How come that all mitmproxy-CA-certs have the same hash value of 8bbe0e8d?

I use mitmproxy on two different machines. The versions are

Mitmproxy: 4.0.4
Python:    3.8.2
OpenSSL:   OpenSSL 1.1.1f  31 Mar 2020
Platform:  Linux-5.4.0-33-generic-x86_64-with-glibc2.29
and
Mitmproxy: 5.1.1
Python:    3.8.2
OpenSSL:   OpenSSL 1.1.1g  21 Apr 2020
Platform:  macOS-10.15.4-x86_64-i386-64bit

One thing puzzles me: why do the CA certificates have the same hash value? AFAIK, the key pair whose public key goes into the certificate is created dynamically at install time, or whenever someone deletes the files in .mitmproxy. But interestingly, both have the same hash:

> openssl x509 -in .mitmproxy/mitmproxy-ca-cert.pem -noout -hash
8bbe0e8d

This actually holds for several installations I did to investigate this behaviour. When I look at the modulus, everything looks different, so that seems to indicate the keys are actually different. But as far as I know the hash is also computed over the key/modulus, so I am wondering why I find the same hash value 8bbe0e8d everywhere.

This leads to some interesting side effects. E.g. on Linux the root CA certificates usually live in /etc/ssl/certs. They are deployed there under a sensible name, and in addition there is a symlink pointing to that file. The name of the symlink is the certificate's hash followed by a sequence number. This is generated by openssl's c_rehash tool. Usually there are no hash collisions and all sequence numbers are 0.

But on a Linux system that contains the CA certs of two different mitmproxy instances, we get something like this:

# ls -l /etc/ssl/certs/ | grep mitm
lrwxrwxrwx    1 root     root            21 Jun  1 21:45 8bbe0e8d.0 -> mitmproxy-systema-ca-cert.pem
-rw-r--r--    1 root     root          1318 Jun  1 21:44 mitmproxy-systema-ca-cert.pem
lrwxrwxrwx    1 root     root            21 Jun  1 22:34 8bbe0e8d.1 -> mitmproxy-systemb-ca-cert.pem
-rw-r--r--    1 root     root          1318 Jun  1 22:34 mitmproxy-systemb-ca-cert.pem

So, to repeat my question: why is the hash value always 8bbe0e8d?

Thanks in advance

Please find the relevant openssl output below:

>> openssl x509 -in mitmproxy-systema-ca-cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15904961119818 (0xe77298ec64a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mitmproxy, O=mitmproxy
        Validity
            Not Before: May 24 12:28:31 2020 GMT
            Not After : May 26 12:28:31 2023 GMT
        Subject: CN=mitmproxy, O=mitmproxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:60:2a:3a:8b:bc:9a:2c:fb:da:90:33:fa:a1:
                    a9:7a:96:52:e4:73:56:c8:c8:7f:8b:f8:ab:4b:e0:
                    55:2e:05:75:5b:55:4d:6d:58:b0:82:56:23:ac:ee:
                    ba:d4:4e:b0:ab:8e:52:25:2c:12:ef:fe:23:3b:f5:
                    0d:26:9e:cd:1e:d5:7c:5a:7b:e0:c6:6b:af:b6:b0:
                    cd:d1:5b:8b:12:ea:a1:d4:15:78:37:84:f2:d1:48:
                    61:7b:9b:c6:ec:e3:2c:41:32:72:15:15:d1:5f:7b:
                    87:01:40:86:6a:cf:5f:2a:0f:19:71:c5:37:08:94:
                    8c:4d:18:af:5d:5d:80:89:46:e9:04:23:f4:e7:84:
                    4e:97:ee:81:91:07:c8:18:5e:eb:64:3a:47:9e:c1:
                    29:50:2c:27:c7:80:35:b9:d6:ec:61:91:de:23:af:
                    04:7d:0c:e8:43:32:52:09:c9:34:ba:fd:98:51:ef:
                    78:13:2c:83:4a:e9:31:6e:d8:53:6b:12:79:44:e9:
                    5b:70:7a:b5:79:2e:00:a9:9f:53:f3:2f:c6:75:b0:
                    90:1b:00:b4:50:21:5e:fe:b5:a3:36:18:c5:42:cd:
                    fc:d5:33:e4:1b:c1:26:12:04:05:95:e5:99:7c:23:
                    2a:ea:de:f3:45:7e:3b:9d:e9:56:a5:83:07:61:e9:
                    dd:19
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type:
                SSL CA
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                03:9C:EC:D3:BD:2A:C4:A8:E8:23:04:F2:AD:69:C9:2E:CF:CE:85:85
    Signature Algorithm: sha256WithRSAEncryption
         6d:98:36:7e:e6:2f:54:7d:7f:0a:9b:85:d5:ef:e6:c3:c7:df:
         c8:c4:1b:3e:78:51:ee:48:8c:c2:0c:ac:8f:89:67:06:22:3f:
         fe:05:f4:17:2b:1c:23:0e:53:1f:0e:7b:23:e1:fe:ac:9c:52:
         ac:13:11:06:be:00:55:13:36:1a:47:22:29:41:79:f8:ca:8e:
         2b:5a:26:57:b6:26:80:da:7d:ac:10:5f:53:b9:00:e4:d9:ed:
         51:04:52:af:d0:7c:33:ce:24:6f:eb:06:d0:49:c6:da:71:25:
         64:fe:66:0b:29:90:99:7f:b7:c4:3d:f9:17:5b:24:21:ae:7c:
         3f:b1:33:b5:af:64:e2:bc:44:d4:41:df:35:ca:45:8a:08:61:
         7a:76:8b:4c:7c:23:80:1d:87:97:29:98:78:a3:38:bf:3c:8d:
         5c:79:43:64:95:77:4d:50:cb:a2:17:fd:cf:f9:9f:42:b4:d5:
         20:8a:2c:12:af:9d:cd:34:b4:be:53:ad:e4:d8:33:bb:fe:7d:
         a1:57:e6:cf:b7:a6:30:a2:3d:f6:8f:4d:4b:f6:2b:cc:19:df:
         d2:d5:6e:25:d2:92:13:db:60:f9:6c:e4:bc:09:56:07:5a:30:
         6f:89:67:1a:e4:93:52:bd:f6:89:ab:1f:71:17:6b:78:97:69:
         05:46:a6:2f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
>> openssl x509 -in mitmproxy-systemb-ca-cert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15891076851956 (0xe73edfda8f4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mitmproxy, O=mitmproxy
        Validity
            Not Before: May  8 10:48:05 2020 GMT
            Not After : May 10 10:48:05 2023 GMT
        Subject: CN=mitmproxy, O=mitmproxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:27:ef:99:12:9b:84:9d:82:a7:d1:96:e6:fe:
                    14:cf:a5:1a:d5:95:f5:1f:b3:25:fc:10:df:1a:f1:
                    20:4a:a5:e9:e9:b9:20:ba:d3:c2:88:e9:cb:fe:66:
                    43:5e:4a:1d:9c:39:f4:a8:64:50:51:f6:18:0b:f2:
                    a2:b3:da:1d:a5:0d:01:c5:bd:c0:6c:b7:a7:25:cd:
                    6d:d7:21:2b:ba:a8:35:b6:a4:a3:33:0d:15:8d:44:
                    8e:bb:70:d6:1a:9b:c2:21:09:f9:70:fc:42:8c:d6:
                    a9:1b:d2:d1:0c:4b:03:f2:44:ca:c7:bf:8f:8b:e2:
                    fe:0c:ff:99:fe:61:f2:8f:6e:26:ae:ec:60:6c:ff:
                    ec:51:db:3e:3c:3e:a9:32:38:61:13:52:8e:40:15:
                    b0:8d:f7:7b:b8:d9:11:84:d6:dc:bd:9e:12:58:5c:
                    03:13:d6:73:6e:95:84:5f:8d:21:72:bb:17:27:a7:
                    19:b4:00:43:7b:bc:2e:f2:d9:8a:68:53:0d:de:bc:
                    03:6c:f8:78:c9:e6:43:1f:45:1e:b0:d0:7d:3b:a7:
                    cc:05:f2:cb:b1:5f:9c:5f:7f:ee:f3:4e:94:99:28:
                    33:6f:65:eb:24:a2:44:f1:22:13:a7:71:cd:88:15:
                    c3:14:77:a2:3c:dc:59:6c:10:81:0f:f1:89:ef:90:
                    1d:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type:
                SSL CA
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                FE:50:10:81:42:BA:C2:85:01:CB:D2:B4:2E:FF:F1:B3:CD:B2:63:16
    Signature Algorithm: sha256WithRSAEncryption
         00:d0:fe:58:df:07:90:b9:03:25:b9:0c:6d:37:e4:65:aa:0f:
         f9:d4:ea:9a:42:b7:3e:0f:8f:d3:1e:c4:26:03:ff:57:5b:6f:
         3d:36:fb:cd:61:4f:4a:5a:20:71:5e:96:25:b3:d2:31:4b:da:
         ec:6c:6e:30:e9:0f:77:5b:fe:34:95:5d:31:2a:bf:53:b9:f4:
         94:98:5c:fa:b9:c5:27:1a:7e:51:2e:dd:75:f5:c6:51:f7:8d:
         69:66:77:9c:e6:0f:7c:79:1a:2f:ca:be:16:9e:45:3f:4b:ff:
         49:d8:5d:37:5f:d5:2c:f4:cd:bd:06:fd:09:b0:7b:4b:2b:21:
         99:40:24:0a:f6:5f:c3:9c:2f:58:f6:60:b6:b4:3c:b6:89:43:
         a6:be:a0:4a:9b:d4:2d:06:b3:2c:b3:eb:c6:18:5a:e4:b1:2b:
         f7:b3:7a:a6:41:96:1e:09:19:39:37:25:e0:2c:7a:31:aa:bf:
         f8:1a:c2:76:9b:32:30:b7:20:28:ea:63:a9:f7:16:ba:4d:23:
         a5:90:7c:0f:31:b9:cd:f8:77:64:8f:28:5f:b8:10:64:4d:08:
         f8:6a:9c:45:6f:c7:28:2e:4c:2c:34:09:ef:57:ed:c6:0e:c3:
         6d:db:a4:de:8c:72:30:2d:59:8d:c1:e1:2c:6d:29:89:d5:9d:
         86:c3:fb:65
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

For example, on a freshly installed Ubuntu 20.04 box or a new container,
issuing the following commands reproduces the problem for me:

  apt update
  apt install mitmproxy
  mitmdump
  <CTRL-C>
  openssl x509 -in /root/.mitmproxy/mitmproxy-ca-cert.pem -hash -issuer_hash
  8bbe0e8d
  8bbe0e8d

Of course both hashes are the same, it is a self-signed root certificate. But I find it strange that I always get the hash value 8bbe0e8d. Everywhere.

The answer to this riddle is documented in the OpenSSL man page:

-issuer_hash outputs the "hash" of the certificate issuer name.

As you can see in the certificate output, the issuer of the certificate is fixed and therefore the same on every system where mitmproxy is installed: CN=mitmproxy, O=mitmproxy

A fixed input of course always yields the same hash value.

A root CA certificate can have multiple child certificates. All of these child certificates therefore have the same issuer and thus map to the same hash. So it is not unusual for multiple certificates in /etc/ssl/certs/ to map to the same hash value. It seems to be some kind of grouping.

Using the certificate fingerprint (or the issuer certificate's fingerprint) would make little sense here, because when you use /etc/ssl/certs/ you usually want to find exactly that certificate's data. If you already knew the certificate fingerprint, you would also have the certificate and would not have to search for the certificate data.
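The mechanism behind the identical value, as an added worked example that is not code from mitmproxy, OpenSSL or this thread: `openssl x509 -hash` is an alias for `-subject_hash`, and `-issuer_hash` applies the same function to the issuer name, which is why a self-signed certificate prints the same value for both. OpenSSL 1.0.0 and later compute that value as the SHA-1 of a canonicalised encoding of the name (each string attribute converted to UTF8String, trimmed, internal whitespace collapsed, ASCII letters lower-cased, and the RDNs emitted as a run of `SET OF` elements without the outer `SEQUENCE` wrapper a DER Name has), of which the first four digest bytes are read little-endian. The public key and the serial number never enter into it, so every certificate whose subject is `CN=mitmproxy, O=mitmproxy` hashes to the same 8-hex-digit value regardless of which key is inside. The script below reimplements that with the standard library only, and also mimics the `<hash>.N` file naming c_rehash uses, which is what produces `8bbe0e8d.0` and `8bbe0e8d.1` for two mitmproxy CAs. The attribute/OID table, the `rehash_names` helper and the sample subjects are constructed for this example.

```python
"""Reproduce OpenSSL's X509_NAME_hash: the value printed by
`openssl x509 -hash` / `-subject_hash` / `-issuer_hash` and used by c_rehash
for the <hash>.N symlink names in /etc/ssl/certs.

Added example, standard library only. The canonicalisation and hashing rules
follow OpenSSL >= 1.0.0 (crypto/x509/x_name.c); the pre-1.0.0 MD5 scheme
behind `-subject_hash_old` is a different function and not implemented here.
"""
import hashlib
import re
from collections import Counter

# Attribute-type OIDs for the RDN types this example understands (constructed
# table; only CN and O are needed for the mitmproxy CA subject).
OIDS = {
    "CN": "2.5.4.3",    # commonName
    "O": "2.5.4.10",    # organizationName
    "OU": "2.5.4.11",   # organizationalUnitName
    "C": "2.5.4.6",     # countryName
    "L": "2.5.4.7",     # localityName
    "ST": "2.5.4.8",    # stateOrProvinceName
}

ASCII_WS = " \t\n\r\f\v"


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])   # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def canon_string(value: str) -> bytes:
    """OpenSSL asn1_string_canon: trim ASCII whitespace, collapse internal runs
    to a single space, lower-case ASCII letters, encode as UTF-8. This is why
    'CN=MITMPROXY' and 'CN=mitmproxy' hash identically."""
    s = re.sub("[" + ASCII_WS + "]+", " ", value.strip(ASCII_WS))
    s = "".join(c.lower() if c.isascii() else c for c in s)
    return s.encode("utf-8")


def canon_encoding(attrs) -> bytes:
    """Canonical encoding that X509_NAME_hash digests: each RDN as
    SET OF { SEQUENCE { OID, UTF8String } }, concatenated, with NO outer
    SEQUENCE. `attrs` is a list of (type, value) pairs in DER order, one
    attribute per RDN (sufficient for the certificates in the question)."""
    out = b""
    for attr, value in attrs:
        entry = der_tlv(0x30, der_oid(OIDS[attr]) + der_tlv(0x0C, canon_string(value)))
        out += der_tlv(0x31, entry)
    return out


def name_hash(attrs) -> str:
    """SHA-1 of the canonical encoding; first four bytes read little-endian and
    printed as 8 lower-case hex digits, exactly like `openssl x509 -hash`."""
    md = hashlib.sha1(canon_encoding(attrs)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def rehash_names(subjects):
    """Mimic c_rehash's <hash>.<N> symlink naming: every certificate is filed
    under the hash of its OWN subject, and certificates whose subjects collide
    get the next free suffix. Two mitmproxy CAs from different installs share
    the subject and so become <hash>.0 and <hash>.1."""
    seen = Counter()
    names = []
    for subj in subjects:
        h = name_hash(subj)
        names.append("%s.%d" % (h, seen[h]))
        seen[h] += 1
    return names


if __name__ == "__main__":
    # Subject of both CA certificates in the question, in DER order (CN, then O).
    mitm = [("CN", "mitmproxy"), ("O", "mitmproxy")]
    print("subject hash:", name_hash(mitm))
    print("canonical bytes:", canon_encoding(mitm).hex())
    print("c_rehash names for two mitmproxy CAs plus one other CA:",
          rehash_names([mitm, mitm, [("CN", "Some Other CA"), ("O", "Example")]]))
```

Feeding it the subject from the question, `[("CN", "mitmproxy"), ("O", "mitmproxy")]` in DER order, should give the same value as `openssl x509 -in ~/.mitmproxy/mitmproxy-ca-cert.pem -noout -subject_hash`; if the two disagree, the usual cause is a different attribute order in the DER Name, which `openssl x509 -noout -subject` prints in DER order by default. The canonicalisation is also the reason that regenerating the mitmproxy CA (deleting `~/.mitmproxy`) changes the modulus, the serial number and the Subject Key Identifier but never the hash.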