[ipxe-devel] Embedding certificates

Nicolas Sylvain nsylvain at gmail.com
Wed May 6 21:06:01 UTC 2015 

Thanks to Michael, I was able to answer this question.

If anyone is interested, here is how I solved it:

A .der file in the crosscert path is made of your own private CA and the
cross-signed root CA.  They are joined together using an ASN.1 SET
directive.

In python, it's as simple as this:

import pyasn1

from pyasn1.codec.der import decoder
from pyasn1.codec.der import encoder


def CreateFinalSet(certs):
  s = pyasn1.type.univ.Set()
  for i, c in enumerate(certs):
    s.setComponentByPosition(i, decoder.decode(c)[0])

  return encoder.encode(s)



The input "certs" is a list of certificates (the data, not the filenames)
in .der format.
the output is the actual content of the final der file you need to write in
your crosscert path.

The next step is to be able to find the name of the .der file in the
crosscert path.  It's a checksum of something, but it was not clear to me
what it was.

Here's the code that given an original root CA (not modified, der format),
returns the filename to use for its crosscert.


  # Decode the ASN
  decoded_data = decoder.decode(ca_data)

  # Enter the ASN.1 sequence.
  decoded_data = decoded_data[0]

  # Enter the inner sequence.
  assert isinstance(decoded_data, pyasn1.type.univ.Sequence)
  decoded_data = decoded_data[0]

  # Skip one or two Integer items, then take the forth Sequence.
  base = 0
  assert isinstance(decoded_data[base], pyasn1.type.univ.Integer)
  if isinstance(decoded_data[base + 1], pyasn1.type.univ.Integer):
    base += 1

  assert isinstance(decoded_data[base + 1], pyasn1.type.univ.Sequence)
  assert isinstance(decoded_data[base + 2], pyasn1.type.univ.Sequence)
  assert isinstance(decoded_data[base + 3], pyasn1.type.univ.Sequence)
  assert isinstance(decoded_data[base + 4], pyasn1.type.univ.Sequence)

  subject = decoded_data[base + 4]


  checksum = binascii.crc32(encoder.encode(subject))
  return '%08x.der' % ((checksum & 0xffffffff) ^ 0xffffffff)



Thanks again,

Nicolas

On Mon, Apr 13, 2015 at 4:59 PM, Nicolas Sylvain <nsylvain at gmail.com> wrote:

> Here's a slightly simpler question:
>
> How are the .der files on ca.ipxe.org/auto generated?
>
> I don't seem to be able to look at them :
>
> $ wget http://ca.ipxe.org/auto/5df65e6d.der
> $ openssl x509 -inform der -in 5df65e6d.der -text
> unable to load certificate
> 140302646982304:error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1337:
> 140302646982304:error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:388:Type=X509
>
>
> If I create my own cross-signed certificates using the commands in
> ipxe.org/crypto and convert them to .der files using openssl, I get this
> error :
>
>
>
> https://SOMETHING.appspot.com/somepath...
> TLS 0xe9fb4 using protocol version 3.3
> TLS 0xe9fb4 selected rsa-aes_cbc-128-sha256
> [...]
> CERTSTORE added certificate *.appspot.com
> X509 chain 0xe9cd4 added X509 0xed6f4 "*.appspot.com"
> TLS 0xe9fb4 found certificate *.appspot.com
> [...]
> CERTSTORE added certificate Google Internet Authority G2
> X509 chain 0xe9cd4 added X509 0xedc84 "Google Internet Authority G2"
> TLS 0xe9fb4 found certificate Google Internet Authority G2
> [...]
> CERTSTORE added certificate GeoTrust Global CA
> X509 chain 0xe9cd4 added X509 0xee134 "GeoTrust Global CA"
> TLS 0xe9fb4 found certificate GeoTrust Global CA
> .X509 chain 0xe9cd4 found no usable certificates
> VALIDATOR 0xea264 downloading cross-signed certificate from
> http://10.0.0.1/5df65e6d.der?subject=ME4xCzAJBgNVBAYTAlVTM
>
> RAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHk=
> HTTP 0xea6c4 response "HTTP/1.0 200 OK"
> HTTP 0xea6c4 header "Server: SimpleHTTP/0.6 Python/2.7.6"
> HTTP 0xea6c4 header "Date: Mon, 13 Apr 2015 23:52:37 GMT"
> HTTP 0xea6c4 header "Content-type: application/octet-stream"
> HTTP 0xea6c4 header "Content-Length: 769"
> HTTP 0xea6c4 header "Last-Modified: Mon, 13 Apr 2015 23:51:41 GMT"
> HTTP 0xea6c4 start of data
> ASN1 0x17d560 type mismatch (expected 49, got 48)
> VALIDATOR 0xea264 could not enter certificateSet: Error 0x3e00e03b (
> http://ipxe.org/3e00e03b)
> TLS 0xe9fb4 certificate validation failed: Error 0x3e00e03b (
> http://ipxe.org/3e00e03b)
> Error 0x3e00e03b (http://ipxe.org/3e00e03b)
>
> Somehow it wanted a "set" and I sent a "sequence", but I'm afraid I don't
> understand the difference yet.
>
> Thank you,
>
> Nicolas
>
>
>
>
> On Thu, Apr 9, 2015 at 2:41 PM, Nicolas Sylvain <nsylvain at gmail.com>
> wrote:
>
>> Hello,
>>
>> Since my firewall blocks pretty much everything, including ca.ipxe.org.
>> I got around to making https connections with iPXE by mirroring
>> ca.ipxe.org and using the crosscert command.  Unfortunately, to make
>> that work, I had to disable OCSP in the code.
>>
>> I'd like to unfork my code, and to do that, I believe I need to create my
>> own CA and cross signed certificates.
>>
>> Right now I'm only accessing some resources hosted on Google servers.
>> (appengine, google cloud storage). It seems like all those servers have
>> certificates trusted by GeoTrust Global CA.
>>
>> Here's what I tried to do:
>>
>> 1. Follow the instructions on http://ipxe.org/crypto to create my own CA
>>
>> 2. Download the Geotrust Global CA certs from http://ca.ipxe.org/raw/
>>
>> 3. Cross sign those certs using the instructions on the page above.
>>
>> 4. Build iPXE using :
>>
>>
>>  make bin/ipxe.usb EMBED=startup.ipxe
>> CERT=geotrust-global-ca-2-cross.crt,geotrust-global-ca-cross.crt,ca.crt
>> TRUST=ca.crt
>>
>> Then during boot, on the first attempt at using https, I get this error :
>> http://ipxe.org/err/0216eb
>>
>>
>> I also tried to pass the geotrust certs as-in on both CERT and TRUST, but
>> that did not work either.
>>
>> Any idea what I'm doing wrong? I assume it's pretty obvious, as I don't
>> understand much about certificates yet...  but if you need more verbose
>> logs, let me know and I can provide them.
>>
>> Thanks
>>
>> Nicolas
>>
>>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20150506/9954df2a/attachment.htm>

More information about the ipxe-devel mailing list