Where is the actual signature value in a X.509 certificate?


Problem description

Hello Everyone,

I have a question regarding the actual signature value on a X.509 v3 certificate. According to the recommendations stated in RFC 2459 and RFC 3280, the signature value should be located immediately after the signature algorithm. But all the certificates in my certificate store do not contain the signature value; they only contain the signature algorithm. On top of that, within the .Net Framework (I am working with C#), none of the members in the X509Certificate2 class provide any access to the actual signature value. There is a "Thumbprint" value, but I know that is just the digest(hash) value of the certificate itself. So my question is where is the digital signature?

Also, for those who are really familiar with C#'s security classes, I was told that the implementation of the RSA.Decrypt() method in RSACryptoServiceProvider cannot decrypt RSA ("privately") encrypted data using a public key; it can only decrypt data using a private key. I understand that encrypting data with a private key and then decrypting it with a public key is a technique that is mostly reserved for the use of creating digital signatures. But the idea here is if the implementation of Decrypt() in RSACryptoServiceProvider can actually decrypt data that was encrypted with a private key using the corresponding public key.

Thank you all for reading and I look forward to hearing from you.

Recommended answer

RSA is a two key algorithm, the private key you keep and the public key you give to others.

Using the private key you encrypt data, which can be decrypted by others using the public key.

Others can encrypt data using your public key which only you can decrypt with your private key.

A public key is derived from a private key, i.e. the private key has more information.

Regarding the signatures:
If you take a look at the X.509 wiki page you will see that the certificate has a signature appended to it (the hex bytes at the end). This is part of the file, is checked by anyone trying to use the certificate, and is used to validate the file; .NET abstracts this and validates it for you.


Hello Everyone,

First, I'd like to thank Mehdi Gholam for sharing his insights with me and with the rest of the world on the matter pertaining to this topic. Thank you very much.

Mehdi Gholam is correct: the signature value is appended to the X.509 certificate, and .Net abstracts the actual data of the signature itself and just validates it for us. The information provided on Wikipedia regarding X.509 certificates is very broad, but is good for those who want a brief explanation about X.509 certificates.

Anyway, X.509 certificates employ the ASN.1 Distinguished Encoding Rule (DER) to structure their binary format. So to understand the file structure of a X.509 certificate, one must learn the basics of ASN.1. That is what I did. Here are the links.

RFC 2459
RFC 3280 (updated version of 2459)
Introduction to ASN.1
Wikipedia article on ASN.1
Wikipedia article on X.509 Suggested by Mehdi Gholam in his solution

Below is the definition of a X.509 certificate stated in RFC 3280. The syntax of the definition is in ASN.1.

Certificate  ::=  SEQUENCE  {
     tbsCertificate       TBSCertificate,
     signatureAlgorithm   AlgorithmIdentifier,
     signatureValue       BIT STRING  }





In ASN.1, a SEQUENCE is a data structure that encapsulates different data types. Here, Certificate is defined as a SEQUENCE type using the ASN.1 operator (::=). In ASN.1, a data type is defined by another data type. Furthermore, data structures and data types can be nested. In this case, tbsCertificate is a data type defined as a TBSCertificate type. TBSCertificate itself is a SEQUENCE type. This way of formulating a definition could somewhat be a little confusing at first. I recommend thinking in terms of "type-value" pairs. For example, tbsCertificate can be viewed as a type having the value, TBSCertificate.

Having said that and following this "type-value" perspective, we can see that signatureAlgorithm has a value, AlgorithmIdentifier, which is defined in RFC 3280 as a SEQUENCE type that encapsulates an OBJECT IDENTIFIER type and an ANY type.

And once you've become comfortable with ASN.1, you would then be able to see the definitions as "type-data type" pairs. For example, the signatureValue is a BIT STRING type, which btw is where the actual signature value is stored.

Below is an example of the decoded data that is appended to a X.509 certificate. In accordance with what I stated above, the SEQUENCE here is AlgorithmIdentifier and the BIT STRING is the signatureValue. The first integer from the left, 511, identifies the byte offset in the certificate file. The second integer is the Tag Number, which serves as an identifier for a data type. For example, 0x30 is the Tag Number for the SEQUENCE type and 0x06 is the Tag Number for the OBJECT IDENTIFIER type. The third integer identifies the length of the data type. For example, 13 specifies that the length of SEQUENCE is 13 bytes long. Finally the colon, : , is just there to separate the definition from those numbers.

511 30   13:   SEQUENCE {
513 06    9:     OBJECT IDENTIFIER
           :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
524 05    0:     NULL
           :     }
526 03  129:   BIT STRING 0 unused bits
           :     1E 07 77 6E 66 B5 B6 B8 57 F0 03 DC 6F 77
           :     6D AF 55 1D 74 E5 CE 36 81 FC 4B C5 F4 47
           :     82 C4 0A 25 AA 8D D6 7D 3A 89 AB 44 34 39
           :     F6 BD 61 1A 78 85 7A B8 1E 92 A2 22 2F CE
           :     07 1A 08 8E F1 46 03 59 36 4A CB 60 E6 03
           :     40 01 5B 2A 44 D6 E4 7F EB 43 5E 74 0A E6
           :     E4 F9 3E E1 44 BE 1F E7 5F 5B 2C 41 8D 08
           :     BD 26 FE 6A A6 C3 2F B2 3B 41 12 6B C1 06
           :     8A B8 4C 91 59 EB 2F 38 20 2A 67 74 20 0B
           :     77 F3
           :   }





For WindowsXP users, the "certmgr.msc" utility does not show the signature value of a certificate, but rather a "Thumbprint" value. This "Thumbprint" value is a digest (hash) of the entire certificate (in ASN.1 DER binary format) itself. It is dynamically generated and is not part of the X.509 certificate. The signature value is a digest (hash) of the certificate as well, but it is the digest (hash) of the tbsCertificate type as defined in RFC 3280. Therefore, for those who are curious, the "Thumbprint" value is not the "signature value" in its decrypted form.

Regarding .Net's RSA implementation, it uses a public key for encryption and a private key for decryption. The RSA decryption algorithm implemented in RSACryptoServiceProvider.Decrypt() utilizes a private key. This is by design and thus, we cannot use it to decrypt RSA encrypted data with a public key even if that data was encrypted with the corresponding private key. For those of us who are familiar with Microsoft, this is not the first time it has attempted to control us by making us do things the way they "think" it should be done.

Finally, thank you all for reading. If you happened to stumble upon this post while searching for an answer to the same question that I had, then I hope this helped. Cryptography is a complicated subject; it has to be. Information about certain cryptographic algorithms or even the algorithm standards themselves is either scattered, limited, unavailable, or incomprehensible. But do not let that discourage you from learning; I didn't.
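
Added example (not part of the original posts, and not .NET code): a minimal Python DER walker that splits a certificate into the three fields of the RFC 3280 definition quoted above and returns the signatureValue bytes, then contrasts the SHA-1 thumbprint of the whole encoding with the SHA-1 digest of tbsCertificate that a sha1withRSAEncryption signature covers. The sample input is constructed (placeholder tbsCertificate, stand-in signature bytes), and all function names are assumptions of this example.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, pos, pos + length

def split_certificate(der):
    """Locate tbsCertificate, signatureAlgorithm and signatureValue."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, _, tbs_end = read_tlv(der, start)
    alg_tag, _, alg_end = read_tlv(der, tbs_end)
    sig_tag, sig_start, sig_end = read_tlv(der, alg_end)
    if (tbs_tag, alg_tag, sig_tag) != (0x30, 0x30, 0x03) or not (sig_start < sig_end == end):
        raise ValueError("unexpected Certificate layout")
    return {"tbs": der[start:tbs_end],            # whole TLV: the bytes the issuer signs
            "alg_offset": tbs_end, "sig_offset": alg_end,
            "unused_bits": der[sig_start],        # first content byte of the BIT STRING
            "signature": der[sig_start + 1:sig_end]}

def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

# Constructed sample (not a real certificate), sized to match the dump's offsets 511/526.
ALG = bytes.fromhex("300d06092a864886f70d0101050500")  # sha1withRSAEncryption + NULL
SIG = bytes(range(128))                                 # stand-in 1024-bit signature
SAMPLE = tlv(0x30, tlv(0x30, tlv(0x04, bytes(499))) + ALG + tlv(0x03, b"\x00" + SIG))

def digests(der):
    """Return (thumbprint of whole DER, SHA-1 of tbsCertificate that gets signed)."""
    tbs = split_certificate(der)["tbs"]
    return hashlib.sha1(der).hexdigest(), hashlib.sha1(tbs).hexdigest()

print(split_certificate(SAMPLE)["sig_offset"], *digests(SAMPLE))
```

On a real certificate, pass the DER bytes (for example the contents of a binary .cer file) to `split_certificate`; verifying the signature additionally needs the issuer's public key, which this example does not cover.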

