How do I modify an X509 certificate using the getTBSCertificate() method


Question

I want to show that an X509 certificate doesn't verify with its issuer (I mean that verifying the signature would fail for some reason). In this case, it is obvious that flipping, adding, or any other operation on one bit or byte of the certificate itself will make it invalid during the verification process (so the verify() method will return FALSE, which indicates that it's an invalid certificate). However, I'm stuck on how to do the modification on the certificate using getTBSCertificate(), because it will be loaded in memory by then. My following code does the verification process perfectly, BUT I tried to make it fail using this idea and it doesn't work. Note that the idea I proposed is to prove that any modification on the certificate will fail the signature verification.


import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.swing.JOptionPane;

public class VerifyX509 {

    private static Certificate getCACert;     // issuer certificate (second one in the server's chain)
    private static Certificate[] getCert;     // chain as sent by the server, leaf first

    public static void main(String[] args) throws CertificateEncodingException {
        setURLConnection("https://www.google.com");
        X509Certificate x509cert = (X509Certificate) getCert[0];
        // getTBSCertificate() returns a copy of the DER-encoded tbsCertificate,
        // so flipping b[0] does not change the certificate object itself
        byte[] b = x509cert.getTBSCertificate();
        b[0] = (byte) ~b[0];
        // HOW TO UPDATE getTBSCertificate() after flipping b[0] so that verify() in my method verifySign() returns false!
        verifySign();
    }

    public static void setURLConnection(String link) {
        try {
            int i = 1;
            URL destinationURL = new URL(link);
            HttpsURLConnection con = (HttpsURLConnection) destinationURL.openConnection();
            con.connect();
            getCert = con.getServerCertificates();
            for (Certificate c : getCert) {
                if (i == 2) {               // second certificate in the chain is the issuer
                    getCACert = c;
                    return;
                }
                i += 1;
            }
        } catch (Exception e1) {
            JOptionPane.showMessageDialog(null, "Error while connecting! Check your Internet connection.");
            e1.printStackTrace();
        }
    }

    public static boolean verifySign() {
        try {
            getCert[0].verify(getCACert.getPublicKey());   // throws if the signature does not match
            return true;
        } catch (GeneralSecurityException e2) {
            return false;
        }
    }
}

Recommended answer

Mr. Mike, all you have to do is get the raw DER-encoded certificate information (the TBS part), and you can extract it as below:

URL url = new URL("https://www.google.com/");
HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
con.connect();
Certificate[] userCert = con.getServerCertificates();
X509Certificate x509cert = (X509Certificate) userCert[0];

byte[] tbs = x509cert.getTBSCertificate();   // DER encoding of the tbsCertificate (a copy)


Then copy the content of the array b to another array bcopy through a loop and do whatever modifications you want (i.e. by using the masking technique, ANDing with 0x55); after that you can get the hash value through:

import java.security.MessageDigest;
import java.util.Formatter;

// hash the (modified) copy of the TBS bytes
MessageDigest crypt = MessageDigest.getInstance("SHA-1");
crypt.reset();
crypt.update(bcopy);
String sha1 = byteToHex(crypt.digest());

private static String byteToHex(final byte[] hash) {
    Formatter formatter = new Formatter();
    for (byte b : hash) {
        formatter.format("%02x", b);
    }
    String result = formatter.toString();
    formatter.close();
    return result;
}

At this point you have the hash value of the modified certificate; you can now go and extract the signature from the original certificate [ byte[] sig = x509cert.getSignature(); ], decrypt the signature to get the hash value and compare it with the modified hash value. Hope that I helped, good luck ;)
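An added example (not code from the question or the answer) showing the other route the question asks about: since getTBSCertificate() hands back a copy, the flip is applied to a copy of the full DER encoding, which contains the TBS bytes verbatim, and the result is re-parsed with CertificateFactory so that verify() against the issuer fails. The same 0x55 masking as in the answer is used, but on the last byte of the serialNumber INTEGER so that the tampered DER still parses. Assumed inputs: the leaf and issuer certificates as file paths in args[0] and args[1] (PEM or DER); the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.SignatureException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class TamperTbs {
    // Decodes the tag/length at der[pos]; returns {content start, content length}.
    static int[] tlv(byte[] der, int pos) {
        int p = pos + 1;                                // single-byte tags only (enough here)
        int len = der[p++] & 0xFF;
        if ((len & 0x80) != 0) {                        // long-form length
            int n = len & 0x7F; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[p++] & 0xFF);
        }
        return new int[] {p, len};
    }

    // Offset of the last content byte of serialNumber, walking
    // Certificate ::= SEQUENCE { tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, INTEGER serial, ... }, ... }
    static int serialLastByteOffset(byte[] der) {
        int[] outer = tlv(der, 0);
        int[] tbs = tlv(der, outer[0]);
        int p = tbs[0];
        if ((der[p] & 0xFF) == 0xA0) { int[] ver = tlv(der, p); p = ver[0] + ver[1]; }   // skip explicit version
        if (der[p] != 0x02) throw new IllegalStateException("serialNumber INTEGER not found");
        int[] serial = tlv(der, p);
        return serial[0] + serial[1] - 1;
    }

    // Same masking idea as the answer (XOR 0x55), applied to a copy of the full encoding inside
    // the signed region; signatureValue at the end is left untouched, so only the TBS hash changes.
    static byte[] withTamperedSerial(X509Certificate cert) throws Exception {
        byte[] der = cert.getEncoded().clone();
        der[serialLastByteOffset(der)] ^= 0x55;
        return der;
    }

    // Re-parse the bytes into a new X509Certificate and verify it against the issuer key.
    static boolean verifies(byte[] der, X509Certificate issuer) throws Exception {
        X509Certificate c = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
        try { c.verify(issuer.getPublicKey()); return true; }
        catch (SignatureException e) { return false; }  // "Signature does not match."
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream leafIn = new FileInputStream(args[0]); FileInputStream caIn = new FileInputStream(args[1])) {
            X509Certificate leaf = (X509Certificate) cf.generateCertificate(leafIn);
            X509Certificate issuer = (X509Certificate) cf.generateCertificate(caIn);
            System.out.println("original verifies: " + verifies(leaf.getEncoded(), issuer));
            System.out.println("tampered verifies: " + verifies(withTamperedSerial(leaf), issuer));
        }
    }
}
```

The first line prints true and the second false because the CA's signature covers the TBS bytes, and any change there (even one that keeps the DER well-formed) no longer matches the decrypted hash.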

