:d=4  hl=2 l=  43 cons:     SEQUENCE          
  112:d=5  hl=2 l=   9 prim:      OBJECT            :emailAddress
  123:d=5  hl=2 l=  30 prim:      IA5STRING         :[email protected]
  155:d=2  hl=4 l= 604 cons:   SEQUENCE          
  159:d=3  hl=4 l= 463 cons:    SEQUENCE          
  163:d=4  hl=2 l=   7 prim:     OBJECT            :id-ecPublicKey
  172:d=4  hl=4 l= 450 cons:     SEQUENCE          
  176:d=5  hl=2 l=   1 prim:      INTEGER           :01
  179:d=5  hl=2 l=  77 cons:      SEQUENCE          
  181:d=6  hl=2 l=   7 prim:       OBJECT            :prime-field
  190:d=6  hl=2 l=  66 prim:       INTEGER           :01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  258:d=5  hl=3 l= 158 cons:      SEQUENCE          
  261:d=6  hl=2 l=  66 prim:       OCTET STRING      [HEX DUMP]:01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC
  329:d=6  hl=2 l=  65 prim:       OCTET STRING      [HEX DUMP]:51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00
  396:d=6  hl=2 l=  21 prim:       BIT STRING        
  419:d=5  hl=3 l= 133 prim:      OCTET STRING      [HEX DUMP]:0400C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
  555:d=5  hl=2 l=  66 prim:      INTEGER           :01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
  623:d=5  hl=2 l=   1 prim:      INTEGER           :01
  626:d=3  hl=3 l= 134 prim:    BIT STRING        
  763:d=2  hl=2 l=   0 cons:   cont [ 0 ]        
  765:d=1  hl=2 l=  10 cons:  SEQUENCE          
  767:d=2  hl=2 l=   8 prim:   OBJECT            :ecdsa-with-SHA512
  777:d=1  hl=3 l= 139 prim:  BIT STRING

This is useful especially if the details of the issued certificate are not as expected.

Wireshark dissection

PKCS#11

When troubleshooting PKCS#11-based devices, pkcs11-tool can, among other things, list the devices and the services, certificates and encryption keys they contain, and extract the contents of objects from the device. A list of readers/devices can be obtained with, for example, the following command.

$ pkcs11-tool --module /usr/lib64/libcryptoki.so --list-slots
Available slots:
Slot 0 (0x1): Identiv SCR3310 uTrust 2700 R
  token label        : Organisaatiokortti
  token manufacturer : VRK-FINEID
  token model        : FinEID IAS-ECC
  token flags        : token initialized, PIN initialized, other flags=0x800
  hardware version   : 1.0
  firmware version   : 1.0
  serial num         : 4600017003459293
Slot 1 (0x2): Identiv SCR3310 (PIN2-slot)
  token label        : Organisaatiokortti (PIN2)
  token manufacturer : VRK-FINEID
  token model        : FinEID IAS-ECC
  token flags        : token initialized, PIN initialized, other flags=0x800
  hardware version   : 1.0
  firmware version   : 1.0
  serial num         : 4600017003459293

The objects on the card can be listed with the following command.

$ pkcs11-tool --module /usr/lib64/libcryptoki.so -O -l
Using slot 0 with a present token (0x1)
Logging in to "Organisaatiokortti".
Please enter User PIN: 
Certificate Object, type = X.509 cert
  label:      todentamis- ja salausvarmenne
  ID:         45
Certificate Object, type = X.509 cert
  label:      allekirjoitusvarmenne
  ID:         46
Certificate Object, type = X.509 cert
  label:      VRK Gov. Root CA
  ID:         48
Certificate Object, type = X.509 cert
  label:      VRK CA for Qualified Certificates - G2
  ID:         47
Private Key Object; RSA 
  label:      todentamis- ja salausavain
  ID:         45
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      todentamis- ja salausavain
  ID:         45
  Usage:      none

In addition, the tool can both read and write the devices' contents, unless this has been specifically prevented.

$ pkcs11-tool --module /usr/lib64/libcryptoki.so -r -y cert -d 48 -o vrkroota.der
$ openssl x509 -in vrkroota.der -outform PEM -out vrkroota.pem
$ pkcs11-tool --module /usr/lib64/libcryptoki.so -r -y cert -d 47 -o vrkqc2c.der
$ openssl x509 -in vrkqc2c.der -outform PEM -out vrkqc2c.pem
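
When client authentication from a token fails, a useful first check on the object listing above is which certificates have a private key object with the same ID in the same slot. The following is an added example, not part of the original page; the function names are assumptions, the sample listing is constructed from the output shown above, and pairing by ID relies on the PKCS#11 convention that a certificate and its private key share an ID.

```shell
#!/bin/sh
# Added example: read `pkcs11-tool -O -l` output on stdin and print one line
# per certificate object: "<ID> key=<yes|no> <label>".
# Assumption: a certificate and its private key carry the same ID.
pair_token_objects() {
    awk '
        /^Certificate Object/ { kind = "cert";  label = ""; next }
        /^Private Key Object/ { kind = "priv";  label = ""; next }
        # Any other unindented line starts a different object or is a status line.
        /^[^ \t]/             { kind = "other"; label = ""; next }
        /^[ \t]+label:/ {
            label = $0
            sub(/^[ \t]+label:[ \t]+/, "", label)
            next
        }
        /^[ \t]+ID:/ {
            id = $2
            if (kind == "cert") { order[++n] = id; cert_label[id] = label }
            if (kind == "priv") { has_priv[id] = 1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                printf "%s key=%s %s\n", id, ((id in has_priv) ? "yes" : "no"), cert_label[id]
            }
        }
    '
}

# Constructed sample: the object listing shown above, without the PIN prompt.
sample_listing() {
    cat <<'EOF'
Using slot 0 with a present token (0x1)
Certificate Object, type = X.509 cert
  label:      todentamis- ja salausvarmenne
  ID:         45
Certificate Object, type = X.509 cert
  label:      allekirjoitusvarmenne
  ID:         46
Certificate Object, type = X.509 cert
  label:      VRK Gov. Root CA
  ID:         48
Certificate Object, type = X.509 cert
  label:      VRK CA for Qualified Certificates - G2
  ID:         47
Private Key Object; RSA
  label:      todentamis- ja salausavain
  ID:         45
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      todentamis- ja salausavain
  ID:         45
  Usage:      none
EOF
}

sample_listing | pair_token_objects
```

In this listing only ID 45 has a private key object next to its certificate; the other certificates have no key listed in this slot.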

Identifying the container format

openssl pkcs12 -export -inkey mikko.key -in mikko.crt -certfile markonnakkijadata.fi.crt -out mikko.pfx

Checking the revocation list

Saving the peer's certificate