PKIX — Public Key Infrastructure Using X.509 Certificates
This is an installment to the series of stories describing PKI.
So, till now, what we know? There has to be a certificate authority, whom our browser(or us) needs to trust, and whenever we connect to a website over HTTPS, we receive a certificate, which, our browser validates against something or some information about the certificate authority. Let us briefly discuss what actually the browser validates and how.
Digital Signatures
A digital signature is a cryptographic primitive that ascertains non-repudiation. In other words, anyone can validate the source of some information as well as the authenticity. Digital signatures are based on Public Key Cryptography, where, there is a public-private key pair. There is a signer, who uses her private key to sign some information, thus generating a signature, essentially an octet sequence of a fixed length. Under the hood, it just boils down to computing the hash of the information to be signed and encrypting the hash with the private key. The signature thus generated is decryptable by the public key.
So, for verification, anyone who has access to the data, the signature and the public key corresponding to the private key can validate the source. That is, one can compute the hash of the info, and then decipher the signature to get the hash from the signature using the public key, and then match it with the hash one computed. If they match, it is guaranteed, that the owner of the public key has signed the information. There are a few common known algorithms available in the public domain such as sha2WithRSA — (hash the info with SHA2 and encrypt using RSA), sha1WithRSA and so on..
The X.509 Certificate
Now, as in the previous installment we discussed what a certificate does, it basically binds the credentials to an entity. Now you would ask what credentials, basically the public key. So, a certificate binds a public key to its owner. And how does it do that? The answer is, it contains a signature by a trusted certificate authority. The signature is computed on the information present in the certificate signing request with some additional information. Which is, a public key, the DN(Distinguished Name — refer X.500 directory services rfc) of the entity owning the public key and a few other details like address fields, and majorly the IssuerDN. Once the certificate authority computes the signature, it produces a digital certificate primarily containing the public key, the distinguished name of the owner, the issuer’s distinguished name, the validity, the signature, signature algorithm. The information is encoded in ASN.1 format.
So, if you know the public key of the Issuer and you have the certificate, you can easily validate the signature and ascertain that the information in the certificate is authentic, i.e. the public key present in the certificate, indeed belongs to the owner claiming to own it. Once you have validated the public key, you can go ahead and encrypt your data and send it to the recipient(often a server) which/who has the private key to decrypt the information you sent. Though in the ideal world, there is much more to secure communication with a server over https than this. But, I guess you get the basic mechanics.
The Trust Chain
One point to note is, often the CA that signs a CSR is an intermediate one. That is, there is a root CA whose private key is used to sign the certificate of an intermediate CA. Once the signing is done, the private key of the root CA is kept in a very secure location. The public key of the root CA is distributed in the form a self signed certificate, i.e. the root CA signs its own certificate before it is distributed. All the certificates after that are signed using the intermediate CA, also called subordinate CA.
To ensure trust, one has to validate the certificate chain. That is, once a certificate is received, intermediate CA’s public key is used to validate the signature. Once that is done, intermediate CA’s signature is validated with the root CA’s public key that was distributed earlier and is present with everyone(often stored in our browser’s trust store). Thus the root CA certificate, since it acts as the root of the trust chain, is called the trust anchor.
Fields In An X.509 Certificate
Since the X.509 certificate is basically a data structure that binds the credential with the identity with the help of a signature and a trusted certificate authority. It contains some fields, let’s discuss the major ones:
Issuer: It is the distinguished name of the entity that issued the certificate, or in other words, computed the signature present in the certificate.
Subject: The distinguished name of the entity to which the credential belongs(usually the public key).
Signature Algorithm: It is the algorithm that was used to compute the digital signature.
Version: The version of the certificate. The older versions were not flexible but v3 supports extensions.
Common X.509v3 Extensions
There are a few extension fields that help in the formation of the certification chain, that we referred to in the first installment.
Authority Key Identifier(AKI): It is basically a SHA1 hash of the issuer’s public key and is used to identify a specific public key if there are multiple.
Subject Key Identifier(SKI): It is the SHA1 hash of the public key held by the subject.
Subject Alternative Names: This is optional and represents any other names to which the certificate might be bound to, and is generally used with websites(i.e. with certificates issued to be used with websites containing the domain name).
