證照結構
我們現在使用的 TLS 證照的標準是 X.509,版本號為 V3。版本號可從證照的 Version 欄位看到。
根據 RFC 3280 定義的證照結構,證照由三個部分組成:
- 證照主體(TBSCertificate,To Be Signed Certificate,待簽名證照)
- 簽名演算法
- 簽名值
證照主體包括版本、序列號、公鑰等內容。簽名值是對證照主體使用簽名演算法計算並經過證照籤名機構私鑰加密後的值。
證照的資料組織格式為 ASN.1 DER 格式(distinguished encoding rules)。這是一種 TLV 編碼,其中的每個元素都包含 Tag、Length、Value。通常我們獲得的證照是經由 Base64 編碼後的 PEM 檔案,為了節省不必要的麻煩,後續內容會提前將證照轉回 DER 格式。
PEM 檔案的格式是這樣的:
-----BEGIN CERTIFICATE-----
這裡是 Base64 編碼後的內容
-----END CERTIFICATE-----
證照驗證
為了驗證證照,我們需要獲取以下內容:
- 證照主體。用於通過簽名演算法得到其 hash 值
- 證照籤名值。
- CA 的公鑰。用於解密簽名,得到證照主體的 hash 值
如果 1 和 3 的 hash 值相等,則說明此次驗證通過。
我們以部落格園的證照為例。
證照下載
- 下載部落格園證照
證照原文是用 Base64 編碼後的 PEM 格式檔案,這裡將其直接轉換為 DER 格式。echo -n | openssl s_client -connect www.cnblogs.com:443 | openssl x509 -outform DER > www.cnblogs.com.crt - 檢視部落格園的 CA 證照地址
得到:openssl x509 -inform DER -in www.cnblogs.com.crt -noout -text | grep "CA Issuers"CA Issuers - URI:http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt - 下載 CA 證照
這個證照已經是 DER 格式,無需轉換。curl -O http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt
現在,我們得到了:
- 部落格園證照
- 給部落格園證照籤名的 CA 的證照
DER 證照解析
在開始驗證之前,再次瞭解證照的格式,便於理解後續的獲取操作。
證照由證照主體、簽名演算法和簽名值三個部分組成。DER 格式每個元素以 SEQUENCE 作為開頭。由於完整的證照是一個 SEQUENCE,因此證照最外層有個 SEQUENCE。裡面三個部分都各自有一個 SEQUENCE。
執行命令檢視內容:
openssl asn1parse -i -inform DER -in www.cnblogs.com.crt
解析的格式為:開頭數字是偏移量,d 表示深度(depth),d 相同的表示是同一個層級。hl 表示頭部長度(header length),l 表示不包含頭部的資料長度(lenght)。
0:d=0 hl=4 l=1534 cons: SEQUENCE
4:d=1 hl=4 l=1254 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 16 prim: INTEGER :03E3AC5347CD4A3862C2855A71A6F94F
31:d=2 hl=2 l= 13 cons: SEQUENCE
33:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
44:d=3 hl=2 l= 0 prim: NULL
46:d=2 hl=2 l= 110 cons: SEQUENCE
48:d=3 hl=2 l= 11 cons: SET
50:d=4 hl=2 l= 9 cons: SEQUENCE
52:d=5 hl=2 l= 3 prim: OBJECT :countryName
57:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
61:d=3 hl=2 l= 21 cons: SET
63:d=4 hl=2 l= 19 cons: SEQUENCE
65:d=5 hl=2 l= 3 prim: OBJECT :organizationName
70:d=5 hl=2 l= 12 prim: PRINTABLESTRING :DigiCert Inc
84:d=3 hl=2 l= 25 cons: SET
86:d=4 hl=2 l= 23 cons: SEQUENCE
88:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
93:d=5 hl=2 l= 16 prim: PRINTABLESTRING :www.digicert.com
111:d=3 hl=2 l= 45 cons: SET
113:d=4 hl=2 l= 43 cons: SEQUENCE
115:d=5 hl=2 l= 3 prim: OBJECT :commonName
120:d=5 hl=2 l= 36 prim: PRINTABLESTRING :Encryption Everywhere DV TLS CA - G1
158:d=2 hl=2 l= 30 cons: SEQUENCE
160:d=3 hl=2 l= 13 prim: UTCTIME :220228000000Z
175:d=3 hl=2 l= 13 prim: UTCTIME :230301235959Z
190:d=2 hl=2 l= 24 cons: SEQUENCE
192:d=3 hl=2 l= 22 cons: SET
