Thursday, March 29, 2018

libpcap - Dump DNS header and message(18)


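I promised a classmate a year or two ago that I would post this, and then kept forgetting XD.

At its most basic, DNS (Domain Name System) looks up information about a domain or an IP. The types that can currently be parsed are: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, LOC and SRV.

There are two key points in parsing DNS. A DNS domain name is not stored as a plain string; for details see chapter 15.2 of DNS and BIND, 5th Edition - O'Reilly Media.

In brief:

First, the storage format:
Take the domain "www.facebook.com": in the packet it is represented as "\x03www\x08facebook\x03com\x00", where each label is preceded by one byte giving the length of the string that follows.

Second, compression:
In a response packet the same domain may appear many times. For the length byte described above, if the top two bits are both 1 (0xc0), the next byte is an offset. This offset is counted from the start of the DNS packet and gives the position of the labels that continue the domain.

If you know DNS a little, you will know that each label of a domain is at most 63 bytes long, which is exactly what is left of the eight bits after removing the two bits that signal compression.

That said, this example is only practice. There is an existing library (libresolv) that can parse the DNS header, so for a tool you intend to use for real, use the existing library and don't reinvent the wheel.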
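The two points above, length-prefixed labels and 0xc0 compression pointers, are where a hand-written dumper is most easily crashed or hung by a malformed packet. The following is an added example, not the author's dump program: a bounds-checked name decoder that reads the pointer as the 14-bit offset defined in RFC 1035 (low six bits of the first byte plus the next byte). The names `dns_read_name`, `DNS_MAX_NAME`, `DNS_MAX_JUMPS` and the sample byte arrays are constructed for this example.

```c
/* Added example: bounds-checked decoder for DNS names with compression. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME  255  /* cap on the decoded name (assumption of this example) */
#define DNS_MAX_JUMPS 16   /* cap on compression pointers followed (assumption) */

/*
 * Decode the name that starts at msg[off] into out as a dotted string.
 * Returns the number of bytes the name occupies at its original position
 * (so the caller can step to the next field), or -1 on malformed input.
 */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t off,
                  char *out, size_t out_len)
{
    size_t pos = off, w = 0;
    int consumed = -1, jumps = 0;

    if (out_len == 0)
        return -1;
    for (;;) {
        if (pos >= msg_len)
            return -1;                        /* ran off the end of the packet */
        uint8_t len = msg[pos];

        if ((len & 0xc0) == 0xc0) {           /* top two bits set: pointer */
            if (pos + 1 >= msg_len)
                return -1;
            /* 14-bit offset counted from the start of the DNS message */
            size_t target = ((size_t)(len & 0x3f) << 8) | msg[pos + 1];
            if (consumed < 0)
                consumed = (int)(pos + 2 - off);
            if (target >= pos || ++jumps > DNS_MAX_JUMPS)
                return -1;                    /* forward/self pointer or loop */
            pos = target;
            continue;
        }
        if (len & 0xc0)
            return -1;                        /* 01/10 prefixes are not labels */
        if (len == 0) {                       /* zero-length label ends the name */
            if (consumed < 0)
                consumed = (int)(pos + 1 - off);
            break;
        }
        if (pos + 1 + len > msg_len)
            return -1;                        /* label runs past the packet */
        size_t need = w + (w ? 1 : 0) + len;
        if (need > DNS_MAX_NAME || need + 1 > out_len)
            return -1;                        /* would overflow the output */
        if (w)
            out[w++] = '.';
        memcpy(out + w, msg + pos + 1, len);
        w += len;
        pos += 1 + (size_t)len;
    }
    out[w] = '\0';
    return consumed;
}

/* Constructed sample: 12-byte header, question "www.google.com" at offset 12,
 * then an answer name stored only as a pointer back to offset 12. */
static const uint8_t sample_msg[] = {
    0x02, 0x79, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 6, 'g', 'o', 'o', 'g', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,   /* QTYPE A, QCLASS IN */
    0xc0, 0x0c                /* offset 32: pointer to offset 12 */
};
/* Constructed malformed inputs: a pointer loop, and a label longer than the packet. */
static const uint8_t loop_msg[]  = { 0,0,0,0,0,0,0,0,0,0,0,0, 1, 'a', 0xc0, 0x0c };
static const uint8_t trunc_msg[] = { 0,0,0,0,0,0,0,0,0,0,0,0, 5, 'a', 'b' };

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_read_name(sample_msg, sizeof sample_msg, 32, name, sizeof name);
    printf("answer name: %s (%d bytes on the wire)\n", n < 0 ? "(malformed)" : name, n);
    printf("pointer loop: %d\n", dns_read_name(loop_msg, sizeof loop_msg, 12, name, sizeof name));
    printf("truncated label: %d\n", dns_read_name(trunc_msg, sizeof trunc_msg, 12, name, sizeof name));
    return 0;
}
```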

Output (Type A):
192.168.1.10(54884) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:      633| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: A
    Class: IN



8.8.8.8(53) -> 192.168.1.10(54884)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:      633| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: A
    Class: IN


Answers:
    Name: www.google.com
    Type: A
    Class: IN
    TTL: 160
    Data Length: 4
    Address: 216.58.200.36


Output (Type NS):
192.168.1.10(49693) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    29648| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: isc.org
    Type: NS
    Class: IN



8.8.8.8(53) -> 192.168.1.10(49693)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    29648| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                4|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: isc.org
    Type: NS
    Class: IN


Answers:
    Name: isc.org
    Type: NS
    Class: IN
    TTL: 4601
    Data Length: 13
    Name Server: ord.sns-pb.isc.org

    Name: isc.org
    Type: NS
    Class: IN
    TTL: 4601
    Data Length: 7
    Name Server: sfba.sns-pb.isc.org

    Name: isc.org
    Type: NS
    Class: IN
    TTL: 4601
    Data Length: 25
    Name Server: ns.isc.afilias-nst.info

    Name: isc.org
    Type: NS
    Class: IN
    TTL: 4601
    Data Length: 6
    Name Server: ams.sns-pb.isc.org

Output (Type CNAME):
192.168.1.10(49923) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    62928| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 5-edge-chat.facebook.com
    Type: A
    Class: IN



8.8.8.8(53) -> 192.168.1.10(49923)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    62928| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                2|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 5-edge-chat.facebook.com
    Type: A
    Class: IN


Answers:
    Name: 5-edge-chat.facebook.com
    Type: CNAME
    Class: IN
    TTL: 1834
    Data Length: 12
    CNAME: star.c10r.facebook.com

    Name: star.c10r.facebook.com
    Type: A
    Class: IN
    TTL: 16
    Data Length: 4
    Address: 157.240.15.16

Output (Type SOA):
192.168.1.10(55659) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    43230| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: SOA
    Class: IN



8.8.8.8(53) -> 192.168.1.10(55659)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    43230| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             1| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: SOA
    Class: IN


Authority:
    Name: google.com
    Type: SOA
    Class: IN
    TTL: 59
    Data Length: 38
    Primary Name Server: ns1.google.com
    Responsible Authority's Mailbox: dns-admin.google.com
    Serial Number: 190759656
    Refresh Interval: 900
    Retry Interval: 900
    Expire Time: 1800
    Minimum TTL: 60

Output (Type PTR):
192.168.1.10(52005) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:     8319| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 8.8.8.8.in-addr.arpa
    Type: PTR
    Class: IN



8.8.8.8(53) -> 192.168.1.10(52005)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:     8319| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 8.8.8.8.in-addr.arpa
    Type: PTR
    Class: IN


Answers:
    Name: 8.8.8.8.in-addr.arpa
    Type: PTR
    Class: IN
    TTL: 21599
    Data Length: 32
    Name: google-public-dns-a.google.com

    

192.168.1.10(54936) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    54369| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.c.0.8.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa
    Type: PTR
    Class: IN



8.8.8.8(53) -> 192.168.1.10(54936)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    54369| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: 3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.c.0.8.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa
    Type: PTR
    Class: IN


Answers:
    Name: 3.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.c.0.8.0.0.4.0.0.8.6.4.0.4.2.ip6.arpa
    Type: PTR
    Class: IN
    TTL: 21599
    Data Length: 21
    Name: tj-in-x63.1e100.net

Output (Type MX):
192.168.1.10(64457) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    13466| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: google.com
    Type: MX
    Class: IN



8.8.8.8(53) -> 192.168.1.10(64457)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    13466| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                5|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: google.com
    Type: MX
    Class: IN


Answers:
    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 17
    Preference: 40
    Mail Exchange: alt3.aspmx.l.google.com

    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 9
    Preference: 20
    Mail Exchange: alt1.aspmx.l.google.com

    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 9
    Preference: 50
    Mail Exchange: alt4.aspmx.l.google.com

    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 9
    Preference: 30
    Mail Exchange: alt2.aspmx.l.google.com

    Name: google.com
    Type: MX
    Class: IN
    TTL: 599
    Data Length: 4
    Preference: 10
    Mail Exchange: aspmx.l.google.com

Output (Type TXT):
192.168.1.10(64292) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    15584| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: google.com
    Type: TXT
    Class: IN



8.8.8.8(53) -> 192.168.1.10(64292)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    15584| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                2|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: google.com
    Type: TXT
    Class: IN


Answers:
    Name: google.com
    Type: TXT
    Class: IN
    TTL: 3599
    Data Length: 36
    TXT Length: 35
    TXT: v=spf1 include:_spf.google.com ~all

    Name: google.com
    Type: TXT
    Class: IN
    TTL: 299
    Data Length: 46
    TXT Length: 45
    TXT: docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e

Output (Type AAAA):
192.168.1.10(51732) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:     7567| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: AAAA
    Class: IN



8.8.8.8(53) -> 192.168.1.10(51732)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:     7567| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: www.google.com
    Type: AAAA
    Class: IN


Answers:
    Name: www.google.com
    Type: AAAA
    Class: IN
    TTL: 146
    Data Length: 16
    Address: 2404:6800:4012::2004


Output (Type LOC):
192.168.1.10(55335) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    31301| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: local
    Type: SOA
    Class: IN



8.8.8.8(53) -> 192.168.1.10(55335)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:    31301| Flags:            0x8183|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             1| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: local
    Type: SOA
    Class: IN


Authority:
    Name: <root>
    Type: SOA
    Class: IN
    TTL: 12825
    Data Length: 64
    Primary Name Server: a.root-servers.net
    Responsible Authority's Mailbox: nstld.verisign-grs.com
    Serial Number: 2018032701
    Refresh Interval: 1800
    Retry Interval: 900
    Expire Time: 604800
    Minimum TTL: 86400

Output (Type SRV):
192.168.1.10(56361) -> 8.8.8.8(53)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:      567| Flags:            0x0100|
+-------------------------+-------------------------+
| Questions:             1| Answer:                0|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: _http._tcp.mxtoolbox.com
    Type: SRV
    Class: IN



8.8.8.8(53) -> 192.168.1.10(56361)
Protocol DNS:
+-------------------------+-------------------------+
| Transaction ID:      567| Flags:            0x8180|
+-------------------------+-------------------------+
| Questions:             1| Answer:                1|
+-------------------------+-------------------------+
| Authority:             0| Additional:            0|
+-------------------------+-------------------------+

Questions:
    Name: _http._tcp.mxtoolbox.com
    Type: SRV
    Class: IN


Answers:
    Service: _http
    Protocol: _tcp
    Name: mxtoolbox.com
    Type: SRV
    Class: IN
    TTL: 3599
    Data Length: 21
    Priority: 10
    Weight: 100
    Port: 80
    Target: mxtoolbox.com


Source code on Github



Wednesday, March 28, 2018

libpcap - Dump wol frame and datagram(17)


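WOL (Wake-on-LAN) is the network wake-up packet. Most network cards today can, while the machine is powered off, receive WOL packets in a low-power state, and as soon as one is received the computer powers on.

It is normally a layer 2 protocol with type 0x0842; WOL can also travel over a WAN via UDP.

Output: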
libpcap % ./dump-wol 
Sniffing: en0
6c:40:08:bc:ae:98 -> ff:ff:ff:ff:ff:ff
+-------------------------+-------------------------+-------------------------+
| Sync stream:                                                    ffffffffffff|
+-------------------------+-------------------------+-------------------------+
| MAC Address:                                               a0:d7:95:b7:22:2f|
+-------------------------+-------------------------+-------------------------+
| Password:                                                  00:00:00:00:00:00|
+-------------------------+-------------------------+-------------------------+


Source code on Github
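The fields in the dump above (sync stream, MAC address, password) can be checked strictly before they are printed. The following is an added example, not the author's dump-wol source: it validates a WOL payload using the standard magic packet layout of six 0xff bytes followed by the target MAC repeated 16 times. Accepting only a 0, 4 or 6 byte password is an assumption of this example, and `wol_parse`, `wol_build_sample` and `struct wol_info` are hypothetical names.

```c
/* Added example: validate a Wake-on-LAN payload (EtherType 0x0842 or UDP data). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WOL_SYNC_LEN 6                 /* six 0xff bytes */
#define WOL_MAC_LEN  6
#define WOL_REPEAT   16                /* target MAC is repeated 16 times */
#define WOL_BODY_LEN (WOL_SYNC_LEN + WOL_MAC_LEN * WOL_REPEAT)   /* 102 bytes */

struct wol_info {
    uint8_t mac[WOL_MAC_LEN];
    uint8_t password[6];
    size_t  password_len;              /* 0, 4 or 6 */
};

/* Returns 0 and fills *out for a well-formed payload, -1 otherwise. */
int wol_parse(const uint8_t *p, size_t len, struct wol_info *out)
{
    if (len < WOL_BODY_LEN)
        return -1;                     /* too short for sync stream + 16 MACs */
    for (size_t i = 0; i < WOL_SYNC_LEN; i++)
        if (p[i] != 0xff)
            return -1;                 /* sync stream must be all 0xff */
    const uint8_t *mac = p + WOL_SYNC_LEN;
    for (size_t i = 1; i < WOL_REPEAT; i++)
        if (memcmp(mac, mac + i * WOL_MAC_LEN, WOL_MAC_LEN) != 0)
            return -1;                 /* every repetition must match the first */
    size_t extra = len - WOL_BODY_LEN;
    if (extra != 0 && extra != 4 && extra != 6)
        return -1;                     /* assumption: password is 0, 4 or 6 bytes */
    memset(out, 0, sizeof *out);
    memcpy(out->mac, mac, WOL_MAC_LEN);
    memcpy(out->password, p + WOL_BODY_LEN, extra);
    out->password_len = extra;
    return 0;
}

/* Build a constructed sample payload with an all-zero password.
 * buf must hold WOL_BODY_LEN + pw_len bytes; returns the payload length. */
size_t wol_build_sample(uint8_t *buf, const uint8_t mac[WOL_MAC_LEN], size_t pw_len)
{
    memset(buf, 0xff, WOL_SYNC_LEN);
    for (size_t i = 0; i < WOL_REPEAT; i++)
        memcpy(buf + WOL_SYNC_LEN + i * WOL_MAC_LEN, mac, WOL_MAC_LEN);
    memset(buf + WOL_BODY_LEN, 0, pw_len);
    return WOL_BODY_LEN + pw_len;
}

int main(void)
{
    /* Target MAC taken from the dump output shown on this page. */
    const uint8_t mac[WOL_MAC_LEN] = { 0xa0, 0xd7, 0x95, 0xb7, 0x22, 0x2f };
    uint8_t buf[WOL_BODY_LEN + 6];
    struct wol_info info;

    size_t n = wol_build_sample(buf, mac, 6);
    if (wol_parse(buf, n, &info) == 0)
        printf("target %02x:%02x:%02x:%02x:%02x:%02x, password length %zu\n",
               info.mac[0], info.mac[1], info.mac[2],
               info.mac[3], info.mac[4], info.mac[5], info.password_len);

    buf[WOL_SYNC_LEN + 5 * WOL_MAC_LEN] ^= 1;   /* corrupt one repetition */
    printf("corrupted payload: %d\n", wol_parse(buf, n, &info));
    return 0;
}
```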

Re: Setting up an L2TP/IPsec VPN on CentOS


For some of the settings and IP addresses, refer to: Setting up an L2TP/IPsec VPN on CentOS


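I have been working from home lately and spend most of the time connected back to the office over VPN, and I ran into two problems.

  1. The home subnet happens to be the same as the office subnet, so I cannot reach the office devices.
  2. After the VPN connects, it drops after about five minutes of inactivity.

For the first problem, suppose the home subnet is 192.168.1.0/24 and so is the office subnet, while the VPN is assigned the subnet 172.30.10.0/24. If you want to reach a device on the office side, for example "192.168.1.150", the routing table sends you to the local "192.168.1.150" instead. The fix is simple: add a route.

The previous post set the default gateway to "172.30.10.1", so the command is: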
$ sudo route add -host 192.168.1.150 172.30.10.1

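This adds an entry that sends packets destined for 192.168.1.150 to 172.30.10.1, so that they go to the other end.


For the second problem I googled a bit; the keyword is "keep alive". Add "keep_alive = 30s" to the file "/etc/strongswan/strongswan.conf".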

[root@vpn ~]# cat /etc/strongswan/strongswan.conf 
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
 load_modular = yes
 plugins {
  include strongswan.d/charon/*.conf
 }
 keep_alive = 30s
}

Remember to restart the services.
[root@vpn ~]# service strongswan restart
[root@vpn ~]# service xl2tpd restart

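A bit of chat


Work lately is sometimes very busy and sometimes very quiet. When it is quiet I think about updating the blog, but every time I think it over I give up.

Every time I write a post I get extremely fussy about how this part and that part should look (a Virgo affliction), so each post takes a lot of effort and is exhausting.

So I am changing how I run this blog a little: from now on it will probably still be mostly notes, with an occasional tutorial, or else just random writing

Monday, May 29, 2017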

OpenSSL Certificate Chain (included SAN)


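Certificates come in three main kinds: the root certificate, the intermediate certificate and the end-entity certificate. Validation is "usually" hierarchical, like a tree in data structures: the root certificate is the root node, end-entity certificates are the leaf nodes, and everything else is an intermediate certificate (barring surprises).

There is also a mesh form, in which a root certificate and other root certificates trust each other; that is called a cross certificate, but it is not what this post is about.

So let's use OpenSSL to sign a certificate chain.

Chrome 58 (I believe) added a certificate check: SAN (Subject Alternative Name). SAN is an optional field of x509 certificates. When one certificate needs to be signed for different common names, SAN can be used, somewhat like a DNS canonical name. Although it is an optional field, this Chrome update left quite a lot of self-signed certificates unusable.

First, the file extensions that will be used:

  • *.pem: a certificate represented in ASCII, base64-encoded; I use this format to hold both the public key and the private key.
  • *.crt: the certificate's public key (usually in PEM format); holds the public key.
  • *.key: the private key (usually in PEM format); holds the private key.
  • *.der: a binary certificate, containing only the public key, handed to users.
  • *.srl: the certificate serial number.
  • *.csr: the certificate signing request (not kept).

The certificate chain we expect to end up with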

                                     + 192.168.1.100
            +----- grism.packetx.biz + 192.168.1.150
packetx.biz +                        + 192.168.1.120
            +----- ssl.packetx.biz


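These are shown by common name; the common name is essentially the hostname (or IP address) used to connect to the site.
The root certificate is packetx.biz, with two intermediate certificates. grism.packetx.biz has three certificates under it, so to use those three site certificates it is enough to verify grism.packetx.biz or packetx.biz.
I say "or" because it is a chain: when verifying upward, a single success is enough for the certificate to be considered safe.


First sign a root certificate. There is no authority above the root certificate left to verify it, so it signs itself.

Root Certificate


Private key

First generate a 4096-bit private key (since this is the root certificate, larger is fine, for example 8192 bit); the private key is root_ca.key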
~ openssl genrsa -out root_ca.key 4096
Generating RSA private key, 4096 bit long modulus
.........  
..................................................  
e is 65537 (0x10001)

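Generate the config file

I personally dislike OpenSSL's configuration file and its interactive mode, and pass things as arguments whenever I can. Unfortunately, because of SAN, a configuration file is required.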
~ cat <<EOF > v3.ext
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName = @alt_names

[alt_names]
DNS.1 = packetx.biz
EOF

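First create the extra fields to add. Note that the DNS.x = XXX lines at the bottom are where common names are added, so to add more, follow the same format: DNS.2, DNS.3, ...
Among the other fields, the important ones are basic constraints CA:true and key usage keyCertSign, which mean this certificate can sign further certificates below it (it surely should not be allowed to sign without limit).
The end-entity certificate differs a little here; for the difference between the two, see:

What is the difference between the x.509 V3 extensions Basic Constraints and Key Usage to create a CA certificate?

Next, copy the default configuration file and append this file to the end of it.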
~ cp /System/Library/OpenSSL/openssl.cnf .
~ cat v3.ext >> ./openssl.cnf
~ rm -f v3.ext

On OS X the default openssl.cnf is at /System/Library/OpenSSL/openssl.cnf; on other systems, look it up yourself.

Generate the self-signed certificate (public key)

~ openssl req -new -x509 \
    -days 3650 -sha256 \
    -config ./openssl.cnf \
    -key root_ca.key -out root_ca.crt \
    -subj "/C=TW/ST=New Taipei City/L=Zhonghe Dist./O=PacketX Technology Ltd./OU=R&D/CN=packetx.biz"

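-days: the certificate lifetime. A long period is fine for a root certificate; otherwise re-signing the whole set later is very troublesome.
-config: the configuration file from above.
-key: the private key from above.
-out: the certificate (public key) to produce.
-subj: the certificate subject. C is the country, ST is the state or province, L is the locality or city, O is the organization name, OU is the department, and CN is the common name.

Generate the certificate for users

Users are given the DER format, so convert the certificate (public key) to DER.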
~ openssl x509 -in root_ca.crt -outform DER -out root_ca.der

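Users only need to add this .der to their trusted root certificates, and every certificate later signed by this certificate will be valid.

Combine the public and private keys

Some server sites accept the public and private keys in a single file. This is simple: concatenate the two files with cat (both must be in PEM format).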
~ cat root_ca.crt root_ca.key > root_ca.pem

That completes the self-signed root certificate.
~ openssl x509 -in root_ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            dd:10:1d:57:89:03:e7:9d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=New Taipei City, L=Zhonghe Dist., O=PacketX Technology Ltd., OU=R&D, CN=packetx.biz
        Validity
            Not Before: May 29 08:46:10 2017 GMT
            Not After : May 27 08:46:10 2027 GMT
        Subject: C=TW, ST=New Taipei City, L=Zhonghe Dist., O=PacketX Technology Ltd., OU=R&D, CN=packetx.biz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:db:05:71:21:00:72:86:c9:46:91:ba:7c:02:f5:
                    2a:b5:01:d8:59:9f:7d:21:5b:4e:aa:09:08:97:ef:
... (omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C3:25:C1:9F:58:75:6E:18:44:13:A0:2A:70:54:4D:76:5B:6A:6E:D3
            X509v3 Authority Key Identifier: 
                keyid:C3:25:C1:9F:58:75:6E:18:44:13:A0:2A:70:54:4D:76:5B:6A:6E:D3

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name: 
                DNS:packetx.biz
    Signature Algorithm: sha256WithRSAEncryption
        95:83:7b:00:b3:c6:c1:f0:e2:b9:26:63:5e:e6:5b:49:d2:8b:
        f6:1e:ff:76:a9:88:fc:e8:53:bd:96:ee:b9:6a:a7:07:02:b7:
... (omitted)

You can see that X509v3 Subject Alternative Name now has a DNS entry; that is the SAN.

Intermediate Certificate


Private key

Generating the private key follows the same steps.
~ openssl genrsa -out sub_root_ca.key 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................................++
........................................++
e is 65537 (0x10001)

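Signing request

Next, we want this key pair to sit under the root certificate just created, so generate a signing request to be signed by the root certificate.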
~ openssl req -new \
    -key sub_root_ca.key -out sub_root_ca.csr \
    -subj "/C=TW/ST=New Taipei City/L=Zhonghe Dist./O=PacketX Technology Ltd./OU=R&D/CN=grism.packetx.biz"

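Note that the common name must not be repeated.

Generate the config file

Again create a configuration file first. The difference this time is that the whole openssl.cnf is not needed, only the added part.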
~ cat <<EOF > v3.ext
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectAltName = @alt_names

[alt_names]
DNS.1 = grism.packetx.biz
EOF

Signing

~ openssl x509 -req \
    -days 3650 -sha256 \
    -extfile v3.ext -CAcreateserial \
    -CA root_ca.crt -CAkey root_ca.key \
    -in sub_root_ca.csr -out sub_root_ca.crt
~ rm -f v3.ext
~ rm -f sub_root_ca.csr

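-extfile: the configuration file just created.
-CAcreateserial: the serial number in the certificate; serial numbers must not repeat. With this option, sub_root_ca.srl is created first, and later signings increment from that file.
-CA: the public key of the certificate above.
-CAkey: the private key of the certificate above.
-in: the signing request from above.
-out: the public key of this intermediate certificate.

Generate the certificate for users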

~ openssl x509 -in sub_root_ca.crt -outform DER -out sub_root_ca.der

Combine the public and private keys

~ cat sub_root_ca.crt sub_root_ca.key > sub_root_ca.pem

That completes the intermediate certificate.
~ openssl x509 -in sub_root_ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c4:94:9c:a5:f9:75:34:52
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=New Taipei City, L=Zhonghe Dist., O=PacketX Technology Ltd., OU=R&D, CN=packetx.biz
        Validity
            Not Before: May 29 09:32:18 2017 GMT
            Not After : May 27 09:32:18 2027 GMT
        Subject: C=TW, ST=New Taipei City, L=Zhonghe Dist., O=PacketX Technology Ltd., OU=R&D, CN=grism.packetx.biz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:bd:06:e9:b2:27:31:8e:23:c7:74:3d:55:d7:89:
                    06:94:0b:31:ca:21:5e:25:4e:4b:65:a6:64:3f:c6:
... (omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                B2:E8:3A:64:59:33:3E:01:09:41:A1:F8:AD:06:90:62:CD:EE:0E:00
            X509v3 Authority Key Identifier: 
                keyid:C3:25:C1:9F:58:75:6E:18:44:13:A0:2A:70:54:4D:76:5B:6A:6E:D3

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name: 
                DNS:grism.packetx.biz
    Signature Algorithm: sha256WithRSAEncryption
        27:f1:5b:b3:02:70:12:5d:a0:8f:af:7a:d6:e4:ef:ca:9a:b8:
        ef:25:66:51:68:59:35:9b:4c:77:97:c2:2d:e4:34:37:98:94:
... (omitted)

Issuer is the signer and Subject is the basic information of this certificate. Again, X509v3 Subject Alternative Name has a DNS entry.

End-Entity Certificate


Private key

~ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
..........+++
e is 65537 (0x10001)

Signing request

~ openssl req -new \
    -key server.key -out server.csr \
    -subj "/C=TW/ST=New Taipei City/L=Zhonghe Dist./O=PacketX Technology Ltd./OU=R&D/CN=192.168.1.100"

Signing

~ cat <<EOF > v3.ext
basicConstraints = CA:FALSE
nsCertType = client, email
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectAltName = @alt_names

[alt_names]
DNS.1 = 192.168.1.100
EOF

~ openssl x509 -req \
    -days 365 -sha256 \
    -extfile v3.ext -CAcreateserial \
    -CA sub_root_ca.crt -CAkey sub_root_ca.key \
    -in server.csr -out server.crt

~ rm -f v3.ext
~ rm -f server.csr

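Note that basic constraints is CA:false here, meaning this certificate cannot sign anything further down.
-CA and -CAkey are the public and private keys of the intermediate certificate one level up.
-days: the final issued certificate does not need a long lifetime; one year is usually about right.

Combine the public and private keys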

~ cat server.crt server.key > server.pem

No certificate for users is generated here, because users only need to import the intermediate certificate or root certificate above it.

~ openssl x509 -in server.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a7:42:3f:9b:28:91:45:13
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=New Taipei City, L=Zhonghe Dist., O=PacketX Technology Ltd., OU=R&D, CN=grism.packetx.biz
        Validity
            Not Before: May 29 10:16:14 2017 GMT
            Not After : May 29 10:16:14 2018 GMT
        Subject: C=TW, ST=New Taipei City, L=Zhonghe Dist., O=PacketX Technology Ltd., OU=R&D, CN=192.168.1.100
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:9d:0d:59:64:a4:1d:09:98:dc:c4:cc:9f:30:ad:
                    77:b2:a5:1f:e6:8b:dd:1b:bb:5d:40:23:97:65:b2:
... (omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Subject Key Identifier: 
                EA:C8:69:FA:95:E4:65:12:97:FE:13:E4:F0:DD:33:0B:9E:90:ED:E4
            X509v3 Authority Key Identifier: 
                keyid:B2:E8:3A:64:59:33:3E:01:09:41:A1:F8:AD:06:90:62:CD:EE:0E:00

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
            X509v3 Subject Alternative Name: 
                DNS:192.168.1.100
    Signature Algorithm: sha256WithRSAEncryption
        25:a4:90:00:e9:b0:06:18:79:b2:ca:ff:4b:e3:66:fb:4e:81:
        cc:df:16:aa:8c:e5:0e:4c:b8:c4:ec:55:f7:86:f4:a0:46:1b:
... (omitted)

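The Issuer is now the intermediate certificate.


Finally, to verify from the command line, the root certificate and the intermediate certificate must both be supplied before verification can succeed.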
~ cat root_ca.crt sub_root_ca.crt > tmp
~ openssl verify -CAfile tmp server.crt
server.crt: OK
~ rm -f tmp

~ openssl verify -CAfile <(cat root_ca.crt sub_root_ca.crt) server.crt
server.crt: OK


Friday, January 20, 2017