Relation Between SKI and AKI
Now, how do these fields related among the certificates forming a trust chain? It is quite simple, AKI simply is a hash of the parent’s public key, and, the SKI is the hash of the subject’s public key. So, we can easily derive a relation, the AKI of a child certificate will be equal to the SKI of the parent certificate. The only exception to this rule is, the root CA certificate, which has an AKI equal to its own SKI, and indeed, the root CA is a self signed certificate, so the issuer has issued the certificate to itself.
The AKI is also used to identify the issuer’s certificate, when there are many valid certificates belonging to the Issuer’s DN.
CRL (Certificate Revocation Lists)
Not too often, but there may arise a need to revoke the validity of certificate before it actually expires. For reasons, such as a key compromise or compromise of the whole CA(of which many instances have occurred) or even unspecified(ya, that is also a supported revocation reason that can be specified.
If you open up a PEM encoded CRL, it kinda looks similar to a similarly encoded X.509 certificate or a Certificate Signing Request or any PEM encoded file. It just starts with
The complete stuff may look something like the following:
Underneath all this, its the same old ASN1 encoded binary data representing something.
Well, what is that something?
A signed list of revoked certificates issued by the CA. Yes, it can be verified using the public key obtained from the certificate of the issuer represented by the Subject DN of the the CRL. So, Let’s inspect the fields of a CRL file using our favorite, the OPENSSL command line tool.
As you might have already guessed, the US treasury doesn’t like giving the real reasons behind all those revocations. But you can observe a revocation entry comprises of a the certificate serial number, a revocation date and the reason behind the revocation. And finally there is the signature algorithm and the signature itself. And not oddly enough, yes,
We can verify the signature.
The only trouble being,
And the number of revoked certificates in the CRL?
Imagine the browser downloading that 5.1 MB CRL file from a URL to check if the certificate presented by the server is present among the 142600 certificates revoked by the CA after identifying the CA and validating the signature of the CRL.
A certificate may contain a CRL Distribution Point extension containing the exact URL from where to get the CRL from.
Obviously this is not scalable for CAs which might have thousands and even millions of revoked certificates.
A scalable alternative was thus necessary, and thus it became the mother of OCSP i.e. Online Certificate Status Protocol.
OCSP (Online Certificate Status Protocol)