194:d=4 hl=2 l= 20 cons: SEQUENCE
196:d=5 hl=2 l= 3 prim: OBJECT :commonName
201:d=5 hl=2 l= 13 prim: UTF8STRING :*.cnblogs.com
216:d=2 hl=4 l= 290 cons: SEQUENCE
220:d=3 hl=2 l= 13 cons: SEQUENCE
222:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
233:d=4 hl=2 l= 0 prim: NULL
235:d=3 hl=4 l= 271 prim: BIT STRING
510:d=2 hl=4 l= 748 cons: cont [ 3 ]
514:d=3 hl=4 l= 744 cons: SEQUENCE
518:d=4 hl=2 l= 31 cons: SEQUENCE
520:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
525:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:3016801455744FB2724FF560BA50D1D7E6515C9A01871AD7
551:d=4 hl=2 l= 29 cons: SEQUENCE
553:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
558:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04149DE559358AA4C25E1A52193A745F007F101B1C17
582:d=4 hl=2 l= 37 cons: SEQUENCE
584:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
589:d=5 hl=2 l= 30 prim: OCTET STRING [HEX DUMP]:301C820D2A2E636E626C6F67732E636F6D820B636E626C6F67732E636F6D
621:d=4 hl=2 l= 14 cons: SEQUENCE
623:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
628:d=5 hl=2 l= 1 prim: BOOLEAN :255
631:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
637:d=4 hl=2 l= 29 cons: SEQUENCE
639:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
644:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030106082B06010505070302
668:d=4 hl=2 l= 62 cons: SEQUENCE
670:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
675:d=5 hl=2 l= 55 prim: OCTET STRING [HEX DUMP]:30353033060667810C0102013029302706082B06010505070201161B687474703A2F2F7777772E64696769636572742E636F6D2F435053
732:d=4 hl=3 l= 128 cons: SEQUENCE
735:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
745:d=5 hl=2 l= 116 prim: OCTET STRING [HEX DUMP]:3072302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D304A06082B06010505073002863E687474703A2F2F636163657274732E64696769636572742E636F6D2F456E6372797074696F6E457665727977686572654456544C5343412D47312E637274
863:d=4 hl=2 l= 9 cons: SEQUENCE
865:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
870:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
874:d=4 hl=4 l= 384 cons: SEQUENCE
878:d=5 hl=2 l= 10 prim: OBJECT :CT Precertificate SCTs
