c-jimenez/open-ocpp

Parsing of certificates in the certificate management module

JamesLebron opened this issue · 1 comments

JamesLebron commented

Dear author, hello. I have some questions about certificate management and would like to seek your assistance.

  1. Currently, I am conducting test cases related to the "Security Whitepaper." I am currently testing the InstallCertificate and DeleteCertificate test cases. I have received a certificate in PEM format from the server, and it is as follows:
-----BEGIN CERTIFICATE-----
MIIBwzCCAWmgAwIBAgIBBDAKBggqhkjOPQQDAjBIMRUwEwYDVQQDDAxSb290IENB
IEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDASBgoJkiaJk/IsZAEZ
FgRPQ1RUMCAXDTIwMDIxMjE4MTAyOFoYDzIwNjAwMjAyMTgxMDI4WjBIMRUwEwYD
VQQDDAxSb290IENBIEVEU0ExDDAKBgNVBAoMA09DQTELMAkGA1UEBhMCTkwxFDAS
BgoJkiaJk/IsZAEZFgRPQ1RUMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE29Hr
M7bR+VZ+jY9Z7IgLKJw7/A3OQWGY5B05wEO2V1V3Z3VrZINHADdOz7BNc/5ZyCTB
W/OgFDvXym1/gV/NY6NCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AQYwHQYDVR0OBBYEFC6gycssqInCC/9PJY9F43M7B224MAoGCCqGSM49BAMCA0gA
MEUCIAK3aLaF12sAkvQCluO835VbXGDuWZQWYBgZOtkiHb1NAiEAvmmT8us14HWN
iLgObzzsqf7crpqXctWBDkvN2e5WeBU=
-----END CERTIFICATE-----
  1. The data content after saving the certificate is as follows:
"certificateHashData": [
{
"hashAlgorithm": "SHA256",
"issuerNameHash": "54f4257fbdeeb44e068971a08eb5ba3401612055ed4b3eac7fad036d31387e4d",
"issuerKeyHash": "5eb367725b386513ee5d250023dccc8ce802f8cd476b142436042380c836fb29",
"serialNumber": "04"
}
  1. Currently, two issues have been raised:

3.1 The first issue is that the serialNumber data is "04" after saving, and it is suggested that the certificate serial number should not start with 0. However, I believe this is a minor issue.

3.2 The second issue is that the parsed issuerNameHash data does not match the one issued by the server. The data for deleting the certificate issued by the server is as follows, where it can be seen that the issuerNameHash is inconsistent:

"certificateHashData": {
"hashAlgorithm": "SHA256",
"issuerNameHash": "72a509445ee1f05435358832f9a06bf0ddb3d21dfa68ed8ff45f1362a3cbd58e",
"issuerKeyHash": "5eb367725b386513ee5d250023dccc8ce802f8cd476b142436042380c836fb29",
"serialNumber": "4"
}

  1. Currently, I have read the code for SecurityManager::fillHashInfo and Sha2. However, I found that they internally call the EVP_DigestUpdate method of OpenSSL. Additionally, issuerKeyHash also uses the same method but obtains the correct result.

  2. I tried using another programming language (Python) to parse the certificate and obtain the issuerNameHash. The printed value is also "72a509445ee1f05435358832f9a06bf0ddb3d21dfa68ed8ff45f1362a3cbd58e".

import OpenSSL.crypto
import hashlib

Read the PEM format certificate file
cert_file = "/Users/james/Downloads/pem/1.pem"
with open(cert_file, 'rt') as f:
pem_data = f.read()

Parse the PEM format certificate
cert = OpenSSL.crypto.loadcertificate(OpenSSL.crypto.FILETYPE_PEM, pem_data)

Get the issuer name of the certificate
issuer_name = cert.get_issuer().der()

Calculate the issuerNameHash
hash_value = hashlib.sha256(issuer_name).hexdigest()

Print the complete issuerNameHash value
print("issuerNameHash: " + hash_value)
  1. In conclusion, could you provide some assistance? How can I resolve the issue of inconsistent issuerNameHash?
c-jimenez commented

Hi,

From what I see, the issue seems to be that I hash the issuer name string instead of hashing the raw binary data from the certificate which contains the issuer name.
I will try to implement the fix and keep you updated if I obtain the same hash.

For your serial number issue, this seems to be on the server side since the PEM certificate contents is the following :

$ openssl x509 -in cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Root CA EDSA, O = OCA, C = NL, DC = OCTT
        Validity
            Not Before: Feb 12 18:10:28 2020 GMT
            Not After : Feb  2 18:10:28 2060 GMT
        Subject: CN = Root CA EDSA, O = OCA, C = NL, DC = OCTT
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:db:d1:eb:33:b6:d1:f9:56:7e:8d:8f:59:ec:88:
                    0b:28:9c:3b:fc:0d:ce:41:61:98:e4:1d:39:c0:43:
                    b6:57:55:77:67:75:6b:64:83:47:00:37:4e:cf:b0:
                    4d:73:fe:59:c8:24:c1:5b:f3:a0:14:3b:d7:ca:6d:
                    7f:81:5f:cd:63
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                2E:A0:C9:CB:2C:A8:89:C2:0B:FF:4F:25:8F:45:E3:73:3B:07:6D:B8
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:02:b7:68:b6:85:d7:6b:00:92:f4:02:96:e3:bc:
         df:95:5b:5c:60:ee:59:94:16:60:18:19:3a:d9:22:1d:bd:4d:
         02:21:00:be:69:93:f2:eb:35:e0:75:8d:88:b8:0e:6f:3c:ec:
         a9:fe:dc:ae:9a:97:72:d5:81:0e:4b:cd:d9:ee:56:78:15