2. 技术
    3. 使用OpenSSL模拟SSL证书验证过程

    使用OpenSSL模拟SSL证书验证过程

    技术2025-03-29  18

    准备

    准备好需要验证的两个证书,这里使用DigiCert与GeoTrust RSA CA 2018。 前者是根证书,后者是中间证书。

    可以使用Windows徽标键+R运行certmgr.msc查看存储在电脑内的证书,然后右键使用Base64格式导出。

    安装OpenSSL(自行百度)

    提取公钥、签名与被签名的数据

    命令行openssl提取根证书公钥:

    openssl x509 -in root.cer -pubkey -noout > root_pub.key

    从中间证书提取签名:

    首先查看openssl对证书的分析

    openssl x509 -in intermediate.cer -text -noout 输出: Certificate: Data: Version: 3 (0x2) Serial Number: 05:46:fe:18:23:f7:e1:94:1d:a3:9f:ce:14:c4:61:73 Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA Validity Not Before: Nov 6 12:23:45 2017 GMT Not After : Nov 6 12:23:45 2027 GMT Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:bf:8a:d1:63:4d:e1:18:ea:87:5d:e8:16:3c:8f: 7f:b6:be:87:17:37:a4:0c:f8:31:3f:9f:45:54:40: 21:d7:9d:07:9b:ca:03:23:4a:bd:9b:ed:85:02:63: 3f:9f:85:b9:ec:28:ef:f2:86:22:db:f8:4d:54:41: c5:b4:42:7f:cf:33:17:01:0e:82:90:52:d3:c7:34: a4:c1:a1:01:da:32:a0:40:ad:1f:59:e4:33:fc:a0: c3:96:ac:68:6c:d3:e8:99:73:8c:26:10:77:cb:b7: 3f:39:32:e8:d2:59:28:ee:07:86:e2:09:3b:85:f8: aa:69:f6:a9:6b:9f:58:ad:72:c8:5b:87:66:ae:08: e0:74:fb:2d:53:43:62:83:3d:8f:85:4c:11:97:dc: 1e:fc:50:30:b8:83:08:32:5e:5c:5c:c4:e1:75:20: 4a:eb:a5:d6:75:2d:dc:2d:7d:7c:e0:d0:fe:7c:75: a1:4e:40:02:84:9a:d9:0d:5a:2e:a0:ac:f3:35:8a: 2a:ea:d6:5a:5a:6c:8e:2c:ab:f6:de:fd:78:47:26: 79:7a:aa:22:ea:a9:e6:71:12:03:d3:f8:ba:53:d2: 79:9c:bd:64:ac:f6:1b:63:bb:4d:8f:38:02:f8:f0: 57:5d:c5:aa:25:5a:0c:5d:c5:30:fe:20:53:19:6c: e9:c3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 90:58:FF:B0:9C:75:A8:51:54:77:B1:ED:F2:A3:43:16:38:9E:6C:C5 X509v3 Authority Key Identifier: keyid:03:DE:50:35:56:D1:4C:BB:66:F0:A3:E2:1B:1B:C3:97:B2:3D:D1:55 X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 Authority Information Access: OCSP - URI:http://ocsp.digicert.com X509v3 CRL Distribution Points: Full Name: URI:http://crl3.digicert.com/DigiCertGlobalRootCA.crl X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS: https://www.digicert.com/CPS Signature Algorithm: sha256WithRSAEncryption 30:f1:87:55:3d:84:08:fc:2e:5e:6a:ba:7c:d2:cd:d5:2c:e3: be:02:da:5d:89:77:ed:f4:e9:56:c0:92:f0:2a:55:2d:45:f7: 1c:2a:3f:10:5b:f3:e9:e1:be:e1:e9:00:25:b9:f7:a3:c1:03: 1b:e3:9e:4e:8e:92:1b:09:95:52:f9:ac:18:fd:1f:29:01:8b: 17:0a:73:34:f4:67:12:55:ee:22:bc:cb:30:ca:80:99:3f:fb: cf:12:7f:cb:3d:18:47:85:d8:14:3e:4f:0c:94:3f:7b:f5:11: a8:51:6c:fb:a8:60:30:a8:90:a1:8b:6f:2e:45:db:37:b6:1c: 7e:bd:16:59:21:b1:32:67:ad:8d:a3:4b:49:3f:3b:12:19:2c: fc:9d:0f:ff:8c:ff:01:23:0a:f3:04:05:07:e5:67:01:01:b9: af:81:67:eb:29:cb:af:f8:fc:86:3e:a4:5c:73:84:f9:e5:39: 73:ac:19:f3:03:36:77:a0:29:68:f5:f4:ef:3b:d3:ee:88:73: 0a:ac:2e:95:ea:68:22:d2:cd:ac:6b:f8:1b:5e:53:c2:0f:d6: 76:e1:75:0c:c4:91:25:c0:85:53:0e:e2:81:d1:0e:18:30:c9: 67:a4:df:d0:0a:12:78:07:40:05:b1:0f:83:53:43:42:3b:e7: fb:f1:77:fb

