Decoding OCSP GET requests
Many clients default to sending OCSP requests via HTTP GET, with the whole request encoded in the URL path. Such requests show up in web server and responder access logs as a GET with one long, URL-encoded path segment.
As per RFC 6960 (Appendix A.1), the request is constructed as:
GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}
So in order to find out the details of the request we have to:
1. Remove the URL encoding
This can be done with different tools, depending on the OS/platform being used. Take the last path segment (everything after the final "/" of the responder URL) before decoding it: the Base64 text itself contains "/" and "+", which appear in the log as %2F and %2B, so splitting the path after URL-decoding would be ambiguous. Given the URL-encoded value from the request:
MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK%2BGVqszOaLAawQUb38ZjesMwNeYLEzdGvP%2FZi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho%3D
the output would be:
MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK+GVqszOaLAawQUb38ZjesMwNeYLEzdGvP/Zi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho=
We can then create a text file with it, e.g.:
$ echo "MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ1uvBCJo3G3TPBvK+GVqszOaLAawQUb38ZjesMwNeYLEzdGvP/Zi9TlkACE3cAEdYaIhMmuymSdxoAAAAR1ho=" > ocsprequest.txt
2. Convert to DER (binary)
With the OpenSSL "enc" command we can convert it from Base64 to binary:
$ openssl enc -d -A -base64 -in ocsprequest.txt -out ocsprequest.bin
3. Parse the request
With the OpenSSL "ocsp" command we can then parse the OCSP request:
$ openssl ocsp -reqin ocsprequest.bin -req_text
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 35BAF042268DC6DD33C1BCAF8656AB3339A2C06B
Issuer Key Hash: 6F7F198DEB0CC0D7982C4CDD1AF3FF662F539640
Serial Number: 770011D61A221326BB2992771A00000011D61A
Now we have the serial number of the certificate in scope of the request, plus the two issuer hashes. Per RFC 6960, issuerNameHash is the hash (here SHA-1) of the DER-encoded issuer Name, and issuerKeyHash is the hash of the issuer's public key (the value of the subjectPublicKey BIT STRING in the CA certificate, without tag, length and unused-bits byte). The issuer key hash usually matches the "Authority Key Identifier" in the end entity certificate and the "Subject Key Identifier" of the issuing CA certificate, but only because most CAs derive their SKI with the RFC 5280 method of taking the SHA-1 of that same key; a CA that generates its key identifier differently will show a different value, so compare against the hash of the CA key rather than against the SKI alone if the two disagree.
With those 2 values we can identify the issuing CA (in case multiple CAs are involved) and the end entity certificate the request is for, which can be useful. Note that the serial number alone is not enough: serial numbers are only unique per issuer, so the (issuer key hash, serial number) pair is what identifies the certificate.