How certificate verification works

schedule 2020/01/09  refresh 2023/11/08

When you want to confirm that a client certificate was really issued by its issuer,
you can check it by hand with the steps below.

Get the public key of the issuer (the root or intermediate CA certificate)

# openssl x509 -noout -pubkey -in chain1.cert.pem > chain1-pub.pem

Get the signature on the issued client certificate

# openssl x509 -in test02.cert.pem -text -noout
...
Signature Algorithm: sha256WithRSAEncryption
18:e1:a1:77:36:bd:bb:af:af:e9:43:ed:65:bc:d7:30:bc:1d:
d6:f1:52:b0:06:dd:70:9b:7a:4b:80:71:c0:6e:ae:75:1e:58:
a4:ff:ad:24:58:25:a8:bf:5a:2c:88:61:ce:b0:ca:f4:b9:c2:
...

This tells us the signature algorithm is sha256WithRSAEncryption.

Next, extract the signature value itself.

# openssl x509 -in test02.cert.pem -text -noout -certopt ca_default -certopt no_validity -certopt no_serial -certopt no_subject -certopt no_extensions -certopt no_signame | grep -v 'Signature Algorithm' | tr -d '[:space:]:' | xxd -r -p > test02-sig.bin

Decrypt the signature with the issuer's public key

# openssl rsautl -verify -inkey chain1-pub.pem -in test02-sig.bin -pubin > test02-sig-decrypted.bin

Get the hash contained in the decrypted signature

# openssl asn1parse -inform der -in test02-sig-decrypted.bin
0:d=0 hl=2 l= 49 cons: SEQUENCE
2:d=1 hl=2 l= 13 cons: SEQUENCE
4:d=2 hl=2 l= 9 prim: OBJECT :sha256
15:d=2 hl=2 l= 0 prim: NULL
17:d=1 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:172733D5B9A734686A2F3C4CDF908E489C2280659B2D64B0CD6B431B4FC177C2

----------------------------------------

Get the body of the issued client certificate.
First find where the body starts: it is the number at the beginning of the second line of the output.

# openssl asn1parse -i -in test02.cert.pem
0:d=0 hl=4 l=1254 cons: SEQUENCE
4:d=1 hl=4 l= 718 cons: SEQUENCE
...

The number at the beginning of the second line is "4".

# openssl asn1parse -in test02.cert.pem -strparse 4 -out test02-body.bin -noout

Compute the hash of the body

# openssl dgst -sha256 test02-body.bin
SHA256(test02-body.bin)= 172733d5b9a734686a2f3c4cdf908e489c2280659b2d64b0cd6b431b4fc177c2

The hash recovered from the signature and the hash of the body are identical.
This confirms that the client certificate was issued by the issuer.
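The same check, written out in plain Python so each step of the procedure above maps to a function. This is an added example, not code from the original post: it generates a deliberately small 512-bit RSA key in-process (a stand-in for the chain1 issuer key) and builds a minimal constructed "certificate" with a fake tbsCertificate (a stand-in for test02.cert.pem), so it runs offline with only the standard library (Python 3.8+). Unlike the `-text` scraping pipeline, it reads the body and signature straight out of the DER structure, which also sidesteps the changed `-text` layout in newer OpenSSL and the deprecation of `rsautl` in OpenSSL 3 (where `pkeyutl` replaces it). `split_certificate` is the `-strparse 4 -out` step, `rsa_recover` is `rsautl -verify`, `parse_digest_info` is the `asn1parse` of the recovered block, and `verify_certificate_signature` is the final hash comparison.

```python
import hashlib
import hmac
import random

SHA256_OID = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1 (sha256)
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)

def der(tag, body):
    """Minimal DER TLV encoder (short- or long-form length)."""
    ln = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (ln if len(body) < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def read_tlv(buf, pos):
    """Return (tag, contents, end offset) of the TLV at buf[pos]; the counterpart of asn1parse."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; callers only pass odd, full-length candidates."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_toy_rsa_key(bits=512, seed=1):
    """Constructed, deterministic toy key (n, e, d): far too small for real use, fine for the demo."""
    rng, e, primes = random.Random(seed), 65537, []
    while len(primes) < 2:
        c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1   # odd, full length
        if is_probable_prime(c, rng) and c not in primes and (c - 1) % e:
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))                  # Python 3.8+ modular inverse

def pkcs1_sign(tbs, n, d):
    """Issuer side: PKCS#1 v1.5 / sha256WithRSAEncryption over DER(tbsCertificate)."""
    alg = der(0x30, der(0x06, SHA256_OID) + der(0x05, b""))
    t = der(0x30, alg + der(0x04, hashlib.sha256(tbs).digest()))    # DigestInfo
    k = (n.bit_length() + 7) // 8
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t     # 00 01 FF..FF 00 T
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def make_toy_certificate(n, d, subject=b"CN=test02"):
    """Constructed stand-in: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, BIT STRING sig }."""
    tbs = der(0x30, der(0x0C, subject))                              # fake tbsCertificate
    alg = der(0x30, der(0x06, SHA256_RSA_OID) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + pkcs1_sign(tbs, n, d)))

def split_certificate(cert):
    """Step 'get the body': full DER TLV of tbsCertificate (what -strparse 4 -out writes) plus the raw signature."""
    tag, seq, end = read_tlv(cert, 0)
    t_tag, _, tbs_end = read_tlv(seq, 0)
    _, _, alg_end = read_tlv(seq, tbs_end)
    s_tag, bits, s_end = read_tlv(seq, alg_end)
    if (tag, t_tag, s_tag) != (0x30, 0x30, 0x03) or end != len(cert) or s_end != len(seq) or bits[:1] != b"\x00":
        raise ValueError("malformed Certificate")
    return seq[:tbs_end], bits[1:]

def rsa_recover(sig, n, e):
    """Step 'decrypt the signature' (rsautl -verify): sig^e mod n, then strip the 00 01 FF..FF 00 padding."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if em[:2] != b"\x00\x01" or i < 10 or i >= len(em) or em[i] != 0:
        raise ValueError("bad PKCS#1 v1.5 block")
    return em[i + 1:]

def parse_digest_info(t):
    """Step 'get the hash from the decrypted signature' (asn1parse): returns (hash OID, hash)."""
    tag, seq, end = read_tlv(t, 0)
    a_tag, alg, p = read_tlv(seq, 0)
    o_tag, oid, _ = read_tlv(alg, 0)
    h_tag, h, h_end = read_tlv(seq, p)
    if (tag, a_tag, o_tag, h_tag) != (0x30, 0x30, 0x06, 0x04) or end != len(t) or h_end != len(seq):
        raise ValueError("malformed DigestInfo")                     # trailing bytes are rejected too
    return oid, h

def verify_certificate_signature(cert, n, e):
    """The whole check: hash recovered from the signature == SHA-256 of the body."""
    try:
        tbs, sig = split_certificate(cert)
        oid, recovered = parse_digest_info(rsa_recover(sig, n, e))
    except (ValueError, IndexError):                                 # malformed input or wrong key
        return False
    return oid == SHA256_OID and hmac.compare_digest(recovered, hashlib.sha256(tbs).digest())

def demo():
    n, e, d = make_toy_rsa_key()                                     # issuer key, stands in for chain1
    cert = make_toy_certificate(n, d)
    tampered = cert.replace(b"test02", b"test03")                    # body edited, old signature kept
    other_n, other_e, _ = make_toy_rsa_key(seed=2)                   # a different issuer's key
    return (verify_certificate_signature(cert, n, e), verify_certificate_signature(tampered, n, e),
            verify_certificate_signature(cert, other_n, other_e))   # (True, False, False)
```

Two details matter beyond the hash comparison: the padding and DigestInfo parsers refuse trailing bytes and check every tag, because a lenient parser here is what lets forged signatures through, and the hash algorithm OID recovered from the signature is compared with the one actually used to hash the body rather than trusted blindly. In `demo()` the edited body and the wrong issuer key both fail, which is exactly the guarantee the manual openssl procedure demonstrates.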

----------------------------------------

The certificate files used above are the following.

chain1.cert.pem


-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

test02.cert.pem


-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----