在花了两天时间搜索并找到我的问题的答案之后,才意识到这些答案只会制造出我无法解决的更多问题和问题,因此我决定在这里寻求帮助,希望我不会错过正在寻找某处的信息。

我刚刚开始一个项目,在该项目中,我必须先与客户端交换X.509证书,然后才能开始使用此客户端。
我已经很好地理解了如何以及为什么制作X.509证书:


从私钥进行CSR;
该CSR包含数字身份和从私钥中提取的公钥;
CSR是自签名的或发送给CA的,后者使用自己的私钥对其进行签名,以验证发送者的身份;
CA发回与X.509标准匹配的证书,证明您没有伪造身份,因此X.509中包含的公钥是可靠的。


因此,X.509证书是与某人交换您的公钥以抵抗潜在的中间人攻击的一种方法。
使用OpenSSL,我已经能够单独模拟那些操作,以了解这些步骤的功能。

我的第一个问题是,当我从私钥(privateKey.pem)进行CSR,然后检查此私钥是否与CSR匹配时,它不匹配。
然后,我使用另一个私钥(signingPrivateKey.pem)对CSR进行自签名,再次检查X.509证书是否与私钥匹配,但仍然不匹配(这似乎很正常,因为CSR既不签名,但两者都应该匹配,不是吗?)。

这是OpenSSL命令:

@echo off

echo "Generates private key and puts it in SigningPrivateKey.pem"
echo.
openssl genrsa -out SigningPrivateKey.pem 1024

echo "Generates private key and puts it in privateKey.pem, then create CSR"
echo.
openssl req -newkey rsa:1024 -keyout privateKey.pem -out CSR_TEST.csr -nodes


echo "Checks if CSR and privateKey matches
echo.
openssl x509 -noout -modulus -in CSR_TEST.csr | openssl md5
openssl rsa -noout -modulus -in privateKey.pem | openssl md5

echo "Self sign CSR with private key"
echo.
openssl x509 -in CSR_TEST.csr -out CSR_TEST.pem -req -signkey
SigningPrivateKey.pem -days 1

echo. "Checks again if certificate and private key matches
openssl x509 -noout -modulus -in CSR_TEST.pem | openssl md5
openssl rsa -noout -modulus -in privateKey.pem | openssl md5


这是摘要输入:

stdin = d41d8....8427e
stdin = f3213....4538c
Signature ok
stdin = 82baf...a0863
stdin = f3213...4538c


我的第二个问题是验证X.509的方法。
假设我设法通过输入私钥制作了X.509证书,并且提取的公钥与此匹配。我将其发送给我的客户,后者向其发送证书。
我们怎么知道X.509是可靠的?我读过某个地方,我们需要使用CA的公钥“取消签名” X.509证书,并将输出与哈希证书进行比较,但是每个人似乎都说X.509证书是自给自足的,并且它证明自己的身份。我们只需要使用OpenSSL命令检查其真实性?
请在这一点上减轻我的负担。

感谢您抽出宝贵的时间阅读和理解我的问题,我希望我不是唯一面对这些问题的人,并且希望这篇帖子对其他人有所帮助。
抱歉,我还不允许在此帖子中放置更多链接,否则我会更加准确。

最佳答案

CSR /密钥比较

$ openssl req -in test.csr -modulus -noout | openssl md5
(stdin)= 76d44c1a05f535f5e78a648b41bdaf73
$ openssl rsa -in test.key -modulus -noout | openssl md5
(stdin)= 76d44c1a05f535f5e78a648b41bdaf73


您在CSR上使用了openssl x509。他们不一样。通过MD5运行输出之前,您显然没有查看输出:

$ openssl x509 -in test.csr -modulus -noout
unable to load certificate
139958187611800:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE


您尚未将其放入证书中,因此x509命令不起作用。

制作完证书并再次检查之后,您会得到不同的答案,因为您使用了-signkeydocumentation表示-signkey用作自签名密钥,这意味着它将替换原始请求中的公共密钥。如果使用-signkey privateKey.pem,则命令应显示对齐方式。

廉正

每个X.509证书都包含提供的数据(包括公用密钥)和签名。对于“真实”的CA,通常会有一个注释(“机构信息访问”扩展名),其中说明了如何查找CA的证书。无论您是手头上的还是必须从互联网上检索它,签名证书中的公钥都可用于验证原始证书中的数据没有更改。

签名CA本身具有证书,因此您可以进一步进行证明它没有被更改。

最终您获得了根/自签名证书。要么您已经拥有它并认为它是受信任的,要么您就不信任它,您就称它为Malarkey。

关于不属于内置信任库的自签名证书的唯一可以真正验证的事情是,它在创建后并未被修改。这样做唯一的安全好处是拒绝:如果有人编辑了您创建的证书,并添加了扩展名,说明“您的母亲是臭驴销售员!”您可以证明自签名无效。