890:d=5 hl=4 l= 368 prim: OCTET STRING [HEX DUMP]:0482016C016A007700E83ED0DA3EF5063532E75728BC896BC903D3CBD1116BECEB69E1777D6D06BD6E0000017F3E1A44D10000040300483046022100D8162F949F2820F1C3CCF73AD2826F04CDD3EA09C16BAD2441AE07C69D149DE1022100AC4C3B8EB60C5613C32B85C5303ACC67F62888DFB7925861088B21B550E16E9600760035CF191BBFB16C57BF0FAD4C6D42CBBBB627202651EA3FE12AEFA803C33BD64C0000017F3E1A45110000040300473045022100A4D6915799132F3997B16F009F7011520A3BB30A040DAE42B73D905975DBADBD02206165D6DA0CB72F87B8FA7F309806919893FA962126F6D94512DB700CDF019B84007700B3737707E18450F86386D605A9DC11094A792DB1670C0B87DCF0030E7936A59A0000017F3E1A45370000040300483046022100B31A83931E8A4D8BD4FD2F28E8C42D3B1083D79E9F5E7F9F8B8D1C4D33DE8C65022100E6D91B7986CA850272265DEDBD4C40180BB73B69447304F423BDA19B29F4ADE3
1262:d=1 hl=2 l= 13 cons: SEQUENCE
1264:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1275:d=2 hl=2 l= 0 prim: NULL
1277:d=1 hl=4 l= 257 prim: BIT STRING
例如第一行:
0:d=0 hl=4 l=1534 cons: SEQUENCE
開頭 0 表示偏移量為 0,就是整個檔案的開頭。d=0 表示最頂層,為整個證照的物件。頭部長度為 4 位元組,資料欄位(也就是三個部分)總共 1534 位元組,加起來整個檔案共 1538 位元組。
再看最後一行,
1277:d=1 hl=4 l= 257 prim: BIT STRING
開頭 1277 表示偏移量,d=1 表示頂層的下一層,而這個位置在最後一部分,那麼就代表是簽名值。頭部長度為 4 位元組,資料長度為 257 位元組,加起來共 261 位元組。加上偏移量 1277 + 261 = 1538 位元組,與第一行的計算結果吻合。
獲取證照主體(待簽名證照)
根據定義,第一個部分就是待簽名證照。因此從第一個 d=1 的地方開始,即檔案的第二行。
4:d=1 hl=4 l=1254 cons: SEQUENCE
表示偏移量為 4,頭部 4 位元組,資料 1254 位元組。hash 的時候會連頭部都算上,所以總共獲取 1258 位元組。
dd if=www.cnblogs.com.crt of=www.cnblogs.com.tbs bs=1 skip=4 count=1258
這裡 bs=1 表示每次讀取一個位元組,count 表示讀取 1258 次,兩者組合起來就是讀取 1258 個位元組。
計算證照 hash 值
獲取簽名和加密演算法:
openssl x509 -inform DER -in www.cnblogs.com.crt -noout -text | grep 'Signature Algorithm' | tail -n 1
sha256WithRSAEncryption 表示使用 sha256 hash,並使用 RSA 加密。
計算:
sha256sum www.cnblogs.com.tbs
得到結果:
bca9d80920262764ca037b51a1f7bfd8a240c8059c7564dafdaf12ded366d6f5 www.cnblogs.com.tbs
簽名值
從 ASN.1 解析後的資料,可以知道簽名值的偏移量是 1277。
擷取簽名值:
openssl asn1parse -inform DER -in www.cnblogs.com.crt --strparse 1277 -noout -out www.cnblogs.com.sig
驗證這個資料:
xxd -p www.cnblogs.com.sig | tr -d '\n'
得到:
49aa4a0ff0052f53f27fd1681b11f6247a75b6da247b589a8cec50a7abd3e1ddc9cbbd09a221e529466bdacb34d3bf9555fa4714731b33326cf341d2cd5ac6b5996d22a682dcd8a97ea2245b3318fddc423d17d16318cd925c6d5873a40f16d9b0a6393c18e66d57be6c30688d10faf55b833479cb2735835210c7c6869bc2c33edf7acb531e1e96d3a47796d0f2fe3c3784d3f35e0e7824094bb4b388e8d95861b864a71c50e3b6da9512be585a14196dc7ec2e80f74a06fead44b7340f1a6c3fa1451bd64eadf8ec71d866dee43e44cfcaae3ecc9804e12037400e6548ce77c080d2b09840aa7297aa862679f228a7fac1187a68355946d49a5ae7389d6a38
檢視得到的結果是否與以下命令的最後一部分一致:
openssl x509 -inform DER -in www.cnblogs.com.crt -noout -text
49:aa:4a:0f:f0:05:2f:53:f2:7f:d1:68:1b:11:f6:24:7a:75:
b6:da:24:7b:58:9a:8c:ec:50:a7:ab:d3:e1:dd:c9:cb:bd:09:
a2:21:e5:29:46:6b:da:cb:34:d3:bf:95:55:fa:47:14:73:1b:
33:32:6c:f3:41:d2:cd:5a:c6:b5:99:6d:22:a6:82:dc:d8:a9:
7e:a2:24:5b:33:18:fd:dc:42:3d:17:d1:63:18:cd:92:5c:6d:
58:73:a4:0f:16:d9:b0:a6:39:3c:18:e6:6d:57:be:6c:30:68:
8d:10:fa:f5:5b:83:34:79:cb:27:35:83:52:10:c7:c6:86:9b:
c2:c3:3e:df:7a:cb:53:1e:1e:96:d3:a4:77:96:d0:f2:fe:3c:
37:84:d3:f3:5e:0e:78:24:09:4b:b4:b3:88:e8:d9:58:61:b8:
64:a7:1c:50:e3:b6:da:95:12:be:58:5a:14:19:6d:c7:ec:2e:
80:f7:4a:06:fe:ad:44:b7:34:0f:1a:6c:3f:a1:45:1b:d6:4e:
ad:f8:ec:71:d8:66:de:e4:3e:44:cf:ca:ae:3e:cc:98:04:e1:
20:37:40:0e:65:48:ce:77:c0:80:d2:b0:98:40:aa:72:97:aa:
86:26:79:f2:28:a7:fa:c1:18:7a:68:35:59:46:d4:9a:5a:e7:
38:9d:6a:38
這部分直接從完整的 text 中複製然後手動編輯也可以。
CA 證照公鑰
解析並檢視位置:
openssl asn1parse -i -inform DER -in EncryptionEverywhereDVTLSCA-G1.crt
0:d=0 hl=4 l=1194 cons: SEQUENCE
4:d=1 hl=4 l= 914 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 16 prim: INTEGER :0279AC458BC1B245ABF98053CD2C9BB1
31:d=2 hl=2 l= 13 cons: SEQUENCE
33:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
44:d=3 hl=2 l= 0 prim: NULL
46:d=2 hl=2 l= 97 cons: SEQUENCE
48:d=3 hl=2 l= 11 cons: SET
50:d=4 hl=2 l= 9 cons: SEQUENCE
52:d=5 hl=2 l= 3 prim: OBJECT :countryName
57:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
61:d=3 hl=2 l= 21 cons: SET
63:d=4 hl=2 l= 19 cons: SEQUENCE
65:d=5 hl=2 l= 3 prim: OBJECT :organizationName
70:d=5 hl=2 l= 12 prim: PRINTABLESTRING :DigiCert Inc
84:d=3 hl=2 l= 25 cons: SET
86:d=4 hl=2 l= 23 cons: SEQUENCE
88:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
93:d=5 hl=2 l= 16 prim: PRINTABLESTRING :www.digicert.com
111:d=3 hl=2 l= 32 cons: SET
113:d=4 hl=2 l= 30 cons: SEQUENCE
115:d=5 hl=2 l= 3 prim: OBJECT :commonName
120:d=5 hl=2 l= 23 prim: PRINTABLESTRING :DigiCert Global Root CA
145:d=2 hl=2 l= 30 cons: SEQUENCE
147:d=3 hl=2 l= 13 prim: UTCTIME :171127124610Z
162:d=3 hl=2 l= 13 prim: UTCTIME :271127124610Z
177:d=2 hl=2 l= 110 cons: SEQUENCE
179:d=3 hl=2 l= 11 cons: SET
181:d=4 hl=2 l= 9 cons: SEQUENCE
183:d=5 hl=2 l= 3 prim: OBJECT :countryName
188:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
192:d=3 hl=2 l= 21 cons: SET
194:d=4 hl=2 l= 19 cons: SEQUENCE
196:d=5 hl=2 l= 3 prim: OBJECT :organizationName
201:d=5 hl=2 l= 12 prim: PRINTABLESTRING :DigiCert Inc
215:d=3 hl=2 l= 25 cons: SET
217:d=4 hl=2 l= 23 cons: SEQUENCE
219:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
224:d=5 hl=2 l= 16 prim: PRINTABLESTRING :www.digicert.com
242:d=3 hl=2 l= 45 cons: SET
244:d=4 hl=2 l= 43 cons: SEQUENCE
246:d=5 hl=2 l= 3 prim: OBJECT :commonName
251:d=5 hl=2 l= 36 prim: PRINTABLESTRING :Encryption Everywhere DV TLS CA - G1
289:d=2 hl=4 l= 290 cons: SEQUENCE
293:d=3 hl=2 l= 13 cons: SEQUENCE
295:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
