Certificate structure

Posted 2024-10-22 02:15:08

Most signed certificate footprints are 20 bytes long (field "footprint" in Windows certificate manager).

How can this be a value signed by an issuance (certification) authority? Concretely, the signature of the certificate should be the hashed value of the certificate fields signed by a private key and thus have at least the RSA modulus length (in the case of an RSA signature) of the issuer's private key and thus... be at least 512 bits (64 bytes) long.

There is something I must be missing... If this footprint is only a hash, then it cannot be a signed certificate. Where is the certificate signature, in fact? It is not possible to check that the certificate is valid from a simple hash.

Regards,
Apple92

Comments (2)

留蓝 2024-10-29 02:15:08

Do you mean "fingerprint"? A fingerprint is only a hash and is only used as a convenience to look up a certificate for comparison purposes. It is not part of the certificate proper; it is generated from the certificate by the certificate manager. The certificate signature is inside the certificate.

The certificate itself is composed of the identifying information and public key in a structure called a TBSCertificate (TBS is short for To Be Signed), plus the signature algorithm and the signature itself. See RFC5280 for all the gory details.

停滞 2024-10-29 02:15:08

The fingerprint, which you can see via the Certificate Manager in Windows, is not a part of the certificate. It is dynamically generated by the Certificate Manager in favor of the convenience of identifying the many certificates it manages.

A certificate consists of three parts. (Details are in https://www.rfc-editor.org/rfc/rfc5280#section-4.1)

  • tbsCertificate: This contains the names of the subject and issuer, a public key associated with the subject, a validity period, etc. This tbsCertificate (a.k.a. certificate to be signed) is what an issuer (CA) reviews and signs.
  • signatureAlgorithm: The identifier for the cryptographic algorithm used by the issuer (CA) to sign the tbsCertificate above. Algorithms vary. One of the most common algorithms is to hash the tbsCertificate (in DER format) to produce a digest, which is then encoded with the issuer's (CA's) private key. The result is stored in the next field, signatureValue.
  • signatureValue: This field is populated with the resulting value that is produced by the issuer (CA) using the signatureAlgorithm above.

The behavior of composing the certificate structure above by an issuer (CA) is called signing.
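To make the distinction in the two answers concrete, here is an added example (not code from either answerer) using only the Go standard library. It builds a constructed self-signed 2048-bit RSA certificate, computes the 20-byte SHA-1 fingerprint over the whole DER the way a certificate viewer does, and then verifies the 256-byte signatureValue over the tbsCertificate bytes with the issuer's public key, including once with an altered tbsCertificate to show that it is the signature, not the fingerprint, that binds the fields.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed self-signed test certificate (2048-bit RSA,
// Go defaults to SHA256WithRSA; no real subject data, just a serial and validity).
func makeSelfSigned() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is what the Windows certificate manager displays: SHA-1 over the
// whole DER certificate, computed by the viewer rather than stored in the cert.
func Fingerprint(cert *x509.Certificate) [20]byte { return sha1.Sum(cert.Raw) }

// VerifyTBS checks signatureValue the way a relying party does: hash the given
// tbsCertificate bytes and verify against the issuer's public key (the cert's
// own key here, since it is self-signed). Altered tbs bytes make it fail.
func VerifyTBS(cert *x509.Certificate, tbs []byte) bool {
	pub := cert.PublicKey.(*rsa.PublicKey) // constructed cert, so RSA by design
	digest := sha256.Sum256(tbs)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], cert.Signature) == nil
}

func main() {
	cert, err := makeSelfSigned()
	if err != nil {
		panic(err)
	}
	// Copy of tbsCertificate with one bit flipped in its first byte.
	tampered := append([]byte{cert.RawTBSCertificate[0] ^ 0x01}, cert.RawTBSCertificate[1:]...)
	fp := Fingerprint(cert)
	println(len(fp), len(cert.Signature), VerifyTBS(cert, cert.RawTBSCertificate), VerifyTBS(cert, tampered)) // 20 256 true false
}
```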
