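How to get the public key of an HTTPS website certificate

Time: 2014-10-28 06:44:25

Tags: c ssl openssl public-key

I use the SSL_get_peer_certificate() and X509_get_pubkey() APIs to get the public key of a website's (www.google.com) HTTPS certificate. When I dump the public key, it looks like this: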

00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
4d:b9

I found that it differs from what I see in the browser (in Chrome, click the padlock in the address bar -> Connection -> Certificate information -> Certificate -> Details -> Public Key (field)). It is shown below:

30 82 01 0a 02 82 01 01 00 bb cb 8a 0e b6 df 
3f 0a ba a4 7b 20 9f e9 0a f2 81 04 84 ed d0 
9e c9 fd 2a ec 39 9f 11 56 c3 2e 33 39 8f da 
32 d7 84 54 55 5c 99 2f 56 61 73 17 2d 26 15 
bc 8b 89 12 b8 78 73 17 1d c5 32 a2 e3 f1 b5 
c4 d8 41 67 41 72 16 74 81 c8 4f f3 a8 57 31 
cd 69 73 7b 96 41 2d be 66 15 f0 eb f7 33 7c 
79 4a 00 40 0e c6 df 71 66 1a a7 12 79 e8 7e 
89 c2 04 cc 09 b0 1f 9b 67 81 ec 5f 26 2d 09 
c3 ce 1c a6 96 e9 0f de 6f aa b1 07 82 be a9 
18 2e 2b a5 c5 17 a1 91 75 7b 0a 86 cc 1d bc 
91 10 1d 5b 3b fd 49 37 04 65 5a c8 4a 41 17 
37 63 ab a1 83 11 58 c8 24 74 c2 e4 ae 8e d6 
90 98 5a d7 b7 96 4e d4 d8 21 e9 45 43 0b e0 
0b 07 dd 0f 79 47 4a 06 44 17 97 59 c9 b1 e0 
1b 2b 55 d8 bf 3c 07 f1 be 56 5e da 53 78 e2 
c3 cb 6a 21 f5 83 66 66 bd eb 6f 27 da aa 91 
30 93 eb 40 52 e0 24 a5 4d b9 02 03 01 00 01

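Why are these two public keys different?
I am curious what these two kinds of public key data are.

Update
Updated the public key field value from the Chrome browser.

2 answers:

Answer 0: (score: 1)

Very interesting. I did some investigating in that area.

The first certificate chain you provided, 30 82 01 0a 02 82 01 01 00 b2 56 ae e5 f2 a3 (...), does not point to the "*.google.com" certificate as expected but to the GeoTrust Global CA cert https://www.tbs-certificates.co.uk/FAQ/en/602.html; for details see here - http://geotrust.tbs-certificats.com/GeoTrust_Global_CA.cer

I extracted the pubkey from www.google.com:443 and then converted it to the 'modulus'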

$ openssl s_client -connect www.google.com:443 | openssl x509 -pubkey -noout
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8uKDrbfPwq6pHsgn+kK
8oEEhO3Qnsn9Kuw5nxFWwy4zOY/aMteEVFVcmS9WYXMXLSYVvIuJErh4cxcdxTKi
4/G1xNhBZ0FyFnSByE/zqFcxzWlze5ZBLb5mFfDr9zN8eUoAQA7G33FmGqcSeeh+
icIEzAmwH5tngexfJi0Jw84cppbpD95vqrEHgr6pGC4rpcUXoZF1ewqGzB28kRAd
Wzv9STcEZVrISkEXN2OroYMRWMgkdMLkro7WkJha17eWTtTYIelFQwvgCwfdD3lH
SgZEF5dZybHgGytV2L88B/G+Vl7aU3jiw8tqIfWDZma9628n2qqRMJPrQFLgJKVN
uQIDAQAB
-----END PUBLIC KEY-----

$ openssl rsa -pubin -inform PEM -text -noout < public.key
Public-Key: (2048 bit)
Modulus:
    00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
    0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
    56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
    56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
    1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
    81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
    66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
    66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
    67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
    6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
    75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
    04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
    24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
    d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
    44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
    be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
    bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
    4d:b9
Exponent: 65537 (0x10001)

Conclusion - good, it looks like we are both using the same pubkey (www.google.com:443)

Then I created a sample SSL connection to www.google.com:443 (python / M2Crypt) and listed the "peer cert chain"; this is the output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1227750 (0x12bbe6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Validity
            Not Before: May 21 04:00:00 2002 GMT
            Not After : Aug 21 04:00:00 2018 GMT
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df:
                    3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8:
                    43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29:
                    bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4:
                    60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3:
                    ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92:
                    2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d:
                    80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14:
                    15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd:
                    d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6:
                    d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5:
                    5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39:
                    19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05:
                    9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2:
                    fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32:
                    eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07:
                    36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b:
                    e4:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier: 
                C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.geotrust.com/crls/secureca.crl

            X509v3 Certificate Policies: 
                Policy: X509v3 Any Policy
                  CPS: https://www.geotrust.com/resources/repository

    Signature Algorithm: sha1WithRSAEncryption
         76:e1:12:6e:4e:4b:16:12:86:30:06:b2:81:08:cf:f0:08:c7:
         c7:71:7e:66:ee:c2:ed:d4:3b:1f:ff:f0:f0:c8:4e:d6:43:38:
         b0:b9:30:7d:18:d0:55:83:a2:6a:cb:36:11:9c:e8:48:66:a3:
         6d:7f:b8:13:d4:47:fe:8b:5a:5c:73:fc:ae:d9:1b:32:19:38:
         ab:97:34:14:aa:96:d2:eb:a3:1c:14:08:49:b6:bb:e5:91:ef:
         83:36:eb:1d:56:6f:ca:da:bc:73:63:90:e4:7f:7b:3e:22:cb:
         3d:07:ed:5f:38:74:9c:e3:03:50:4e:a1:af:98:ee:61:f2:84:
         3f:12

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 146038 (0x23a76)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Validity
            Not Before: Apr  5 15:15:55 2013 GMT
            Not After : Dec 31 23:59:59 2016 GMT
        Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9c:2a:04:77:5c:d8:50:91:3a:06:a3:82:e0:d8:
                    50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5:
                    f1:89:ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74:
                    0b:53:4f:55:a4:ce:82:62:95:ee:eb:59:5f:c6:e1:
                    05:80:12:c4:5e:94:3f:bc:5b:48:38:f4:53:f7:24:
                    e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54:
                    de:7d:be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40:
                    da:08:73:51:6c:7f:ff:3a:3c:a7:37:06:8e:bd:4b:
                    11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60:
                    f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd:
                    15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84:
                    35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80:
                    4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0:
                    f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14:
                    fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1:
                    de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2:
                    0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e:
                    72:69
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

            X509v3 Subject Key Identifier: 
                4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://g.symcb.com/crls/gtglobal.crl

            Authority Information Access: 
                OCSP - URI:http://g.symcd.com

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1

    Signature Algorithm: sha1WithRSAEncryption
         27:8c:cf:e9:c7:3b:be:c0:6f:e8:96:84:fb:9c:5c:5d:90:e4:
         77:db:8b:32:60:9b:65:d8:85:26:b5:ba:9f:1e:de:64:4e:1f:
         c6:c8:20:5b:09:9f:ab:a9:e0:09:34:45:a2:65:25:37:3d:7f:
         5a:6f:20:cc:f9:fa:f1:1d:8f:10:0c:02:3a:c4:c9:01:76:96:
         be:9b:f9:15:d8:39:d1:c5:03:47:76:b8:8a:8c:31:d6:60:d5:
         e4:8f:db:fa:3c:c6:d5:98:28:f8:1c:8f:17:91:34:cb:cb:52:
         7a:d1:fb:3a:20:e4:e1:86:b1:d8:18:0f:be:d6:87:64:8d:c5:
         0a:25:42:51:ef:b2:38:b8:e0:1d:d0:e1:fc:e6:f4:af:46:ba:
         ef:c0:bf:c5:b4:05:f5:94:75:0c:fe:a2:be:02:ba:ea:86:5b:
         f9:35:b3:66:f5:c5:8d:85:a1:1a:23:77:1a:19:17:54:13:60:
         9f:0b:e1:b4:9c:28:2a:f9:ae:02:34:6d:25:93:9c:82:a8:17:
         7b:f1:85:b0:d3:0f:58:e1:fb:b1:fe:9c:a1:a3:e8:fd:c9:3f:
         f4:d7:71:dc:bd:8c:a4:19:e0:21:23:23:55:13:8f:a4:16:02:
         09:7e:b9:af:ee:db:53:64:bd:71:2f:b9:39:ce:30:b7:b4:bc:
         54:e0:47:07

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 299822383261939216 (0x4292ede7a09f610)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Oct 15 10:57:54 2014 GMT
            Not After : Jan 13 00:00:00 2015 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
                    0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
                    56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
                    56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
                    1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
                    81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
                    66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
                    66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
                    67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
                    6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
                    75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
                    04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
                    24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
                    d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
                    44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
                    be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
                    bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
                    4d:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:www.google.com
            Authority Information Access: 
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier: 
                65:C6:9C:EA:E1:99:17:E6:31:43:41:43:C8:9E:EA:94:D8:25:71:2E
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha1WithRSAEncryption
         4d:bf:54:df:29:e6:f6:9d:7f:43:f7:91:13:ca:9c:98:41:70:
         ea:89:bc:87:a6:92:dd:e5:c6:46:fd:11:da:15:07:54:bd:e2:
         70:0f:97:f8:6a:b1:1c:d3:81:d5:c8:e6:39:b7:ee:c1:18:0f:
         45:44:68:17:09:8a:76:6a:51:38:ba:27:33:e4:9b:5d:17:03:
         e6:70:72:91:24:b9:84:e7:eb:01:97:21:11:2e:8e:61:ce:57:
         fa:4b:92:ba:7c:62:4a:54:fa:77:8e:4f:a9:3a:7a:a4:45:df:
         95:4a:12:03:ed:9e:e8:73:d1:b0:9b:b4:7f:e6:5f:9b:62:59:
         74:d7:48:06:11:87:1b:c6:b0:e4:83:39:56:e3:75:a4:26:12:
         35:45:66:b8:4f:7b:cb:23:5f:15:2e:b0:10:44:12:67:82:24:
         19:28:85:5b:1e:c6:0c:87:2a:55:64:67:dc:b0:0e:27:87:16:
         e2:aa:72:69:77:a1:fa:d4:d1:75:ec:51:1f:95:e1:5c:a8:9c:
         a4:ad:19:5a:04:f7:42:dd:a7:9d:47:96:40:c6:7f:55:74:54:
         cb:60:79:ca:82:72:d5:7b:b2:3b:28:fb:ef:7c:eb:16:6b:f6:
         cc:4b:1e:0a:ff:79:69:30:c9:19:07:7a:dc:51:26:06:8f:58:
         dc:4e:55:cf

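Conclusion - it looks like my connection uses an intermediate CA certificate (GeoTrust Global CA (cross), https://www.tbs-certificates.co.uk/FAQ/en/615.html)

Answer 1: (score: 1)

I think what you may be seeing is that when you get the key from the browser, you get the entire raw ASN.1 key (indicated by the 30 82), but from SSL_get_peer_certificate() and/or X509_get_pubkey() you are getting some watered-down version that has stripped this header and gives you the rest of the key (without the leading 30 82 01 0a 02 82 01 01 or the trailing 02 03 01 00 01).

I tried to see exactly what x509_get_pubkey() returns but did not have much luck, but this is where I would start - investigating why you get the raw key from the browser while something is being truncated by the function.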
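
The byte runs named in the second answer (30 82 01 0a, 02 82 01 01 and 02 03 01 00 01) are DER headers: a SEQUENCE wrapping two INTEGERs, the modulus and the exponent 65537. The parser below is an added example, not code from the question or the answers; it splits such an RSAPublicKey blob into those two values. The function names are hypothetical and the sample key is constructed (1024-bit, so its lengths use the 0x81 long form rather than 0x82).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one DER header with the given tag; on success *p points at the value. */
static int der_hdr(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len) {
    const uint8_t *q = *p;
    if (end - q < 2 || *q++ != tag) return -1;
    size_t n = *q++;
    if (n & 0x80) {                 /* long form: 0x82 means two length bytes follow */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 2 || (size_t)(end - q) < cnt) return -1;
        for (n = 0; cnt--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;   /* value must fit in the buffer */
    *p = q; *len = n;
    return 0;
}

/* RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
   Returns 0 and points mod/expo into der, or -1 on malformed input. */
int rsa_pub_split(const uint8_t *der, size_t der_len, const uint8_t **mod,
                  size_t *mod_len, const uint8_t **expo, size_t *expo_len) {
    const uint8_t *p = der, *end = der + der_len;
    size_t seq_len;
    if (der_hdr(&p, end, 0x30, &seq_len) || p + seq_len != end) return -1;
    if (der_hdr(&p, end, 0x02, mod_len)) return -1;
    *mod = p; p += *mod_len;
    if (der_hdr(&p, end, 0x02, expo_len)) return -1;
    *expo = p; p += *expo_len;
    return p == end ? 0 : -1;
}

/* Constructed sample, not a real key: 1024-bit modulus, exponent 65537. */
size_t build_sample(uint8_t *out) {
    static const uint8_t head[] = {0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00};
    static const uint8_t tail[] = {0x02, 0x03, 0x01, 0x00, 0x01};
    memcpy(out, head, sizeof head);
    for (int i = 0; i < 128; i++) out[sizeof head + i] = (uint8_t)(0xbb + i);
    memcpy(out + sizeof head + 128, tail, sizeof tail);
    return sizeof head + 128 + sizeof tail;
}

int main(void) {
    uint8_t der[140]; const uint8_t *m, *e; size_t ml, el;
    if (rsa_pub_split(der, build_sample(der), &m, &ml, &e, &el)) return 1;
    printf("modulus %zu bytes starting %02x %02x, exponent %zu bytes\n", ml, m[0], m[1], el);
    return 0;
}
```

Given the 270 bytes of the Chrome field from the question, the same routine would return the 257-byte value beginning 00 bb cb that the first dump shows, plus the 3-byte exponent 01 00 01.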