Comments (6)
bdewater
commented on July 24, 2024
1
https://www.apple.com/certificateauthority/ lists various CRLs - the question is which one applies? Can you share the x5c header value and/or list the certificate chain from x5c to the Apple Root CA - G3 Root? The root will most certainly not have signed your x5c leaf certificate directly and the intermediate(s) probably have the crlDistributionPoints extension.
This seems to be working as expected and I don't think changes are needed. It's been a while since I wrote this code but if I remember correctly V_FLAG_CRL_CHECK and V_FLAG_CRL_CHECK_ALL means OpenSSL enforces CRL checks that it would normally not do, and the JWT RFC mentions it should be validated this way. So this error means somewhere in the chain there is a CRL specified and it fails on checking it since it's absent. Cross checking with the CLI options looks to confirm this.
Side bar: I think it's normal for a root CA to not have a CRL. The trust in a root comes from it being included in your browser/OS trust store since it's self-signed. If a root needs to be revoked that'll be done by these vendors (see eg DigiNotar) and not by the root itself. Imagine if a root is compromised, would you trust the CRL it signed? 😉
Back to the problem at hand: I searched for a bit and based on this announcement and the CN in the error you mentioned, it looks like the App Store receipt signing cert is signed by the Worldwide Developer Relations (WWDR) intermediate, which in turned is signed by "Apple Inc. Root" (not "Apple Root CA - G3 Root")?
Checking out "Worldwide Developer Relations - G8":
wwdr = OpenSSL::X509::Certificate.new File.read 'AppleWWDRCAG8.cer'
wwdr.find_extension('authorityKeyIdentifier').value
=> "2B:D0:69:47:94:76:09:FE:F4:6B:8D:2E:40:A6:F7:47:4D:7F:08:5E"
wwdr.crl_uris
=> ["http://crl.apple.com/root.crl"]That CRL is listed on Apple's site. And for fun let's look at "Apple Inc. Root":
root = OpenSSL::X509::Certificate.new File.read 'AppleIncRootCertificate.cer'
root.find_extension('subjectKeyIdentifier').value
=> "2B:D0:69:47:94:76:09:FE:F4:6B:8D:2E:40:A6:F7:47:4D:7F:08:5E"
root.crl_uris
=> nilIf it actually is "Apple Root CA - G3 Root", the above should hopefully help us debug the situation further.
from ruby-jwt.
anakinj
commented on July 24, 2024
@bdewater Sorry to bother you but do you have some insight on this one?
Is it really so that this Apple Root CA - G3 Root certificate does not have a CRL. Not that familiar what the requirements for CAs are, but maybe CRLs are optional? What about OCSP, does Apple support that to check for revoked certificates?
From the provided options I would prefer something proposed in 4.
from ruby-jwt.
epaew
commented on July 24, 2024
This is the raw header of the JWS I received.
encoded_header, = signed_transaction.split('.')
header = JSON.parse(Base64.decode64(encoded_header))
pp header{"alg"=>"ES256",
"x5c"=>
