ssl 如何正确计算证书的指纹

cgfeq70w  于 2022-11-14  发布在  其他
关注(0)|答案(1)|浏览(454)

我在file file.pem 中有一个CA,如下所示:

-----BEGIN CERTIFICATE-----
MIIDczCCAlugAwIBAgIHALRRMXUkMTANBgkqhkiG9w0BAQ0FADBHMRswGQYDVQQD
DBJIdHRwQ2FuYXJ5IFJvb3QgQ0ExEzARBgNVBAoMCkh0dHBDYW5hcnkxEzARBgNV
BAsMCkh0dHBDYW5hcnkwHhcNMjAwMTE1MDc1MjUwWhcNMzEwMTEyMDc1MjUwWjBH
MRswGQYDVQQDDBJIdHRwQ2FuYXJ5IFJvb3QgQ0ExEzARBgNVBAoMCkh0dHBDYW5h
cnkxEzARBgNVBAsMCkh0dHBDYW5hcnkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDpDLS2xbpRfTgCPn9Xz0PdWNdppo7vUltGQlzJfD0FQZsyiCU3sYAe
oRGaInwgS4knBEt/9hxaLC8ivz9UlXWIhg8Xy4g+J463HfD4kP2fQElHfo+SlFwc
flkIVKgOB/rMgFMp6LH9YP+bmYMy3ndXYkTkYAGL6Q2EWO90HQLYkt2pm5ij7755
vp8Dksc7LHnHo0sqzrpB953Sx5dVTSyQ91fU3scxo8xvcJQG/vYfbEJA6rZunlLO
3NG8i8JhEYpEjWlf7MV0WIjlPk2vMCHKei/Wyd0msrmL12vjOl3IxMSZQn76SZ1k
+l9E+wuaAw61DnrzD2gkF3yfCNHr8xsrAgMBAAGjZDBiMB0GA1UdDgQWBBQpj7CB
UKauWN0/B4d2jAQxbmjTpDAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBtjAj
BgNVHSUEHDAaBggrBgEFBQcDAQYIKwYBBQUHAwIGBFUdJQAwDQYJKoZIhvcNAQEN
BQADggEBAKjH9gYYRg+BLXqey9FGd7mR5hCC3lB7NfLEyJULlAoLgzdGieXfcwdX
Qe5clq6Wfk35v2VxVBg1j/oxZYZyJxFvWiuJ840FHgOb5kD7qTS7i735PCbAyCVf
uSTonQw0Ny8gnjoTijjO/Dh0O6j2wr2kIHORdC2H4Kbya7jyriqY/M/tiuolDyBc
4RWW52pmDdFi+DMvdroRMaE/1fzDiYRB4ongMNLm7fytGTg9Dakhy7o4OC+dmlGm
miUEQIACm2cWrfI1/tjwh+BpbXG91i8y8FPA4YZ2iNmF1133dJhjNx66LETOfJA5
9dZqO1SpbFk4NVpI4UYzfzMdpqw2KgM=
-----END CERTIFICATE-----

我希望这个哈希值为SHA-256的哈希值是这样的:

"certificate_hash": "8eb1ec754c1d04af13efa97da1be05c90f1342e5"

但是我不知道怎么做。我知道我的CA的十六进制值,并试图检查转换的最终结果,但它是不一样的。我如何才能从这个CA得到SHA-256哈希值?
带签名的SHA-256哈希值:

B2:62:DC:C4:F2:4A:AA:51:C9:5C:00:6C:0F:27:19:00:DE:42:3D:D3:8C:79:72:89:9A:8D:89:37:84:2E:1E:58

带签名的SHA-1哈希值:

84:29:CA:F9:EE:3A:3C:CB:4A:08:42:66:0E:BA:2D:84:FC:B4:E5:51
lf5gs5x2

lf5gs5x21#

您有一个PEM encoded证书。要计算指纹,首先需要将其从PEM表示解码为二进制。为此,需要删除页眉和页脚(从-----开始),并将其余部分解码为Base64。然后可以从生成的二进制中计算SHA-1或SHA-256哈希值。
简而言之,在Linux命令行上(带有shell提示符“$”):

$ grep -v ^- cert.pem  | base64 -d | sha256sum
b262dcc4f24aaa51c95c006c0f271900de423dd38c7972899a8d8937842e1e58 -

$ grep -v ^- cert.pem  | base64 -d | sha1sum
8429caf9ee3a3ccb4a0842660eba2d84fcb4e551  -

b262dc...与您问题中的B2:62:DC:...完全相同,只是不同。
当然,也可以简单地使用openssl x509

$ openssl x509 -in cert.pem -fingerprint -sha256
SHA256 Fingerprint=B2:62:DC:C4:F2:4A:AA:51:C9:5C:00:6C:0F:27:19:00:DE:42:3D:D3:8C:79:72:89:9A:8D:89:37:84:2E:1E:5

$ openssl x509 -in cert.pem -fingerprint -sha1
SHA1 Fingerprint=84:29:CA:F9:EE:3A:3C:CB:4A:08:42:66:0E:BA:2D:84:FC:B4:E5:51

相关问题