306:d=4 hl=2 l= 0 prim: NULL
308:d=3 hl=4 l= 271 prim: BIT STRING
583:d=2 hl=4 l= 335 cons: cont [ 3 ]
587:d=3 hl=4 l= 331 cons: SEQUENCE
591:d=4 hl=2 l= 29 cons: SEQUENCE
593:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
598:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:041455744FB2724FF560BA50D1D7E6515C9A01871AD7
622:d=4 hl=2 l= 31 cons: SEQUENCE
624:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
629:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:3016801403DE503556D14CBB66F0A3E21B1BC397B23DD155
655:d=4 hl=2 l= 14 cons: SEQUENCE
657:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
662:d=5 hl=2 l= 1 prim: BOOLEAN :255
665:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020186
671:d=4 hl=2 l= 29 cons: SEQUENCE
673:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
678:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030106082B06010505070302
702:d=4 hl=2 l= 18 cons: SEQUENCE
704:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
709:d=5 hl=2 l= 1 prim: BOOLEAN :255
712:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020100
722:d=4 hl=2 l= 52 cons: SEQUENCE
724:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
734:d=5 hl=2 l= 40 prim: OCTET STRING [HEX DUMP]:3026302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D
776:d=4 hl=2 l= 66 cons: SEQUENCE
778:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
783:d=5 hl=2 l= 59 prim: OCTET STRING [HEX DUMP]:30393037A035A0338631687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274476C6F62616C526F6F7443412E63726C
844:d=4 hl=2 l= 76 cons: SEQUENCE
846:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
851:d=5 hl=2 l= 69 prim: OCTET STRING [HEX DUMP]:3043303706096086480186FD6C0102302A302806082B06010505070201161C68747470733A2F2F7777772E64696769636572742E636F6D2F4350533008060667810C010201
922:d=1 hl=2 l= 13 cons: SEQUENCE
924:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
935:d=2 hl=2 l= 0 prim: NULL
937:d=1 hl=4 l= 257 prim: BIT STRING
找到 rsaEncryption,它在 d=4 的層級,公鑰所在位置為下方的 d=3 層級的 BIT STRING:
308:d=3 hl=4 l= 271
根據 rfc 3279 的定義,RSA PublickKey 由係數 (modulus) 和指數 (exponent) 兩部分組成。因此 271 位元組裡面的兩部分要分開獲取。這兩部分也是使用 DER 格式編碼的,可以直接使用工具解析:
openssl asn1parse -inform DER -in EncryptionEverywhereDVTLSCA-G1.crt --strparse 308 -noout -out EncryptionEverywhereDVTLSCA-G1.rsa
openssl asn1parse -i -inform DER -in EncryptionEverywhereDVTLSCA-G1.rsa
得到:
0:d=0 hl=4 l= 266 cons: SEQUENCE