["MIIEMDCCA7agAwIBAgIQfTlfd0fNvFWvzC1YIANsXjAKBggqhkjOPQQDAzB1MUQwQgYDVQQDDDtBcHBsZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9ucyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTELMAkGA1UECwwCRzYxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTIzMDkxMjE5NTE1M1oXDTI1MTAxMTE5NTE1MlowgZIxQDA+BgNVBAMMN1Byb2QgRUNDIE1hYyBBcHAgU3RvcmUgYW5kIGlUdW5lcyBTdG9yZSBSZWNlaXB0IFNpZ25pbmcxLDAqBgNVBAsMI0FwcGxlIFdvcmxkd2lkZSBEZXZlbG9wZXIgUmVsYXRpb25zMRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEFEYe/JqTqyQv/dtXkauDHCScV129FYRV/0xiB24nCQkzQf3asHJONR5r0RA0aLvJ432hy1SZMouvyfpm26jXSjggIIMIICBDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFD8vlCNR01DJmig97bB85c+lkGKZMHAGCCsGAQUFBwEBBGQwYjAtBggrBgEFBQcwAoYhaHR0cDovL2NlcnRzLmFwcGxlLmNvbS93d2RyZzYuZGVyMDEGCCsGAQUFBzABhiVodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDAzLXd3ZHJnNjAyMIIBHgYDVR0gBIIBFTCCAREwggENBgoqhkiG92NkBQYBMIH+MIHDBggrBgEFBQcCAjCBtgyBs1JlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMDYGCCsGAQUFBwIBFipodHRwOi8vd3d3LmFwcGxlLmNvbS9jZXJ0aWZpY2F0ZWF1dGhvcml0eS8wHQYDVR0OBBYEFAMs8Pjs6VhWGQlzE2ZOE+GX4Oo/MA4GA1UdDwEB/wQEAwIHgDAQBgoqhkiG92NkBgsBBAIFADAKBggqhkjOPQQDAwNoADBlAjEA8yRNdskp506DFdPLghLLJwAv5J8hBGLaI8DExdcPX+aBKjjO8eUo9KpfpcNYUY5YAjAPXmMXEZL+Q02adrmmshNxz3NnKm+ouQwU7vBTn0LvlM7vps2YslVTamRYL4aSs5k=",
"MIIDFjCCApygAwIBAgIUIsGhRwp0c2nvU4YSycafPTjzbNcwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMjEwMzE3MjAzNzEwWhcNMzYwMzE5MDAwMDAwWjB1MUQwQgYDVQQDDDtBcHBsZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9ucyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTELMAkGA1UECwwCRzYxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEbsQKC94PrlWmZXnXgtxzdVJL8T0SGYngDRGpngn3N6PT8JMEb7FDi4bBmPhCnZ3/sq6PF/cGcKXWsL5vOteRhyJ45x3ASP7cOB+aao90fcpxSv/EZFbniAbNgZGhIhpIo4H6MIH3MBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUu7DeoVgziJqkipnevr3rr9rLJKswRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDAzLWFwcGxlcm9vdGNhZzMwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5hcHBsZS5jb20vYXBwbGVyb290Y2FnMy5jcmwwHQYDVR0OBBYEFD8vlCNR01DJmig97bB85c+lkGKZMA4GA1UdDwEB/wQEAwIBBjAQBgoqhkiG92NkBgIBBAIFADAKBggqhkjOPQQDAwNoADBlAjBAXhSq5IyKogMCPtw490BaB677CaEGJXufQB/EqZGd6CSjiCtOnuMTbXVXmxxcxfkCMQDTSPxarZXvNrkxU3TkUMI33yzvFVVRT4wxWJC994OsdcZ4+RGNsYDyR5gmdr0nDGg=",
"MIICQzCCAcmgAwIBAgIILcX8iNLFS5UwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTQwNDMwMTgxOTA2WhcNMzkwNDMwMTgxOTA2WjBnMRswGQYDVQQDDBJBcHBsZSBSb290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABJjpLz1AcqTtkyJygRMc3RCV8cWjTnHcFBbZDuWmBSp3ZHtfTjjTuxxEtX/1H7YyYl3J6YRbTzBPEVoA/VhYDKX1DyxNB0cTddqXl5dvMVztK517IDvYuVTZXpmkOlEKMaNCMEAwHQYDVR0OBBYEFLuw3qFYM4iapIqZ3r6966/ayySrMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gAMGUCMQCD6cHEFl4aXTQY2e3v9GwOAEZLuN+yRhHFD/3meoyhpmvOwgPUnPWTxnS4at+qIxUCMG1mihDK1A3UT82NQz60imOlM27jbdoXt2QfyFMm+YhidDkLF1vLUagM6BgD56KyKA=="]}
I found the URL of the CRL corresponding to the intermediate cert, thanks.
But I couldn't find the CRL for leaf cert.
