$3$

$.$

$6$

$$Task

$6$

: Manually Verifying an X

$.$

$5$

$0$

$9$

$$Certificate

$$In this task, we will manually verify an X

$.$

$5$

$0$

$9$

$$certificate using our program. An X

$.$

$5$

$0$

$9$

$$contains data about

$$a public key and an issuer

$$

s signature on the data. We will download a real X

$.$

$5$

$0$

$9$

$$certific

ate from a web

$$server$,$ get its issuer

$$

s public key, and then use this public key to verify the signature on the certificate.

$$Step

$1$

: Download a certificate from a real web server. We use the www

$.$

example.org server in

$$this document. Students should choose a different web server that has a different certificate than the

$$one used in this document

$($

it should be noted that www

$.$

example.com share the same certificate with

$$www

$.$

example.org

$)$

$.$

$$We can download certificates using browsers or use the following command:

$$$ openssl s

$\_$

client

$-$

connect www

$.$

example.org:

$4$

$4$

$3$

$-$

showcerts

$$Certificate chain

$$

$0$

$$s:

$/$

C

$=$

US

$/$

ST

$=$

California

$/$

L

$=$

Los Angeles

$/$

O

$=$

Internet Corporation for Assigned

$$Names and Numbers

$/$

OU

$=$

Technology

$/$

CN

$=$

www

$.$

example.org

$$i:

$/$

C

$=$

US

$/$

O

$=$

DigiCert Inc

$/$

OU

$=$

www

$.$

digicert.com

$/$

CN

$=$

DigiCert SHA

$2$

$$High Assurance

$$Server CA

$-$

$-$

$-$

$-$

$-$

BEGIN CERTIFICATE

$-$

$-$

$-$

$-$

MIIF

$8$

jCCBNqgAwIBAgIQDmTF

$+$

$8$

I

$2$

reFLFyrrQceMsDANBgkqhkiG

$9$

w

$0$

BAQsFADBw

$$MQswCQYDVQQGEwJVUzEVMBMGA

$1$

UEChMMRGlnaUNlcnQgSW

$5$

jMRkwFwYDVQQLExB

$3$

$$

$.$

$.$

$.$

$.$

$.$

$.$

$$wDSiIIWIWJiJGbEeIO

$0$

TIFwEVWTOnbNl

$/$

faPXpk

$5$

IRXicapqiII

$=$

$-$

$-$

$-$

$-$

$-$

END CERTIFICATE

$-$

$-$

$-$

$-$

$1$

$$s:

$/$

C

$=$

US

$/$

O

$=$

DigiCert Inc

$/$

OU

$=$

www

$.$

digicert.com

$/$

CN

$=$

DigiCert SHA

$2$

$$High

$$Assurance Server CA

$$i:

$/$

C

$=$

US

$/$

O

$=$

DigiCert Inc

$/$

OU

$=$

www

$.$

digicert.com

$/$

CN

$=$

DigiCert High Assurance

$$EV Root CA

$-$

$-$

$-$

$-$

$-$

BEGIN CERTIFICATE

$-$

$-$

$-$

$-$

MIIEsTCCA

$5$

mgAwIBAgIQBOHnpNxc

$8$

vNtwCtCuF

$0$

VnzANBgkqhkiG

$9$

w

$0$

BAQsFADBs

$$MQswCQYDVQQGEwJVUzEVMBMGA

$1$

UEChMMRGlnaUNlcnQgSW

$5$

jMRkwFwYDVQQLExB

$3$

$$

$.$

$.$

$.$

$.$

$.$

$.$

$$cPUeybQ

$=$

$-$

$-$

$-$

$-$

$-$

END CERTIFICATE

$-$

$-$

$-$

$-$

The result of the command contains two certificates. The subject field

$($

the entry starting with s:

$)$

$$of

$$the certificate is www

$.$

example.org, i

$.$

e

$.$

$,$

$$this is www

$.$

example.org

$$

s certificate. The issuer field

$($

the

$$entry starting with i:

$)$

$$provides the issuer

$$

s information. The subject field of the second certificate is the

$$same as the issuer field of the first certificate. Basically, the second certificate belongs to an intermediate

$$CA

$.$

$$In this task, we will use CA

$$

s certificate to verify a server certificate.

$$If you only get one certificate back using the above command, that means the certificate you get is signed

$$by aroot CA

$.$

$$Root CAs

$$

$$certificates can be obtained from the Firefox browser installed in our pre

$-$

built VM

$.$

$$Gotothe Edit Preferences PrivacyandthenSecurity View Certificates. Search

$$for the name of the issuer and download its certificate.

$$Copy and paste each of the certificate

$($

the text between the line containing "Begin CERTIFICATE"

$$and the line containing "END CERTIFICATE", including these two lines

$)$

$$to a file. Let us call the first one

$$c

$0$

$.$

pem and the second one c

$1$

$.$

pem.

$$Step

$2$

: Extract the public key

$($

e

$,$

$$n

$)$

$$from the issuer

$$

s certificate. Openssl provides commands to

$$extract certain attributes from the x

$5$

$0$

$9$

$$certificates$.$ We can extract the value of n using

$-$

modulus. There

$$is no specific command to extract e

$,$

$$but we can print out all the fields and can easily find the value of e

$.$

SEEDLabs

$$

RSAPublic

$-$

KeyEncryptionandSignatureLab

$7$

$$Formodulus

$($

n

$)$

:

$$$opensslx

$5$

$0$

$9$

$-$

inc

$1$

$.$

pem

$-$

noout

$-$

modulus

$$Printoutallthefields$,$find theexponent

$($

e

$)$

:

$$$opensslx

$5$

$0$

$9$

$-$

inc

$1$

$.$

pem

$-$

text

$-$

noout

$$Step

$3$

:Extractthesignaturefromtheserver

$$

scertificate

$.$

$$Thereisnospecificopensslcommandto

$$extract thesignaturefield. However,wecanprintoutall thefieldsandthencopyandpastethesignature

$$blockintoafile

$($

note: ifthesignaturealgorithmusedinthecertificateisnotbasedonRSA,youcanfind

$$anothercertificate

$)$

$.$

$$$opensslx

$5$

$0$

$9$

$-$

inc

$0$

$.$

pem

$-$

text

$-$

noout

$$

$.$

$.$

$.$

$$SignatureAlgorithm:sha

$2$

$5$

$6$

WithRSAEncryption

$$

$8$

$4$

:a

$8$

:

$9$

a:

$1$

$1$

:a

$7$

:d

$8$

:bd:

$0$

b:

$2$

$6$

:

$7$

e:

$5$

$2$

:

$2$

$4$

:

$7$

b:b

$2$

:

$5$

$5$

:

$9$

d:ea:

$3$

$0$

:

$$

$8$

$9$

:

$5$

$1$

:

$0$

$8$

:

$8$

$7$

:

$6$

f:a

$9$

:ed:

$1$

$0$

:ea:

$5$

b:

$3$

e:

$0$

b:c

$7$

:

$2$

d:

$4$

$7$

:

$0$

$4$

:

$4$

e:dd:

$$

$.$

$.$

$.$

$.$

$.$

$.$

$$

$5$

c:

$0$

$4$

:

$5$

$5$

:

$6$

$4$

:ce:

$9$

d:b

$3$

:

$6$

$5$

:fd:f

$6$

:

$8$

f:

$5$

e:

$9$

$9$

:

$3$

$9$

:

$2$

$1$

:

$1$

$5$

:e

$2$

:

$7$

$1$

:

$$aa:

$6$

a:

$8$

$8$

:

$8$

$2$

$$Weneedtoremovethespacesandcolonsfromthedata$,$sowecangetahex

$-$

stringthatwecanfeedinto

$$ourprogram$.$Thef