4:d=1 hl=4 l= 257 prim: INTEGER :B3DE3FAC2469BE35772421EA629CA07AADDE3448C56E4C0EF7FD43288E47B55F1702BAE7A7ACD1416221BEF837DA519EDCC5D54818CC31AEDE9A5954C76895BC619BA7564BD38AFE515E84A353D0E608F5AAA4E85F94EDC03A8F1482FA20C13D7C1D178AECDCA472A776909FAA63A69D72AFB201E98E33BFBD847BF3E567FEAB2BA2270BA5A92B49CF54E611EE7F620EE3DED44E08C543011FF4F7DFEDE1CAE1F776F7E089650E5248DDA4C6F2C57F973657B9B84222C81B22E08BDB7130A1F2BBA27C2222E660D7919AE7313F27C1F60257ABFA90375791B80644B2AC478A6E71B26D6CAA889141B1B99236B7BA5F7B02917399D679CBC30597F7FA9D4CA40F
265:d=1 hl=2 l= 3 prim: INTEGER :010001
其中第一個 INTEGER 是 modulus,第二個 INTEGER 是 exponent。由於可以直接複製,不再使用 xxd 命令。
驗證這個資訊:
openssl x509 -inform DER -in EncryptionEverywhereDVTLSCA-G1.crt -noout -text
在 Subject Public Key Info 一節裡可以看到:
00:b3:de:3f:ac:24:69:be:35:77:24:21:ea:62:9c:
a0:7a:ad:de:34:48:c5:6e:4c:0e:f7:fd:43:28:8e:
47:b5:5f:17:02:ba:e7:a7:ac:d1:41:62:21:be:f8:
37:da:51:9e:dc:c5:d5:48:18:cc:31:ae:de:9a:59:
54:c7:68:95:bc:61:9b:a7:56:4b:d3:8a:fe:51:5e:
84:a3:53:d0:e6:08:f5:aa:a4:e8:5f:94:ed:c0:3a:
8f:14:82:fa:20:c1:3d:7c:1d:17:8a:ec:dc:a4:72:
a7:76:90:9f:aa:63:a6:9d:72:af:b2:01:e9:8e:33:
bf:bd:84:7b:f3:e5:67:fe:ab:2b:a2:27:0b:a5:a9:
2b:49:cf:54:e6:11:ee:7f:62:0e:e3:de:d4:4e:08:
c5:43:01:1f:f4:f7:df:ed:e1:ca:e1:f7:76:f7:e0:
89:65:0e:52:48:dd:a4:c6:f2:c5:7f:97:36:57:b9:
b8:42:22:c8:1b:22:e0:8b:db:71:30:a1:f2:bb:a2:
7c:22:22:e6:60:d7:91:9a:e7:31:3f:27:c1:f6:02:
57:ab:fa:90:37:57:91:b8:06:44:b2:ac:47:8a:6e:
71:b2:6d:6c:aa:88:91:41:b1:b9:92:36:b7:ba:5f:
7b:02:91:73:99:d6:79:cb:c3:05:97:f7:fa:9d:4c:
a4:0f
以及: Exponent: 65537 (0x10001)。
與上述獲取的一致。
使用 CA 公鑰解密
已知的內容:
-
簽名值 sig :
49aa4a0ff0052f53f27fd1681b11f6247a75b6da247b589a8cec50a7abd3e1ddc9cbbd09a221e529466bdacb34d3bf9555fa4714731b33326cf341d2cd5ac6b5996d22a682dcd8a97ea2245b3318fddc423d17d16318cd925c6d5873a40f16d9b0a6393c18e66d57be6c30688d10faf55b833479cb2735835210c7c6869bc2c33edf7acb531e1e96d3a47796d0f2fe3c3784d3f35e0e7824094bb4b388e8d95861b864a71c50e3b6da9512be585a14196dc7ec2e80f74a06fead44b7340f1a6c3fa1451bd64eadf8ec71d866dee43e44cfcaae3ecc9804e12037400e6548ce77c080d2b09840aa7297aa862679f228a7fac1187a68355946d49a5ae7389d6a38 -
CA 公鑰係數 modulus:
B3DE3FAC2469BE35772421EA629CA07AADDE3448C56E4C0EF7FD43288E47B55F1702BAE7A7ACD1416221BEF837DA519EDCC5D54818CC31AEDE9A5954C76895BC619BA7564BD38AFE515E84A353D0E608F5AAA4E85F94EDC03A8F1482FA20C13D7C1D178AECDCA472A776909FAA63A69D72AFB201E98E33BFBD847BF3E567FEAB2BA2270BA5A92B49CF54E611EE7F620EE3DED44E08C543011FF4F7DFEDE1CAE1F776F7E089650E5248DDA4C6F2C57F973657B9B84222C81B22E08BDB7130A1F2BBA27C2222E660D7919AE7313F27C1F60257ABFA90375791B80644B2AC478A6E71B26D6CAA889141B1B99236B7BA5F7B02917399D679CBC30597F7FA9D4CA40F -
