Decoding the CRL data generated by CFSSL
November 16, 2024 · about 3 minutes
CFSSL is a powerful tool that can produce a certificate revocation list (CRL), but the CRL it returns is encoded rather than readable.
This article walks through how to decode the CRL data generated by CFSSL with the curl, jq, base64 and openssl tools. The decoding steps are:
- extract the base64-encoded data from the JSON response
- base64-decode it to obtain the (DER-)encoded data
- decode the DER with openssl to obtain PEM data
- decode the PEM data to obtain the plaintext
Thanks to how capable openssl is, steps three and four can be done in one go, as shown below.
Fetch the raw data
Request
curl --location --request GET 'http://83.229.120.34:8888/api/v1/cfssl/crl?expiry'
The response looks like this; the result field holds the base64-encoded data we need.
{
  "success": true,
  "result": "MIIBRTCB7AIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCQ04xEDAOBgNVBAcTB0JlaWppbmcxKTAnBgNVBAoTIFBhcGVyRHJhZ29uIFRlY2hub2xvZ3kgQ28uLCBMdGQuMSMwIQYDVQQLExpJbnRlcm1lZGlhdGUgQ0EgRGVwYXJ0bWVudDEkMCIGA1UEAxMbUGFwZXJEcmFnb24gSW50ZXJtZWRpYXRlIENBFw0yNDExMTYxNjIzMzZaFw0yNTA5MTIxNjIzMzZaMACgIzAhMB8GA1UdIwQYMBaAFJAzuMyI4AKwil7C6Xj4rPVln4AvMAoGCCqGSM49BAMCA0gAMEUCIQC0xb6UcoCMT5Z7GD6avEbWnRxvdAPVmMZPZqUavmw0YwIgdbF7gsCgF6fUNZm2HXNEzxvHALp0A3WqD20p+13/7X0=",
  "errors": [],
  "messages": []
}
The data we need is:
MIIBRTCB7AIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCQ04xEDAOBgNVBAcTB0JlaWppbmcxKTAnBgNVBAoTIFBhcGVyRHJhZ29uIFRlY2hub2xvZ3kgQ28uLCBMdGQuMSMwIQYDVQQLExpJbnRlcm1lZGlhdGUgQ0EgRGVwYXJ0bWVudDEkMCIGA1UEAxMbUGFwZXJEcmFnb24gSW50ZXJtZWRpYXRlIENBFw0yNDExMTYxNjIzMzZaFw0yNTA5MTIxNjIzMzZaMACgIzAhMB8GA1UdIwQYMBaAFJAzuMyI4AKwil7C6Xj4rPVln4AvMAoGCCqGSM49BAMCA0gAMEUCIQC0xb6UcoCMT5Z7GD6avEbWnRxvdAPVmMZPZqUavmw0YwIgdbF7gsCgF6fUNZm2HXNEzxvHALp0A3WqD20p+13/7X0=
Decoding the first layer: base64
Decoding with the command alone sends the data to standard output, where it is unreadable, so we redirect the stream into a file instead.
The wrong way to decode
echo MIIBRTCB7AIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCQ04xEDAOBgNVBAcTB0JlaWppbmcxKTAnBgNVBAoTIFBhcGVyRHJhZ29uIFRlY2hub2xvZ3kgQ28uLCBMdGQuMSMwIQYDVQQLExpJbnRlcm1lZGlhdGUgQ0EgRGVwYXJ0bWVudDEkMCIGA1UEAxMbUGFwZXJEcmFnb24gSW50ZXJtZWRpYXRlIENBFw0yNDExMTYxNjIzMzZaFw0yNTA5MTIxNjIzMzZaMACgIzAhMB8GA1UdIwQYMBaAFJAzuMyI4AKwil7C6Xj4rPVln4AvMAoGCCqGSM49BAMCA0gAMEUCIQC0xb6UcoCMT5Z7GD6avEbWnRxvdAPVmMZPZqUavmw0YwIgdbF7gsCgF6fUNZm2HXNEzxvHALp0A3WqD20p+13/7X0= | base64 -d
0�E0��0
*�H�=0��1
0 UCN10UBeijing1)0'U
PaperDragon Technology Co., Ltd.1#0!U
Intermediate CA Department1$0"U0��3�̈���^��x���e��/0
The correct way to decode
echo MIIBRTCB7AIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCQ04xEDAOBgNVBAcTB0JlaWppbmcxKTAnBgNVBAoTIFBhcGVyRHJhZ29uIFRlY2hub2xvZ3kgQ28uLCBMdGQuMSMwIQYDVQQLExpJbnRlcm1lZGlhdGUgQ0EgRGVwYXJ0bWVudDEkMCIGA1UEAxMbUGFwZXJEcmFnb24gSW50ZXJtZWRpYXRlIENBFw0yNDExMTYxNjIzMzZaFw0yNTA5MTIxNjIzMzZaMACgIzAhMB8GA1UdIwQYMBaAFJAzuMyI4AKwil7C6Xj4rPVln4AvMAoGCCqGSM49BAMCA0gAMEUCIQC0xb6UcoCMT5Z7GD6avEbWnRxvdAPVmMZPZqUavmw0YwIgdbF7gsCgF6fUNZm2HXNEzxvHALp0A3WqD20p+13/7X0= | base64 -d > crl.der
This gives us crl.der, a byte stream that humans cannot read.
Second layer: decoding to a PEM file
openssl crl -inform DER -in crl.der -outform PEM -out crl.pem
We now have the following PEM file:
-----BEGIN X509 CRL-----
MIIBRjCB7AIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCQ04xEDAOBgNVBAcT
B0JlaWppbmcxKTAnBgNVBAoTIFBhcGVyRHJhZ29uIFRlY2hub2xvZ3kgQ28uLCBM
dGQuMSMwIQYDVQQLExpJbnRlcm1lZGlhdGUgQ0EgRGVwYXJ0bWVudDEkMCIGA1UE
AxMbUGFwZXJEcmFnb24gSW50ZXJtZWRpYXRlIENBFw0yNDExMTYxNjMyMjFaFw0y
NDExMjMxNjMyMjFaMACgIzAhMB8GA1UdIwQYMBaAFJAzuMyI4AKwil7C6Xj4rPVl
n4AvMAoGCCqGSM49BAMCA0kAMEYCIQCn8fMuUiVjNrB6m082QRP4muCVkqE/beTX
56lLYe2P9wIhALrbC6BiaTlxG66vmnDIANCFGrQavpbQ9utJDTG/fBHv
-----END X509 CRL-----
Third step: decoding to plaintext
openssl crl -in crl.pem -noout -text
This yields:
openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, L = Beijing, O = "PaperDragon Technology Co., Ltd.", OU = Intermediate CA Department, CN = PaperDragon Intermediate CA
Last Update: Nov 16 16:32:21 2024 GMT
Next Update: Nov 23 16:32:21 2024 GMT
CRL extensions:
X509v3 Authority Key Identifier:
90:33:B8:CC:88:E0:02:B0:8A:5E:C2:E9:78:F8:AC:F5:65:9F:80:2F
No Revoked Certificates.
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:a7:f1:f3:2e:52:25:63:36:b0:7a:9b:4f:36:
41:13:f8:9a:e0:95:92:a1:3f:6d:e4:d7:e7:a9:4b:61:ed:8f:
f7:02:21:00:ba:db:0b:a0:62:69:39:71:1b:ae:af:9a:70:c8:
00:d0:85:1a:b4:1a:be:96:d0:f6:eb:49:0d:31:bf:7c:11:ef
Combining the second and third steps
Here we feed in DER format and output text format directly.
openssl crl -inform DER -in crl.der -noout -text
This likewise yields the target data directly:
openssl crl -inform DER -in crl.der -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, L = Beijing, O = "PaperDragon Technology Co., Ltd.", OU = Intermediate CA Department, CN = PaperDragon Intermediate CA
Last Update: Nov 16 16:32:21 2024 GMT
Next Update: Nov 23 16:32:21 2024 GMT
CRL extensions:
X509v3 Authority Key Identifier:
90:33:B8:CC:88:E0:02:B0:8A:5E:C2:E9:78:F8:AC:F5:65:9F:80:2F
No Revoked Certificates.
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:a7:f1:f3:2e:52:25:63:36:b0:7a:9b:4f:36:
41:13:f8:9a:e0:95:92:a1:3f:6d:e4:d7:e7:a9:4b:61:ed:8f:
f7:02:21:00:ba:db:0b:a0:62:69:39:71:1b:ae:af:9a:70:c8:
00:d0:85:1a:b4:1a:be:96:d0:f6:eb:49:0d:31:bf:7c:11:ef
One-shot decoding script
curl --location --request GET 'http://83.229.120.34:8888/api/v1/cfssl/crl?expiry' | jq -r '.result' | base64 -d | openssl crl -inform DER -noout -text
The result is:
curl --location --request GET 'http://83.229.120.34:8888/api/v1/cfssl/crl?expiry' | jq -r '.result' | base64 -d | openssl crl -inform DER -noout -text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 495 100 495 0 0 139k 0 --:--:-- --:--:-- --:--:-- 161k
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, L = Beijing, O = "PaperDragon Technology Co., Ltd.", OU = Intermediate CA Department, CN = PaperDragon Intermediate CA
Last Update: Nov 16 16:36:22 2024 GMT
Next Update: Nov 23 16:36:22 2024 GMT
CRL extensions:
X509v3 Authority Key Identifier:
90:33:B8:CC:88:E0:02:B0:8A:5E:C2:E9:78:F8:AC:F5:65:9F:80:2F
No Revoked Certificates.
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:26:c6:50:ad:51:71:c6:cf:62:b7:13:33:a5:04:
d3:c5:82:50:79:08:3d:b7:5b:3b:27:39:77:e6:5d:89:dc:69:
02:21:00:ec:eb:b2:2e:29:12:50:44:59:e0:83:da:22:ab:15:
77:f9:a2:42:8d:3c:de:55:9a:b8:12:81:e3:35:ed:dd:3a
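As an added example (not code from the original post), here is a stdlib-only Python walk over the same DER structure that openssl prints above: it takes the page's result value, base64-decodes it exactly as the one-liner does, then parses thisUpdate, nextUpdate and the revoked serials out of the TBSCertList and checks whether the CRL is still inside its validity window. It goes beyond the page's empty CRL by also reading revoked entries and GeneralizedTime; the function names are my own.

```python
import base64
from datetime import datetime, timezone

# The CFSSL "result" value shown earlier on this page: base64 of a DER CertificateList.
CRL_B64 = (
    "MIIBRTCB7AIBATAKBggqhkjOPQQDAjCBlTELMAkGA1UEBhMCQ04xEDAOBgNVBAcTB0JlaWppbmcxKTAn"
    "BgNVBAoTIFBhcGVyRHJhZ29uIFRlY2hub2xvZ3kgQ28uLCBMdGQuMSMwIQYDVQQLExpJbnRlcm1lZGlh"
    "dGUgQ0EgRGVwYXJ0bWVudDEkMCIGA1UEAxMbUGFwZXJEcmFnb24gSW50ZXJtZWRpYXRlIENBFw0yNDEx"
    "MTYxNjIzMzZaFw0yNTA5MTIxNjIzMzZaMACgIzAhMB8GA1UdIwQYMBaAFJAzuMyI4AKwil7C6Xj4rPVl"
    "n4AvMAoGCCqGSM49BAMCA0gAMEUCIQC0xb6UcoCMT5Z7GD6avEbWnRxvdAPVmMZPZqUavmw0YwIgdbF7"
    "gsCgF6fUNZm2HXNEzxvHALp0A3WqD20p+13/7X0="
)

def tlv(buf, pos):
    # Read one DER tag-length-value at pos; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def asn1_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    _, cert_list, _ = tlv(der, 0)           # CertificateList ::= SEQUENCE { tbsCertList, sigAlg, sigValue }
    tbs = next(children(cert_list))[1]
    items = list(children(tbs))             # version?, signature, issuer, thisUpdate, nextUpdate?, ...
    version = items.pop(0)[1][0] + 1 if items[0][0] == 0x02 else 1    # INTEGER 1 means v2
    items.pop(0); items.pop(0)              # skip signature AlgorithmIdentifier and issuer Name
    this_update = asn1_time(*items.pop(0))
    next_update = asn1_time(*items.pop(0)) if items and items[0][0] in (0x17, 0x18) else None
    revoked = []
    if items and items[0][0] == 0x30:       # revokedCertificates SEQUENCE; CFSSL emits it even when empty
        for _, entry in children(items.pop(0)[1]):
            revoked.append(int.from_bytes(tlv(entry, 0)[1], "big"))   # entry begins with the serial INTEGER
    return {"version": version, "this_update": this_update, "next_update": next_update, "revoked": revoked}

def decode_cfssl_result(b64):               # same as `jq -r .result | base64 -d | openssl crl -inform DER`
    return parse_crl(base64.b64decode(b64))

def is_current(info, now):
    # A CRL is usable only within [thisUpdate, nextUpdate); a stale one must not be relied on.
    return info["this_update"] <= now and (info["next_update"] is None or now < info["next_update"])
```

Note that this parser only reads the fields; checking the ECDSA signature against the issuing CA's certificate is a separate step that openssl crl -verify can perform.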