header["x5c"].each do
cert = OpenSSL::X509::Certificate.new(Base64.decode64(_1))
pp cert
pp cert.crl_uris
end#<OpenSSL::X509::Certificate
subject=#<OpenSSL::X509::Name C=US,O=Apple Inc.,OU=Apple Worldwide Developer Relations,CN=Prod ECC Mac App Store and iTunes Store Receipt Signing>,
issuer=#<OpenSSL::X509::Name C=US,O=Apple Inc.,OU=G6,CN=Apple Worldwide Developer Relations Certification Authority>,
serial=#<OpenSSL::BN 166451396673336810269824643773700992094>,
not_before=2023-09-12 19:51:53 UTC,
not_after=2025-10-11 19:51:52 UTC>
nil
#<OpenSSL::X509::Certificate
subject=#<OpenSSL::X509::Name C=US,O=Apple Inc.,OU=G6,CN=Apple Worldwide Developer Relations Certification Authority>,
issuer=#<OpenSSL::X509::Name C=US,O=Apple Inc.,OU=Apple Certification Authority,CN=Apple Root CA - G3>,
serial=#<OpenSSL::BN 198423779283306946140152871826990384204123172055>,
not_before=2021-03-17 20:37:10 UTC,
not_after=2036-03-19 00:00:00 UTC>
["http://crl.apple.com/applerootcag3.crl"]
#<OpenSSL::X509::Certificate
subject=#<OpenSSL::X509::Name C=US,O=Apple Inc.,OU=Apple Certification Authority,CN=Apple Root CA - G3>,
issuer=#<OpenSSL::X509::Name C=US,O=Apple Inc.,OU=Apple Certification Authority,CN=Apple Root CA - G3>,
serial=#<OpenSSL::BN 3298319966700653461>,
not_before=2014-04-30 18:19:06 UTC,
not_after=2039-04-30 18:19:06 UTC>
nil
I passed the CRL of intermediate cert to .decode, but still I got JWT::VerificationError.
ROOT_CERT_URL = "https://www.apple.com/certificateauthority/AppleRootCA-G3.cer"
CRL_URL = "http://crl.apple.com/applerootcag3.crl"
root_certificates = [
OpenSSL::X509::Certificate.new(Faraday.get(ROOT_CERT_URL).body)
]
crls = [
OpenSSL::X509::CRL.new(Faraday.get(CRL_URL).body)
]
JWT.decode(
jws, nil, true, { algorithm: 'ES256', x5c: { root_certificates: root_certificates, crls: crls } }
)/home/epaew/.rbenv/versions/3.2.0/lib/ruby/gems/3.2.0/gems/jwt-2.8.1/lib/jwt/x5c_key_finder.rb:27:in `from': Certificate verification failed: unable to get certificate CRL. Certificate subject: /CN=Prod ECC Mac App Store and iTunes Store Receipt Signing/OU=Apple Worldwide Developer Relations/O=Apple Inc./C=US. (JWT::VerificationError)
I may understand that it is because Apple doesn't include the URL of CRL on the leaf cert, but what should I do in this case...?
Write the publickey finder like this or #471 ?
from ruby-jwt.
epaew
commented on July 24, 2024
Although it is unrelated to this issue, I feel uncomfortable with this I/F that requires decoding JWS by myself in order to obtain a CRL to calling .decode.
from ruby-jwt.
bdewater
commented on July 24, 2024
Thanks for sharing! So the intermediate CA is "Worldwide Developer Relations - G6" which is issued by "Apple Root CA - G3 Root" CA after all.
I've done some testing locally, and with this change validation succeeds:
- store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
However this skips verification of the leaf certificate ("Prod ECC Mac App Store and iTunes Store Receipt Signing") and AFAICS using the -crl_check_all command line flag sets both: https://github.com/openssl/openssl/blob/e97f468589e807e7f4722b150458edd53f374cd0/apps/lib/opt.c#L806-L809 so this is not a valid solution.
I noticed a couple of other things:
First, http://crl.apple.com/applerootcag3.crl contains no entries (it's total file size is only 323 bytes).
Second, the leaf certificate does have this information in the authorityInfoAccess extension:
CA Issuers - URI:http://certs.apple.com/wwdrg6.der
OCSP - URI:http://ocsp.apple.com/ocsp03-wwdrg602
it seems OCSP is the only way to verify this certificate.
