准备
一
准备好需要验证的两个证书,这里使用DigiCert与GeoTrust RSA CA 2018。
前者是根证书,后者是中间证书。
可以使用Windows徽标键+R运行certmgr.msc查看存储在电脑内的证书,然后右键使用Base64格式导出。
二
安装OpenSSL(自行百度)
提取公钥、签名与被签名的数据
命令行openssl提取根证书公钥:
openssl x509 -in root.cer -pubkey -noout > root_pub.key
从中间证书提取签名:
首先查看openssl对证书的分析
openssl x509 -in intermediate.cer -text -noout
输出:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:46:fe:18:23:f7:e1:94:1d:a3:9f:ce:14:c4:61:73
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Validity
Not Before: Nov 6 12:23:45 2017 GMT
Not After : Nov 6 12:23:45 2027 GMT
Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bf:8a:d1:63:4d:e1:18:ea:87:5d:e8:16:3c:8f:
7f:b6:be:87:17:37:a4:0c:f8:31:3f:9f:45:54:40:
21:d7:9d:07:9b:ca:03:23:4a:bd:9b:ed:85:02:63:
3f:9f:85:b9:ec:28:ef:f2:86:22:db:f8:4d:54:41:
c5:b4:42:7f:cf:33:17:01:0e:82:90:52:d3:c7:34:
a4:c1:a1:01:da:32:a0:40:ad:1f:59:e4:33:fc:a0:
c3:96:ac:68:6c:d3:e8:99:73:8c:26:10:77:cb:b7:
3f:39:32:e8:d2:59:28:ee:07:86:e2:09:3b:85:f8:
aa:69:f6:a9:6b:9f:58:ad:72:c8:5b:87:66:ae:08:
e0:74:fb:2d:53:43:62:83:3d:8f:85:4c:11:97:dc:
1e:fc:50:30:b8:83:08:32:5e:5c:5c:c4:e1:75:20:
4a:eb:a5:d6:75:2d:dc:2d:7d:7c:e0:d0:fe:7c:75:
a1:4e:40:02:84:9a:d9:0d:5a:2e:a0:ac:f3:35:8a:
2a:ea:d6:5a:5a:6c:8e:2c:ab:f6:de:fd:78:47:26:
79:7a:aa:22:ea:a9:e6:71:12:03:d3:f8:ba:53:d2:
79:9c:bd:64:ac:f6:1b:63:bb:4d:8f:38:02:f8:f0:
57:5d:c5:aa:25:5a:0c:5d:c5:30:fe:20:53:19:6c:
e9:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
90:58:FF:B0:9C:75:A8:51:54:77:B1:ED:F2:A3:43:16:38:9E:6C:C5
X509v3 Authority Key Identifier:
keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/DigiCertGlobalRootCA.crl
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: https://www.digicert.com/CPS
Signature Algorithm: sha256WithRSAEncryption
30:f1:87:55:3d:84:08:fc:2e:5e:6a:ba:7c:d2:cd:d5:2c:e3:
be:02:da:5d:89:77:ed:f4:e9:56:c0:92:f0:2a:55:2d:45:f7:
1c:2a:3f:10:5b:f3:e9:e1:be:e1:e9:00:25:b9:f7:a3:c1:03:
1b:e3:9e:4e:8e:92:1b:09:95:52:f9:ac:18:fd:1f:29:01:8b:
17:0a:73:34:f4:67:12:55:ee:22:bc:cb:30:ca:80:99:3f:fb:
cf:12:7f:cb:3d:18:47:85:d8:14:3e:4f:0c:94:3f:7b:f5:11:
a8:51:6c:fb:a8:60:30:a8:90:a1:8b:6f:2e:45:db:37:b6:1c:
7e:bd:16:59:21:b1:32:67:ad:8d:a3:4b:49:3f:3b:12:19:2c:
fc:9d:0f:ff:8c:ff:01:23:0a:f3:04:05:07:e5:67:01:01:b9:
af:81:67:eb:29:cb:af:f8:fc:86:3e:a4:5c:73:84:f9:e5:39:
73:ac:19:f3:03:36:77:a0:29:68:f5:f4:ef:3b:d3:ee:88:73:
0a:ac:2e:95:ea:68:22:d2:cd:ac:6b:f8:1b:5e:53:c2:0f:d6:
76:e1:75:0c:c4:91:25:c0:85:53:0e:e2:81:d1:0e:18:30:c9:
67:a4:df:d0:0a:12:78:07:40:05:b1:0f:83:53:43:42:3b:e7:
fb:f1:77:fb
最后Signature Algorithm:sha256WithRSAEncryption后的字节就是签名(\x30~\xfb)
使用WinHex、Ultraedit以纯二进制保存这256个字节
从中间证书提取被签名部分
- 转换证书为二进制
使用工具将base64形式的证书转为纯二进制
Python代码:
import base64
f = open("intermediate.cer","r")
#删除Begin Certificate和End Certificate
list1 = f.read().split("\n")
encoded = "".join(list1[2:-2])
decoded = base64.b64decode(encoded)
f2 = open("binary.bin","wb")
f2.write(decoded)
f2.close()
- 提取被签名部分
在得到的二进制证书的开头删去4个字节,末尾删去签名x+20个字节(x为签名的字节数,在本证书中为256)
最后得到(这是hex stream,保存仍需以二进制保存)
30820373A00302010202100546FE1823F7E1941DA39FCE14C46173300D06092A864886F70D01010B05003061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F74204341301E170D3137313130363132323334355A170D3237313130363132323334355A305E310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D311D301B0603550403131447656F547275737420525341204341203230313830820122300D06092A864886F70D01010105000382010F003082010A0282010100BF8AD1634DE118EA875DE8163C8F7FB6BE871737A40CF8313F9F45544021D79D079BCA03234ABD9BED8502633F9F85B9EC28EFF28622DBF84D5441C5B4427FCF3317010E829052D3C734A4C1A101DA32A040AD1F59E433FCA0C396AC686CD3E899738C261077CBB73F3932E8D25928EE0786E2093B85F8AA69F6A96B9F58AD72C85B8766AE08E074FB2D534362833D8F854C1197DC1EFC5030B88308325E5C5CC4E175204AEBA5D6752DDC2D7D7CE0D0FE7C75A14E4002849AD90D5A2EA0ACF3358A2AEAD65A5A6C8E2CABF6DEFD784726797AAA22EAA9E6711203D3F8BA53D2799CBD64ACF61B63BB4D8F3802F8F0575DC5AA255A0C5DC530FE2053196CE9C30203010001A38201403082013C301D0603551D0E041604149058FFB09C75A8515477B1EDF2A34316389E6CC5301F0603551D2304183016801403DE503556D14CBB66F0A3E21B1BC397B23DD155300E0603551D0F0101FF040403020186301D0603551D250416301406082B0601050507030106082B0601050507030230120603551D130101FF040830060101FF020100303406082B0601050507010104283026302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D30420603551D1F043B30393037A035A0338631687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274476C6F62616C526F6F7443412E63726C303D0603551D200436303430320604551D2000302A302806082B06010505070201161C68747470733A2F2F7777772E64696769636572742E636F6D2F435053
使用OpenSSL验证
现在已经得到根证书公钥、中间证书的签名和被签名部分,已经可以验证
命令行openssl验证:
openssl dgst -sha256 -verify root_pub.key -signature intermediate.sig binary.bin
输出:Verified OK
root_pub.key:根证书公钥
intermediate.sig:中间证书签名
binary.bin:中间证书被签名部分