As the name suggests, it is online. There is a server that is running somewhere capable of giving the current status of a certificate. And how would you come to know where is the OCSP responder server for a specific certificate? You might have already guessed. An X.509 extension!
For example let us take the Google’s public certificate.
-----BEGIN CERTIFICATE-----
MIIN1jCCDL6gAwIBAgIRAKxpCb0iO1BbCljQ+AiZIYAwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
TEMxEzARBgNVBAMTCkdUUyBDQSAxQzMwHhcNMjIwNzE4MDgxODU3WhcNMjIxMDEw
MDgxODU2WjAXMRUwEwYDVQQDDAwqLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAASKyFqL6/uUI8Iqr9Pb3QoulQSmyKmk5WMzCExEd6jjGWPPjQOA
yXTWmkZJf1EPq5kBejwIrziszgwnRwQ7uoxEo4ILtzCCC7MwDgYDVR0PAQH/BAQD
AgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FDdCwiDQVy+TrKLAabdAOTQfR7HxMB8GA1UdIwQYMBaAFIp0f6+Fze6VzT2c0OJG
FPNxNR0nMGoGCCsGAQUFBwEBBF4wXDAnBggrBgEFBQcwAYYbaHR0cDovL29jc3Au
cGtpLmdvb2cvZ3RzMWMzMDEGCCsGAQUFBzAChiVodHRwOi8vcGtpLmdvb2cvcmVw
by9jZXJ0cy9ndHMxYzMuZGVyMIIJaAYDVR0RBIIJXzCCCVuCDCouZ29vZ2xlLmNv
bYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYIJKi5iZG4uZGV2ghIqLmNsb3VkLmdv
b2dsZS5jb22CGCouY3Jvd2Rzb3VyY2UuZ29vZ2xlLmNvbYIYKi5kYXRhY29tcHV0
ZS5nb29nbGUuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUuY2yCDiouZ29vZ2xl
LmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28udWuCDyouZ29vZ2xl
LmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5jb20uYnKCDyouZ29v
Z2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20udHKCDyou
Z29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xlLmVzggsqLmdvb2ds
ZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdvb2dsZS5ubIILKi5n
b29nbGUucGyCCyouZ29vZ2xlLnB0ghIqLmdvb2dsZWFkYXBpcy5jb22CDyouZ29v
Z2xlYXBpcy5jboIRKi5nb29nbGV2aWRlby5jb22CDCouZ3N0YXRpYy5jboIQKi5n
c3RhdGljLWNuLmNvbYIPZ29vZ2xlY25hcHBzLmNughEqLmdvb2dsZWNuYXBwcy5j
boIRZ29vZ2xlYXBwcy1jbi5jb22CEyouZ29vZ2xlYXBwcy1jbi5jb22CDGdrZWNu
YXBwcy5jboIOKi5na2VjbmFwcHMuY26CEmdvb2dsZWRvd25sb2Fkcy5jboIUKi5n
b29nbGVkb3dubG9hZHMuY26CEHJlY2FwdGNoYS5uZXQuY26CEioucmVjYXB0Y2hh
Lm5ldC5jboIQcmVjYXB0Y2hhLWNuLm5ldIISKi5yZWNhcHRjaGEtY24ubmV0ggt3
aWRldmluZS5jboINKi53aWRldmluZS5jboIRYW1wcHJvamVjdC5vcmcuY26CEyou
YW1wcHJvamVjdC5vcmcuY26CEWFtcHByb2plY3QubmV0LmNughMqLmFtcHByb2pl
Y3QubmV0LmNughdnb29nbGUtYW5hbHl0aWNzLWNuLmNvbYIZKi5nb29nbGUtYW5h
bHl0aWNzLWNuLmNvbYIXZ29vZ2xlYWRzZXJ2aWNlcy1jbi5jb22CGSouZ29vZ2xl
YWRzZXJ2aWNlcy1jbi5jb22CEWdvb2dsZXZhZHMtY24uY29tghMqLmdvb2dsZXZh
ZHMtY24uY29tghFnb29nbGVhcGlzLWNuLmNvbYITKi5nb29nbGVhcGlzLWNuLmNv
bYIVZ29vZ2xlb3B0aW1pemUtY24uY29tghcqLmdvb2dsZW9wdGltaXplLWNuLmNv
bYISZG91YmxlY2xpY2stY24ubmV0ghQqLmRvdWJsZWNsaWNrLWNuLm5ldIIYKi5m
bHMuZG91YmxlY2xpY2stY24ubmV0ghYqLmcuZG91YmxlY2xpY2stY24ubmV0gg5k
b3VibGVjbGljay5jboIQKi5kb3VibGVjbGljay5jboIUKi5mbHMuZG91YmxlY2xp
Y2suY26CEiouZy5kb3VibGVjbGljay5jboIRZGFydHNlYXJjaC1jbi5uZXSCEyou