I did a quick check using https://akshayranganath.github.io/OCSP-Validation-With-Openssl/ as a guide:
require 'openssl'
require 'base64'
encoded_certs = ["MIIEMDCCA7agAwIBAgIQfTlfd0fNvFWvzC1YIANsXjAKBggqhkjOPQQDAzB1MUQwQgYDVQQDDDtBcHBsZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9ucyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTELMAkGA1UECwwCRzYxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTIzMDkxMjE5NTE1M1oXDTI1MTAxMTE5NTE1MlowgZIxQDA+BgNVBAMMN1Byb2QgRUNDIE1hYyBBcHAgU3RvcmUgYW5kIGlUdW5lcyBTdG9yZSBSZWNlaXB0IFNpZ25pbmcxLDAqBgNVBAsMI0FwcGxlIFdvcmxkd2lkZSBEZXZlbG9wZXIgUmVsYXRpb25zMRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEFEYe/JqTqyQv/dtXkauDHCScV129FYRV/0xiB24nCQkzQf3asHJONR5r0RA0aLvJ432hy1SZMouvyfpm26jXSjggIIMIICBDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFD8vlCNR01DJmig97bB85c+lkGKZMHAGCCsGAQUFBwEBBGQwYjAtBggrBgEFBQcwAoYhaHR0cDovL2NlcnRzLmFwcGxlLmNvbS93d2RyZzYuZGVyMDEGCCsGAQUFBzABhiVodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDAzLXd3ZHJnNjAyMIIBHgYDVR0gBIIBFTCCAREwggENBgoqhkiG92NkBQYBMIH+MIHDBggrBgEFBQcCAjCBtgyBs1JlbGlhbmNlIG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZpY2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMDYGCCsGAQUFBwIBFipodHRwOi8vd3d3LmFwcGxlLmNvbS9jZXJ0aWZpY2F0ZWF1dGhvcml0eS8wHQYDVR0OBBYEFAMs8Pjs6VhWGQlzE2ZOE+GX4Oo/MA4GA1UdDwEB/wQEAwIHgDAQBgoqhkiG92NkBgsBBAIFADAKBggqhkjOPQQDAwNoADBlAjEA8yRNdskp506DFdPLghLLJwAv5J8hBGLaI8DExdcPX+aBKjjO8eUo9KpfpcNYUY5YAjAPXmMXEZL+Q02adrmmshNxz3NnKm+ouQwU7vBTn0LvlM7vps2YslVTamRYL4aSs5k=",
"MIIDFjCCApygAwIBAgIUIsGhRwp0c2nvU4YSycafPTjzbNcwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMjEwMzE3MjAzNzEwWhcNMzYwMzE5MDAwMDAwWjB1MUQwQgYDVQQDDDtBcHBsZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9ucyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTELMAkGA1UECwwCRzYxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEbsQKC94PrlWmZXnXgtxzdVJL8T0SGYngDRGpngn3N6PT8JMEb7FDi4bBmPhCnZ3/sq6PF/cGcKXWsL5vOteRhyJ45x3ASP7cOB+aao90fcpxSv/EZFbniAbNgZGhIhpIo4H6MIH3MBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUu7DeoVgziJqkipnevr3rr9rLJKswRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vb2NzcC5hcHBsZS5jb20vb2NzcDAzLWFwcGxlcm9vdGNhZzMwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5hcHBsZS5jb20vYXBwbGVyb290Y2FnMy5jcmwwHQYDVR0OBBYEFD8vlCNR01DJmig97bB85c+lkGKZMA4GA1UdDwEB/wQEAwIBBjAQBgoqhkiG92NkBgIBBAIFADAKBggqhkjOPQQDAwNoADBlAjBAXhSq5IyKogMCPtw490BaB677CaEGJXufQB/EqZGd6CSjiCtOnuMTbXVXmxxcxfkCMQDTSPxarZXvNrkxU3TkUMI33yzvFVVRT4wxWJC994OsdcZ4+RGNsYDyR5gmdr0nDGg=",