$ openssl x509 -in test.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11195357966677484939 (0x9b5de6c15126a58b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=.NET Framework (CoreFX), CN=localhost
        Validity
            Not Before: Mar  2 01:48:00 2016 GMT
            Not After : Mar  2 01:48:00 2017 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=.NET Framework (CoreFX), CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:81:c1:cb:d8:20:3f:62:4a:53:9e:d6:60:81:
                    75:37:23:93:a2:83:7d:48:90:e4:8a:19:de:d3:69:
                    73:11:56:20:96:8d:6b:e0:d3:da:a3:8a:a7:77:be:
                    02:ee:0b:6b:93:b7:24:e8:dc:c1:2b:63:2b:4f:a8:
                    0b:bc:92:5b:ce:62:4f:4c:a7:cc:60:63:06:b3:94:
                    03:e2:8c:93:2d:24:dd:54:6f:fe:4e:f6:a3:7f:10:
                    77:0b:22:15:ea:8c:bb:5b:f4:27:e8:c4:d8:9b:79:
                    eb:33:83:75:10:0c:5f:83:e5:5d:e9:b4:46:6d:df:
                    be:ee:42:53:9a:ef:33:ef:18:7b:77:60:c3:b1:a1:
                    b2:10:3c:2d:81:44:56:4a:0c:10:39:a0:9c:85:cf:
                    6b:59:74:eb:51:6f:c8:d6:62:3c:94:ae:3a:5a:0b:
                    b3:b4:c7:92:95:7d:43:23:91:56:6c:f3:e2:a5:2a:
                    fb:0c:14:2b:9e:06:81:b8:97:26:71:af:2b:82:dd:
                    39:0a:39:b9:39:cf:71:95:68:68:7e:49:90:a6:30:
                    50:ca:77:68:dc:d6:b3:78:84:2f:18:fd:b1:f6:d9:
                    ff:09:6b:af:7b:eb:98:dc:f9:30:d6:6f:cf:d5:03:
                    f5:8d:41:bf:f4:62:12:e2:4e:3a:fc:45:ea:42:bd:
                    88:47
                Exponent: 8589935681 (0x200000441)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                78:A5:C7:5D:51:66:73:31:D5:A9:69:24:11:4C:9B:5F:A0:0D:7B:CB
            X509v3 Authority Key Identifier:
                keyid:78:A5:C7:5D:51:66:73:31:D5:A9:69:24:11:4C:9B:5F:A0:0D:7B:CB

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         77:75:6d:05:ff:a6:ad:fe:d5:b6:d4:af:b5:40:84:0c:6d:01:
         cf:6b:3f:a6:c9:73:df:d6:1f:ca:a0:a8:14:fa:1e:24:69:01:
         9d:94:b1:d8:56:d0:7d:d2:b9:5b:85:50:df:d2:08:59:53:a4:
         94:b9:9e:fc:ba:a7:98:2c:e7:71:98:4f:9d:4a:44:5f:fe:e0:
         62:e8:a0:49:73:6a:39:fd:99:4e:1f:da:0a:5d:c2:b5:b0:e5:
         7a:0b:10:c4:1b:c7:fe:6a:40:b2:4f:85:97:73:02:59:3e:60:
         b9:8d:d4:81:1d:47:d9:48:ed:f8:d6:e6:b5:af:80:a1:82:74:
         96:e2:0b:fd:24:0e:46:76:74:50:4d:4e:47:03:33:1d:64:70:
         5c:36:fb:6e:14:ba:bf:d9:cb:ee:c4:4b:33:a8:d7:b3:64:79:
         90:0f:3c:5b:ba:b6:9c:5e:45:3d:18:07:83:e2:50:80:51:b9:
         98:c0:38:e4:62:25:71:d2:ab:89:1d:89:8e:54:58:82:8c:f1:
         86:79:51:7d:28:db:ca:bf:72:e8:13:07:bf:d7:21:b7:3d:db:
         17:51:12:3f:99:d8:fc:0d:53:37:98:c4:db:d1:47:19:d5:d8:
         a8:5b:00:a1:44:a3:67:67:7b:48:89:1a:9b:56:f0:45:33:48:
         11:ba:cb:7a




