EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Get Hash of Certificate Request

#7589
Posted: 09/12/2008 13:27:10
by Thanh Nguyen Trung (Priority Standard support level)
Joined: 09/12/2008
Posts: 73

Hi

You know that Debian has just reported the vulnerability in OpenSSL. I would like to check whether the uploaded PKCS10 request was generated by a vulnerable OpenSSL, using the online service "http://www.heise-online.co.uk/news/DNS-blacklist-for-weak-SSL-keys--/111034". Making a DNS enquiry in the format "<hash>.weakSSLkeys.dnsbl.manitu.net" will help us to verify whether the PKCS request was generated by a vulnerable OpenSSL or not.

My program will receive an uploaded request in PKCS10; please show me the way to get the hash of the request.

Thanks in advance.
#7596
Posted: 09/15/2008 02:48:07
by Ken Ivanov (EldoS Corp.)

As far as I understood from the text on the page you've specified, you need a hash of the RSA modulus rather than a hash of the PKCS10 request:
Quote
The SHA1 hash value from the certificate's modulus of the RSA key is used as the host name. All tests for weak SSL certificates use a similar fingerprinting, including the Debian Tools openssl-vulnkey and the heise networks SSL tests.

If it is so, you should extract the value of RSA modulus and pass it to the input of TElHashFunction object. Use TElCertificateRequest.GetRSAParams() method to extract the modulus from certificate request, or TElX509Certificate.KeyMaterial to extract the modulus from the X.509 certificate.
#7600
Posted: 09/15/2008 06:10:50
by Thanh Nguyen Trung (Priority Standard support level)
Joined: 09/12/2008
Posts: 73

Following your instructions (Mr/Ms Innokentiy Ivanov), please help me to verify whether the implementation below is correct or not:
    private string GetHash()
    {
        string sHash = string.Empty;
        if (m_oRequest != null)
        {
            //Extract Modulus
            int nLen1 = 4096;
            byte[] RSAModulus = new byte[nLen1];

            int nLen2 = 4096;
            byte[] RSAPublicKey = new byte[nLen2];

            m_oRequest.GetRSAParams(ref RSAModulus,
                ref nLen1, ref RSAPublicKey, ref nLen2);

            if (RSAModulus.Length > 0)
            {
                //Get Hash
                SBHashFunction.TElHashFunction oHash =
                    new SBHashFunction.TElHashFunction(m_oRequest.SignatureAlgorithm,
                        (SBCryptoProv.TElCustomCryptoProvider) null);
                oHash.Update(RSAModulus, 0, RSAModulus.Length);
                sHash = SBUtils.Unit.BinaryToString(oHash.Finish());
            }
        }
        return sHash;
    }

Thanks
#7604
Posted: 09/15/2008 07:33:49
by Ken Ivanov (EldoS Corp.)

It is not correct enough. The correct one looks like the following:

    if ((m_oRequest != null) && (m_oRequest.PublicKeyAlgorithm == SBUtils.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION))
    {
        //Extract Modulus
        int nLen1 = 4096;
        byte[] RSAModulus = new byte[nLen1];

        int nLen2 = 4096;
        byte[] RSAPublicKey = new byte[nLen2];

        m_oRequest.GetRSAParams(ref RSAModulus, ref nLen1, ref RSAPublicKey, ref nLen2);

        if (nLen1 > 0)
        {
            TElHashFunction func = new TElHashFunction(SBConstants.Unit.SB_ALGORITHM_DGST_SHA1, null);
            func.Update(RSAModulus, 0, nLen1);
            byte[] digest = func.Finish();
            string hexDigest = SBUtils.Unit.BinaryToString(digest);
        }
    }
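
An added example, not code from this thread or from EldoS: the same modulus hash computed with the .NET base class library (.NET 7 or later) instead of SecureBlackbox, followed by the query name in the format given in the question. It assumes the blacklist hashes the raw modulus bytes, which the page does not specify; the class and method names are hypothetical and the sample request is generated in-process.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class WeakKeyCheck
{
    const string Zone = "weakSSLkeys.dnsbl.manitu.net"; // zone named in the question

    // SHA-1 over the RSA modulus of a DER-encoded PKCS#10 request, as lowercase hex.
    public static string ModulusSha1Hex(byte[] pkcs10Der)
    {
        // The default load options verify the request's self-signature, so a
        // request whose body was altered after signing is rejected here.
        CertificateRequest req = CertificateRequest.LoadSigningRequest(
            pkcs10Der, HashAlgorithmName.SHA256);

        // GetRSAPublicKey returns null for non-RSA keys; this is the same guard
        // as the PublicKeyAlgorithm test in the reply above.
        using RSA rsa = req.PublicKey.GetRSAPublicKey()
            ?? throw new NotSupportedException("request does not carry an RSA key");

        // Assumption: the digest input is the raw big-endian modulus with no
        // leading zero byte, which is what ExportParameters returns.
        byte[] modulus = rsa.ExportParameters(false).Modulus!;
        return Convert.ToHexString(SHA1.HashData(modulus)).ToLowerInvariant();
    }

    // Host name to look up, in the "<hash>.<zone>" format from the question.
    public static string QueryName(byte[] pkcs10Der) =>
        ModulusSha1Hex(pkcs10Der) + "." + Zone;

    static void Main()
    {
        // Constructed sample: a throwaway key and request generated in-process.
        using RSA key = RSA.Create(2048);
        var csr = new CertificateRequest("CN=constructed-sample", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        byte[] der = csr.CreateSigningRequest();

        string name = QueryName(der);
        Console.WriteLine(name);

        // Cross-check against the modulus taken directly from the key.
        string direct = Convert.ToHexString(
            SHA1.HashData(key.ExportParameters(false).Modulus!)).ToLowerInvariant();
        Console.WriteLine(name.StartsWith(direct) ? "modulus hash matches" : "MISMATCH");
    }
}
```

Hashing only the bytes the parser reports as the modulus, rather than a fixed-size buffer, is the point the corrected reply makes with `nLen1`.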
#7613
Posted: 09/15/2008 10:31:27
by Thanh Nguyen Trung (Priority Standard support level)
Joined: 09/12/2008
Posts: 73

Thank you very much

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
