Is there any openssl command line to verify that an ECDSA prime256v1 certificate and private key match?

Question description  Votes: 0  Answers: 3

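I am currently testing hyperledger/fabric/core/comm/testdata/certs/generate.go to obtain an ECDSA prime256v1 certificate (Org1-cert.pem) and private key (Org1-key.pem). I want to use the openssl command line to test whether Org1-cert.pem matches Org1-key.pem, but I don't know how. Any help is appreciated. I have used the following commands, but the results do not match.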

# openssl x509 -pubkey -in Org1-cert.pem -noout | openssl md5

(stdin)= 4f8782bbec9d258553f0c0c7c6879fef

# openssl pkey -pubout -in Org1-key.pem | openssl md5

(stdin)= 98c3ec3c2971648f2721915ff7e80479

More information about Org1-cert.pem and Org1-key.pem follows:

# openssl x509 -in Org1-cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:0a:7a:e4:31:6e:1b:57:68:48:26:d7:a0:c5:9c:da
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = California, L = San Francisco, O = Org1, CN = Org1
        Validity
            Not Before: Nov 13 09:09:06 2017 GMT
            Not After : Nov 11 09:09:06 2027 GMT
        Subject: C = US, ST = California, L = San Francisco, O = Org1, CN = Org1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:ac:bb:17:91:91:1e:72:38:d2:aa:9a:2d:17:c8:
                    50:80:18:58:4a:a8:6a:40:0a:a8:2a:a8:58:33:46:
                    ae:2c:48:67:28:c7:af:59:09:92:01:68:15:cd:e5:
                    c0:84:d1:1e:3e:03:60:25:8b:55:89:3e:e9:e2:f1:
                    23:3e:e4:c4:c8
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Any Extended Key Usage
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                01:02:03:04
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:b4:81:76:75:fe:a1:1c:14:94:3e:d6:eb:b3:
         43:02:27:32:46:2e:c0:6d:b7:94:3b:9d:a9:05:ad:c9:10:29:
         34:02:21:00:80:31:3c:00:18:b3:c0:be:1d:73:dc:ab:9b:aa:
         28:75:86:bc:2a:97:64:9d:65:5f:6f:6f:a0:c8:38:aa:2c:35

    # more Org1-key.pem

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDgnuzTIxFYZorg/lKBQxwpyXWH7zREzuO8Gle9p8CzQoAoGCCqGSM49
AwEHoUQDQgAEsYeTGiApHX1SJAZ7HmroVR1YNBH6wc0WqiNWO/N3XG/aWxksYLA8
s2asE88Z5EOWs1qMLig2nyv3CL0H2VI0zg==
-----END EC PRIVATE KEY-----

    # more Org1-cert.pem

openssl hyperledger-fabric
3 answers
12
votes

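You can use OpenSSL to verify that a certificate and any supported key (including an ECDSA prime256v1 key) match.

This command gets the public key from the certificate:

openssl x509 -noout -pubkey -in Org1-cert.pem

This command gets the public key from the key:

openssl pkey -pubout -in Org1-key.pem

You can compare them visually...

Or you can use Bash to automatically compare any certificate and key, like this: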

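  1. Create a script named verify-cert-key:

    #!/usr/bin/env bash
    # Usage: verify-cert-key <certificate.pem> <private-key.pem>
    certFile="${1}"
    keyFile="${2}"
    # Public key embedded in the certificate (PEM SubjectPublicKeyInfo)
    certPubKey="$(openssl x509 -noout -pubkey -in "${certFile}")"
    # Public key derived from the private key file
    keyPubKey="$(openssl pkey -pubout -in "${keyFile}")"
    # Require a non-empty value so two failed reads are not reported as a match
    if [[ -n "${certPubKey}" && "${certPubKey}" == "${keyPubKey}" ]]
    then
      echo "PASS: key and cert match"
    else
      echo "FAIL: key and cert DO NOT match"
    fi

  2. Make the script executable:

    chmod +x verify-cert-key

  3. Run it:

    ./verify-cert-key Org1-cert.pem Org1-key.pem
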

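Warning: openssl on macOS Sierra does not have pkey

On macOS Sierra, the script may display "FAIL: key and cert DO NOT match" even when they do match.

Verify whether pkey is missing:

openssl pkey -in

If it is missing, you will see:

openssl:Error: 'pkey' is an invalid command.

Followed by a lot of other usage summary output from OpenSSL.

You may also see "openssl:Error: 'pkey' is an invalid command."

If pkey is missing, you need to install a newer openssl and set your PATH accordingly.

I installed a newer OpenSSL using Homebrew and set my PATH as follows:

export PATH=/usr/local/Cellar/openssl/1.0.2m/bin/:$PATH

Verify that pkey is available:

openssl pkey -in

This should show the pkey usage summary:

Usage pkey [options]
where options are

The script should now work as expected.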
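
A stricter variant of the check in the answer above, as an added example that is not part of the original answer: besides comparing the public keys, it signs a random challenge with the private key and verifies the signature with the certificate's public key, which exercises the private scalar itself rather than only the public point stored in the key file. The function names and the script name are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: two independent checks that a certificate and a private key
# belong together. Function names here are illustrative assumptions.

# Check 1: the public key in the certificate equals the one derived from the
# key file. Returns 0 on match, 1 on mismatch, 2 if a file cannot be parsed.
pubkeys_match() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub="$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)" || return 2
  key_pub="$(openssl pkey -pubout -in "$key" 2>/dev/null)" || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 2: sign a random challenge with the private key and verify the
# signature with the certificate's public key. Returns 0 only if it verifies.
sign_verify_roundtrip() {
  local cert="$1" key="$2" tmp rc=1
  tmp="$(mktemp -d)" || return 2
  head -c 32 /dev/urandom > "$tmp/challenge"
  if openssl x509 -noout -pubkey -in "$cert" > "$tmp/pub.pem" 2>/dev/null &&
     openssl dgst -sha256 -sign "$key" -out "$tmp/sig" "$tmp/challenge" 2>/dev/null &&
     openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig" \
       "$tmp/challenge" >/dev/null 2>&1
  then
    rc=0
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Both checks must pass.
verify_cert_key() {
  pubkeys_match "$1" "$2" && sign_verify_roundtrip "$1" "$2"
}

# Command-line use (hypothetical script name):
#   ./verify-cert-key-strict Org1-cert.pem Org1-key.pem
if [ "$#" -eq 2 ]; then
  if verify_cert_key "$1" "$2"; then
    echo "PASS: key and cert match"
  else
    echo "FAIL: key and cert DO NOT match"
    exit 1
  fi
fi
```

The non-zero exit status on failure lets the check gate a deployment step instead of relying on someone reading the output.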


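1
vote

What you need to do is read the certificate and the private key and check that the certificate's public key matches the public key in the private key.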

openssl x509 -in signcerts/peer.pem -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:45:70:b1:2c:74:4e:6a:9d:6f:33:70:95:e3:41:07:3a:08:4f:4c
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=Internet Widgets, Inc., OU=WWW, CN=example.com
        Validity
            Not Before: Nov 11 17:07:00 2016 GMT
            Not After : Nov 11 17:07:00 2017 GMT
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Hyperledger Fabric, OU=COP
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:1c:1b:8a:b0:03:b8:de:1b:38:24:6a:45:7e:21:
                    8c:90:1f:f1:b0:82:d3:b0:eb:e6:37:65:a6:c2:9b:
                    0f:1d:93:4b:eb:0f:07:59:ed:f1:08:f4:2d:74:6f:
                    d7:24:9b:d9:f8:2e:f9:e8:a1:2c:50:13:37:cb:0e:
                    4f:4d:f9:2e:f2
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                E1:42:75:C5:19:E1:EB:37:96:D8:82:80:05:43:A3:22:DF:56:93:C8
            X509v3 Authority Key Identifier: 
                keyid:17:67:42:3D:AA:9E:82:3F:C4:C5:1D:9F:5B:C3:99:D1:B5:9C:48:10

            X509v3 Subject Alternative Name: 
                DNS:myhost.com, DNS:www.myhost.com
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:37:fd:1d:b9:78:c6:7d:f3:e0:4c:0d:2a:68:a5:
         33:d9:57:d8:5a:b8:8d:6a:40:69:15:41:f7:b3:a6:54:47:b2:
         02:21:00:db:96:83:3d:01:c6:1a:ad:80:be:12:93:d3:0b:ed:
         d3:c7:17:d4:64:c6:08:86:df:9a:e2:e9:33:02:90:8f:7f

openssl ec -in keystore/key.pem -text -noout

read EC key
Private-Key: (256 bit)
priv:
    0b:16:c0:5b:a7:13:3a:b3:d5:18:7a:9e:f0:f8:32:
    23:e4:28:2b:66:a3:1c:e1:de:34:ea:b8:6e:4c:49:
    b7:8b
pub: 
    04:1c:1b:8a:b0:03:b8:de:1b:38:24:6a:45:7e:21:
    8c:90:1f:f1:b0:82:d3:b0:eb:e6:37:65:a6:c2:9b:
    0f:1d:93:4b:eb:0f:07:59:ed:f1:08:f4:2d:74:6f:
    d7:24:9b:d9:f8:2e:f9:e8:a1:2c:50:13:37:cb:0e:
    4f:4d:f9:2e:f2
ASN1 OID: prime256v1

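0
votes

Use md5 to verify the relationship between the private key, the CSR, the certificate chain and the leaf certificate.

Extract the public key from any of them and pipe it to openssl md5. If the keys match, you have successfully verified the relationship.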

# Private Key
openssl ec -in ecdsa-domain-private.key -pubout | openssl md5

# CSR 
openssl req -in ecdsa-certificate-signing-request-for-certificate-authority.csr -noout -pubkey | openssl md5

# Certificate from CA (Certificate Chain or Leaf Certificate, both will give same result)
openssl x509 -in certificate-chain.crt -pubkey -noout | openssl md5

Example output will look like this:

MD5(stdin)= 93739e80546792e8be2a61803467b7665c
MD5(stdin)= 93739e80546792e8be2a61803467b7665c
MD5(stdin)= 93739e80546792e8be2a61803467b7665c