ZGFydHNlYXJjaC1jbi5uZXSCHWdvb2dsZXRyYXZlbGFkc2VydmljZXMtY24uY29t
gh8qLmdvb2dsZXRyYXZlbGFkc2VydmljZXMtY24uY29tghhnb29nbGV0YWdzZXJ2
aWNlcy1jbi5jb22CGiouZ29vZ2xldGFnc2VydmljZXMtY24uY29tghdnb29nbGV0
YWdtYW5hZ2VyLWNuLmNvbYIZKi5nb29nbGV0YWdtYW5hZ2VyLWNuLmNvbYIYZ29v
Z2xlc3luZGljYXRpb24tY24uY29tghoqLmdvb2dsZXN5bmRpY2F0aW9uLWNuLmNv
bYIkKi5zYWZlZnJhbWUuZ29vZ2xlc3luZGljYXRpb24tY24uY29tghZhcHAtbWVh
c3VyZW1lbnQtY24uY29tghgqLmFwcC1tZWFzdXJlbWVudC1jbi5jb22CC2d2dDEt
Y24uY29tgg0qLmd2dDEtY24uY29tggtndnQyLWNuLmNvbYINKi5ndnQyLWNuLmNv
bYILMm1kbi1jbi5uZXSCDSouMm1kbi1jbi5uZXSCFGdvb2dsZWZsaWdodHMtY24u
bmV0ghYqLmdvb2dsZWZsaWdodHMtY24ubmV0ggxhZG1vYi1jbi5jb22CDiouYWRt
b2ItY24uY29tgg0qLmdzdGF0aWMuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIK
Ki5ndnQxLmNvbYIRKi5nY3BjZG4uZ3Z0MS5jb22CCiouZ3Z0Mi5jb22CDiouZ2Nw
Lmd2dDIuY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUu
Y29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CDSouYW5kcm9pZC5jb22CEyou
Zmxhc2guYW5kcm9pZC5jb22CBGcuY26CBiouZy5jboIEZy5jb4IGKi5nLmNvggZn
b28uZ2yCCnd3dy5nb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29tghYqLmdvb2ds
ZS1hbmFseXRpY3MuY29tggpnb29nbGUuY29tghJnb29nbGVjb21tZXJjZS5jb22C
FCouZ29vZ2xlY29tbWVyY2UuY29tgghnZ3BodC5jboIKKi5nZ3BodC5jboIKdXJj
aGluLmNvbYIMKi51cmNoaW4uY29tggh5b3V0dS5iZYILeW91dHViZS5jb22CDSou
eW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29tghYqLnlvdXR1YmVlZHVj
YXRpb24uY29tgg95b3V0dWJla2lkcy5jb22CESoueW91dHViZWtpZHMuY29tggV5
dC5iZYIHKi55dC5iZYIaYW5kcm9pZC5jbGllbnRzLmdvb2dsZS5jb22CG2RldmVs
b3Blci5hbmRyb2lkLmdvb2dsZS5jboIcZGV2ZWxvcGVycy5hbmRyb2lkLmdvb2ds
ZS5jboIYc291cmNlLmFuZHJvaWQuZ29vZ2xlLmNuMCEGA1UdIAQaMBgwCAYGZ4EM
AQIBMAwGCisGAQQB1nkCBQMwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybHMu
cGtpLmdvb2cvZ3RzMWMzL3pkQVR0MEV4X0ZrLmNybDCCAQMGCisGAQQB1nkCBAIE
gfQEgfEA7wB1AEalVet1+pEgMLWiiWn0830RLEF0vv1JuIWr8vxw/m1HAAABghCd
FPkAAAQDAEYwRAIgTUddrRHTEXgiuzUni+ScxMuf5UISiRlE+juDXR2ZS8YCIFna
ci7NjHn9xO4+5WMOCyw7t0DtXSdobp5OfsBeX+0oAHYA36Veq2iCTx9sre64X04+
WurNohKkal6OOxLAIERcKnMAAAGCEJ0U1AAABAMARzBFAiBYcVdZ3Dgf+0idJW8d
/Fv5frVEMUWYSakdmONyHhM+TAIhAJGAYGispfhPjqZzzqKi3keMuqa7e1LlPWPz
OAYI7D+AMA0GCSqGSIb3DQEBCwUAA4IBAQA2EnjwDeBfH/9s6/k88rkK/jzL8w08
O2M0Y+7k96+gMey0B3lFCuuw3DDqBBD4UJThaZ5KEC0s6zvo/Jh7K6po9TL1EwkK
t2C8C7kdlZgIKBnfTpBwVN8VSehiA6wnW4arXenjbrhp45QMP5CkLniYHojkKHFZ
F3l1be6II8NmYbzguTCgCVdABjVU27OGXiGFg2LD6Jmyn/bM6YysZ9a4N1VgA2wh
huzSdy/yZo216mrtIOv3MP/Rozw3ftvF0mVukQ89wR17sf2R6zxKfpCAppUo8u0+
bBypB+T/PYjkMdsYUdJn7GPIVigXXqsh5siS9XPj6o89ClkzlvsO7ePG
-----END CERTIFICATE-----A hell big of a certificate. Well, besides containing the 256 bit Elliptic Curve Public Key(more to come on that later), it contains a lot of SANs or Subject Alternate Names and that is where the majority of the bulk, in this certificate, comes from.