"MIICQzCCAcmgAwIBAgIILcX8iNLFS5UwCgYIKoZIzj0EAwMwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTQwNDMwMTgxOTA2WhcNMzkwNDMwMTgxOTA2WjBnMRswGQYDVQQDDBJBcHBsZSBSb290IENBIC0gRzMxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2IABJjpLz1AcqTtkyJygRMc3RCV8cWjTnHcFBbZDuWmBSp3ZHtfTjjTuxxEtX/1H7YyYl3J6YRbTzBPEVoA/VhYDKX1DyxNB0cTddqXl5dvMVztK517IDvYuVTZXpmkOlEKMaNCMEAwHQYDVR0OBBYEFLuw3qFYM4iapIqZ3r6966/ayySrMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gAMGUCMQCD6cHEFl4aXTQY2e3v9GwOAEZLuN+yRhHFD/3meoyhpmvOwgPUnPWTxnS4at+qIxUCMG1mihDK1A3UT82NQz60imOlM27jbdoXt2QfyFMm+YhidDkLF1vLUagM6BgD56KyKA=="]
signing_certificate, *certificate_chain = encoded_certs.map { OpenSSL::X509::Certificate.new(Base64.decode64(_1)) }
File.open("leaf.pem", "w") { |f| f.write signing_certificate }
File.open("chain.pem", "w") { |f| f.write certificate_chain.join }openssl ocsp -issuer chain.pem -cert leaf.pem -text -url http://ocsp.apple.com/ocsp03-wwdrg602
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 08326B2D26CA9EBD00B81EBADC08BB6A175148EF
Issuer Key Hash: 3F2F942351D350C99A283DEDB07CE5CFA5906299
Serial Number: 7D395F7747CDBC55AFCC2D5820036C5E
Request Extensions:
OCSP Nonce:
0410ED8E992F17097EBB2D71954360197A85
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 2096C0D4932D4EF2DB7B8F91BF9AE2B0ACD57442
Produced At: Apr 1 19:54:40 2024 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 08326B2D26CA9EBD00B81EBADC08BB6A175148EF
Issuer Key Hash: 3F2F942351D350C99A283DEDB07CE5CFA5906299
Serial Number: 7D395F7747CDBC55AFCC2D5820036C5E
Cert Status: good
This Update: Apr 1 19:54:40 2024 GMT
Next Update: Apr 2 07:54:39 2024 GMT
Response Extensions:
OCSP Nonce:
0410ED8E992F17097EBB2D71954360197A85
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:66:02:31:00:d7:d5:51:3b:86:69:c5:3d:72:03:df:a2:90:
3d:fb:26:53:b0:df:07:73:9f:30:63:6b:bd:aa:50:e9:1e:85:
cb:62:e0:95:98:4f:85:05:e0:ed:4f:4b:8d:b3:8c:b3:ab:02:
31:00:bd:fa:1b:0c:79:7c:34:eb:cb:e6:bf:f4:7d:85:75:dd:
dd:84:dd:1e:2e:61:0a:c9:33:ca:a6:d1:4f:cf:4f:77:45:53:
bf:e1:c0:16:28:3e:10:c6:f8:da:62:a8:d3:74
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6f:dd:b0:3f:46:fe:b2:8f:03:7b:6f:18:b1:22:f2:97
Signature Algorithm: ecdsa-with-SHA384
Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=G6, O=Apple Inc., C=US
Validity
Not Before: Mar 21 20:39:35 2024 GMT
Not After : May 2 20:39:34 2024 GMT
Subject: CN=Apple Worldwide Developer Relations Certification Authority G6 OCSP Responder MG1 20240321, O=Apple Inc., C=US
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:c4:f5:b4:38:af:14:77:9e:2a:4a:26:5a:ef:b1:
10:56:3b:f6:2b:75:e7:a4:79:11:eb:ff:0f:72:5b:
43:f7:89:76:03:43:56:0f:b3:04:45:87:5b:50:fc:
84:22:17:bf:c8:da:97:2a:69:ab:87:49:c3:4a:7b:
ba:d4:aa:b0:df:a6:02:c3:f6:5e:76:bf:2a:5d:9e:
f8:73:62:0d:39:40:6d:95:00:a1:75:7e:43:99:55:
8a:42:16:ed:31:52:30
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
3F:2F:94:23:51:D3:50:C9:9A:28:3D:ED:B0:7C:E5:CF:A5:90:62:99
OCSP No Check:
X509v3 Extended Key Usage:
OCSP Signing
