• Renton1
  • NEWBIE
  • 0 Points
  • Member since 2013

  • Chatter
    Feed
  • 0
    Best Answers
  • 0
    Likes Received
  • 0
    Likes Given
  • 1
    Questions
  • 2
    Replies

Issue with SalesForce Cert.
---------------------------

The Salesforce cert is dumped below with linenumbers in text using
"openssl x509 -text -noout | nl" for convenience.

Line 38-41 show the Authority Key Identifier - this is used to identify
the public key used to sign this cert (which in practice disambiguates two
potential issuing certificates with the same subject id, but different
keys.)

This can be done in two separate ways

(a) using a "keyid" to specify the key itself, matching a "subject
key" in the issuer's cert

(b) using a serial number and issuer name.

(Note in the second case, that's the issuer's issuer, not the subject's
issuer, and for a self-signed cert, the subject, issuer, and issuer's
issuer are all the same cert.)

Lines 38-41 therefore give two distinct ways to locate the issuing
certificate. It's either

(a) one with subject key Id
A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59

(b) one with serial:01:3E:54:E9:2C:EE:00:00:00:00:5A:A5:E1:D7
and issuer /CN=BT Consumer Complaints/OU=00DW0000003idkb/
O=Salesforce.com/L=San Francisco/ST=CA/C=USA

Look at the serial number of the subject cert:
01:3e:54:e9:2c:ca:00:00:00:00:5a:a5:e1:d7

This is actually _not_ the same as the subject key Id in the subject cert
(the 6th octet differs - "CA" vs "EE"), so by that definition, the key
used to sign this certificate is not the same as the subject's own key,
certificate, and it is not a self-signed cert. This issue causes the
OpenSSL stack to fail, and reasonably so.

It's done this since 2006, at least: If another product is using OpenSSL,
and is _not_ failing this verification of such a problematic salesforce
cert, then it may not be verifying peer certificates properly at all
(eg, by installing a handler with SSL_CTX_set_cert_verify_callback() that
does not properly verify the cert chain, or calling SSL_CTX_set_verify()
with SSL_VERIFY_NONE)

Cert follows:

1 Certificate:
2 Data:
3 Version: 3 (0x2)
4 Serial Number:
5 01:3e:54:e9:2c:ca:00:00:00:00:5a:a5:e1:d7
6 Signature Algorithm: sha1WithRSAEncryption
7 Issuer: CN=BT Consumer Complaints, OU=00DW0000003idkb, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
8 Validity
9 Not Before: Apr 29 08:29:27 2013 GMT
10 Not After : Apr 29 08:29:27 2015 GMT
11 Subject: CN=BT Consumer Complaints, OU=00DW0000003idkb, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
12 Subject Public Key Info:
13 Public Key Algorithm: rsaEncryption
14 Public-Key: (2048 bit)
15 Modulus:
16 00:aa:9f:24:20:28:ef:a5:b0:2b:18:df:69:cf:51:
17 f6:bc:5a:83:44:1d:9a:4a:50:95:c3:8a:21:c1:6f:
18 a0:f6:ae:13:d9:0a:d2:72:22:0c:f3:95:84:af:05:
19 cb:ce:42:b4:52:48:1e:fa:ae:14:a0:b8:7a:31:d3:
20 de:d5:c0:66:9e:2d:d4:74:32:ad:35:91:cf:6d:30:
21 8d:7c:1c:48:8e:af:a3:46:7d:2e:e2:c8:4d:0e:c7:
22 bb:64:54:0c:6f:8e:f0:c5:be:3d:17:67:b2:45:b0:
23 45:57:d8:36:e7:87:0d:1e:5e:71:c0:d0:f7:6f:91:
24 90:13:ef:71:34:bd:73:82:49:86:bb:8c:fe:72:8c:
25 2a:26:67:1d:c3:16:e4:d9:0a:9d:d0:58:55:6e:78:
26 1d:48:6b:3a:f2:00:76:a5:86:6e:f3:64:c5:8a:05:
27 08:c6:5f:3d:dc:07:72:9c:82:72:bd:2f:5d:69:ca:
28 d3:82:f1:7a:43:4a:c4:2d:3d:cf:5e:6b:c7:07:0a:
29 5d:5d:86:41:28:cf:b9:15:2f:2f:78:0f:58:85:01:
30 80:69:54:37:32:2e:86:cf:53:d8:63:42:f7:cf:0e:
31 53:c6:14:d0:be:98:36:bc:2d:f8:80:35:fb:0c:ab:
32 b7:b8:44:44:fb:51:8c:d1:ef:b3:5a:03:c0:a4:af:
33 98:df
34 Exponent: 65537 (0x10001)
35 X509v3 extensions:
36 X509v3 Subject Key Identifier:
37 A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59
38 X509v3 Authority Key Identifier:
39 keyid:A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59
40 DirName:/CN=BT Consumer Complaints/OU=00DW0000003idkb/O=Salesforce.com/L=San Francisco/ST=CA/C=USA
41 serial:01:3E:54:E9:2C:EE:00:00:00:00:5A:A5:E1:D7

