Skip to main content
すべてのクラウドプロバイダ
  • Amazon Web Services の
  • Google Cloud
  • Microsoft Azure
  • すべてのクラウドプロバイダ
日本語は機械翻訳による参考訳です。内容に矛盾や不一致があった場合には、英語の内容が優先されます。

OpenSSLを使用したdisk.rawファイルおよびダイジェストファイルの内容の検証

共同作成者

Google Cloudでダウンロードしたdisk.rawファイルを、で使用できるダイジェストファイルの内容と照合して確認できます "NSS" OpenSSLを使用しています。

メモ イメージがLinux、Mac OS、およびWindowsマシンと互換性があるかどうかを検証するOpenSSLコマンド。
手順
  1. OpenSSLを使用して証明書を確認します。

    クリックして表示
    # Step 1 - Optional, but recommended: Verify the certificate using OpenSSL
    
    # Step 1.1 - Copy the Certificate and certificate chain to a directory
    $ openssl version
    LibreSSL 3.3.6
    $ ls -l
    total 48
    -rw-r--r--@ 1 example-user  engr  8537 Jan 19 15:42 Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--@ 1 example-user  engr  2365 Jan 19 15:42 Certificate-GCP-CVO-20230119-0XXXXX.pem
    
    # Step 1.2 - Get the OSCP URL
    $ oscp_url=$(openssl x509 -noout -ocsp_uri -in <Certificate-Chain.pem>)
    $ oscp_url=$(openssl x509 -noout -ocsp_uri -in Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem)
    $ echo $oscp_url
    http://ocsp.entrust.net
    
    # Step 1.3 - Generate an OCSP request for the certificate
    $ openssl ocsp -issuer <Certificate-Chain.pem> -CAfile <Certificate-Chain.pem> -cert <Certificate.pem> -reqout <request.der>
    $ openssl ocsp -issuer Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem -CAfile Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem -cert Certificate-GCP-CVO-20230119-0XXXXX.pem -reqout req.der
    
    # Step 1.4 - Optional: Check the new file "req.der" has been generated
    $ ls -l
    total 56
    -rw-r--r--@ 1 example-user  engr  8537 Jan 19 15:42 Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--@ 1 example-user  engr  2365 Jan 19 15:42 Certificate-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--  1 example-user  engr   120 Jan 19 16:50 req.der
    
    # Step 1.5 - Connect to the OCSP Manager using openssl to send the OCSP request
    $ openssl ocsp -issuer <Certificate-Chain.pem> -CAfile <Certificate-Chain.pem> -cert <Certificate.pem> -url ${ocsp_url} -resp_text -respout <response.der>
    $ openssl ocsp -issuer Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem -CAfile Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem -cert Certificate-GCP-CVO-20230119-0XXXXX.pem  -url ${ocsp_url} -resp_text -respout resp.der
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = "Entrust, Inc.", CN = Entrust Extended Validation Code Signing CA - EVCS2
        Produced At: Jan 19 15:14:00 2023 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 69FA640329AB84E27220FE0927647B8194B91F2A
          Issuer Key Hash: CE894F8251AA15A28462CA312361D261FBF8FE78
          Serial Number: 5994B3D01D26D594BD1D0FA7098C6FF5
        Cert Status: good
        This Update: Jan 19 15:00:00 2023 GMT
        Next Update: Jan 26 14:59:59 2023 GMT
    
        Signature Algorithm: sha512WithRSAEncryption
             0b:b6:61:e4:03:5f:98:6f:10:1c:9a:f7:5f:6f:c7:e3:f4:72:
             f2:30:f4:86:88:9a:b9:ba:1e:d6:f6:47:af:dc:ea:e4:cd:31:
             af:e3:7a:20:35:9e:60:db:28:9c:7f:2e:17:7b:a5:11:40:4f:
             1e:72:f7:f8:ef:e3:23:43:1b:bb:28:1a:6f:c6:9c:c5:0c:14:
             d3:5d:bd:9b:6b:28:fb:94:5e:8a:ef:40:20:72:a4:41:df:55:
             cf:f3:db:1b:39:e0:30:63:c9:c7:1f:38:7e:7f:ec:f4:25:7b:
             1e:95:4c:70:6c:83:17:c3:db:b2:47:e1:38:53:ee:0a:55:c0:
             15:6a:82:20:b2:ea:59:eb:9c:ea:7e:97:aa:50:d7:bc:28:60:
             8c:d4:21:92:1c:13:19:b4:e0:66:cb:59:ed:2e:f8:dc:7b:49:
             e3:40:f2:b6:dc:d7:2d:2e:dd:21:82:07:bb:3a:55:99:f7:59:
             5d:4a:4d:ca:e7:8f:1c:d3:9a:3f:17:7b:7a:c4:57:b2:57:a8:
             b4:c0:a5:02:bd:59:9c:50:32:ff:16:b1:65:3a:9c:8c:70:3b:
             9e:be:bc:4f:f9:86:97:b1:62:3c:b2:a9:46:08:be:6b:1b:3c:
             24:14:59:28:c6:ae:e8:d5:64:b2:f8:cc:28:24:5c:b2:c8:d8:
             5a:af:9d:55:48:96:f6:3e:c6:bf:a6:0c:a4:c0:ab:d6:57:03:
             2b:72:43:b0:6a:9f:52:ef:43:bb:14:6a:ce:66:cc:6c:4e:66:
             17:20:a3:64:e0:c6:d1:82:0a:d7:41:8a:cc:17:fd:21:b5:c6:
             d2:3a:af:55:2e:2a:b8:c7:21:41:69:e1:44:ab:a1:dd:df:6d:
             15:99:90:cc:a0:74:1e:e5:2e:07:3f:50:e6:72:a6:b9:ae:fc:
             44:15:eb:81:3d:1a:f8:17:b6:0b:ff:05:76:9d:30:06:40:72:
             cf:d5:c4:6f:8b:c9:14:76:09:6b:3d:6a:70:2c:5a:c4:51:92:
             e5:cd:84:b6:f9:d9:d5:bc:8d:72:b7:7c:13:9c:41:89:a8:97:
             6f:4a:11:5f:8f:b6:c9:b5:df:00:7e:97:20:e7:29:2e:2b:12:
             77:dc:e2:63:48:87:42:49:1d:fc:d0:94:a8:8d:18:f9:07:85:
             e4:d0:3e:9a:4a:d7:d5:d0:02:51:c3:51:1c:73:12:96:2d:75:
             22:83:a6:70:5a:4a:2b:f2:98:d9:ae:1b:57:53:3d:3b:58:82:
             38:fc:fa:cb:57:43:3f:3e:7e:e0:6d:5b:d6:fc:67:7e:07:7e:
             fb:a3:76:43:26:8f:d1:42:d6:a6:33:4e:9e:e0:a0:51:b4:c4:
             bc:e3:10:0d:bf:23:6c:4b
    WARNING: no nonce in response
    Response Verify OK
    Certificate-GCP-CVO-20230119-0XXXXX.pem: good
        This Update: Jan 19 15:00:00 2023 GMT
        Next Update: Jan 26 14:59:59 2023 GMT
    
