问题:
如何获取https网站证书公钥
蓝夕
我使用< code > SSL _ get _ peer _ certificate(),< code > X509 _ get _ pubkey() API获取网站(www.google.com)https证书公钥,转储公钥时如下:
00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
4d:b9
我发现这和我在浏览器中看到的不一样(在Chrome中,点击URL地址栏中的挂锁,<代码>-
30 82 01 0a 02 82 01 01 00 bb cb 8a 0e b6 df
3f 0a ba a4 7b 20 9f e9 0a f2 81 04 84 ed d0
9e c9 fd 2a ec 39 9f 11 56 c3 2e 33 39 8f da
32 d7 84 54 55 5c 99 2f 56 61 73 17 2d 26 15
bc 8b 89 12 b8 78 73 17 1d c5 32 a2 e3 f1 b5
c4 d8 41 67 41 72 16 74 81 c8 4f f3 a8 57 31
cd 69 73 7b 96 41 2d be 66 15 f0 eb f7 33 7c
79 4a 00 40 0e c6 df 71 66 1a a7 12 79 e8 7e
89 c2 04 cc 09 b0 1f 9b 67 81 ec 5f 26 2d 09
c3 ce 1c a6 96 e9 0f de 6f aa b1 07 82 be a9
18 2e 2b a5 c5 17 a1 91 75 7b 0a 86 cc 1d bc
91 10 1d 5b 3b fd 49 37 04 65 5a c8 4a 41 17
37 63 ab a1 83 11 58 c8 24 74 c2 e4 ae 8e d6
90 98 5a d7 b7 96 4e d4 d8 21 e9 45 43 0b e0
0b 07 dd 0f 79 47 4a 06 44 17 97 59 c9 b1 e0
1b 2b 55 d8 bf 3c 07 f1 be 56 5e da 53 78 e2
c3 cb 6a 21 f5 83 66 66 bd eb 6f 27 da aa 91
30 93 eb 40 52 e0 24 a5 4d b9 02 03 01 00 01
为什么这两种公钥不一样?
我很好奇这两种公钥数据是什么?
更新:
从Chrome浏览器更新公钥字段值。
共有2个答案
路阳华
非常有趣。我在那个领域做了一些调查。
您提供的铬链中的第一个证书:30 82 01 0a 02 82 01 01 00 b2 56 ae e5 f2 a3 (...) 没有像您预期的那样指向“*.google.com”证书,而是指向 GeoTrust Global CA 证书(https://www.tbs-certificates.co.uk/FAQ/en/602.html,详细信息在这里 - http://geotrust.tbs-certificats.com/GeoTrust_Global_CA.cer)
我从www.google.com:443中提取了pubkey,然后将其转换为模数
$ openssl s_client -connect www.google.com:443 | openssl x509 -pubkey -noout
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8uKDrbfPwq6pHsgn+kK
8oEEhO3Qnsn9Kuw5nxFWwy4zOY/aMteEVFVcmS9WYXMXLSYVvIuJErh4cxcdxTKi
4/G1xNhBZ0FyFnSByE/zqFcxzWlze5ZBLb5mFfDr9zN8eUoAQA7G33FmGqcSeeh+
icIEzAmwH5tngexfJi0Jw84cppbpD95vqrEHgr6pGC4rpcUXoZF1ewqGzB28kRAd
Wzv9STcEZVrISkEXN2OroYMRWMgkdMLkro7WkJha17eWTtTYIelFQwvgCwfdD3lH
SgZEF5dZybHgGytV2L88B/G+Vl7aU3jiw8tqIfWDZma9628n2qqRMJPrQFLgJKVN
uQIDAQAB
-----END PUBLIC KEY-----
$ openssl rsa -pubin -inform PEM -text -noout < public.key
Public-Key: (2048 bit)
Modulus:
00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
4d:b9
Exponent: 65537 (0x10001)
结论-很好,看起来我们都在同一个公钥上工作(www.google.com:443)
然后我创建了到www.google.com:443的SSL连接示例(python/M2Crypt)并列出“对等证书链”,下面是输出:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1227750 (0x12bbe6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Validity
Not Before: May 21 04:00:00 2002 GMT
Not After : Aug 21 04:00:00 2018 GMT
Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df:
3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8:
43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29:
bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4:
60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3:
ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92:
2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d:
80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14:
15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd:
d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6:
d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5:
5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39:
19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05:
9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2:
fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32:
eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07:
36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b:
e4:f9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
X509v3 Subject Key Identifier:
C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.geotrust.com/crls/secureca.crl
X509v3 Certificate Policies:
Policy: X509v3 Any Policy
CPS: https://www.geotrust.com/resources/repository
Signature Algorithm: sha1WithRSAEncryption
76:e1:12:6e:4e:4b:16:12:86:30:06:b2:81:08:cf:f0:08:c7:
c7:71:7e:66:ee:c2:ed:d4:3b:1f:ff:f0:f0:c8:4e:d6:43:38:
b0:b9:30:7d:18:d0:55:83:a2:6a:cb:36:11:9c:e8:48:66:a3:
6d:7f:b8:13:d4:47:fe:8b:5a:5c:73:fc:ae:d9:1b:32:19:38:
ab:97:34:14:aa:96:d2:eb:a3:1c:14:08:49:b6:bb:e5:91:ef:
83:36:eb:1d:56:6f:ca:da:bc:73:63:90:e4:7f:7b:3e:22:cb:
3d:07:ed:5f:38:74:9c:e3:03:50:4e:a1:af:98:ee:61:f2:84:
3f:12
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 146038 (0x23a76)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Validity
Not Before: Apr 5 15:15:55 2013 GMT
Not After : Dec 31 23:59:59 2016 GMT
Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9c:2a:04:77:5c:d8:50:91:3a:06:a3:82:e0:d8:
50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5:
f1:89:ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74:
0b:53:4f:55:a4:ce:82:62:95:ee:eb:59:5f:c6:e1:
05:80:12:c4:5e:94:3f:bc:5b:48:38:f4:53:f7:24:
e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54:
de:7d:be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40:
da:08:73:51:6c:7f:ff:3a:3c:a7:37:06:8e:bd:4b:
11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60:
f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd:
15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84:
35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80:
4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0:
f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14:
fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1:
de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2:
0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e:
72:69
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
X509v3 Subject Key Identifier:
4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 CRL Distribution Points:
Full Name:
URI:http://g.symcb.com/crls/gtglobal.crl
Authority Information Access:
OCSP - URI:http://g.symcd.com
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.1
Signature Algorithm: sha1WithRSAEncryption
27:8c:cf:e9:c7:3b:be:c0:6f:e8:96:84:fb:9c:5c:5d:90:e4:
77:db:8b:32:60:9b:65:d8:85:26:b5:ba:9f:1e:de:64:4e:1f:
c6:c8:20:5b:09:9f:ab:a9:e0:09:34:45:a2:65:25:37:3d:7f:
5a:6f:20:cc:f9:fa:f1:1d:8f:10:0c:02:3a:c4:c9:01:76:96:
be:9b:f9:15:d8:39:d1:c5:03:47:76:b8:8a:8c:31:d6:60:d5:
e4:8f:db:fa:3c:c6:d5:98:28:f8:1c:8f:17:91:34:cb:cb:52:
7a:d1:fb:3a:20:e4:e1:86:b1:d8:18:0f:be:d6:87:64:8d:c5:
0a:25:42:51:ef:b2:38:b8:e0:1d:d0:e1:fc:e6:f4:af:46:ba:
ef:c0:bf:c5:b4:05:f5:94:75:0c:fe:a2:be:02:ba:ea:86:5b:
f9:35:b3:66:f5:c5:8d:85:a1:1a:23:77:1a:19:17:54:13:60:
9f:0b:e1:b4:9c:28:2a:f9:ae:02:34:6d:25:93:9c:82:a8:17:
7b:f1:85:b0:d3:0f:58:e1:fb:b1:fe:9c:a1:a3:e8:fd:c9:3f:
f4:d7:71:dc:bd:8c:a4:19:e0:21:23:23:55:13:8f:a4:16:02:
09:7e:b9:af:ee:db:53:64:bd:71:2f:b9:39:ce:30:b7:b4:bc:
54:e0:47:07
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 299822383261939216 (0x4292ede7a09f610)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Validity
Not Before: Oct 15 10:57:54 2014 GMT
Not After : Jan 13 00:00:00 2015 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
4d:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:www.google.com
Authority Information Access:
CA Issuers - URI:http://pki.google.com/GIAG2.crt
OCSP - URI:http://clients1.google.com/ocsp
X509v3 Subject Key Identifier:
65:C6:9C:EA:E1:99:17:E6:31:43:41:43:C8:9E:EA:94:D8:25:71:2E
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.google.com/GIAG2.crl
Signature Algorithm: sha1WithRSAEncryption
4d:bf:54:df:29:e6:f6:9d:7f:43:f7:91:13:ca:9c:98:41:70:
ea:89:bc:87:a6:92:dd:e5:c6:46:fd:11:da:15:07:54:bd:e2:
70:0f:97:f8:6a:b1:1c:d3:81:d5:c8:e6:39:b7:ee:c1:18:0f:
45:44:68:17:09:8a:76:6a:51:38:ba:27:33:e4:9b:5d:17:03:
e6:70:72:91:24:b9:84:e7:eb:01:97:21:11:2e:8e:61:ce:57:
fa:4b:92:ba:7c:62:4a:54:fa:77:8e:4f:a9:3a:7a:a4:45:df:
95:4a:12:03:ed:9e:e8:73:d1:b0:9b:b4:7f:e6:5f:9b:62:59:
74:d7:48:06:11:87:1b:c6:b0:e4:83:39:56:e3:75:a4:26:12:
35:45:66:b8:4f:7b:cb:23:5f:15:2e:b0:10:44:12:67:82:24:
19:28:85:5b:1e:c6:0c:87:2a:55:64:67:dc:b0:0e:27:87:16:
e2:aa:72:69:77:a1:fa:d4:d1:75:ec:51:1f:95:e1:5c:a8:9c:
a4:ad:19:5a:04:f7:42:dd:a7:9d:47:96:40:c6:7f:55:74:54:
cb:60:79:ca:82:72:d5:7b:b2:3b:28:fb:ef:7c:eb:16:6b:f6:
cc:4b:1e:0a:ff:79:69:30:c9:19:07:7a:dc:51:26:06:8f:58:
dc:4e:55:cf
结论-看起来我的连接使用的是< code>itermediate CA证书(GeoTrust Global CA (cross),https://www.tbs-certificates.co.uk/FAQ/en/615.html)
公冶阳德
我认为您可能会看到的是,当您从浏览器获取密钥时,您将获得整个 ASN.1 原始密钥(由 30 82 表示),但您从 SSL_get_peer_certificate() 和/或 X509_get_pubkey() 获得一些淡化版本,该版本删除了此标头并仅为您提供了其余的密钥(没有前导 30 82 010a 02 82 01 01 或尾随的 02 03 01 00 01)。
我试图研究< code>x509_get_pubkey()返回的确切内容,但运气不佳,但这是我开始研究的地方——为什么您从浏览器获得原始密钥,但从函数中截取了一些内容。
类似资料:
-
问题内容: 我在WAR中打包了一组图像,并在using中对其进行了描述。图像位于文件夹中。我希望能够选择一个图像,并在提交时将该图像的副本保存到磁盘上。 如何才能做到这一点?如何获得对此图像的参考(或其他参考)? 问题答案: 鉴于此文件夹结构, 您可以通过采用相对于webcontent的路径之一来获取它: 或通过其中获得- 的相对路径: 关于选择图像并传递其路径,只需执行以下操作:
-
接下来的步骤: 我已经使用代理启动了jeter,否则我不会记录任何东西,使用:C:\apache-jmetam-2.13\apache-jmetam-2.13\bin启动 局域网设置: 只使用代理服务器为您的局域网被选中,其他一切都在局域网设置中未被选中。 地址:localhost端口:8080 jeter网站的安全证书。
-
本文向大家介绍Tomcat9使用免费的Https证书加密网站的方法,包括了Tomcat9使用免费的Https证书加密网站的方法的使用技巧和注意事项,需要的朋友参考一下 1.概述 Apache Tomcat是一款优秀的Java Web容器,对于各个站长来说,可以很方便的使用Tomcat将自己的网站博客放在公网的服务器上,分享自己的心得以及个人博客。 那么在公网中的访问,没有被第三方公认可信的机构加密
-
我使用openam OAuth 2.0/OpenID access_tokenendpoint来获取id_token。id_token包含一个RS256签名。 我需要验证这个令牌。那么从哪里可以获得用于签署这个令牌的“公共证书”呢?
-
问题内容: 我需要通过URL对网站进行全屏拍摄,是否有用于该网站或服务的PHP程序,如果没有,是否有用于该目的的Java程序? 问题答案: 有很多方法: 使用http://khtml2png.sourceforge.net/index.php?page=faq 使用带有一些绑定的webkit引擎:http : //www.blogs.uni-osnabrueck.de/rotapken/2008/