X509v3 Subject Key Identifier:
20:96:C0:D4:93:2D:4E:F2:DB:7B:8F:91:BF:9A:E2:B0:AC:D5:74:42
X509v3 Key Usage: critical
Digital Signature
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:65:02:30:2d:d9:97:eb:2b:4c:ce:4e:87:e1:a7:42:ae:bd:
30:29:b8:1d:12:26:90:d3:ed:54:ff:49:9e:c4:44:f0:cc:45:
b1:47:15:2d:b9:ee:d3:25:02:d9:3f:58:1e:1e:52:b7:02:31:
00:e6:c5:86:6e:6c:b1:87:ab:c4:42:05:8b:9a:f1:62:70:70:
87:93:e1:fd:5a:2a:7d:3f:29:d1:ee:18:1d:5a:61:c8:a9:c0:
d3:ae:b6:3f:77:be:b7:29:6a:5a:68:e9:24
-----BEGIN CERTIFICATE-----
MIICwDCCAkagAwIBAgIQb92wP0b+so8De28YsSLylzAKBggqhkjOPQQDAzB1MUQw
QgYDVQQDDDtBcHBsZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9ucyBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTELMAkGA1UECwwCRzYxEzARBgNVBAoMCkFwcGxl
IEluYy4xCzAJBgNVBAYTAlVTMB4XDTI0MDMyMTIwMzkzNVoXDTI0MDUwMjIwMzkz
NFowgYcxYzBhBgNVBAMMWkFwcGxlIFdvcmxkd2lkZSBEZXZlbG9wZXIgUmVsYXRp
b25zIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEc2IE9DU1AgUmVzcG9uZGVyIE1H
MSAyMDI0MDMyMTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwdjAQ
BgcqhkjOPQIBBgUrgQQAIgNiAATE9bQ4rxR3nipKJlrvsRBWO/YrdeekeRHr/w9y
W0P3iXYDQ1YPswRFh1tQ/IQiF7/I2pcqaauHScNKe7rUqrDfpgLD9l52vypdnvhz
Yg05QG2VAKF1fkOZVYpCFu0xUjCjgYcwgYQwDAYDVR0TAQH/BAIwADAfBgNVHSME
GDAWgBQ/L5QjUdNQyZooPe2wfOXPpZBimTAPBgkrBgEFBQcwAQUEAgUAMBMGA1Ud
JQQMMAoGCCsGAQUFBwMJMB0GA1UdDgQWBBQglsDUky1O8tt7j5G/muKwrNV0QjAO
BgNVHQ8BAf8EBAMCB4AwCgYIKoZIzj0EAwMDaAAwZQIwLdmX6ytMzk6H4adCrr0w
KbgdEiaQ0+1U/0mexETwzEWxRxUtue7TJQLZP1geHlK3AjEA5sWGbmyxh6vEQgWL
mvFicHCHk+H9Wip9PynR7hgdWmHIqcDTrrY/d763KWpaaOkk
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
22:c1:a1:47:0a:74:73:69:ef:53:86:12:c9:c6:9f:3d:38:f3:6c:d7
Signature Algorithm: ecdsa-with-SHA384
Issuer: CN=Apple Root CA - G3, OU=Apple Certification Authority, O=Apple Inc., C=US
Validity
Not Before: Mar 17 20:37:10 2021 GMT
Not After : Mar 19 00:00:00 2036 GMT
Subject: CN=Apple Worldwide Developer Relations Certification Authority, OU=G6, O=Apple Inc., C=US
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:6e:c4:0a:0b:de:0f:ae:55:a6:65:79:d7:82:dc:
73:75:52:4b:f1:3d:12:19:89:e0:0d:11:a9:9e:09:
f7:37:a3:d3:f0:93:04:6f:b1:43:8b:86:c1:98:f8:
42:9d:9d:ff:b2:ae:8f:17:f7:06:70:a5:d6:b0:be:
6f:3a:d7:91:87:22:78:e7:1d:c0:48:fe:dc:38:1f:
9a:6a:8f:74:7d:ca:71:4a:ff:c4:64:56:e7:88:06:
cd:81:91:a1:22:1a:48
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Authority Key Identifier:
BB:B0:DE:A1:58:33:88:9A:A4:8A:99:DE:BE:BD:EB:AF:DA:CB:24:AB
Authority Information Access:
OCSP - URI:http://ocsp.apple.com/ocsp03-applerootcag3
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.apple.com/applerootcag3.crl
X509v3 Subject Key Identifier:
3F:2F:94:23:51:D3:50:C9:9A:28:3D:ED:B0:7C:E5:CF:A5:90:62:99
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.2.840.113635.100.6.2.1:
..
