我正在尝试从公钥证书中读取 sha256。证书如下所示。
我正在运行以下命令来读取 sha256 哈希,但它没有给出正确的结果:
openssl x509 -in test.crt -pubkey -noout | openssl rsa -pubin -outform der | \
openssl dgst -sha256 -binary | openssl enc -base64
我得到了一些错误的值 RTy7aSpufwRDWUudgZCwR5Xc7NETd6Imk4YlzvgKTRU=
正确的值是:
sha256/i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=
sha256/7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=
sha256/h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU=
我想知道三个值是如何产生的,是的,只有一个是正确的,但为了验证这些值,我运行了下面给出的示例程序:
public class Main {
public static void main(String[] args) throws IOException {
HttpLoggingInterceptor interceptor = new HttpLoggingInterceptor();
interceptor.setLevel(HttpLoggingInterceptor.Level.BODY);
String hostName = "www.google.com";
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(hostName, "sha256/pqrmt")
.build();
OkHttpClient client = new OkHttpClient.Builder()
.addNetworkInterceptor(interceptor)
.certificatePinner(certificatePinner)
.build();
Request request = new Request.Builder()
.url("https://" + hostName)
.build();
client.newCall(request).execute();
}
}
添加错误的 key 散列可以让我在错误日志中找到正确的 key 哈希值,使用正确的 key 哈希值可以让我轻松沟通。
-----BEGIN CERTIFICATE-----
MIIISDCCBzCgAwIBAgIILbxyxVw1oQAwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwODAyMTk0NTM5WhcNMTcxMDI1MTkyMzAw
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvqjgh7NP
S0DNdmqg94u9ecHsxtCCNH5K7RQDbT7stPZaftCBuCXEDbhmqP44ne7kKkKyHqVx
OxzDyMrvMly/qDvd17X33kXjEdte3YOWTENQ7R//LIQ2qwxOCd7LcDhRLnbhV61k
yDJIPzjM79BX8b0u9+e2KAYfhYFANB+iZrk0/sLXmlv+T+E1bm4D19H55BstEPM8
SOTUj0cntYaN+5Rcy1s9p5CjWb1Sy/JXyBv+QLkrbj2JyQ+KlG2Fil4ue3ooF2iA
LZM+k2OgCizz5Kh6za1oKkL08/wJCaqHQJMhxX1ajXW93DwyojOqt40+6tF43rEU
Uxy87Joi+ZZNOQIDAQABo4IFFTCCBREwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMIID4QYDVR0RBIID2DCCA9SCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lk
LmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29t
ghQqLmRiODMzOTUzLmdvb2dsZS5jboIGKi5nLmNvgg4qLmdjcC5ndnQyLmNvbYIW
Ki5nb29nbGUtYW5hbHl0aWNzLmNvbYILKi5nb29nbGUuY2GCCyouZ29vZ2xlLmNs
gg4qLmdvb2dsZS5jby5pboIOKi5nb29nbGUuY28uanCCDiouZ29vZ2xlLmNvLnVr
gg8qLmdvb2dsZS5jb20uYXKCDyouZ29vZ2xlLmNvbS5hdYIPKi5nb29nbGUuY29t
LmJygg8qLmdvb2dsZS5jb20uY2+CDyouZ29vZ2xlLmNvbS5teIIPKi5nb29nbGUu
Y29tLnRygg8qLmdvb2dsZS5jb20udm6CCyouZ29vZ2xlLmRlggsqLmdvb2dsZS5l
c4ILKi5nb29nbGUuZnKCCyouZ29vZ2xlLmh1ggsqLmdvb2dsZS5pdIILKi5nb29n
bGUubmyCCyouZ29vZ2xlLnBsggsqLmdvb2dsZS5wdIISKi5nb29nbGVhZGFwaXMu
Y29tgg8qLmdvb2dsZWFwaXMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdv
b2dsZXZpZGVvLmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tggoqLmd2
dDEuY29tggoqLmd2dDIuY29tghQqLm1ldHJpYy5nc3RhdGljLmNvbYIMKi51cmNo
aW4uY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29raWUuY29t
gg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVjYXRpb24uY29tggcqLnl0LmJl
ggsqLnl0aW1nLmNvbYIaYW5kcm9pZC5jbGllbnRzLmdvb2dsZS5jb22CC2FuZHJv
aWQuY29tghtkZXZlbG9wZXIuYW5kcm9pZC5nb29nbGUuY26CHGRldmVsb3BlcnMu
YW5kcm9pZC5nb29nbGUuY26CBGcuY2+CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGlj
cy5jb22CCmdvb2dsZS5jb22CEmdvb2dsZWNvbW1lcmNlLmNvbYIYc291cmNlLmFu
ZHJvaWQuZ29vZ2xlLmNuggp1cmNoaW4uY29tggp3d3cuZ29vLmdsggh5b3V0dS5i
ZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29tggV5dC5iZTBoBggr
BgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9H
SUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5nb29nbGUuY29t
L29jc3AwHQYDVR0OBBYEFJsK+1wBuADqH695FkUxvBBxBD13MAwGA1UdEwEB/wQC
MAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wIQYDVR0gBBowGDAM
BgorBgEEAdZ5AgUBMAgGBmeBDAECAjAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8v
cGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCWfamc
vElR0WkzwdaofPD66PsmqihYbgMAEOJBtt4isDLcVqG0tE8xwAYZO+EksklR6nXq
Pi8021W/qgh2XDmyGajc/psjSBdfAi2bw/kIMcXpQsJSR33n0kLJe4/5z5YwSJEt
M7f6DKlBzxalGrHc2rnkOw4xZEKYZ+nJQ5E3Lms0NKHFPxj3c5QvUYfiWhC4lY1m
RZRPIDQc9Bmcu+gJseRGYd8g+USo0829CMq42KaQM7nshxmwexXPv9ic9nV6f+Qi
nw1hL6RdI3+yHRSZCBPnlfpQfLLJatJmpwddP2ibT56zDDT4BQsP4/QeAbEOJ+Bp
0nJ0S+1OpCbjQXYL
-----END CERTIFICATE-----
最佳答案
sha256/i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=
此 pin 与访问 www.google.com 时返回的叶证书相匹配:
$ openssl s_client -connect www.google.com:443 |\
openssl x509 -pubkey -noout |\
openssl pkey -pubin -outform der |\
openssl dgst -sha256 -binary |\
openssl enc -base64
...
depth=0 ... CN = www.google.com
i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=
但是,如果您仔细查看访问 www.google.com 时返回的证书,您会发现它的 CN 为 www.google.com。相反,您在问题中包含的证书的 CN 为 *.google.com,即是不同的证书。例如,如果您访问 google.com 而不是 www.google.com,则会返回此证书:
$ openssl s_client -connect google.com:443 |\
openssl x509 -pubkey -noout |\
openssl pkey -pubin -outform der |\
openssl dgst -sha256 -binary |\
openssl enc -base64
...
depth=0 ... CN = *.google.com
RTy7aSpufwRDWUudgZCwR5Xc7NETd6Imk4YlzvgKTRU=
如您所见,您计算出的公钥指纹是正确的。只有您对正确指纹的假设不正确,因为您已针对错误的站点检查了这些指纹。
关于java - 来自公钥的 sha256 哈希,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/45668105/