openssl ocsp Responder Error: unauthorized (6) - ios

I want to verify whether the Apple p12 certificate is revoked.
Verify through OpenSSL, but the failure rate
Responder Error: unauthorized (6)
openssl s_client -connect ocsp.apple.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-------END/p' > cert.pem
openssl s_client -showcerts -connect ocsp.apple.com:443 < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' > chain.pem
openssl x509 -noout -ocsp_uri -in cert.pem
openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://ocsp.apple.com/ocsp03-apevsecc1g101 -header "HOST" "ocsp.apple.com"
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 99A13D5E339D6899F2F62D3449CA0FB7AD56A71D
Issuer Key Hash: 45F2A8DA2EF4DD5AE49E079E4B7B289B3BB20B31
Serial Number: 5E652F93666E7A5B3966551A0C167BAA
Request Extensions:
OCSP Nonce:
0410AB2982A627A49BA9AC9E06A9C4FE28B2
Responder Error: unauthorized (6)


chain.pem can only contain the intermediate and root certificates. The way you invoked openssl it brought in the entire chain. So: remove your certificate from chain.pem and try again.


For what it's worth (or future instances) here was my solution:
Note: I was sending the response to a Microsoft OCSP responder.
Fix: I had to define the -CAfile and -no_nonce parameters.
openssl ocsp -no_nonce -issuer ca_chain.cer -CAfile ca_chain.cer -cert test.cer -text -url http://ocsp.myorg.com/ocsp
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 555D0C30ACDDA1D39CAFB5C0B33BD73475C903D8
Issuer Key Hash: 3E8B5EE3BF6D026D69F3005CCE08BE60C245F3EE
Serial Number: 3E002C0FFFDA2BE9708A43E3270000002C0FFF
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C012856C236D6AA6EC5F835AC25F17EBECB8BC10
Produced At: Nov 8 05:36:39 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 555D0C30ACDDA1D39CAFB5C0B33BD73475C903D8
Issuer Key Hash: 3E8B5EE3BF6D026D69F3005CCE08BE60C245F3EE
Serial Number: 3E002C0FFFDA2BE9708A43E3270000002C0FFF
Cert Status: revoked
Revocation Time: Oct 27 21:26:12 2022 GMT
Revocation Reason: cessationOfOperation (0x5)
This Update: Nov 8 00:50:02 2022 GMT
Next Update: Nov 8 17:10:02 2022 GMT

Related

Requirements for root CA certificate to add in iOS

I issued my own CA certificate to enable https for my development environment.
On my Windows PC i was able to add my root CA. On iOS i can install it and it shows that it is verified but when i go to General -> About -> Certificate Trust Settings the certificate does not show up.
Some information about the root CA.
Input:
openssl x509 -in ca.pem -text -noout
Output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
[...]
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = Some-Country, ST = Some-State, O = Some-Company
Validity
Not Before: Jul 7 18:45:56 2022 GMT
Not After : Jul 4 18:45:56 2032 GMT
Subject: C = Some-Country, ST = Some-State, O = Some-Company
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
[...]
X509v3 Authority Key Identifier:
keyid:[...]
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[...] ```

My mistake was that the root CA I created was valid for 10 years. Since 1st September 2020 Apple limits the validity period to a maximum of 397 days.
Source: https://support.apple.com/en-us/HT211025

Grep from a certificate

I can view the openSSL certifcate with this command
openssl x509 -text -in myCertificate.pem
I just wanted to see when the cert will expire only. The line which I want to read is,
Not After : Jul 28 14:09:57 2015 GMT
I tried using the grep command but it doesn't display anything.
grep "After" myCertificate.pem
Is there a way that I can read only that line of the certificate??
Thanks in advance

The short way is to use -enddate -noout (print the notAfter value, and don't re-output the cert PEM contents)
$ openssl x509 -in github.cer -enddate -noout
notAfter=Apr 12 12:00:00 2016 GMT
In order to use grep you need to continue using the -text option, because the phrase "Not After" doesn't appear in the cert, it's just an encoded representation. And then combine that with the pipe (|) operation:
$ openssl x509 -in github.cer -text -noout | grep After
Not After : Apr 12 12:00:00 2016 GMT

