2014-10-28 3675 views
0

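How to get an HTTPS website's certificate public key

I use the SSL_get_peer_certificate() and X509_get_pubkey() APIs to get the HTTPS certificate public key of a website (www.google.com). When I dump the public key, it looks like this: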

00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9: 
0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11: 
56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f: 
56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17: 
1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74: 
81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be: 
66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71: 
66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b: 
67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de: 
6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91: 
75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37: 
04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8: 
24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4: 
d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06: 
44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1: 
be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66: 
bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5: 
4d:b9 

I found that it differs from what I see in the browser (in Chrome, click the padlock in the URL address bar -> Connection -> Certificate information -> Certificate -> Details -> Public Key (field)), shown below:

30 82 01 0a 02 82 01 01 00 bb cb 8a 0e b6 df 
3f 0a ba a4 7b 20 9f e9 0a f2 81 04 84 ed d0 
9e c9 fd 2a ec 39 9f 11 56 c3 2e 33 39 8f da 
32 d7 84 54 55 5c 99 2f 56 61 73 17 2d 26 15 
bc 8b 89 12 b8 78 73 17 1d c5 32 a2 e3 f1 b5 
c4 d8 41 67 41 72 16 74 81 c8 4f f3 a8 57 31 
cd 69 73 7b 96 41 2d be 66 15 f0 eb f7 33 7c 
79 4a 00 40 0e c6 df 71 66 1a a7 12 79 e8 7e 
89 c2 04 cc 09 b0 1f 9b 67 81 ec 5f 26 2d 09 
c3 ce 1c a6 96 e9 0f de 6f aa b1 07 82 be a9 
18 2e 2b a5 c5 17 a1 91 75 7b 0a 86 cc 1d bc 
91 10 1d 5b 3b fd 49 37 04 65 5a c8 4a 41 17 
37 63 ab a1 83 11 58 c8 24 74 c2 e4 ae 8e d6 
90 98 5a d7 b7 96 4e d4 d8 21 e9 45 43 0b e0 
0b 07 dd 0f 79 47 4a 06 44 17 97 59 c9 b1 e0 
1b 2b 55 d8 bf 3c 07 f1 be 56 5e da 53 78 e2 
c3 cb 6a 21 f5 83 66 66 bd eb 6f 27 da aa 91 
30 93 eb 40 52 e0 24 a5 4d b9 02 03 01 00 01 

Why are these two public keys different?
I am curious what these two kinds of public key data are.

Update:
Updated the Public Key field value from the Chrome browser.

+0

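I haven't done this myself, but you raise an interesting question. How repeatable is it? If you run your application multiple times, do you get the same result? – WolfCoder 2014-10-28 10:16:54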

+0

Sure, the result should always be the same. This is also borne out by 常理's answer, where we get the same result. – 2014-10-29 06:15:04

Answers

1

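I think what you may be seeing is that when you get the key from the browser, you get the whole raw ASN.1 key (indicated by the 30 82), but from SSL_get_peer_certificate() and/or X509_get_pubkey() you are getting a stripped-down version that has removed this header and gives you only the rest of the key (without the leading 30 82 01 0a 02 82 01 01 or the trailing 02 03 01 00 01).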

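I tried to research what exactly X509_get_pubkey() returns, without much luck, but that is where I would start: researching why you get the raw key from the browser but something truncated from the functions.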

+0

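Yes, you are very observant; I had not noticed that the difference is the extra leading and trailing bytes. I think this is the [Microsoft ASN.1 format](http://stackoverflow.com/questions/12749858/rsa-public-key-format) – 2014-10-31 06:50:02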
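The byte layout discussed in this answer, as an added example that is not part of the original posts: the Chrome field is a DER-encoded RSAPublicKey, a SEQUENCE (`30 82 01 0a`) holding the modulus INTEGER (`02 82 01 01 00 bb ...`) and the exponent INTEGER (`02 03 01 00 01`, i.e. 65537), while the dump in the question is only the modulus content. The function names and the short sample key are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a DER tag+length header; return its size in bytes, or 0 on error. */
static size_t der_header(const uint8_t *p, size_t avail, uint8_t tag, size_t *len)
{
    if (avail < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return 2; }   /* short form */
    size_t n = p[1] & 0x7f;                        /* long form, e.g. 82 01 0a */
    if (n == 0 || n > 4 || avail < 2 + n) return 0;
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
    return 2 + n;
}

/* RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
 * Returns 0 on success; *mod points at the modulus INTEGER content
 * (leading 00 sign byte included), *pub_exp receives the exponent. */
int parse_rsa_public_key(const uint8_t *der, size_t der_len,
                         const uint8_t **mod, size_t *mod_len, unsigned long *pub_exp)
{
    size_t len = 0, h;
    h = der_header(der, der_len, 0x30, &len);
    if (!h || len != der_len - h) return -1;       /* SEQUENCE must span the input */
    der += h; der_len -= h;
    h = der_header(der, der_len, 0x02, &len);
    if (!h || len == 0 || len > der_len - h) return -1;
    *mod = der + h; *mod_len = len;
    der += h + len; der_len -= h + len;
    h = der_header(der, der_len, 0x02, &len);
    if (!h || len == 0 || len != der_len - h || len > sizeof *pub_exp) return -1;
    *pub_exp = 0;
    for (size_t i = 0; i < len; i++) *pub_exp = (*pub_exp << 8) | der[h + i];
    return 0;
}

/* Constructed sample: a toy 4-byte "modulus", same layout as the Chrome field. */
static const uint8_t SAMPLE[] = { 0x30, 0x0c, 0x02, 0x05, 0x00, 0xbb, 0xcb, 0x8a, 0x0e,
                                  0x02, 0x03, 0x01, 0x00, 0x01 };

int main(void)
{
    const uint8_t *mod; size_t mod_len; unsigned long pub_exp;
    if (parse_rsa_public_key(SAMPLE, sizeof SAMPLE, &mod, &mod_len, &pub_exp)) return 1;
    for (size_t i = 0; i < mod_len; i++) printf("%02x%s", mod[i], i + 1 < mod_len ? ":" : "\n");
    printf("Exponent: %lu\n", pub_exp);
    return 0;
}
```

The modulus is printed in the same colon-separated form as the dump in the question, which is why that dump starts at `00:bb:cb` and lacks the surrounding header and exponent bytes.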

1

Very interesting. I did some investigating in that area.

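The first certificate of the Chrome chain you provided: 30 82 01 0a 02 82 01 01 00 b2 56 ae e5 f2 a3 (...) does not point to the "*.google.com" certificate as you expected, but to the GeoTrust Global CA certificate https://www.tbs-certificates.co.uk/FAQ/en/602.html, details here - http://geotrust.tbs-certificats.com/GeoTrust_Global_CA.cer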

I extracted the pubkey from www.google.com:443 and then converted it to a 'Modulus':

$ openssl s_client -connect www.google.com:443 | openssl x509 -pubkey -noout 
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA 
verify error:num=20:unable to get local issuer certificate 
verify return:0 
-----BEGIN PUBLIC KEY----- 
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8uKDrbfPwq6pHsgn+kK 
8oEEhO3Qnsn9Kuw5nxFWwy4zOY/aMteEVFVcmS9WYXMXLSYVvIuJErh4cxcdxTKi 
4/G1xNhBZ0FyFnSByE/zqFcxzWlze5ZBLb5mFfDr9zN8eUoAQA7G33FmGqcSeeh+ 
icIEzAmwH5tngexfJi0Jw84cppbpD95vqrEHgr6pGC4rpcUXoZF1ewqGzB28kRAd 
Wzv9STcEZVrISkEXN2OroYMRWMgkdMLkro7WkJha17eWTtTYIelFQwvgCwfdD3lH 
SgZEF5dZybHgGytV2L88B/G+Vl7aU3jiw8tqIfWDZma9628n2qqRMJPrQFLgJKVN 
uQIDAQAB 
-----END PUBLIC KEY----- 

$ openssl rsa -pubin -inform PEM -text -noout < public.key 
Public-Key: (2048 bit) 
Modulus: 
    00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9: 
    0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11: 
    56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f: 
    56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17: 
    1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74: 
    81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be: 
    66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71: 
    66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b: 
    67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de: 
    6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91: 
    75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37: 
    04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8: 
    24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4: 
    d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06: 
    44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1: 
    be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66: 
    bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5: 
    4d:b9 
Exponent: 65537 (0x10001) 

Conclusion - OK, it looks like we are both working on the same pubkey (www.google.com:443).

Then I created a sample SSL connection to www.google.com:443 (python/M2Crypto) and listed the "peer cert chain"; here is the output:

Certificate: 
    Data: 
     Version: 3 (0x2) 
     Serial Number: 1227750 (0x12bbe6) 
    Signature Algorithm: sha1WithRSAEncryption 
     Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority 
     Validity 
      Not Before: May 21 04:00:00 2002 GMT 
      Not After : Aug 21 04:00:00 2018 GMT 
     Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 
     Subject Public Key Info: 
      Public Key Algorithm: rsaEncryption 
       Public-Key: (2048 bit) 
       Modulus: 
        00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df: 
        3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8: 
        43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29: 
        bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4: 
        60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3: 
        ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92: 
        2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d: 
        80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14: 
        15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd: 
        d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6: 
        d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5: 
        5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39: 
        19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05: 
        9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2: 
        fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32: 
        eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07: 
        36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b: 
        e4:f9 
       Exponent: 65537 (0x10001) 
     X509v3 extensions: 
      X509v3 Authority Key Identifier: 
       keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4 

      X509v3 Subject Key Identifier: 
       C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E 
      X509v3 Basic Constraints: critical 
       CA:TRUE 
      X509v3 Key Usage: critical 
       Certificate Sign, CRL Sign 
      X509v3 CRL Distribution Points: 

       Full Name: 
        URI:http://crl.geotrust.com/crls/secureca.crl 

      X509v3 Certificate Policies: 
       Policy: X509v3 Any Policy 
        CPS: https://www.geotrust.com/resources/repository 

    Signature Algorithm: sha1WithRSAEncryption 
     76:e1:12:6e:4e:4b:16:12:86:30:06:b2:81:08:cf:f0:08:c7: 
     c7:71:7e:66:ee:c2:ed:d4:3b:1f:ff:f0:f0:c8:4e:d6:43:38: 
     b0:b9:30:7d:18:d0:55:83:a2:6a:cb:36:11:9c:e8:48:66:a3: 
     6d:7f:b8:13:d4:47:fe:8b:5a:5c:73:fc:ae:d9:1b:32:19:38: 
     ab:97:34:14:aa:96:d2:eb:a3:1c:14:08:49:b6:bb:e5:91:ef: 
     83:36:eb:1d:56:6f:ca:da:bc:73:63:90:e4:7f:7b:3e:22:cb: 
     3d:07:ed:5f:38:74:9c:e3:03:50:4e:a1:af:98:ee:61:f2:84: 
     3f:12 

Certificate: 
    Data: 
     Version: 3 (0x2) 
     Serial Number: 146038 (0x23a76) 
    Signature Algorithm: sha1WithRSAEncryption 
     Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 
     Validity 
      Not Before: Apr 5 15:15:55 2013 GMT 
      Not After : Dec 31 23:59:59 2016 GMT 
     Subject: C=US, O=Google Inc, CN=Google Internet Authority G2 
     Subject Public Key Info: 
      Public Key Algorithm: rsaEncryption 
       Public-Key: (2048 bit) 
       Modulus: 
        00:9c:2a:04:77:5c:d8:50:91:3a:06:a3:82:e0:d8: 
        50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5: 
        f1:89:ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74: 
        0b:53:4f:55:a4:ce:82:62:95:ee:eb:59:5f:c6:e1: 
        05:80:12:c4:5e:94:3f:bc:5b:48:38:f4:53:f7:24: 
        e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54: 
        de:7d:be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40: 
        da:08:73:51:6c:7f:ff:3a:3c:a7:37:06:8e:bd:4b: 
        11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60: 
        f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd: 
        15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84: 
        35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80: 
        4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0: 
        f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14: 
        fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1: 
        de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2: 
        0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e: 
        72:69 
       Exponent: 65537 (0x10001) 
     X509v3 extensions: 
      X509v3 Authority Key Identifier: 
       keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E 

      X509v3 Subject Key Identifier: 
       4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F 
      X509v3 Basic Constraints: critical 
       CA:TRUE, pathlen:0 
      X509v3 Key Usage: critical 
       Certificate Sign, CRL Sign 
      X509v3 CRL Distribution Points: 

       Full Name: 
        URI:http://g.symcb.com/crls/gtglobal.crl 

      Authority Information Access: 
       OCSP - URI:http://g.symcd.com 

      X509v3 Certificate Policies: 
       Policy: 1.3.6.1.4.1.11129.2.5.1 

    Signature Algorithm: sha1WithRSAEncryption 
     27:8c:cf:e9:c7:3b:be:c0:6f:e8:96:84:fb:9c:5c:5d:90:e4: 
     77:db:8b:32:60:9b:65:d8:85:26:b5:ba:9f:1e:de:64:4e:1f: 
     c6:c8:20:5b:09:9f:ab:a9:e0:09:34:45:a2:65:25:37:3d:7f: 
     5a:6f:20:cc:f9:fa:f1:1d:8f:10:0c:02:3a:c4:c9:01:76:96: 
     be:9b:f9:15:d8:39:d1:c5:03:47:76:b8:8a:8c:31:d6:60:d5: 
     e4:8f:db:fa:3c:c6:d5:98:28:f8:1c:8f:17:91:34:cb:cb:52: 
     7a:d1:fb:3a:20:e4:e1:86:b1:d8:18:0f:be:d6:87:64:8d:c5: 
     0a:25:42:51:ef:b2:38:b8:e0:1d:d0:e1:fc:e6:f4:af:46:ba: 
     ef:c0:bf:c5:b4:05:f5:94:75:0c:fe:a2:be:02:ba:ea:86:5b: 
     f9:35:b3:66:f5:c5:8d:85:a1:1a:23:77:1a:19:17:54:13:60: 
     9f:0b:e1:b4:9c:28:2a:f9:ae:02:34:6d:25:93:9c:82:a8:17: 
     7b:f1:85:b0:d3:0f:58:e1:fb:b1:fe:9c:a1:a3:e8:fd:c9:3f: 
     f4:d7:71:dc:bd:8c:a4:19:e0:21:23:23:55:13:8f:a4:16:02: 
     09:7e:b9:af:ee:db:53:64:bd:71:2f:b9:39:ce:30:b7:b4:bc: 
     54:e0:47:07 

Certificate: 
    Data: 
     Version: 3 (0x2) 
     Serial Number: 299822383261939216 (0x4292ede7a09f610) 
    Signature Algorithm: sha1WithRSAEncryption 
     Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2 
     Validity 
      Not Before: Oct 15 10:57:54 2014 GMT 
      Not After : Jan 13 00:00:00 2015 GMT 
     Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com 
     Subject Public Key Info: 
      Public Key Algorithm: rsaEncryption 
       Public-Key: (2048 bit) 
       Modulus: 
        00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9: 
        0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11: 
        56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f: 
        56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17: 
        1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74: 
        81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be: 
        66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71: 
        66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b: 
        67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de: 
        6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91: 
        75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37: 
        04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8: 
        24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4: 
        d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06: 
        44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1: 
        be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66: 
        bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5: 
        4d:b9 
       Exponent: 65537 (0x10001) 
     X509v3 extensions: 
      X509v3 Extended Key Usage: 
       TLS Web Server Authentication, TLS Web Client Authentication 
      X509v3 Subject Alternative Name: 
       DNS:www.google.com 
      Authority Information Access: 
       CA Issuers - URI:http://pki.google.com/GIAG2.crt 
       OCSP - URI:http://clients1.google.com/ocsp 

      X509v3 Subject Key Identifier: 
       65:C6:9C:EA:E1:99:17:E6:31:43:41:43:C8:9E:EA:94:D8:25:71:2E 
      X509v3 Basic Constraints: critical 
       CA:FALSE 
      X509v3 Authority Key Identifier: 
       keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F 

      X509v3 Certificate Policies: 
       Policy: 1.3.6.1.4.1.11129.2.5.1 

      X509v3 CRL Distribution Points: 

       Full Name: 
        URI:http://pki.google.com/GIAG2.crl 

    Signature Algorithm: sha1WithRSAEncryption 
     4d:bf:54:df:29:e6:f6:9d:7f:43:f7:91:13:ca:9c:98:41:70: 
     ea:89:bc:87:a6:92:dd:e5:c6:46:fd:11:da:15:07:54:bd:e2: 
     70:0f:97:f8:6a:b1:1c:d3:81:d5:c8:e6:39:b7:ee:c1:18:0f: 
     45:44:68:17:09:8a:76:6a:51:38:ba:27:33:e4:9b:5d:17:03: 
     e6:70:72:91:24:b9:84:e7:eb:01:97:21:11:2e:8e:61:ce:57: 
     fa:4b:92:ba:7c:62:4a:54:fa:77:8e:4f:a9:3a:7a:a4:45:df: 
     95:4a:12:03:ed:9e:e8:73:d1:b0:9b:b4:7f:e6:5f:9b:62:59: 
     74:d7:48:06:11:87:1b:c6:b0:e4:83:39:56:e3:75:a4:26:12: 
     35:45:66:b8:4f:7b:cb:23:5f:15:2e:b0:10:44:12:67:82:24: 
     19:28:85:5b:1e:c6:0c:87:2a:55:64:67:dc:b0:0e:27:87:16: 
     e2:aa:72:69:77:a1:fa:d4:d1:75:ec:51:1f:95:e1:5c:a8:9c: 
     a4:ad:19:5a:04:f7:42:dd:a7:9d:47:96:40:c6:7f:55:74:54: 
     cb:60:79:ca:82:72:d5:7b:b2:3b:28:fb:ef:7c:eb:16:6b:f6: 
     cc:4b:1e:0a:ff:79:69:30:c9:19:07:7a:dc:51:26:06:8f:58: 
     dc:4e:55:cf 

Conclusion - it looks like my connection uses the intermediate CA certificate (GeoTrust Global CA (cross), https://www.tbs-certificates.co.uk/FAQ/en/615.html)

+0

You can map the Modulus in the "peer cert chain" above: the **first certificate** points to **CN=www.google.com**; it does not match the **GeoTrust Global CA Cert** – 2014-10-29 06:13:43

+0

The Geo Trust Global CA Cert is what you see in the browser (the second pubkey in your question). Try downloading http://geotrust.tbs-certificats.com/GeoTrust_Global_CA.cer and checking its modulus. – soerium 2014-10-29 06:31:08

+0

OK, maybe I pasted something wrong; I have now updated the question with the new public key value from the Chrome browser. – 2014-10-29 06:47:37