42 X509v3 Basic Constraints: critical
43 CA:TRUE
44 Signature Algorithm: sha1WithRSAEncryption
45 92:9b:4e:88:f9:af:1f:d7:ef:e8:dc:d3:21:d0:16:4f:dc:e3:
46 2b:51:08:9f:f1:79:65:7c:39:16:42:32:13:78:ec:2e:da:c4:
47 b1:21:9e:f3:74:11:1e:d9:57:9b:d4:73:16:92:c3:49:e9:79:
48 11:ee:99:b9:71:f9:7c:92:e2:c7:35:65:b4:dc:32:cd:f8:3a:
49 c9:9b:90:d2:e0:7c:f5:ca:d7:28:57:d6:39:2b:4c:f2:4a:fe:
50 53:b6:49:f4:71:34:54:35:c1:5b:fc:d3:c5:4d:cb:7c:46:c1:
51 5a:68:e1:b4:c2:97:98:45:7e:54:b0:6d:40:c1:67:1a:8d:7a:
52 db:cf:64:7a:ba:f6:9e:e9:06:c4:83:03:84:ea:ed:77:99:b9:
53 16:67:92:a7:f9:bf:0f:b2:a9:b7:26:b3:3e:a1:15:f4:84:eb:
54 8a:04:2f:6f:85:d3:4e:a6:ff:fe:7a:cd:8b:13:0e:7a:36:04:
55 4d:34:77:49:68:f6:95:ea:77:ec:43:37:ab:05:ae:c9:16:c0:
56 51:8e:f4:f1:84:81:9b:e3:48:7d:97:c3:46:82:7c:e8:5e:9d:
57 34:7b:b9:1b:85:05:68:1b:36:8c:0d:9f:a3:1c:5d:62:d2:d5:
58 ef:35:c6:ce:58:b9:88:7b:42:05:3c:ff:a9:05:bd:e2:8e:78:
59 50:dd:78:1f

  • September 12, 2013
  • Like
  • 0

Issue with SalesForce Cert.
---------------------------

The Salesforce cert is dumped below with linenumbers in text using
"openssl x509 -text -noout | nl" for convenience.

Line 38-41 show the Authority Key Identifier - this is used to identify
the public key used to sign this cert (which in practice disambiguates two
potential issuing certificates with the same subject id, but different
keys.)

This can be done in two separate ways

(a) using a "keyid" to specify the key itself, matching a "subject
key" in the issuer's cert

(b) using a serial number and issuer name.

(Note in the second case, that's the issuer's issuer, not the subject's
issuer, and for a self-signed cert, the subject, issuer, and issuer's
issuer are all the same cert.)

Lines 38-41 therefore give two distinct ways to locate the issuing
certificate. It's either

(a) one with subject key Id
A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59

(b) one with serial:01:3E:54:E9:2C:EE:00:00:00:00:5A:A5:E1:D7
and issuer /CN=BT Consumer Complaints/OU=00DW0000003idkb/
O=Salesforce.com/L=San Francisco/ST=CA/C=USA

Look at the serial number of the subject cert:
01:3e:54:e9:2c:ca:00:00:00:00:5a:a5:e1:d7

This is actually _not_ the same as the subject key Id in the subject cert
(the 6th octet differs - "CA" vs "EE"), so by that definition, the key
used to sign this certificate is not the same as the subject's own key,
certificate, and it is not a self-signed cert. This issue causes the
OpenSSL stack to fail, and reasonably so.

It's done this since 2006, at least: If another product is using OpenSSL,
and is _not_ failing this verification of such a problematic salesforce
cert, then it may not be verifying peer certificates properly at all
(eg, by installing a handler with SSL_CTX_set_cert_verify_callback() that
does not properly verify the cert chain, or calling SSL_CTX_set_verify()
with SSL_VERIFY_NONE)

Cert follows:

1 Certificate:
2 Data:
3 Version: 3 (0x2)
4 Serial Number:
5 01:3e:54:e9:2c:ca:00:00:00:00:5a:a5:e1:d7
6 Signature Algorithm: sha1WithRSAEncryption
7 Issuer: CN=BT Consumer Complaints, OU=00DW0000003idkb, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
8 Validity
9 Not Before: Apr 29 08:29:27 2013 GMT
10 Not After : Apr 29 08:29:27 2015 GMT
11 Subject: CN=BT Consumer Complaints, OU=00DW0000003idkb, O=Salesforce.com, L=San Francisco, ST=CA, C=USA
12 Subject Public Key Info:
13 Public Key Algorithm: rsaEncryption
14 Public-Key: (2048 bit)
15 Modulus:
16 00:aa:9f:24:20:28:ef:a5:b0:2b:18:df:69:cf:51:
17 f6:bc:5a:83:44:1d:9a:4a:50:95:c3:8a:21:c1:6f:
18 a0:f6:ae:13:d9:0a:d2:72:22:0c:f3:95:84:af:05:
19 cb:ce:42:b4:52:48:1e:fa:ae:14:a0:b8:7a:31:d3:
20 de:d5:c0:66:9e:2d:d4:74:32:ad:35:91:cf:6d:30:
21 8d:7c:1c:48:8e:af:a3:46:7d:2e:e2:c8:4d:0e:c7:
22 bb:64:54:0c:6f:8e:f0:c5:be:3d:17:67:b2:45:b0:
23 45:57:d8:36:e7:87:0d:1e:5e:71:c0:d0:f7:6f:91:
24 90:13:ef:71:34:bd:73:82:49:86:bb:8c:fe:72:8c:
25 2a:26:67:1d:c3:16:e4:d9:0a:9d:d0:58:55:6e:78:
26 1d:48:6b:3a:f2:00:76:a5:86:6e:f3:64:c5:8a:05:
27 08:c6:5f:3d:dc:07:72:9c:82:72:bd:2f:5d:69:ca:
28 d3:82:f1:7a:43:4a:c4:2d:3d:cf:5e:6b:c7:07:0a:
29 5d:5d:86:41:28:cf:b9:15:2f:2f:78:0f:58:85:01:
30 80:69:54:37:32:2e:86:cf:53:d8:63:42:f7:cf:0e:
31 53:c6:14:d0:be:98:36:bc:2d:f8:80:35:fb:0c:ab:
32 b7:b8:44:44:fb:51:8c:d1:ef:b3:5a:03:c0:a4:af:
33 98:df
34 Exponent: 65537 (0x10001)
35 X509v3 extensions:
36 X509v3 Subject Key Identifier:
37 A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59
38 X509v3 Authority Key Identifier:
39 keyid:A6:E0:FA:0A:4B:47:F5:E0:7F:69:BA:E3:62:5E:D7:17:FB:B4:D5:59
40 DirName:/CN=BT Consumer Complaints/OU=00DW0000003idkb/O=Salesforce.com/L=San Francisco/ST=CA/C=USA
41 serial:01:3E:54:E9:2C:EE:00:00:00:00:5A:A5:E1:D7

42 X509v3 Basic Constraints: critical
43 CA:TRUE
44 Signature Algorithm: sha1WithRSAEncryption
45 92:9b:4e:88:f9:af:1f:d7:ef:e8:dc:d3:21:d0:16:4f:dc:e3:
46 2b:51:08:9f:f1:79:65:7c:39:16:42:32:13:78:ec:2e:da:c4:
47 b1:21:9e:f3:74:11:1e:d9:57:9b:d4:73:16:92:c3:49:e9:79:
48 11:ee:99:b9:71:f9:7c:92:e2:c7:35:65:b4:dc:32:cd:f8:3a:
49 c9:9b:90:d2:e0:7c:f5:ca:d7:28:57:d6:39:2b:4c:f2:4a:fe:
50 53:b6:49:f4:71:34:54:35:c1:5b:fc:d3:c5:4d:cb:7c:46:c1:
51 5a:68:e1:b4:c2:97:98:45:7e:54:b0:6d:40:c1:67:1a:8d:7a:
52 db:cf:64:7a:ba:f6:9e:e9:06:c4:83:03:84:ea:ed:77:99:b9:
53 16:67:92:a7:f9:bf:0f:b2:a9:b7:26:b3:3e:a1:15:f4:84:eb:
54 8a:04:2f:6f:85:d3:4e:a6:ff:fe:7a:cd:8b:13:0e:7a:36:04:
55 4d:34:77:49:68:f6:95:ea:77:ec:43:37:ab:05:ae:c9:16:c0:
56 51:8e:f4:f1:84:81:9b:e3:48:7d:97:c3:46:82:7c:e8:5e:9d:
57 34:7b:b9:1b:85:05:68:1b:36:8c:0d:9f:a3:1c:5d:62:d2:d5:
58 ef:35:c6:ce:58:b9:88:7b:42:05:3c:ff:a9:05:bd:e2:8e:78:
59 50:dd:78:1f

  • September 12, 2013
  • Like
  • 0