在 Java 中生成 X509Certificate 的主题哈希
Generate Subject Hash of X509Certificate in Java
我目前正在尝试使用 Java 安全性 API 和 BouncyCastle 生成主题哈希。
这是我在使用 Openssl 库时所做的:
openssl x509 -in /Users/Sn0wfreezeDev/Downloads/Test.pem -hash
这会生成一个短的 8 位哈希 1817886a
这是我的 Java 代码
X509Certificate cert = CertManager.getCertificate(number, c);
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
System.out.println(" Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getSubjectDN().getName().getBytes());
String hexString = bytesToHex(sha1.digest());
System.out.println(" sha1 " + hexString);
System.out.println();
This generates a short 8 digit hash 1817886a
OpenSSL 有两种形式:
$ cd openssl-1.0.2-src
$ grep -R X509_subject_name_hash *
...
crypto/x509/x509.h:unsigned long X509_subject_name_hash(X509 *x);
crypto/x509/x509.h:unsigned long X509_subject_name_hash_old(X509 *x);
crypto/x509/x509_cmp.c:unsigned long X509_subject_name_hash(X509 *x)
crypto/x509/x509_cmp.c:unsigned long X509_subject_name_hash_old(X509 *x)
...
Generate Subject Hash of X509Certificate in Java...
这是来自 crypto/x509/x509_cmp.c 的来源:
unsigned long X509_subject_name_hash(X509 *x)
{
return (X509_NAME_hash(x->cert_info->subject));
}
#ifndef OPENSSL_NO_MD5
unsigned long X509_subject_name_hash_old(X509 *x)
{
return (X509_NAME_hash_old(x->cert_info->subject));
}
#endif
最后:
unsigned long X509_NAME_hash(X509_NAME *x)
{
unsigned long ret = 0;
unsigned char md[SHA_DIGEST_LENGTH];
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x, NULL);
if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
NULL))
return 0;
ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
) & 0xffffffffL;
return (ret);
}
#ifndef OPENSSL_NO_MD5
unsigned long X509_NAME_hash_old(X509_NAME *x)
{
EVP_MD_CTX md_ctx;
unsigned long ret = 0;
unsigned char md[16];
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x, NULL);
EVP_MD_CTX_init(&md_ctx);
EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
&& EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
&& EVP_DigestFinal_ex(&md_ctx, md, NULL))
ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
) & 0xffffffffL;
EVP_MD_CTX_cleanup(&md_ctx);
return (ret);
}
#endif
i2d_X509_NAME encodes a X509_NAME into a standard representation using RFC 2459(以及其他地方)。例如,它用于证书主题和颁发者名称。
您可以使用 openssl x509 -in <cert> -text -noout 等命令查看 OpenSSL 对名称字符串使用的内容。它看起来类似于 C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com(取自 Google 证书)。
Generate Subject Hash of X509Certificate in Java...
总的来说,您正在生成主题的专有名称字符串的哈希值并返回一个无符号长整数。 unsigned long 实际上是一个截断的散列。
X509_subject_name_hash 使用 SHA-1,X509_subject_name_hash_old 使用 MD5。
(comment) ... how they can use a sha1 hash to generate that short hash
OpenSSL 提供截断哈希的十六进制编码。整个哈希值在 md 中。 md 将是 16 个字节 (MD5) 或 20 个字节 (SHA-1)。
截断发生在选择字节 [0,3] 和 md[0]、md[1]、md[2] 和 md[3] 上的位操作时。
这8位数字来自对4个字节进行十六进制编码。
我目前正在尝试使用 Java 安全性 API 和 BouncyCastle 生成主题哈希。
这是我在使用 Openssl 库时所做的:
openssl x509 -in /Users/Sn0wfreezeDev/Downloads/Test.pem -hash
这会生成一个短的 8 位哈希 1817886a
这是我的 Java 代码
X509Certificate cert = CertManager.getCertificate(number, c);
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
System.out.println(" Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getSubjectDN().getName().getBytes());
String hexString = bytesToHex(sha1.digest());
System.out.println(" sha1 " + hexString);
System.out.println();
This generates a short 8 digit hash 1817886a
OpenSSL 有两种形式:
$ cd openssl-1.0.2-src
$ grep -R X509_subject_name_hash *
...
crypto/x509/x509.h:unsigned long X509_subject_name_hash(X509 *x);
crypto/x509/x509.h:unsigned long X509_subject_name_hash_old(X509 *x);
crypto/x509/x509_cmp.c:unsigned long X509_subject_name_hash(X509 *x)
crypto/x509/x509_cmp.c:unsigned long X509_subject_name_hash_old(X509 *x)
...
Generate Subject Hash of X509Certificate in Java...
这是来自 crypto/x509/x509_cmp.c 的来源:
unsigned long X509_subject_name_hash(X509 *x)
{
return (X509_NAME_hash(x->cert_info->subject));
}
#ifndef OPENSSL_NO_MD5
unsigned long X509_subject_name_hash_old(X509 *x)
{
return (X509_NAME_hash_old(x->cert_info->subject));
}
#endif
最后:
unsigned long X509_NAME_hash(X509_NAME *x)
{
unsigned long ret = 0;
unsigned char md[SHA_DIGEST_LENGTH];
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x, NULL);
if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
NULL))
return 0;
ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
) & 0xffffffffL;
return (ret);
}
#ifndef OPENSSL_NO_MD5
unsigned long X509_NAME_hash_old(X509_NAME *x)
{
EVP_MD_CTX md_ctx;
unsigned long ret = 0;
unsigned char md[16];
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x, NULL);
EVP_MD_CTX_init(&md_ctx);
EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
&& EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
&& EVP_DigestFinal_ex(&md_ctx, md, NULL))
ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
) & 0xffffffffL;
EVP_MD_CTX_cleanup(&md_ctx);
return (ret);
}
#endif
i2d_X509_NAME encodes a X509_NAME into a standard representation using RFC 2459(以及其他地方)。例如,它用于证书主题和颁发者名称。
您可以使用 openssl x509 -in <cert> -text -noout 等命令查看 OpenSSL 对名称字符串使用的内容。它看起来类似于 C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com(取自 Google 证书)。
Generate Subject Hash of X509Certificate in Java...
总的来说,您正在生成主题的专有名称字符串的哈希值并返回一个无符号长整数。 unsigned long 实际上是一个截断的散列。
X509_subject_name_hash 使用 SHA-1,X509_subject_name_hash_old 使用 MD5。
(comment) ... how they can use a sha1 hash to generate that short hash
OpenSSL 提供截断哈希的十六进制编码。整个哈希值在 md 中。 md 将是 16 个字节 (MD5) 或 20 个字节 (SHA-1)。
截断发生在选择字节 [0,3] 和 md[0]、md[1]、md[2] 和 md[3] 上的位操作时。
这8位数字来自对4个字节进行十六进制编码。