How Do We Generate a Base64-Encoded SHA256 Hash of SubjectPublicKeyInfo of an X.509 Certificate, for Android N Certificate Pinning?


Problem description

The documentation in the N Developer Preview for their network security configuration offers these instructions:

Certificate pinning is done by providing a set of certificates by hash of the public key (SubjectPublicKeyInfo of the X.509 certificate). A certificate chain is then only valid if the certificate chain contains at least one of the pinned public keys.

The XML that they show is broken (missing a closing tag), but otherwise suggests that the hash is SHA256 and encoded base64:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
            <!-- backup pin -->
            <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin>
    </domain-config>
</network-security-config>

How do we create such a hash?

I tried the approach in this gist, but openssl x509 -inform der -pubkey -noout is not liking my CRT file. I cannot readily determine if the problem is in the CRT file, the instructions, my version of openssl, or something else.

Does anyone have a known good recipe for creating this hash?

Recommended answer

openssl x509 -in cert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

You may need to add -inform der to the first command if cert.crt is in DER form rather than in PEM form.
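The same computation without openssl, as an added example that is not part of the question or the answer: it walks the certificate's DER structure to the SubjectPublicKeyInfo element, hashes those raw bytes with SHA-256 and base64-encodes the digest, which is exactly what the openssl pipeline above produces. It accepts PEM or DER input and handles both v3 certificates and v1 certificates that omit the optional version field; the certificate bytes at the bottom are a constructed DER skeleton with placeholder key bits, not a real certificate.

```python
import base64
import hashlib
def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input; strip the PEM armour if present."""
    if b"-----BEGIN" not in data:
        return data
    return base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))

def der_tlv(buf: bytes, pos: int):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[hdr:hdr + n], "big"), hdr + n
    return tag, hdr, hdr + length

def der_elements(buf: bytes, start: int, end: int):   # yields (tag, elem_start, elem_end)
    pos = start
    while pos < end:
        tag, _, vend = der_tlv(buf, pos)
        yield tag, pos, vend
        pos = vend

def spki_der(cert: bytes) -> bytes:
    """Return the raw DER bytes (tag, length and value) of the SubjectPublicKeyInfo."""
    der = pem_to_der(cert)
    tag, tbs_pos, _ = der_tlv(der, 0)                   # Certificate ::= SEQUENCE
    tbs_tag, tbs_start, tbs_end = der_tlv(der, tbs_pos)  # tbsCertificate SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("input is not a DER-encoded X.509 certificate")
    elems = list(der_elements(der, tbs_start, tbs_end))
    # version is EXPLICIT [0] OPTIONAL: a v1 certificate omits it and every field shifts up
    idx = 1 if elems[0][0] == 0xA0 else 0
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, end = elems[idx + 5]
    return der[start:end]
def spki_pin(cert: bytes) -> str:
    """base64(SHA-256(SubjectPublicKeyInfo)): the value <pin digest="SHA-256"> expects."""
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()
# Constructed sample, not a real certificate: just enough DER skeleton to walk.
def der_enc(tag: int, content: bytes) -> bytes:
    n = len(content)                                    # lengths below 256 suffice here
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

SAMPLE_SPKI = der_enc(0x30, der_enc(0x30, der_enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
                      + der_enc(0x03, b"\x00" + bytes(200)))           # placeholder key bits
FIELDS = der_enc(0x02, b"\x01") + der_enc(0x30, b"") * 4               # serial, sigalg, issuer, validity, subject
TRAILER = der_enc(0x30, b"") + der_enc(0x03, b"\x00")                  # signatureAlgorithm, signatureValue
FAKE_CERT_V3 = der_enc(0x30, der_enc(0x30, der_enc(0xA0, der_enc(0x02, b"\x02")) + FIELDS + SAMPLE_SPKI) + TRAILER)
FAKE_CERT_V1 = der_enc(0x30, der_enc(0x30, FIELDS + SAMPLE_SPKI) + TRAILER)
```

Run `spki_pin(open("cert.crt", "rb").read())` on a real certificate file to get the string for the `<pin>` element; the result must match the openssl pipeline byte for byte, so cross-checking both on the same certificate is a quick way to catch a wrong input format.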