CA 公鑰指數 exponent:
0x10001
根據公式 decrypted_value = (modulus^exponent)%sig,使用 python 計算:
modulus=0xB3DE3FAC2469BE35772421EA629CA07AADDE3448C56E4C0EF7FD43288E47B55F1702BAE7A7ACD1416221BEF837DA519EDCC5D54818CC31AEDE9A5954C76895BC619BA7564BD38AFE515E84A353D0E608F5AAA4E85F94EDC03A8F1482FA20C13D7C1D178AECDCA472A776909FAA63A69D72AFB201E98E33BFBD847BF3E567FEAB2BA2270BA5A92B49CF54E611EE7F620EE3DED44E08C543011FF4F7DFEDE1CAE1F776F7E089650E5248DDA4C6F2C57F973657B9B84222C81B22E08BDB7130A1F2BBA27C2222E660D7919AE7313F27C1F60257ABFA90375791B80644B2AC478A6E71B26D6CAA889141B1B99236B7BA5F7B02917399D679CBC30597F7FA9D4CA40F
sig=0x49aa4a0ff0052f53f27fd1681b11f6247a75b6da247b589a8cec50a7abd3e1ddc9cbbd09a221e529466bdacb34d3bf9555fa4714731b33326cf341d2cd5ac6b5996d22a682dcd8a97ea2245b3318fddc423d17d16318cd925c6d5873a40f16d9b0a6393c18e66d57be6c30688d10faf55b833479cb2735835210c7c6869bc2c33edf7acb531e1e96d3a47796d0f2fe3c3784d3f35e0e7824094bb4b388e8d95861b864a71c50e3b6da9512be585a14196dc7ec2e80f74a06fead44b7340f1a6c3fa1451bd64eadf8ec71d866dee43e44cfcaae3ecc9804e12037400e6548ce77c080d2b09840aa7297aa862679f228a7fac1187a68355946d49a5ae7389d6a38
exponent=0x10001
print("%x" % pow(sig, exponent, modulus))
得到:
1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d060960864801650304020105000420bca9d80920262764ca037b51a1f7bfd8a240c8059c7564dafdaf12ded366d6f5
開頭的 1fff... 是 RSA 演算法的填充位元組,接下來的 3031300D060960864801650304020105000420 是 sha256 的填充位元組。剩下的 bca9d80920262764ca037b51a1f7bfd8a240c8059c7564dafdaf12ded366d6f5 是證照 hash 值。
我們將該值與前面手動計算的 TBS 證照 hash 值做對比,得到完全一致。
至此,驗證完畢。
證照鏈
上面只驗證了第一步。從瀏覽器中可以看出,上述 CA 證照不是根證照,還需要驗證 CA 證照的可信。步驟與上述差不多,只是根證照是安裝在裝置的作業系統上或者瀏覽器上。
參考
[1]: https://blog.yuantops.com/tech/validate_a_digital_certificate_step_by_step/ (手工驗證一張數字證照的有效性)
[2]: https://yongbingchen.github.io/blog/2015/04/09/verify-the-signature-of-a-x-dot-509-certificate/ (https://yongbingchen.github.io/blog/2015/04/09/verify-the-signature-of-a-x-dot-509-certificate/)
[3]: https://datatracker.ietf.org/doc/html/rfc3279 (RFC 3279)
[4]: https://datatracker.ietf.org/doc/html/rfc2313 (RFC 2313)
[5]: https://datatracker.ietf.org/doc/html/rfc3280 (RFC 3280)
[6]: https://docs.microsoft.com/en-us/windows/win32/seccertenroll/about-encoded-length-and-value-bytes (Encoded Length and Value Bytes)
[7]: https://linux.die.net/man/1/asn1parse (asn1parse(1) - Linux man page)
[8]: https://stackoverflow.com/questions/2614764/how-to-create-a-hex-dump-of-file-containing-only-the-hex-characters-without-spac (How to create a hex dump of file containing only the hex characters without spaces in bash?)