    # Step 1.5 - Optional: Check the response file "response.der" has been generated. Verify its contents.
    $ ls -l
    total 64
    -rw-r--r--@ 1 example-user  engr  8537 Jan 19 15:42 Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--@ 1 example-user  engr  2365 Jan 19 15:42 Certificate-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--  1 example-user  engr   120 Jan 19 16:50 req.der
    -rw-r--r--  1 example-user  engr   806 Jan 19 16:51 resp.der
    
    # Step 1.6 - Verify the chain of trust and expiration dates against the local host
    $ openssl version -d
    OPENSSLDIR: "/private/etc/ssl"
    $ OPENSSLDIR=$(openssl version -d | cut -d '"' -f2)
    $ echo $OPENSSLDIR
    /private/etc/ssl
    
    $ openssl verify -untrusted <Certificate-Chain.pem> -CApath <OpenSSL dir> <Certificate.pem>
    $ openssl verify -untrusted Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem -CApath ${OPENSSLDIR} Certificate-GCP-CVO-20230119-0XXXXX.pem
    Certificate-GCP-CVO-20230119-0XXXXX.pem: OK
  2. ダウンロードしたdisk.rawファイル、署名、および証明書をディレクトリに配置します。

  3. OpenSSLを使用して証明書から公開鍵を抽出します。

  4. 抽出した公開鍵を使用して署名を復号化し、ダウンロードしたdisk.rawファイルの内容を確認します。

    クリックして表示
    # Step 1 - Place the downloaded disk.raw, the signature and the certificates in a directory
    $ ls -l
    -rw-r--r--@ 1 example-user  staff  Jan 19 15:42 Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--@ 1 example-user  staff  Jan 19 15:42 Certificate-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--@ 1 example-user  staff  Jan 19 15:42 GCP_CVO_20230119-XXXXXX_digest.sig
    -rw-r--r--@ 1 example-user  staff  Jan 19 16:39 disk.raw
    
    # Step 2 - Extract the public key from the certificate
    $ openssl x509 -pubkey -noout -in (certificate.pem) > (public_key.pem)
    $ openssl x509 -pubkey -noout -in Certificate-GCP-CVO-20230119-0XXXXX.pem > CVO-GCP-pubkey.pem
    
    $ ls -l
    -rw-r--r--@ 1 example-user  staff  Jan 19 15:42 Certificate-Chain-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--@ 1 example-user  staff  Jan 19 15:42 Certificate-GCP-CVO-20230119-0XXXXX.pem
    -rw-r--r--@ 1 example-user  staff  Jan 19 17:02 CVO-GCP-pubkey.pem
    -rw-r--r--@ 1 example-user  staff  Jan 19 15:42 GCP_CVO_20230119-XXXXXX_digest.sig
    -rw-r--r--@ 1 example-user  staff  Jan 19 16:39 disk.raw
    
    # Step 3 - Decrypt the signature using the extracted public key and verify the contents of the downloaded disk.raw
    $ openssl dgst -verify (public_key) -keyform PEM -sha256 -signature (signed digest) -binary (downloaded or obtained disk.raw)
    $ openssl dgst -verify CVO-GCP-pubkey.pem -keyform PEM -sha256 -signature GCP_CVO_20230119-XXXXXX_digest.sig -binary disk.raw
    Verified OK
    
    # A failed response would look like this
    $ openssl dgst -verify CVO-GCP-pubkey.pem -keyform PEM -sha256 -signature GCP_CVO_20230119-XXXXXX_digest.sig -binary ../sample_file.txt
    Verification Failure