    最后Signature Algorithm:sha256WithRSAEncryption后的字节就是签名(\x30~\xfb) 使用WinHex、Ultraedit以纯二进制保存这256个字节

    从中间证书提取被签名部分

    转换证书为二进制 使用工具将base64形式的证书转为纯二进制 Python代码: import base64 f = open("intermediate.cer","r") #删除Begin Certificate和End Certificate list1 = f.read().split("\n") encoded = "".join(list1[2:-2]) decoded = base64.b64decode(encoded) f2 = open("binary.bin","wb") f2.write(decoded) f2.close() 提取被签名部分 在得到的二进制证书的开头删去4个字节,末尾删去签名x+20个字节(x为签名的字节数,在本证书中为256) 最后得到(这是hex stream,保存仍需以二进制保存) 30820373A00302010202100546FE1823F7E1941DA39FCE14C46173300D06092A864886F70D01010B05003061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F74204341301E170D3137313130363132323334355A170D3237313130363132323334355A305E310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D311D301B0603550403131447656F547275737420525341204341203230313830820122300D06092A864886F70D01010105000382010F003082010A0282010100BF8AD1634DE118EA875DE8163C8F7FB6BE871737A40CF8313F9F45544021D79D079BCA03234ABD9BED8502633F9F85B9EC28EFF28622DBF84D5441C5B4427FCF3317010E829052D3C734A4C1A101DA32A040AD1F59E433FCA0C396AC686CD3E899738C261077CBB73F3932E8D25928EE0786E2093B85F8AA69F6A96B9F58AD72C85B8766AE08E074FB2D534362833D8F854C1197DC1EFC5030B88308325E5C5CC4E175204AEBA5D6752DDC2D7D7CE0D0FE7C75A14E4002849AD90D5A2EA0ACF3358A2AEAD65A5A6C8E2CABF6DEFD784726797AAA22EAA9E6711203D3F8BA53D2799CBD64ACF61B63BB4D8F3802F8F0575DC5AA255A0C5DC530FE2053196CE9C30203010001A38201403082013C301D0603551D0E041604149058FFB09C75A8515477B1EDF2A34316389E6CC5301F0603551D2304183016801403DE503556D14CBB66F0A3E21B1BC397B23DD155300E0603551D0F0101FF040403020186301D0603551D250416301406082B0601050507030106082B0601050507030230120603551D130101FF040830060101FF020100303406082B0601050507010104283026302406082B060105050730018618687474703A2F2F6F6373702E64696769636572742E636F6D30420603551D1F043B30393037A035A0338631687474703A2F2F63726C332E64696769636572742E636F6D2F4469676943657274476C6F62616C526F6F7443412E63726C303D0603551D200436303430320604551D2000302A302806082B06010505070201161C68747470733A2F2F7777772E64696769636572742E636F6D2F435053

    使用OpenSSL验证

    现在已经得到根证书公钥、中间证书的签名和被签名部分,已经可以验证 命令行openssl验证:

    openssl dgst -sha256 -verify root_pub.key -signature intermediate.sig binary.bin 输出:Verified OK

    root_pub.key:根证书公钥 intermediate.sig:中间证书签名 binary.bin:中间证书被签名部分

    验证完毕

    Processed: 0.010, SQL: 9