
Java: sha256 hash from a public key


I'm trying to read the sha256 from a public key certificate. The certificate looks like this (it is appended at the end of the question).

I'm running the following command to read the sha256 hash, but it doesn't give the correct result:

openssl x509 -in test.crt -pubkey -noout | openssl rsa -pubin -outform der | \
  openssl dgst -sha256 -binary | openssl enc -base64
I get some wrong value:
RTy7aSpufwRDWUudgZCwR5Xc7NETd6Imk4YlzvgKTRU=

The correct values are:

sha256/i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=
sha256/7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=
sha256/h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU=
I'd like to know how the three values are produced. Yes, only one of them is correct, but to verify these values I ran the sample program given below:

import java.io.IOException;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.logging.HttpLoggingInterceptor;

public class Main {

    public static void main(String[] args) throws IOException {
        // Log request/response bodies so the pinning failure is visible in the output
        HttpLoggingInterceptor interceptor = new HttpLoggingInterceptor();
        interceptor.setLevel(HttpLoggingInterceptor.Level.BODY);
        String hostName = "www.google.com";
        // Deliberately bogus pin: OkHttp rejects the connection and prints the
        // pins of the certificates it actually received in the exception message
        CertificatePinner certificatePinner = new CertificatePinner.Builder()
                .add(hostName, "sha256/pqrmt")
                .build();
        OkHttpClient client = new OkHttpClient.Builder()
                .addNetworkInterceptor(interceptor)
                .certificatePinner(certificatePinner)
                .build();
        Request request = new Request.Builder()
                .url("https://" + hostName)
                .build();
        client.newCall(request).execute();

    }
}
Adding a wrong key hash gives me the correct key hashes in the error log, and using the correct key hash lets me communicate easily.


-----BEGIN CERTIFICATE-----
(PEM body garbled and truncated during extraction; the answer below identifies it as the certificate with CN *.google.com)
-----END CERTIFICATE-----
sha256/i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=

This pin matches the leaf certificate returned when accessing www.google.com:

$ openssl s_client -connect www.google.com:443 |\
   openssl x509  -pubkey -noout |\
   openssl pkey -pubin -outform der |\
   openssl dgst -sha256 -binary |\
   openssl enc -base64
...
depth=0 ... CN = www.google.com
i1RfARNCYn9+K3xmRNTaXG9sVSK6TMgY9l8SDm3MUZ4=
But if you look closely at the certificate returned when accessing www.google.com, you will see that its CN is www.google.com. The certificate you included in your question, on the other hand, has CN *.google.com, i.e. it is a different certificate. This certificate is returned, for example, if you access google.com instead of www.google.com:

$ openssl s_client -connect google.com:443 |\
   openssl x509  -pubkey -noout |\
   openssl pkey -pubin -outform der |\
   openssl dgst -sha256 -binary |\
   openssl enc -base64
...
depth=0 ... CN = *.google.com
RTy7aSpufwRDWUudgZCwR5Xc7NETd6Imk4YlzvgKTRU=

As you can see, the public key fingerprint you computed is correct. Only your assumption about which fingerprints are the correct ones is wrong, because you checked these fingerprints against the wrong site.

There is only one public key in the certificate, so where do you get 3 "correct" values from?

Hi Robbey, I added more code showing where these hashes are generated and how I verified that the generated hash is correct, please have a look.

Your method of computing the value looks correct and matches. What makes you think the values you consider correct are correct, and in particular which of these 3 values is the correct one?

@SteffenUllrich I ran this command to get the certificate: openssl s_client -connect google.com:443. When I run the sample program with an invalid hash, it gives me the valid ones in the log. When I use any of them in place of the invalid one, the connection is established.

@sector11: I guess you retrieved the certificate from google.com but your code checks against www.google.com, and the two use different certificates.

Thanks for the detailed answer. Is it a good idea to pin the root certificate for access to all subdomains?

@sector11: Please don't ask new questions (even follow-up ones) in comments, since nobody expects new questions and answers to appear in comments. Ask a new question instead. Apart from that, it may be better to ask this on security.stackexchange.com, but check the existing questions and answers on the topic first.
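The mismatch in this thread comes from pinning a hash that belongs to a different certificate than the one the host serves. The following program is an added example, not code from the question, the answer or the OkHttp project: it computes the OkHttp-style "sha256/<base64>" pin from a PEM file exactly as the openssl pipeline in the answer does (SHA-256 over the DER-encoded SubjectPublicKeyInfo) and prints the subject and dNSName entries of each certificate, so a pin can be tied to the hostnames it is actually valid for. The class name, the file name test.crt and the use of a command-line path are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;
import java.util.List;

// Added example: compute OkHttp-style SPKI pins from a PEM certificate file and
// show which names each certificate covers. Not code from the original thread.
// Usage (file name is an assumption): java PinFromPem test.crt
public class PinFromPem {

    // OkHttp's CertificatePinner hashes the DER-encoded SubjectPublicKeyInfo, the
    // same bytes that `openssl pkey -pubin -outform der` emits. PublicKey.getEncoded()
    // returns that DER ("X.509" encoding) for RSA and EC keys.
    static String spkiSha256Pin(X509Certificate cert) throws Exception {
        byte[] spkiDer = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spkiDer);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    // The subject DN plus the dNSName SAN entries (general name type 2) determine
    // which hostnames this certificate, and therefore this pin, belongs to.
    static void printNames(X509Certificate cert) throws Exception {
        System.out.println("subject: " + cert.getSubjectX500Principal());
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) {
                    System.out.println("dNSName: " + san.get(1));
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "test.crt"; // assumed file name
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            // generateCertificates also accepts a PEM file holding a whole chain,
            // so the leaf, intermediate and root pins are printed in order.
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                X509Certificate cert = (X509Certificate) c;
                printNames(cert);
                System.out.println("pin:     " + spkiSha256Pin(cert));
                System.out.println();
            }
        }
    }
}
```

Run it against the certificate saved from `openssl s_client -connect www.google.com:443` and against the one saved from `google.com:443`; the subject and dNSName lines show immediately that the two pins belong to different certificates, which is the situation the answer describes. Because the pin is derived from the public key rather than from the whole certificate, it stays the same across renewals that reuse the key and changes only when the key does.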