thin rails server/eventmachine on windows does not work with custom certificate

After building my own eventmachine/thin with SSL support on windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86) I got another problem with SSL certificate: when I use build-in self-signed one thin works fine but it does not respond to any request while using corporate certificate
Here is my path for obtaining the certificate:
I generated private key with puttygen (ssl-private.key)
I generated CSR using following command:
openssl req -out ssl.csr -key ssl-private.key -new
I sent CSR to CA and received P7B file
I converted P7B using following command:
openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt
What could go wrong here?
What have I checked:
openssl rsa -in ssl-private.key -check
says "RSA key ok"
openssl x509 -in cert.crt -text -noout
says
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
***
Signature Algorithm: sha1WithRSAEncryption
Issuer: ***
Validity
Not Before: Feb 16 08:47:25 2004 GMT
Not After : Feb 16 08:55:36 2024 GMT
Subject: ***
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
***
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
***
while the same check made on self-signed cert, created using
openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
says
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
***
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Validity
Not Before: Jun 24 14:42:07 2015 GMT
Not After : Jun 23 14:42:07 2016 GMT
Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
***
ok some change: I have changed certs order in crt file so that final cert is not last but first and the result is different: chrome drops an error of NET::ERR_CERT_INVALID, IE similar and both does not navigate further
openssl s_client output (looks ok, *** Root CA 1 is trusted in windows):
Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=***/ST=***/O=***/CN=***.com
i:/DC=com/DC=***/CN=*** Enterprise CA 1
1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: ***
Session-ID-ctx:
Master-Key: ***
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket: ***
Start Time: 1435319943
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
I have made a simple https server (lib/emtestssl):
require 'rubygems'
require 'bundler/setup'
Bundler.require
class ServerHandler < EM::Connection
def post_init
puts "post_init"
start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
end
def receive_data(data)
puts "Received data in server: #{data}"
send_data("HTTP/1.1 200 OK\n\nHello world!")
close_connection_after_writing
end
end
EventMachine.run do
puts 'Starting server...'
EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end
it works fine without tls, with tls browser won't allow to connect :(
as per http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify private key and certificate do match

it looks like (patched) eventmachine is completely fine: i have taken key/cert pair from existing server and (after a url mismatch warning from the browser) it works fine
after comparing the certificates it looks like my CA has failed and brought me a cert with wrong properties: working one is described as Server Authentication (1.3.6.1.5.5.7.3.1) while failing one is Client Authentication (1.3.6.1.5.5.7.3.2)
i will issue another csr and charge them for lost day... :/
maybe one important discovery is an order of certificates within cert file: one must go from the final cert to the root being at the end of the chain

Get certificate expiry date from the embedded.mobileprovision provisioning profile

I need to get the expiry date of our iOS enterprise certificate used in an ipa's embedded.mobileprovision file using the command line.
I've got this so far:
security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print :DeveloperCertificates' tmp.plist | base64 -d - | openssl x509 -inform DER -noout -text
The response:
Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 510 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 680 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 510 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 680 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 440 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 588 bytes.
unable to load certificate
14722:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/ OpenSSL098-52.20.2/src/crypto/asn1/tasn_dec.c:1323:
14722:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/SourceCache/ OpenSSL098/OpenSSL098-52.20.2/src/crypto/asn1/tasn_dec.c:379:Type=X509
The openssl command works on our certificate file just fine:
openssl x509 -inform DER -noout -text -in "iPhone Distribution: XXXX.cer"
So what I am missing is getting the certificate out of the embedded.mobileprovision, decode it and save it to a file or pass it by piping.
If I split the sommand up, we get the following:
a. Get the certificate out of the embedded.mobileprovision:
security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print :DeveloperCertificates' tmp.plist > encodedcert.b64
b. Decode the retrieved base64 to a .cer file:
base64 -d encodedcert.b64 certificate.cer
c. Read it with openssl:
openssl x509 -inform DER -noout -text -in certificate.cer
Unfortunatly, the generated certificate.cer file by my base64 command is zero bytes long...
Who can help me out further?

I've successfully been able to get to the certificate information.
The problem was that my PlistBuddy command was wrong. I should have used 'DeveloperCertificates:0' instead of ':DeveloperCertificates'.
I also did not need the base64 stuff.
So the working commandline to get the info from the enterprise certificate in an embedded.mobileprovision profile is
security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' tmp.plist | openssl x509 -inform DER -noout -enddate
Split up into three parts:
Get a plist from the embedded.mobileprovision:
security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist
Get the first certificate from the plist:
/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' tmp.plist |
Read the certificate passed through the pipe and extract the enddate (-text instead of -enddate gives you the entire certificate information):
openssl x509 -inform DER -noout -enddate
Edit: Here is the command without a temporary plist file:
/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' /dev/stdin <<< $(security cms -D -i Payload/*.app/embedded.mobileprovision) | openssl x509 -inform DER -noout -enddate

How to debug Apple Push Notification Response?

