HTTPS principles
The HTTPS process
Server
Sends its public key to the CA server; the CA server signs the public key with its private key to produce the server certificate and sends it back to the server.
Client
Stores the CA server's public-key certificate in its trusted root store.
Client
Connects to port 443 on the server.
Server
Sends the server certificate to the client.
Client
Uses the CA public-key certificate to verify the signature on the server certificate.
Client
Encrypts the client public key with the server public key taken from the server certificate and sends it to the server.
Server
Decrypts the encrypted client public key with the server private key; at this point the key exchange is complete.
The server encrypts a symmetric key with the client public key and sends it to the client.
The client decrypts this encrypted symmetric key with the client private key and so obtains the symmetric key; all later traffic is encrypted with this symmetric key.
How does RSA signature verification work?
The CA server hashes the server public key to obtain a hash value, then encrypts that hash with the CA private key to produce the signature. The client has already installed the CA certificate, that is, the CA public key. It decrypts the signature with the CA public key to recover the hash value, computes its own hash of the server public key to obtain a second hash value, and compares the two: if they are identical, verification succeeds.
What is a CA certificate chain, and how is the chain found?
A certificate chain works like this: the server certificate carries an Issuer field that states who signed it. The certificate's signature is verified with the parent certificate. The parent may be pointed to by a URL in the Authority Information Access field (the download location of the parent certificate), or it may be looked up by name in the local trust store. This is repeated recursively until we reach a CA certificate whose issuer is itself; only then does verification succeed.
We use the chatgpt.com server certificate as an example:
C:\Users\czl\Downloads>"C:\Program Files\Git\usr\bin\openssl.exe" x509 -in chatgpt.txt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:76:d3:4c:d2:cb:8b:4f:08:39:83:6c:6a:f8:26:fb:ef:4a
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = Let's Encrypt, CN = E1
Validity
Not Before: May 22 06:27:04 2024 GMT
Not After : Aug 20 06:27:03 2024 GMT
Subject: CN = chatgpt.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ed:23:fc:c8:9b:f2:f0:f2:42:b5:60:d5:3f:ca:
ba:0b:a2:9d:3c:9b:f2:9e:28:d9:92:9b:54:d7:7a:
52:74:25:0a:82:f7:82:80:cf:e6:b1:70:57:c7:24:
c8:96:4a:8b:97:f0:c5:24:cc:dc:0b:d1:77:72:80:
f1:75:ea:e5:6b
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A0:09:A7:CD:BD:58:FB:8D:23:3A:AE:FD:21:9B:01:B5:61:13:4F:27
