F5 Sites
  • F5.com
  • LearnF5
  • NGINX
  • MyF5
  • Partner Central
Contact
  • Under Attack?
  • F5 Support
  • DevCentral Support
  • F5 Sales
  • NGINX Sales
  • F5 Professional Services
Skip to contentBrand Logo
Forums
CrowdSRC
Articles
Groups
EventsSuggestionsHow Do I...?
RegisterSign In
  1. DevCentral
  2. Articles
  3. Technical Articles

OCSP through an outbound explicit proxy

Hey DC community, Kevin Stewart here with a fun little project I'd like to share. There have been countless questions about this over the years: how to pass LTM or APM OCSP requests through an out...
Published Dec 05, 2017
Version 1.0
BIG-IP Access Policy Manager (APM)
LTM
ocsp
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
Piotr_Biesiada's avatar
Piotr_Biesiada
Icon for Nimbostratus rankNimbostratus
Nov 08, 2019

Hi,

small improvement about issuer object length in Application iRule

when CLIENTSSL_CLIENTCERT {
   ## Get the SHA1 hash of the DER-formatted issuer value
   ## X509 certificates are ASN.1-formatted, which is not easy to parse.
   ## Based on RFC5280 (https://tools.ietf.org/html/rfc5280), the issuer field is a mandatory value in the X509 certificate
   ## that comes directly after the signature algorithmIdentifier value. So we'll start by finding the object identifier (OID)
   ## of the signature algorithm, and then walk down the ASN.1 blob to the next item, which is the issuer.
   if { [SSL::cert count] > 0 } {
  
           if { [catch {
            ## sigAlg OID (1.2.840.113549.1.1.5) = sha1WithRSAEncryption = HEX \x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05
            ## sigAlg OID (1.2.840.113549.1.1.11) = sha256WithRSAEncryption = HEX \x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B
            ## Find the initial offset at the position of sigAlg OID in the certificate
            ## Here's an online tool to convert OID to Hex: https://misc.daniel-marschall.de/asn.1/oid-converter/online.php
            
            # do not care about last byte x05 or x0B           
            if { [expr [set offset [string first \x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01 [SSL::cert 0]]] > 100] } {
                log local0. "ERR:SigAlg-unknown"
            }
 
            ## Offset this position by the size of the sigAlg
            
            #13 bytes, size of this ASN.1 object 
            set newoffset [expr {$offset + 13}]
            
            ## Get the length of the issuer value - ASN.1 values start with a type and a length, so this extracts the length value.
            binary scan [string range [SSL::cert 0] ${newoffset} [expr {$newoffset + 5}]] c1c1c1c1 type issuer_len_dec issuer_len_dec_ext1 issuer_len_dec_ext2
 
            #RFC https://tools.ietf.org/html/rfc5280 p.124 issuer length could be more than 256 bytes (322 + asn1 encoding)  
 
            #c1 is signed byte, we need to & 0xFF        
            set issuer_len_dec [expr {$issuer_len_dec & 0xff}]
          
            #x81  
            if {${issuer_len_dec} == 129 } {
                set issuer_len_dec_ext1 [expr {$issuer_len_dec_ext1 & 0xff}]
                set issuer_len_dec [expr {$issuer_len_dec_ext1 + 1}]
            } elseif { ${issuer_len_dec} == 130 } {
                #x82
                set issuer_len_dec_ext1 [expr {$issuer_len_dec_ext1 & 0xff}]
                set issuer_len_dec_ext2 [expr {$issuer_len_dec_ext2 & 0xff}]
                set issuer_len_dec [expr { $issuer_len_dec_ext1 << 8 + $issuer_len_dec_ext2 + 2} ]
            }
            
            ## SHA1-encode the DER-formatted issuer value - this is the value that will be present in an OCSP request
        
            binary scan [sha1 [string range [SSL::cert 0] ${newoffset} [expr {${newoffset} + ${issuer_len_dec} + 1}]]] H* issuer_hash
 
            ## Store the SHA1 issuer hash:cert serial in a short-lived table with the AIA URL
            set AIA [findstr [X509::extensions [SSL::cert 0]] "OCSP - URI:" 11 "\n"]
            
            #remove : from serial 
            set serial [string map { ":" "" } [X509::serial_number [SSL::cert 0]]]
            
            table set -subtable OCSP_AIA "${issuer_hash}:${serial}" "${AIA}" 300 300
            
            } error]
         } {
            log local0. "error = $error"
         } 
   }
}

ABOUT DEVCENTRAL

DevCentral NewsTechnical ForumTechnical ArticlesTechnical CrowdSRCCommunity GuidelinesDevCentral EULAGet a Developer Lab LicenseBecome a DevCentral MVP

RESOURCES

Product DocumentationWhite PapersGlossaryCustomer StoriesWebinarsFree Online CoursesF5 CertificationLearnF5 Training

SUPPORT

Manage SubscriptionsProfessional ServicesProfessional ServicesCreate a Service RequestSoftware DownloadsSupport Portal

PARTNERS

Find a Reseller PartnerTechnology AlliancesBecome an F5 PartnerLogin to Partner Central

F5 logo©2024 F5, Inc. All rights reserved.
TrademarksPoliciesPrivacyCalifornia PrivacyDo Not Sell My Personal Information