
Some time back Google Chrome announced plans to distrust Symantec certificates. I am trying to figure out how this is done for a POC.

When I visit chase.com on Google Chrome, I get the following message in the dev console:

The SSL certificate used to load resources from https://www.chase.com will be distrusted in M70. Once distrusted, users will be prevented from loading these resources. See https://g.co/chrome/symantecpkicerts for more information.

From the Chromium source, I could see that they have a list of hashes that they check against - symantec_certs.cc and in this README.md they use the following openssl command to get the hashes from the certificates.

for f in roots/*.pem; 
do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; 
digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; 
echo "0x${digest} ${f##*/}"; 
done | sort 

Now for chase.com, I got the certs using the following command

openssl s_client -host chase.com -port 443 -prexit -showcerts

This outputs two certs both of which I copied to separate files (from 'begin certificate' to 'end certificate') cert1.cert and cert2.cert

To get the hashes, I executed the following

for f in ./*.cert; 
do cat "${f}" | openssl x509 -noout -pubkey | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; 
digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; 
echo "0x${digest}"; 
done

which gives

0x14,0x72,0x0b,0x47,0x2b,0x12,0x3d,0xc2,0xfd,0xcc,0x13,0x2a,0x81,0x09,0xc7,0x29,0x97,0x13,0x36,0xaf,0x95,0x38,0x9f,0x89,0x12,0xa4,0x71,0xa8,0x78,0xdd,0xb7,0x37
0x80,0xcc,0x56,0x3a,0xb5,0xf8,0x3c,0xc4,0x1e,0xb0,0xaf,0x6a,0x14,0xd6,0xd8,0x07,0x18,0xc1,0x7e,0x35,0x2f,0x96,0x49,0xff,0xbc,0xdd,0x67,0xf8,0xbf,0x65,0x13,0x91

both of which aren't in symantec_certs.cc

I believe the certificate chain doesn't contain the Root CA certificate. Am I supposed to calculate the Root's public key hash as well and check it against the known distrusted roots? If yes, how do I get the Root certificate?

Krishnaraj
    You might want to look at this question to get the root: https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux – user2313067 Dec 28 '17 at 09:41
  • @krishnaraj: Did you manage to solve this question? – StackzOfZtuff Aug 13 '18 at 12:47
  • @StackzOfZtuff Yes, I did have to check with the root CA's hash and I wrote the solution in Java. – Krishnaraj Aug 14 '18 at 07:03
  • See https://github.com/DanielRuf/symantecpkicerts/blob/master/ca-list.json which I have extracted from all child CAs from https://crt.sh/ based on the affected roots. Chrome checks them all. – Daniel Ruf Nov 18 '18 at 14:20

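The openssl pipeline in the question does, per certificate, exactly one thing: take the DER-encoded SubjectPublicKeyInfo, SHA-256 it, and print the digest as the `0x..,0x..` byte list that `symantec_certs.cc` uses. The script below is an added example (not Chromium's code and not the question author's) that performs the same computation in Python over a whole PEM chain, so that an intermediate, a leaf, and a root obtained separately can all be hashed and compared against a list in one pass. The DER walker is a minimal hand-written parser assumed sufficient for ordinary X.509 certificates, the `DISTRUSTED_SPKI_HASHES` set is a constructed placeholder rather than the real Chromium list, and the certificate built by `build_constructed_cert` is a structurally valid but unsigned dummy used only as sample input.

```python
"""Chromium-style SubjectPublicKeyInfo hashes for every certificate in a PEM chain.

Added example, not the page's or Chromium's own code. The DER walker is a minimal
hand-written parser (assumption: single-byte tags, as in ordinary X.509), and the
distrusted-hash set below is a constructed placeholder, not the symantec_certs.cc list.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder: the real values live in Chromium's symantec_certs.cc.
DISTRUSTED_SPKI_HASHES = set()


def pem_to_der_certs(pem_text):
    """Split what `openssl s_client -showcerts` prints into DER certificates."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form length: 0x8N followed by N bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length


def der_children(buf, start, end):
    """List (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = der_read_tlv(buf, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo, i.e. what `openssl x509 -pubkey | openssl asn1parse -out` writes."""
    _, cert_vs, _ = der_read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, tbs_vs, tbs_ve = der_read_tlv(cert_der, cert_vs)  # tbsCertificate ::= SEQUENCE
    fields = der_children(cert_der, tbs_vs, tbs_ve)
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, tlv_start, _, tlv_end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[tlv_start:tlv_end]


def chromium_hash(spki_der):
    """SHA-256 of the SPKI, formatted as the 0x..,0x.. byte list used in symantec_certs.cc."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return ",".join("0x" + digest[i:i + 2] for i in range(0, 64, 2))


def check_chain(pem_text, distrusted):
    """Return [(hash, is_distrusted), ...] in chain order; a root appended to the PEM is checked too."""
    hashes = [chromium_hash(extract_spki(c)) for c in pem_to_der_certs(pem_text)]
    return [(h, h in distrusted) for h in hashes]


# ---- constructed sample input (placeholder certificate, not a real key or signature) ----
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_spki():
    rsa_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    return der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + bytes(range(64))))  # dummy key bits


def build_constructed_cert(spki_der):
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    name = der_tlv(0x30, b"")  # empty Name is DER-valid
    validity = der_tlv(0x30, der_tlv(0x17, b"180101000000Z") + der_tlv(0x17, b"190101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + name + validity + name + spki_der)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 33))  # dummy signature


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = der_to_pem(build_constructed_cert(sample_spki()))
    DISTRUSTED_SPKI_HASHES.add(chromium_hash(sample_spki()))  # pretend this SPKI is on the list
    for h, bad in check_chain(pem, DISTRUSTED_SPKI_HASHES):
        print(("DISTRUSTED " if bad else "ok         ") + h)
```

On real input, replace the constructed PEM with the output of `openssl s_client -showcerts` plus the root obtained separately, and fill the set with the byte lists copied from `symantec_certs.cc`; the output for each certificate should match what the question's `openssl dgst -sha256 -c` loop prints.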