Python SSL socket: certificate/private key mismatch does not give an error?

mzmfm0qo posted on 2022-11-14 in Python

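Enthusiasts!
Short version: I can change the private keys so that they do not match the certificates, and the SSL handshake and the messages still go through.
Long version: I have set up a simple client-server Python SSL socket (next code cell). I want to make sure that the client authenticates the server by certificate and that the server authenticates the client by certificate. This means we generated two certificate/private-key pairs. Both pairs were generated with the OpenSSL command below; the configuration file is only used to specify the IP address: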

sudo openssl req -x509 -days 730 -newkey rsa:2048 -keyout key_ip_client.pem -out cert_ip_client.pem -config san_client_cert.cnf -nodes

The code is as follows:

import socket
import ssl
import json

ssl.match_hostname = lambda cert, hostname: True

HOST = "forum_hidden"
PORT = forum_hidden
client_key = 'key_ip_client.pem'
client_cert = "cert_ip_client.pem"
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
#context.load_verify_locations("./selfsigned.crt") 
context.load_verify_locations("./cert_ip.pem") #Check server certificate against this
context.load_cert_chain(certfile=client_cert, keyfile=client_key)

# Below follow a message represented as a dictionary where we have "security_level" which can be 
# COSMIC_TOP_SECRET, NATO_SECRET, NATO_CONFIDENTIAL, NATO_RESTRICTED, NATO_UNCLASSIFIED
# And the message itself.
m = {"security_classification": "COSMIC_TOP_SECRET", "message": "Here comes something cosmically secret!"} # a real dict.

class_data = json.dumps(m)
class_data_bytes = bytes(class_data, 'utf-8')
print("Data to be sent is: "+class_data)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    with context.wrap_socket(s, server_hostname="192.168.0.14") as ssock:
        ssock.connect((HOST,PORT))
        ssock.sendall(class_data_bytes)
        data = ssock.recv(1024)
    
print(f"Received {data!r}")
data_decoded = data.decode('utf-8')
print(f"Received decoded {data_decoded!r}")
load_dict = json.loads(data_decoded)
print(load_dict["security_classification"])

We have the following server code:

import socket
import ssl

HOST = "hidden_in_forum"
#HOST = socket.gethostname()
print(f"The given host name to server is: {HOST}")
PORT = hidden_in_forum

context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.verify_mode = ssl.CERT_REQUIRED
context.load_cert_chain(certfile="cert_ip.pem", keyfile="key_ip.pem", password=None)
context.load_verify_locations(cafile="cert_ip_client.pem") #Verify client certificate against this
#context.load_cert_chain("public.pem",keyfile="private.pem",password=None)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind((HOST,PORT))
    s.listen()
    with context.wrap_socket(s, server_side=True) as ssock:
        conn, addre = ssock.accept()
        with conn:
            print(f"Connected by {addre}")
            while True:
                data = conn.recv(1024)
                if not data:
                    break
                print(f"Received message: {data}")
                conn.sendall(data)

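Now! If we change the key file of the server or of the client (the certificate's private key) so that it is the private key of another certificate (newly generated for testing purposes), the messages still go through!
I thought the private key was necessary for the handshake to work, but when I look in Wireshark (see the included image), the handshake still seems to happen... What am I missing? I now assume that my "secure SSL" channel is actually not that secure!
Many thanks!
Cheers, E
Update: At the request of Steffen Ulrich, I will provide the certificates I used. To clarify, I now do get a mismatch error when I have the old certificate and a new private key, so that is good. But on the server side I tried having the old certificate and the old private key, where I modified the old private key by just one letter, a g to a G, and then it still works. I will show you below, but first the client and server certificates and keys:
Client certificate: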


Client private key:


And the server certificate:


And the server private key:


The newly generated private key, which now throws a mismatch error as expected:


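And the modification of the server private key (shown above), where the "g" on the second-to-last line has been replaced by a "G". This does not raise a mismatch error on the server side! So it looks like the private key can be modified in a small way and still work?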


So I wonder whether it is natural that we can tamper with the private key and still have it work?
Thank you!
Cheers, E

fnvucqvd #1

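"Short version: I can change the private keys so that they do not match the certificates, and the SSL handshake and the messages still go through."
This is a misleading summary. Based on the updated question, what was actually done is not an arbitrary change to the private key but a very specific one:
"And the modification of the server private key (shown above), where the 'g' on the second-to-last line has been replaced by a 'G'. This does not raise a mismatch error on the server side!"
Looking at the details with openssl rsa -in key.pem -text, one can see that the coefficient of the key changed. But this part might not even be used, depending on the implementation. To quote an answer from "Can an altered RSA private key still work as the original?":
"... most RSA implementations will not actually use all of the values in the private key file. In particular, most RSA implementations that use the CRT (Chinese Remainder Theorem) will not actually use the 𝑛 or 𝑑 values from the key file for decryption, since they do not need them. Conversely, any implementation using direct modular exponentiation will typically only use 𝑛 and 𝑑 and ignore the rest."
In this specific case 𝑛 and 𝑑 were not changed, only the CRT part.
"So it looks like the private key can be modified in a small way and still work?"
Some changes are possible, namely in places that are not used for the computation in the specific implementation. But this does not mean that arbitrary changes are possible.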
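
The distinction drawn in the quoted answer, as an added example that is not part of the original question or answer: a constructed toy RSA key with one bit flipped in its coefficient, run through a public-component match check, both signing paths, and a full consistency check. The match check is an assumed model that compares only the public components, and all function names are illustrative.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RSAKey:  # field comments give the PKCS#1 RSAPrivateKey names
    n: int     # modulus
    e: int     # publicExponent
    d: int     # privateExponent
    p: int     # prime1
    q: int     # prime2
    dP: int    # exponent1
    dQ: int    # exponent2
    qInv: int  # coefficient

def make_key(p, q, e=65537):
    d = pow(e, -1, (p - 1) * (q - 1))
    return RSAKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))

def matches_certificate(key, cert_n, cert_e):
    # Assumed model of a cert/key match check: public components only.
    return (key.n, key.e) == (cert_n, cert_e)

def sign_direct(key, m):
    # Direct modular exponentiation reads only n and d.
    return pow(m, key.d, key.n)

def sign_crt(key, m):
    # CRT path reads p, q, dP, dQ and the coefficient, never n or d.
    m1, m2 = pow(m, key.dP, key.p), pow(m, key.dQ, key.q)
    return m2 + (key.qInv * (m1 - m2) % key.p) * key.q

def verifies(sig, m, n, e):
    return pow(sig, e, n) == m

def inconsistent_fields(k):
    # Check every private component against the others; report the ones that disagree.
    checks = {
        "modulus": k.n == k.p * k.q,
        "privateExponent": (k.e * k.d) % (k.p - 1) == 1 == (k.e * k.d) % (k.q - 1),
        "exponent1": k.dP == k.d % (k.p - 1),
        "exponent2": k.dQ == k.d % (k.q - 1),
        "coefficient": (k.qInv * k.q) % k.p == 1,
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed toy key from two Mersenne primes; far too small for real use.
GOOD = make_key(2**89 - 1, 2**61 - 1)
TAMPERED = replace(GOOD, qInv=GOOD.qInv ^ 1)  # one flipped bit in the coefficient
M = 0x1234567890ABCDEF                        # constructed message representative
```

The tampered key still passes the public-component match and still signs correctly on the direct path, so only `inconsistent_fields` (or a failed CRT signature) reveals the change.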
