Modifying X509 certificate


Problem description


I want to show that if I modify one bit or byte of a given X509 certificate, the signature verification result is false (because this modification results in a different hash value for the certificate). I'm stuck on how to do the modification on the certificate using the getTBSCertificate() method. My following code does the verification process perfectly, BUT I tried to make it fail using the bit or byte modification idea and it doesn't work. Note that the idea I proposed is to prove that any modification of the certificate will cause a failure during signature verification.

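import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.swing.JOptionPane;

public class VerifyX509 {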

private static Certificate getCACert;
private static Certificate[] getCert;

public static void main(String[] args) throws CertificateEncodingException {
    setURLConnection("https://www.google.com");
    X509Certificate x509cert= (X509Certificate) getCert[0];
    byte[] b= x509cert.getTBSCertificate();
    b[0] = (byte) ~b[0];
    // HOW TO UPDATE getTBSCertificate() after flipping the b[0] to make Verify() in my method verifySign() return false!
    verifySign();

  }


public static void setURLConnection(String link){

    try{
        int i=1;
        URL destinationURL = new URL(link);
        HttpsURLConnection con = (HttpsURLConnection) destinationURL.openConnection();
        con.connect();
        getCert = con.getServerCertificates();
        for (Certificate c : getCert) 
        {
            if (i==2)
            {
                getCACert= c;
                return;
            }
            i+=1;
        }
        }catch (Exception e1) {
        JOptionPane.showMessageDialog(null, "Error while connection! Check your Internet Connection.");
        e1.printStackTrace();
        }

}


public static boolean verifySign()
{

        try
        {
            getCert[0].verify(getCACert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e2)
        {
            return false;
        }
}
}



How can I set up proof-of-concept code that shows the verification failing?


Recommended answer

byte[] b= x509cert.getTBSCertificate();
b[0] = (byte) ~b[0];


Changing a byte in an array that you have obtained from the certificate doesn't change the certificate.

You have to reload it from the byte array using a CertificateFactory.
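The reload step described in the answer, as an added example that is not part of the original question or answer. It goes slightly beyond the answer: CertificateFactory needs the complete encoding from getEncoded(), not just the TBS bytes, and the flipped bit is placed inside the serial number so the DER structure stays parseable and the rejection comes from the signature check. The class and helper names (TamperDemo, derLength, flipSerialBit, verifies) are hypothetical, and the sample certificate is assumed to be a self-signed root taken from the JDK's default trust store so the code runs offline.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TamperDemo {
    // Reads the DER length field at der[pos]; returns {contentOffset, contentLength}.
    static int[] derLength(byte[] der, int pos) {
        int first = der[pos] & 0xFF;
        if (first < 0x80) return new int[] { pos + 1, first };      // short form
        int n = first & 0x7F, len = 0;                              // long form: n length bytes
        for (int i = 1; i <= n; i++) len = (len << 8) | (der[pos + i] & 0xFF);
        return new int[] { pos + 1 + n, len };
    }

    // Returns a copy of a full certificate encoding with one bit of the serial number flipped.
    static byte[] flipSerialBit(byte[] der) {
        byte[] out = der.clone();
        int p = derLength(out, 1)[0];              // step into the outer Certificate SEQUENCE
        p = derLength(out, p + 1)[0];              // step into the TBSCertificate SEQUENCE
        if ((out[p] & 0xFF) == 0xA0) {             // skip the optional [0] version field
            int[] v = derLength(out, p + 1);
            p = v[0] + v[1];
        }
        int[] serial = derLength(out, p + 1);      // out[p] is the serial's INTEGER tag
        out[serial[0] + serial[1] - 1] ^= 0x01;    // flip the lowest bit of its last byte
        return out;
    }

    static boolean verifies(X509Certificate cert, PublicKey key) {
        try { cert.verify(key); return true; }
        catch (GeneralSecurityException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // assumption: default JDK trust store, first entry is a self-signed root
        X509Certificate root = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0];
        X509Certificate tampered = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(flipSerialBit(root.getEncoded())));
        System.out.println("original verifies: " + verifies(root, root.getPublicKey()));
        System.out.println("tampered verifies: " + verifies(tampered, root.getPublicKey()));
    }
}
```

For the question's setup, pass getCert[0].getEncoded() to flipSerialBit and verify the reloaded certificate against getCACert.getPublicKey().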
