为了学习,我尝试使用c#手动验证TLS证书链(仅签名)
我想算法应该是这样的:
- 从证书中计算哈希值;
- 从证书中读取签名哈希值;
- 使用父公钥对哈希值和签名执行RSA.Verify()方法。
所以我尝试了以下代码:
var myCert = new X509Certificate2(@"Z:springer.com.crt");
var parentCert = new X509Certificate2(@"Z:R3.crt");
var certHash = myCert.GetCertHash(HashAlgorithmName.SHA256);
var certSignature = new byte[] {
0xAA, 0xF7, 0x2A, 0x84, 0x95, 0x17, 0x2E, 0xCD, 0x58, 0x84, 0x66,
0x9A, 0xC0, 0x0B, 0x3E, 0x13, 0x0C, 0x94, 0x34, 0x35, 0x31, 0x85, 0xA3, 0x43, 0xBC, 0xDA, 0xFC, 0x00, 0x3F, 0xB3, 0x6D, 0x9E,
0x4A, 0xAB, 0xEE, 0xDB, 0x34, 0xCB, 0xCE, 0x8F, 0xD2, 0x04, 0x73, 0x4B, 0xE7, 0x11, 0x5E, 0x9E, 0xDC, 0x6B, 0x8A, 0xDB, 0xDD,
0xB2, 0x6B, 0x1A, 0x7C, 0xE3, 0xFA, 0x97, 0xCC, 0xDF, 0x03, 0xAE, 0xFC, 0x41, 0xDC, 0x5D, 0x6E, 0x70, 0x71, 0x2D, 0x67, 0x96,
0x0D, 0x94, 0xC0, 0x41, 0xD9, 0xD0, 0x4E, 0xD7, 0x88, 0x99, 0xED, 0xDB, 0x84, 0x9D, 0x35, 0x73, 0xB0, 0x4B, 0x0A, 0x28, 0x19,
0xAE, 0x62, 0xD4, 0xEE, 0x17, 0xF9, 0x83, 0xFA, 0xDF, 0x56, 0xBE, 0xBB, 0xE9, 0x8F, 0x78, 0x85, 0x11, 0x57, 0x0C, 0xC4, 0x46,
0xEC, 0xDA, 0xE2, 0xD3, 0x14, 0x86, 0xEA, 0x65, 0xC0, 0x19, 0xDA, 0x9B, 0x8D, 0x21, 0x7D, 0x34, 0xBA, 0x0E, 0xD4, 0xC5, 0xD2,
0x20, 0x32, 0x15, 0xAA, 0x2C, 0x3B, 0x72, 0x95, 0x8E, 0xA7, 0x72, 0x26, 0x99, 0xA0, 0x5F, 0x43, 0xAC, 0xF9, 0x42, 0x91, 0x35,
0x0C, 0xB0, 0x0E, 0xE9, 0xF4, 0xBC, 0x25, 0x64, 0x59, 0x98, 0x5E, 0x34, 0x65, 0x9B, 0x28, 0x28, 0x3D, 0x88, 0x23, 0x25, 0x00,
0x97, 0x38, 0xE1, 0x76, 0xBC, 0x74, 0xB9, 0xFF, 0xBD, 0x17, 0x60, 0x1F, 0x07, 0x05, 0xF0, 0xCF, 0xB4, 0x5E, 0x13, 0x8F, 0xBE,
0x48, 0x52, 0xF2, 0xD7, 0xBA, 0xEC, 0x44, 0xDC, 0x93, 0x7D, 0x16, 0x82, 0x8F, 0xE5, 0xC3, 0x55, 0x31, 0x99, 0x0A, 0xE1, 0xB1,
0xC4, 0xE4, 0xCE, 0x31, 0xA5, 0x91, 0xFD, 0x71, 0xF6, 0xF7, 0x01, 0x6D, 0x30, 0x2E, 0xFA, 0x30, 0x41, 0x11, 0xBB, 0x96, 0x4B,
0xA1, 0xF0, 0x10, 0x71, 0x60, 0x07, 0x5B, 0xD2, 0x30, 0xA0, 0xC2, 0x29, 0x0E, 0x71 };
var result =
parentCert.GetRSAPublicKey().VerifyHash(certHash, certSignature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
然而,我不能让result返回True。缺失的是什么?
注1:我使用了来自https://springer.com
的TLS证书注2:我硬编码证书的签名值,因为没有方法来提取它使用本机。net X509Certificate类,使用BouncyCastle将是多余的。
我终于找到了答案:
GetCertHash(HashAlgorithmName.SHA256)函数返回整个DER(或PEM)证书文件的哈希值(即已经包含签名的文件的哈希值)。
我们首先需要知道的是,DER编码的证书包含以下结构:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
我们需要计算tbcertificate(待签名)的哈希值,而不是整个序列的哈希值。
之后,我们可以计算certHash = Sha256Sum(tbsCertificate),这样我们就可以使用父节点的公钥来验证这个哈希值。
您硬编码的签名与证书透明度发布的当前证书不匹配。也许你在一家代理公司做交通检查?
验证您有正确的openssl x509 -in springer.com.crt -text -noout签名。你应该看到
Signature Value:
9f:f5:c4:c5:43:00:9e:2c:d0:54:31:3b:6c:10:45:d4:c3:d4:
77:48:53:e9:4f:08:f5:96:8a:7b:c2:c1:f2:0f:50:66:39:82:
36:3f:72:85:e1:c8:45:62:5a:19:70:66:54:12:8b:14:b8:1c:
d6:6e:ae:98:5a:e9:32:85:6b:de:eb:54:d0:44:c6:1f:af:74:
70:24:c6:a9:25:0d:3e:63:a9:50:97:41:04:1b:36:9f:3c:0f:
77:c4:c6:4b:f9:27:7e:8f:c1:25:d5:24:4a:fc:72:08:1a:bf:
f5:eb:eb:c0:8f:08:c4:6b:9e:1d:6e:23:07:f2:c9:95:38:94:
b9:cb:95:11:45:fc:a1:de:ce:db:f3:4e:31:db:02:3a:0a:94:
21:84:65:dc:a8:e0:e5:e5:2c:c7:50:af:92:b9:10:15:ec:af:
1e:10:34:e3:68:8f:78:68:50:00:09:d4:c6:45:e6:66:5a:07:
ab:38:a0:3f:75:64:41:5e:13:ea:fe:71:af:27:ca:b0:45:f4:
e9:c6:0a:7f:89:76:19:a4:37:40:62:f5:a5:fd:44:5a:c6:89:
b8:d5:db:4d:2d:90:ed:36:80:af:d8:c5:61:88:38:5a:ce:79:
32:0f:15:1a:4a:1f:9e:1a:c2:91:79:88:ab:b3:1a:49:f2:44:
dd:3b:20:9a
要注意,Springer使用Let's Encrypt证书颁发机构的许多证书,看起来他们每3个月左右轮换一次证书,所以确保你的硬编码签名与证书同步。