X509v3 Authority Key Identifier:
keyid:5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
Authority Information Access:
OCSP - URI:http://e1.o.lencr.org
CA Issuers - URI:http://e1.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:*.chatgpt.com, DNS:chatgpt.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:
ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
Timestamp : May 22 07:27:04.723 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:5A:8D:85:2F:C0:8C:FE:AF:01:9A:3E:04:
4F:37:0C:B4:64:E4:0F:67:36:7A:D7:02:68:C2:D5:3D:
60:13:6B:BB:02:20:5A:A8:8C:24:F5:75:B9:03:25:20:
7A:47:24:89:7D:09:FC:6E:45:20:85:E3:2D:4B:20:E3:
76:E9:D1:C0:0F:CE
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 19:98:10:71:09:F0:D6:52:2E:30:80:D2:9E:3F:64:BB:
83:6E:28:CC:F9:0F:52:8E:EE:DF:CE:4A:3F:16:B4:CA
Timestamp : May 22 07:27:04.735 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:0D:6B:22:73:50:0F:A2:97:D6:23:92:65:
AC:6F:3D:7F:31:7D:72:70:7D:DE:3D:53:2D:A7:A0:A3:
85:4C:9B:D8:02:21:00:BD:30:0F:C8:67:2A:E7:86:14:
3D:DA:05:0D:EA:12:7C:9C:56:1E:94:6D:3A:9C:3F:32:
BB:8E:22:F0:29:A4:46
Signature Algorithm: ecdsa-with-SHA384
30:64:02:30:14:37:c7:01:34:15:3b:b4:87:dd:92:0a:36:5c:
81:2a:67:a5:27:f4:d8:01:b2:55:de:62:79:55:34:1a:50:90:
a1:ed:9a:f3:6e:75:5c:5b:2d:ab:fc:59:0e:98:d4:22:02:30:
61:62:92:24:b9:23:36:64:c9:f6:83:0d:df:a7:57:76:08:cf:
97:2e:80:d6:e8:33:5b:5f:6d:4c:af:b1:7b:33:80:9a:26:7c:
c8:7e:b6:0a:db:c2:e2:43:f3:c2:14:ff
Its Issuer field is C = US, O = Let's Encrypt, CN = E1, which differs from its own subject name CN = chatgpt.com, and it has an Authority Information Access extension. This tells us the certificate must be verified with the public key of C = US, O = Let's Encrypt, CN = E1. We download the intermediate certificate from http://e1.i.lencr.org/; it is in binary .der format, so we convert it to PEM format:
"C:\Program Files\Git\usr\bin\openssl.exe" x509 -inform der -in E1.der -out certificate.pem
C:\Users\czl\Downloads>"C:\Program Files\Git\usr\bin\openssl.exe" x509 -in certificate.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b3:bd:df:f8:a7:84:5b:bc:e9:03:a0:41:35:b3:4a:45
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X2
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = E1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:24:5c:2d:a2:2a:fd:1c:4b:a6:5d:97:73:27:31:
ac:b2:a0:69:62:ef:65:e8:a6:b0:f0:ac:4b:9f:ff:
1c:0b:70:0f:d3:98:2f:4d:fc:0f:00:9b:37:f0:74:
05:57:32:97:2e:05:ef:2a:43:25:a3:fb:6e:34:27:
13:f6:4f:7e:69:d3:02:99:5e:eb:24:47:92:c1:24:
9b:e6:b1:21:8f:c1:24:81:fc:68:cc:1f:69:ba:58:
f5:19:22:f7:74:c6:16
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
5A:F3:ED:2B:FC:36:C2:37:79:B9:52:30:EA:54:6F:CF:55:CB:2E:AC
X509v3 Authority Key Identifier:
keyid:7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
Authority Information Access:
CA Issuers - URI:http://x2.i.lencr.org/
X509v3 CRL Distribution Points:
Full Name:
URI:http://x2.c.lencr.org/
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
Signature Algorithm: ecdsa-with-SHA384
30:64:02:30:7b:74:d5:52:13:8d:61:fe:0d:ba:3f:03:00:9d:
f3:d7:98:84:d9:57:2e:bd:e9:0f:9c:5c:48:04:21:f2:cb:b3:
60:72:8e:97:d6:12:4f:ca:44:f6:42:c9:d3:7b:86:a9:02:30:
5a:b1:b1:b4:ed:ea:60:99:20:b1:38:03:ca:3d:a0:26:b8:ee:
6e:2d:4a:f6:c6:66:1f:33:9a:db:92:4a:d5:f5:29:13:c6:70:
62:28:ba:23:8c:cf:3d:2f:cb:82:e9:7f
Its Issuer field is C = US, O = Internet Security Research Group, CN = ISRG Root X2, which differs from its own subject name C = US, O = Let's Encrypt, CN = E1, and it has an Authority Information Access extension. This tells us the certificate must be verified with the public key of C = US, O = Internet Security Research Group, CN = ISRG Root X2. We download the next certificate up the chain from http://x2.i.lencr.org/; it is in binary .der format, so we convert it to PEM format:
"C:\Program Files\Git\usr\bin\openssl.exe" x509 -inform der -in "ISRG Root X2 signed by ISRG Root X1.der" -out "ISRG Root X2 signed by ISRG Root X1.pem"
C:\Users\czl\Downloads>"C:\Program Files\Git\usr\bin\openssl.exe" x509 -in "ISRG Root X2 signed by ISRG Root X1.pem" -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:9e:49:28:86:37:6f:d4:08:48:c2:3f:c6:31:e4:63
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X2
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:cd:9b:d5:9f:80:83:0a:ec:09:4a:f3:16:4a:3e:
5c:cf:77:ac:de:67:05:0d:1d:07:b6:dc:16:fb:5a:
8b:14:db:e2:71:60:c4:ba:45:95:11:89:8e:ea:06:
df:f7:2a:16:1c:a4:b9:c5:c5:32:e0:03:e0:1e:82:
18:38:8b:d7:45:d8:0a:6a:6e:e6:00:77:fb:02:51:
7d:22:d8:0a:6e:9a:5b:77:df:f0:fa:41:ec:39:dc:
75:ca:68:07:0c:1f:ea
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95
X509v3 Authority Key Identifier:
keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Authority Information Access:
CA Issuers - URI:http://x1.i.lencr.org/
X509v3 CRL Distribution Points:
Full Name:
URI:http://x1.c.lencr.org/
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
Signature Algorithm: sha256WithRSAEncryption
1b:7f:25:2b:90:7a:08:76:00:77:18:e1:c3:2e:8a:36:4c:41:
7e:bf:17:4b:e3:30:d7:5b:0c:7e:9c:96:98:6f:7b:b0:68:c0:
24:44:cc:e2:f2:fc:d1:ea:db:d2:9f:01:f9:17:4d:0c:9d:55:
fd:a5:ad:6d:d2:2f:3f:4b:72:c0:2e:ae:73:c7:25:16:57:c2:
3e:15:ad:e0:31:d1:0a:84:84:6c:62:78:42:31:22:46:1a:ed:
7a:40:bf:97:16:81:44:77:ca:6c:7b:5d:21:5c:07:f2:11:91:
21:bf:e1:2f:c2:ef:6e:fd:05:20:e4:b4:f7:79:f3:2d:bb:37:
2a:f0:c6:b1:ac:ac:51:f5:1f:b3:5a:1e:66:ce:58:07:18:38:
7f:71:a9:3c:83:ba:d7:bc:82:9e:9a:76:0f:9e:b0:29:fd:cb:
f3:89:07:48:1b:fe:ab:93:2e:14:21:0d:5f:af:8e:b7:54:ab:
5d:0e:d4:5b:4c:71:d0:92:ea:3d:a3:36:9b:7c:1f:e0:3b:55:
b9:d8:53:53:cc:83:66:bb:4a:dc:81:06:00:18:8b:f4:b3:d7:
48:b1:13:41:b9:c4:b6:9e:cf:2c:77:8e:42:20:0b:80:7e:9f:
c5:ab:48:db:bc:6f:04:8d:6c:46:29:02:0d:70:8a:1d:f1:12:
73:b6:46:24:42:9e:2a:17:18:e3:ac:c7:98:c2:72:cc:6d:2d:
76:6d:dd:2c:2b:26:96:a5:cf:21:08:1b:e5:da:2f:cb:ef:9f:
73:93:ae:f8:36:5f:47:8f:97:28:ce:ab:e2:98:26:98:8b:fd:
ee:28:32:22:29:ed:4c:95:09:c4:20:fa:07:e1:86:2c:44:f6:
81:47:c0:e4:62:32:ed:1d:d8:3c:48:88:96:c3:5e:91:b6:af:
7b:59:a4:ee:e3:86:9c:c7:88:58:ca:28:2a:66:55:9b:85:80:
b9:1d:d8:40:2b:c9:1c:13:3c:a9:eb:de:99:c2:16:40:f6:f5:
a4:ae:2a:25:6c:52:ba:c7:04:4c:b4:32:bb:fc:38:5c:a0:0c:
61:7b:57:ec:77:4e:50:cf:af:06:a2:0f:37:8c:e1:0e:d2:d3:
2f:1a:bd:9c:71:3e:cc:e1:f8:d1:a8:a3:bd:04:f6:19:c0:f9:
86:af:f5:0e:1a:aa:95:6b:ef:ca:47:71:4b:63:1c:4d:96:db:
55:23:0a:9d:0f:81:75:a0:e6:40:f5:64:46:03:6e:ce:fa:6a:
7d:06:ec:a4:34:06:74:da:53:d8:b9:b8:c6:23:7d:a9:f8:2a:
2d:a4:82:a6:2e:2d:11:ca:e6:cd:31:58:79:85:e6:72:1c:a7:
9f:d3:4c:d0:66:d0:a7:bb
Its Issuer field is C = US, O = Internet Security Research Group, CN = ISRG Root X1, which differs from its own subject name C = US, O = Internet Security Research Group, CN = ISRG Root X2, and it has an Authority Information Access extension. This tells us the certificate must be verified with the public key of C = US, O = Internet Security Research Group, CN = ISRG Root X1. We download the next certificate up the chain from http://x1.i.lencr.org/; it is in binary .der format, so we convert it to PEM format:
"C:\Program Files\Git\usr\bin\openssl.exe" x509 -inform der -in "ISRG Root X1.der" -out "ISRG Root X1.pem"
C:\Users\czl\Downloads>"C:\Program Files\Git\usr\bin\openssl.exe" x509 -in "ISRG Root X1.pem" -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Jun 4 11:04:38 2015 GMT
Not After : Jun 4 11:04:38 2035 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:ad:e8:24:73:f4:14:37:f3:9b:9e:2b:57:28:1c:
87:be:dc:b7:df:38:90:8c:6e:3c:e6:57:a0:78:f7:
75:c2:a2:fe:f5:6a:6e:f6:00:4f:28:db:de:68:86:
6c:44:93:b6:b1:63:fd:14:12:6b:bf:1f:d2:ea:31:
9b:21:7e:d1:33:3c:ba:48:f5:dd:79:df:b3:b8:ff:
12:f1:21:9a:4b:c1:8a:86:71:69:4a:66:66:6c:8f:
7e:3c:70:bf:ad:29:22:06:f3:e4:c0:e6:80:ae:e2:
4b:8f:b7:99:7e:94:03:9f:d3:47:97:7c:99:48:23:
53:e8:38:ae:4f:0a:6f:83:2e:d1:49:57:8c:80:74:
b6:da:2f:d0:38:8d:7b:03:70:21:1b:75:f2:30:3c:
fa:8f:ae:dd:da:63:ab:eb:16:4f:c2:8e:11:4b:7e:
cf:0b:e8:ff:b5:77:2e:f4:b2:7b:4a:e0:4c:12:25:
0c:70:8d:03:29:a0:e1:53:24:ec:13:d9:ee:19:bf:
10:b3:4a:8c:3f:89:a3:61:51:de:ac:87:07:94:f4:
63:71:ec:2e:e2:6f:5b:98:81:e1:89:5c:34:79:6c:
76:ef:3b:90:62:79:e6:db:a4:9a:2f:26:c5:d0:10:
e1:0e:de:d9:10:8e:16:fb:b7:f7:a8:f7:c7:e5:02:
07:98:8f:36:08:95:e7:e2:37:96:0d:36:75:9e:fb:
0e:72:b1:1d:9b:bc:03:f9:49:05:d8:81:dd:05:b4:
2a:d6:41:e9:ac:01:76:95:0a:0f:d8:df:d5:bd:12:
1f:35:2f:28:17:6c:d2:98:c1:a8:09:64:77:6e:47:
37:ba:ce:ac:59:5e:68:9d:7f:72:d6:89:c5:06:41:
29:3e:59:3e:dd:26:f5:24:c9:11:a7:5a:a3:4c:40:
1f:46:a1:99:b5:a7:3a:51:6e:86:3b:9e:7d:72:a7:
12:05:78:59:ed:3e:51:78:15:0b:03:8f:8d:d0:2f:
05:b2:3e:7b:4a:1c:4b:73:05:12:fc:c6:ea:e0:50:
13:7c:43:93:74:b3:ca:74:e7:8e:1f:01:08:d0:30:
d4:5b:71:36:b4:07:ba:c1:30:30:5c:48:b7:82:3b:
98:a6:7d:60:8a:a2:a3:29:82:cc:ba:bd:83:04:1b:
a2:83:03:41:a1:d6:05:f1:1b:c2:b6:f0:a8:7c:86:
3b:46:a8:48:2a:88:dc:76:9a:76:bf:1f:6a:a5:3d:
19:8f:eb:38:f3:64:de:c8:2b:0d:0a:28:ff:f7:db:
e2:15:42:d4:22:d0:27:5d:e1:79:fe:18:e7:70:88:
ad:4e:e6:d9:8b:3a:c6:dd:27:51:6e:ff:bc:64:f5:
33:43:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Signature Algorithm: sha256WithRSAEncryption
55:1f:58:a9:bc:b2:a8:50:d0:0c:b1:d8:1a:69:20:27:29:08:
ac:61:75:5c:8a:6e:f8:82:e5:69:2f:d5:f6:56:4b:b9:b8:73:
10:59:d3:21:97:7e:e7:4c:71:fb:b2:d2:60:ad:39:a8:0b:ea:
17:21:56:85:f1:50:0e:59:eb:ce:e0:59:e9:ba:c9:15:ef:86:
9d:8f:84:80:f6:e4:e9:91:90:dc:17:9b:62:1b:45:f0:66:95:
d2:7c:6f:c2:ea:3b:ef:1f:cf:cb:d6:ae:27:f1:a9:b0:c8:ae:
fd:7d:7e:9a:fa:22:04:eb:ff:d9:7f:ea:91:2b:22:b1:17:0e:
8f:f2:8a:34:5b:58:d8:fc:01:c9:54:b9:b8:26:cc:8a:88:33:
89:4c:2d:84:3c:82:df:ee:96:57:05:ba:2c:bb:f7:c4:b7:c7:
4e:3b:82:be:31:c8:22:73:73:92:d1:c2:80:a4:39:39:10:33:
23:82:4c:3c:9f:86:b2:55:98:1d:be:29:86:8c:22:9b:9e:e2:
6b:3b:57:3a:82:70:4d:dc:09:c7:89:cb:0a:07:4d:6c:e8:5d:
8e:c9:ef:ce:ab:c7:bb:b5:2b:4e:45:d6:4a:d0:26:cc:e5:72:
ca:08:6a:a5:95:e3:15:a1:f7:a4:ed:c9:2c:5f:a5:fb:ff:ac:
28:02:2e:be:d7:7b:bb:e3:71:7b:90:16:d3:07:5e:46:53:7c:
37:07:42:8c:d3:c4:96:9c:d5:99:b5:2a:e0:95:1a:80:48:ae:
4c:39:07:ce:cc:47:a4:52:95:2b:ba:b8:fb:ad:d2:33:53:7d:
e5:1d:4d:6d:d5:a1:b1:c7:42:6f:e6:40:27:35:5c:a3:28:b7:
07:8d:e7:8d:33:90:e7:23:9f:fb:50:9c:79:6c:46:d5:b4:15:
b3:96:6e:7e:9b:0c:96:3a:b8:52:2d:3f:d6:5b:e1:fb:08:c2:
84:fe:24:a8:a3:89:da:ac:6a:e1:18:2a:b1:a8:43:61:5b:d3:
1f:dc:3b:8d:76:f2:2d:e8:8d:75:df:17:33:6c:3d:53:fb:7b:
cb:41:5f:ff:dc:a2:d0:61:38:e1:96:b8:ac:5d:8b:37:d7:75:
d5:33:c0:99:11:ae:9d:41:c1:72:75:84:be:02:41:42:5f:67:
24:48:94:d1:9b:27:be:07:3f:b9:b8:4f:81:74:51:e1:7a:b7:
ed:9d:23:e2:be:e0:d5:28:04:13:3c:31:03:9e:dd:7a:6c:8f:
c6:07:18:c6:7f:de:47:8e:3f:28:9e:04:06:cf:a5:54:34:77:
bd:ec:89:9b:e9:17:43:df:5b:db:5f:fe:8e:1e:57:a2:cd:40:
9d:7e:62:22:da:de:18:27
Its Issuer field is C = US, O = Internet Security Research Group, CN = ISRG Root X1, which is identical to its own subject name C = US, O = Internet Security Research Group, CN = ISRG Root X1. That makes it the root certificate: once the certificate it issued (the one examined just before it) has been verified against it, the verification process is complete. The root itself does not need to be verified.