I wrote a python app that sends push notification to Apple devices.
Suddenly notifications are no longer received, on all the iOS apps.
It looks like Apple returns an error after sending the notification.
I would like to know if the following response looks normal?, or if there is an issue with the certificates?
$ openssl s_client -connect gateway.push.apple.com:2195 -cert /home/ubuntu/webapps/notification/certificates/relax_app/production/apns-dev-cert.pem -key /home/ubuntu/webapps/notification/certificates/relax_app/production/apns-dev-key-noenc.pem
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140149704410784:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired:s3_pkt.c:1195:SSL alert number 45
140149704410784:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFEzCCA/ugAwIBAgIETBzSBzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMjA1MDMxODIyMjhaFw0xNDA1MzEw
OTI5MDZaMIGHMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQKEwpBcHBsZSBJbmMuMRkwFwYDVQQLExBp
VE1TIEVuZ2luZWVyaW5nMR8wHQYDVQQDExZnYXRld2F5LnB1c2guYXBwbGUuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4u3gyk9GeQGIH7pmYSA
604LxMLvaUZkgeXOLRzH/48LZgPD5megHhsvjj6du2xzOQKb7iCVYF4HnHf3k00R
3iXtvEmqRU87uw8K2LPu9ZfoNcJpu2e45eF27dXjvjCmvlMDsPxFBer9nAex3P4o
mGCld73SfcZuIB3bQ6BFTIM6je+0nNwP9yuSF4XjOrOx+1+ifgGwyl9T/qa1TYWW
K/LmObAmpbBYwklu33NVOR4BBrZ+GAdj1irdZqh3s3R+b/ANaAAbx2YYrScnIP15
OG7oYNKO3zzIQ0KaBjJjv30j5dXFQaIiphUWhuhQ3rRMmG7xV5UWVqHMriMLD4bS
PQIDAQABo4IBWTCCAVUwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3Qu
bmV0L2xldmVsMWMuY3JsMGUGCCsGAQUFBwEBBFkwVzAjBggrBgEFBQcwAYYXaHR0
cDovL29jc3AuZW50cnVzdC5uZXQwMAYIKwYBBQUHMAKGJGh0dHA6Ly9haWEuZW50
cnVzdC5uZXQvbDFjLWNoYWluLmNlcjBABgNVHSAEOTA3MDUGCSqGSIb2fQdLAjAo
MCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAfBgNVHSME
GDAWgBQe8auJBvhJDwEzd+4Ueu4ZfJMoTTAdBgNVHQ4EFgQULkkf+RyRucrBgaw2
Iu+V+aUctU4wCQYDVR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEAPSQnfPByAF+Y
ML2kwujhbKMZw81oF3HGkdSG756Jt5cqiBJB+KS+4ZThpTgAr9EytfHtl4NPoBwZ
I0a2gLvmO2HNe5OqVSdOqyPCCFN0aBZTYwLVHM3HmoUbPn+Zh19g7Me4AC69IR9i
RoJmzSkagR+Z7z7veiSzfeUHaGa0YUsyc7iMerF1rFfYJvXFVp4D1gA672nTzctZ
0e0yItFXJrN6FL/K+NKCk/O3HCn95oVEPtnEWF2Qm91AZKoCYV1u3VzWtlZsyjQL
wqfQNpr+VUe1SQ1DInr2enCQrCBnH7R3JVscj91cfEiH1SydpRrNFICT40nphEWK
higEADTWUQ==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2670 bytes and written 2047 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: F2FEDB49795DA0B3084B850521A514EB60EE9959C40753AB79B799CA4F6225DAA4FE7084B8CF6D7BF9A4AEB92B9B3A06
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1385498375
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Note
The response returns the following:
verify error:num=20:unable to get local issuer certificate
Does this error prevent sending push notifications? or can it be ignored?
Thanks in advance.

SOLUTION
The issue was related with expired and revoked certificates.
New certificates were generated according to this great tutorial:
http://www.raywenderlich.com/32960/

Resources