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:65:02:30:40:5e:14:aa:e4:8c:8a:a2:03:02:3e:dc:38:f7:
40:5a:07:ae:fb:09:a1:06:25:7b:9f:40:1f:c4:a9:91:9d:e8:
24:a3:88:2b:4e:9e:e3:13:6d:75:57:9b:1c:5c:c5:f9:02:31:
00:d3:48:fc:5a:ad:95:ef:36:b9:31:53:74:e4:50:c2:37:df:
2c:ef:15:55:51:4f:8c:31:58:90:bd:f7:83:ac:75:c6:78:f9:
11:8d:b1:80:f2:47:98:26:76:bd:27:0c:68
-----BEGIN CERTIFICATE-----
MIIDFjCCApygAwIBAgIUIsGhRwp0c2nvU4YSycafPTjzbNcwCgYIKoZIzj0EAwMw
ZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBD
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkG
A1UEBhMCVVMwHhcNMjEwMzE3MjAzNzEwWhcNMzYwMzE5MDAwMDAwWjB1MUQwQgYD
VQQDDDtBcHBsZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9ucyBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eTELMAkGA1UECwwCRzYxEzARBgNVBAoMCkFwcGxlIElu
Yy4xCzAJBgNVBAYTAlVTMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEbsQKC94PrlWm
ZXnXgtxzdVJL8T0SGYngDRGpngn3N6PT8JMEb7FDi4bBmPhCnZ3/sq6PF/cGcKXW
sL5vOteRhyJ45x3ASP7cOB+aao90fcpxSv/EZFbniAbNgZGhIhpIo4H6MIH3MBIG
A1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUu7DeoVgziJqkipnevr3rr9rL
JKswRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vb2NzcC5hcHBs
ZS5jb20vb2NzcDAzLWFwcGxlcm9vdGNhZzMwNwYDVR0fBDAwLjAsoCqgKIYmaHR0
cDovL2NybC5hcHBsZS5jb20vYXBwbGVyb290Y2FnMy5jcmwwHQYDVR0OBBYEFD8v
lCNR01DJmig97bB85c+lkGKZMA4GA1UdDwEB/wQEAwIBBjAQBgoqhkiG92NkBgIB
BAIFADAKBggqhkjOPQQDAwNoADBlAjBAXhSq5IyKogMCPtw490BaB677CaEGJXuf
QB/EqZGd6CSjiCtOnuMTbXVXmxxcxfkCMQDTSPxarZXvNrkxU3TkUMI33yzvFVVR
T4wxWJC994OsdcZ4+RGNsYDyR5gmdr0nDGg=
-----END CERTIFICATE-----
Response Verify Failure
C0BA000702000000:error:13800065:OCSP routines:ocsp_verify_signer:certificate verify error:crypto/ocsp/ocsp_vfy.c:64:Verify error: unable to get local issuer certificate
C0BA000702000000:error:13800065:OCSP routines:ocsp_verify_signer:certificate verify error:crypto/ocsp/ocsp_vfy.c:64:Verify error: unable to get local issuer certificate
leaf.pem: good
This Update: Apr 1 19:54:40 2024 GMT
Next Update: Apr 2 07:54:39 2024 GMTThis doesn't look correct for the rest of the chain, but at least leaf.pem validates so I guess this is going in the right direction?
I may understand that it is because Apple doesn't include the URL of CRL on the leaf cert, but what should I do in this case...?
Write the publickey finder like this or #471 ?
FWIW - the (pseudo)code given in #471 looks to be reimplementing what OpenSSL::X509::Store does. I'd be wary of this possibly missing any edge cases OpenSSL is handling. If you're writing a custom keyfinder you can achieve the same by not setting store.flags.
IMO the better solution would be to implement a keyfinder that uses OCSP. https://ruby-doc.org/3.3.0/exts/openssl/OpenSSL/OCSP.html provides a starting point if you want to go down this path.
from ruby-jwt.
epaew
commented on July 24, 2024
@bdewater
Thank you for your advice. I didn't know about OCSP so this information helped me a lot.
I think it might be hard to implement support for that validation process into ruby-jwt because if it requires online validation process...
I will try creating a simple cert verifier myself and close this issue if it looks okay.
from ruby-jwt.
Related Issues (20)
- Drop the custom Base64 encode and decode to favour the built-in methods
- Are there breaking changes between 1.x and 2.x? HOT 2
- Possibility to override the alg header when encoding tokens HOT 2
- Bug: undefined method `casecmp' for nil:NilClass when invalid alg
- Support x5t in place of kid
- verification of at_hash == access_token HOT 4
- OpenSSL 3 - Unable to create OpenSSL::PKey instances from pem/der/asn sequences HOT 1
- Alg optional member Readme HOT 5
- Yeah steady stay
- 50
- 100 HOT 2
- جدة
- JWT not being signed HOT 2
- Deprecation warning for invalid base64 should only be issued if fixed base64 is valid HOT 2
- شارع الربعين HOT 5
- H
- eyJhbGciOiJub25lIn0.eyJhZGRyZXNzIjp7InppcGNvZGUiOm51bGwsInN0cmVldG5vIjpudWxsLCJjaXR5IjoiQUwtQUZMQUciLCJzdHJlZXQiOm51bGx9LCJ0b2tlblVVSUQiOiI3Zjk1Yzc0ZDA3Y2M0OGI1OWNlNzhlYzBlZTU.
- T
- ExpiredSignature should perhaps not be a subclass of DecodeError HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ruby-jwt.