Anyways, if you inspect this certificate using openssl x509 utility like I did:
openssl x509 -in google-cert.pem -textYou will see an X.509 extension:
And there you go, you have the OCSP responder for this certificate, and well, the CA Issuers field points to something. Though not a convention, but google seems to be following one here, the OCSP responder endpoint is gts1c3 having the same name as the file that is hosted at http://pki.goog/repo/certs/gtsr1.der
So, I went ahead and downloaded the gtsr1.der file from that pki.goog url and tried cat’ing it, and it was some binary junk. And since the extension was der, suspecting it to be a DER encoded file, I happily ran:
openssl x509 -in gts1c3.der -inform DER -textAnd voila! It indeed was the issuer certificate containing the public key that could be used to verify the OCSP responder’s response.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:03:bc:53:59:6b:34:c7:18:f5:01:50:66
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Google Trust Services LLC, CN = GTS Root R1
Validity
Not Before: Aug 13 00:00:42 2020 GMT
Not After : Sep 30 00:00:42 2027 GMT
Subject: C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f5:88:df:e7:62:8c:1e:37:f8:37:42:90:7f:6c:
87:d0:fb:65:82:25:fd:e8:cb:6b:a4:ff:6d:e9:5a:
23:e2:99:f6:1c:e9:92:03:99:13:7c:09:0a:8a:fa:
42:d6:5e:56:24:aa:7a:33:84:1f:d1:e9:69:bb:b9:
74:ec:57:4c:66:68:93:77:37:55:53:fe:39:10:4d:
b7:34:bb:5f:25:77:37:3b:17:94:ea:3c:e5:9d:d5:
bc:c3:b4:43:eb:2e:a7:47:ef:b0:44:11:63:d8:b4:
41:85:dd:41:30:48:93:1b:bf:b7:f6:e0:45:02:21:
e0:96:42:17:cf:d9:2b:65:56:34:07:26:04:0d:a8:
fd:7d:ca:2e:ef:ea:48:7c:37:4d:3f:00:9f:83:df:
ef:75:84:2e:79:57:5c:fc:57:6e:1a:96:ff:fc:8c:
9a:a6:99:be:25:d9:7f:96:2c:06:f7:11:2a:02:80:
80:eb:63:18:3c:50:49:87:e5:8a:ca:5f:19:2b:59:
96:81:00:a0:fb:51:db:ca:77:0b:0b:c9:96:4f:ef:
70:49:c7:5c:6d:20:fd:99:b4:b4:e2:ca:2e:77:fd:
2d:dc:0b:b6:6b:13:0c:8c:19:2b:17:96:98:b9:f0:
8b:f6:a0:27:bb:b6:e3:8d:51:8f:bd:ae:c7:9b:b1:
89:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27
X509v3 Authority Key Identifier:
E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E
Authority Information Access:
OCSP - URI:http://ocsp.pki.goog/gtsr1
CA Issuers - URI:http://pki.goog/repo/certs/gtsr1.der
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.pki.goog/gtsr1/gtsr1.crl
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.3
CPS: https://pki.goog/repository/
Policy: 2.23.140.1.2.1
Policy: 2.23.140.1.2.2So, the next step was to hit the OCSP responder and verify the respone against the certificate in file “gts1c3.der”. For this also openssl comes with the ocsp tool, and by invoking the following command, I was able to not only retrieve the OCSP response, the tool also validated the signature of the response as well.
openssl ocsp -issuer gts1c3.der -cert google-cert.pem -text -url http://ocsp.pki.goog/gts1c3And, the response was good:
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C72E798ADDFF6134B3BAED4742B8BBC6C0240763
Issuer Key Hash: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
Serial Number: AC6909BD223B505B0A58D0F808992180
Request Extensions:
OCSP Nonce:
041040330F1127136CEC205EDE075EBE7018
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
Produced At: Aug 16 14:09:56 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: C72E798ADDFF6134B3BAED4742B8BBC6C0240763
Issuer Key Hash: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
Serial Number: AC6909BD223B505B0A58D0F808992180
Cert Status: good
This Update: Aug 16 14:09:54 2022 GMT
Next Update: Aug 23 13:09:53 2022 GMT<Omitting Signature Info>Response verify OK
google-cert.pem: good
This Update: Aug 16 14:09:54 2022 GMT
Next Update: Aug 23 13:09:53 2022 GMT
Adios!