$ openssl x509 -in alsotest.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11195357966677484939 (0x9b5de6c15126a58b)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=.NET Framework (CoreFX), CN=localhost
        Validity
            Not Before: Mar  2 01:48:00 2016 GMT
            Not After : Mar  2 01:48:00 2019 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=.NET Framework (CoreFX), CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:81:c1:cb:d8:20:3f:62:4a:53:9e:d6:60:81:
                    75:37:23:93:a2:83:7d:48:90:e4:8a:19:de:d3:69:
                    73:11:56:20:96:8d:6b:e0:d3:da:a3:8a:a7:77:be:
                    02:ee:0b:6b:93:b7:24:e8:dc:c1:2b:63:2b:4f:a8:
                    0b:bc:92:5b:ce:62:4f:4c:a7:cc:60:63:06:b3:94:
                    03:e2:8c:93:2d:24:dd:54:6f:fe:4e:f6:a3:7f:10:
                    77:0b:22:15:ea:8c:bb:5b:f4:27:e8:c4:d8:9b:79:
                    eb:33:83:75:10:0c:5f:83:e5:5d:e9:b4:46:6d:df:
                    be:ee:42:53:9a:ef:33:ef:18:7b:77:60:c3:b1:a1:
                    b2:10:3c:2d:81:44:56:4a:0c:10:39:a0:9c:85:cf:
                    6b:59:74:eb:51:6f:c8:d6:62:3c:94:ae:3a:5a:0b:
                    b3:b4:c7:92:95:7d:43:23:91:56:6c:f3:e2:a5:2a:
                    fb:0c:14:2b:9e:06:81:b8:97:26:71:af:2b:82:dd:
                    39:0a:39:b9:39:cf:71:95:68:68:7e:49:90:a6:30:
                    50:ca:77:68:dc:d6:b3:78:84:2f:18:fd:b1:f6:d9:
                    ff:09:6b:af:7b:eb:98:dc:f9:30:d6:6f:cf:d5:03:
                    f5:8d:41:bf:f4:62:12:e2:4e:3a:fc:45:ea:42:bd:
                    88:47
                Exponent: 8589935681 (0x200000441)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                78:A5:C7:5D:51:66:73:31:D5:A9:69:24:11:4C:9B:5F:A0:0D:7B:CB
            X509v3 Authority Key Identifier:
                keyid:78:A5:C7:5D:51:66:73:31:D5:A9:69:24:11:4C:9B:5F:A0:0D:7B:CB

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         77:75:6d:05:ff:a6:ad:fe:d5:b6:d4:af:b5:40:84:0c:6d:01:
         cf:6b:3f:a6:c9:73:df:d6:1f:ca:a0:a8:14:fa:1e:24:69:01:
         9d:94:b1:d8:56:d0:7d:d2:b9:5b:85:50:df:d2:08:59:53:a4:
         94:b9:9e:fc:ba:a7:98:2c:e7:71:98:4f:9d:4a:44:5f:fe:e0:
         62:e8:a0:49:73:6a:39:fd:99:4e:1f:da:0a:5d:c2:b5:b0:e5:
         7a:0b:10:c4:1b:c7:fe:6a:40:b2:4f:85:97:73:02:59:3e:60:
         b9:8d:d4:81:1d:47:d9:48:ed:f8:d6:e6:b5:af:80:a1:82:74:
         96:e2:0b:fd:24:0e:46:76:74:50:4d:4e:47:03:33:1d:64:70:
         5c:36:fb:6e:14:ba:bf:d9:cb:ee:c4:4b:33:a8:d7:b3:64:79:
         90:0f:3c:5b:ba:b6:9c:5e:45:3d:18:07:83:e2:50:80:51:b9:
         98:c0:38:e4:62:25:71:d2:ab:89:1d:89:8e:54:58:82:8c:f1:
         86:79:51:7d:28:db:ca:bf:72:e8:13:07:bf:d7:21:b7:3d:db:
         17:51:12:3f:99:d8:fc:0d:53:37:98:c4:db:d1:47:19:d5:d8:
         a8:5b:00:a1:44:a3:67:67:7b:48:89:1a:9b:56:f0:45:33:48:
         11:ba:cb:7a


为了避免您的眼睛疲劳:其中一个具有当前过期时间,另一个具有当前过期时间。 (我懒得注入扩展名)。

哪一个是正确的?

$ openssl verify test.cer
test.cer: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = .NET Framework (CoreFX), CN = localhost
error 18 at 0 depth lookup:self signed certificate
C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = .NET Framework (CoreFX), CN = localhost
error 10 at 0 depth lookup:certificate has expired
OK

$ openssl verify alsotest.cer
alsotest.cer: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = .NET Framework (CoreFX), CN = localhost
error 18 at 0 depth lookup:self signed certificate
OK


德拉特,他们都是对的。还是他们?请稍等,openssl verify通常不会检查自签名,因为这通常无关紧要。

$ openssl verify -check_ss_sig test.cer
test.cer: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = .NET Framework (CoreFX), CN = localhost
error 18 at 0 depth lookup:self signed certificate
C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = .NET Framework (CoreFX), CN = localhost
error 10 at 0 depth lookup:certificate has expired
OK

$ openssl verify -check_ss_sig alsotest.cer
alsotest.cer: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = .NET Framework (CoreFX), CN = localhost
error 18 at 0 depth lookup:self signed certificate
C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = .NET Framework (CoreFX), CN = localhost
error 7 at 0 depth lookup:certificate signature failure
140450704717464:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:278:
140450704717464:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218:


好了Alsotest.cer已被修改(没有被辞职)以延长其到期日期。

关于ssl - 对CSR和X.509功能的误解,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/43515538/

10-10 10:41