2017-08-14 237 views
0

I want to read the sha256 hash of the public key from a certificate. The certificate is shown below.

I ran the command below to read the SHA256 hash, but it does not give the correct result:

openssl x509 -in test.crt -pubkey -noout | openssl rsa -pubin -outform der | \ 
    openssl dgst -sha256 -binary | openssl enc -base64 

I get a wrong value, RTy7aSpufwRDWUudgZCwR5Xc7NETd6Imk4YlzvgKTRU=

The correct values are:

sha256/i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4= 
sha256/7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= 
sha256/h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= 

I want to know how the three values come about; yes, only one of them is correct, but to verify these values I ran the sample program given below:

import java.io.IOException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.logging.HttpLoggingInterceptor;

public class Main {

    public static void main(String[] args) throws IOException {
        // Log request and response bodies so a pinning failure is visible.
        HttpLoggingInterceptor interceptor = new HttpLoggingInterceptor();
        interceptor.setLevel(HttpLoggingInterceptor.Level.BODY);
        String hostName = "www.google.com";
        // "sha256/pqrmt" is the placeholder for the pin under test; a pin that
        // does not match the served key makes execute() throw
        // SSLPeerUnverifiedException.
        CertificatePinner certificatePinner = new CertificatePinner.Builder()
            .add(hostName, "sha256/pqrmt")
            .build();
        OkHttpClient client = new OkHttpClient.Builder()
            .addNetworkInterceptor(interceptor)
            .certificatePinner(certificatePinner)
            .build();
        Request request = new Request.Builder()
            .url("https://" + hostName)
            .build();
        client.newCall(request).execute();
    }
}

Adding a wrong key hash gives me an error log, and using the proper one lets me communicate without any problem.

+2

There is only one public key in the certificate, so where did you get the 3 "correct" values from? –

+0

Hi Robbey, I have added more code showing how more hashes are generated from these, and how I verified that the hashes I generated are correct; please take a look. – sector11

+0

The way you compute the value looks correct and matches [what is documented by Mozilla](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning). What makes you think the values you believe to be correct are in fact correct - in particular, which of these three values is the correct one? –

Answer

3

sha256/i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=

This pin matches the leaf certificate returned when visiting www.google.com:

$ openssl s_client -connect www.google.com:443 |\ 
    openssl x509 -pubkey -noout |\ 
    openssl pkey -pubin -outform der |\ 
    openssl dgst -sha256 -binary |\ 
    openssl enc -base64 
... 
depth=0 ... CN = www.google.com 
i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4= 

But if you look closely at the certificate returned when visiting www.google.com, you will see that its CN is www.google.com. The certificate you included in your question, in contrast, has a CN of *.google.com, i.e. it is a different certificate.

$ openssl s_client -connect google.com:443 |\ 
    openssl x509 -pubkey -noout |\ 
    openssl pkey -pubin -outform der |\ 
    openssl dgst -sha256 -binary |\ 
    openssl enc -base64 
... 
depth=0 ... CN = *.google.com 
RTy7aSpufwRDWUudgZCwR5Xc7NETd6Imk4YlzvgKTRU= 

As you can see, the public key fingerprint you computed is correct: this certificate is returned if you visit google.com instead of www.google.com, for example. Only your assumption about the correct fingerprint is wrong, because you checked those fingerprints against the wrong site.
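The computation the answer describes, carried out in Go rather than the question's Java, as an added example that is not part of the original post: spkiPin reproduces the openssl pipeline (SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64-encoded), pinMatches is the check a pinner such as OkHttp's CertificatePinner makes against the served key, and selfSigned generates constructed throwaway certificates with hypothetical CNs standing in for the www.google.com and *.google.com leaves.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// spkiPin computes what the question's openssl pipeline computes: the base64
// of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, prefixed "sha256/".
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches is the check a pinner makes: is the served key's pin in the set?
func pinMatches(cert *x509.Certificate, pins []string) bool {
	got := spkiPin(cert)
	for _, p := range pins {
		if p == got {
			return true
		}
	}
	return false
}

// selfSigned builds a throwaway self-signed certificate with a fresh RSA key:
// constructed test data standing in for the www.google.com and *.google.com
// leaf certificates in the answer (hypothetical CNs, not Google's real keys).
func selfSigned(cn string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Pinning the www certificate's key and then checking the wildcard certificate against that pin set fails, which is exactly the mismatch the question ran into with the *.google.com leaf.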

+0

Thanks for the detailed answer. Is it a good idea to set the root certificate for access to all subdomains? – sector11

+0

@sector11: please don't ask new questions in comments (even as a follow-up), because nobody expects new questions and answers to appear there. Ask a new question instead. Apart from that, this question might be better asked on security.stackexchange.com, but please first look at the existing questions and answers on this topic. –

+0

OK, no problem. – sector11