如何在 C# 证书回调中查看“签名哈希算法”?
[英]How do I view "Signature hash algorithm" in C# certificate callback?
问题描述
I have a server that uses the following certificate for SSL/TLS communications:
我有一台使用以下证书进行 SSL/TLS 通信的服务器:
In my C# code, I use a custom certificate validation callback to view the properties of this certificate programmatically, like so:在我的 C# 代码中,我使用自定义证书验证回调以编程方式查看此证书的属性,如下所示:
private static bool CertificateValidationCallBack(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
// Certificate2 is better than Certificate1, right?
X509Certificate2 cert = (X509Certificate2)certificate;
Console.WriteLine("Certificate Subject : " + cert.Subject);
Console.WriteLine("Certificate Issuer : " + cert.Issuer);
// So on and so forth...
}
However, my problem is that I cannot seem to see that "Signature hash algorithm" property.但是,我的问题是我似乎看不到“签名哈希算法”属性。 cert.SignatureAlgorithm.FriendlyName returns RSASSA-PSS , and cert.SignatureAlgorithm.FriendlyName返回RSASSA-PSS ,并且
new System.Security.Cryptography.Oid(cert.GetKeyAlgorithm()).FriendlyName)
returns simply RSA .只返回RSA 。 None of these properties seem to give me that "sha256" property that I see in the GUI.这些属性似乎都没有给我在 GUI 中看到的“sha256”属性。 How do I return that property?我如何归还该财产?
Edit: I found this related question on Cryptography.SE that explains that Microsoft's certificate viewer GUI is a little wonky and off-standard, but if that's the case then I want to be wonky too.编辑:我在 Cryptography.SE 上发现了这个相关问题,它解释了 Microsoft 的证书查看器 GUI 有点不稳定且不符合标准,但如果是这种情况,那么我也想变得不稳定。 I want to know how to report "sha256" the same way that the GUI does.我想知道如何以与 GUI 相同的方式报告“sha256”。
Update 08/13: Viewed from another perspective, when I use the command 08/13 更新:从另一个角度来看,当我使用命令时
certutil.exe -dump cert.cer
An excerpt of the result:结果摘录:
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
Algorithm Parameters:
0000 30 34 a0 0f 30 0d 06 09 60 86 48 01 65 03 04 02
0010 01 05 00 a1 1c 30 1a 06 09 2a 86 48 86 f7 0d 01
0020 01 08 30 0d 06 09 60 86 48 01 65 03 04 02 01 05
0030 00 a2 03 02 01 20
2.16.840.1.101.3.4.2.1 sha256 (sha256NoSign)
05 00
1.2.840.113549.1.1.8 mgf1
2.16.840.1.101.3.4.2.1 sha256 (sha256NoSign)
05 00
0x20 (32)
I sure wish I knew how to find those OIDs (the sha256 ones) for myself... without resorting to parsing the output of an actual certutil command.我当然希望我知道如何为自己找到那些 OID(sha256 的)……而不用解析实际的 certutil 命令的输出。
1 个解决方案
解决方案1
0 2019-12-24 03:35:36
From your DER bytes, these are signature algorithms.从您的 DER 字节来看,这些是签名算法。
2a 86 48 86 f7 0d 01 01 08
I know these are signature algorithms.我知道这些是签名算法。 But, I don't know how to analyse these bytes.但是,我不知道如何分析这些字节。
I presume that last byte means the hash algorithm.我认为最后一个字节表示哈希算法。 I tested with openssl, last byte changed from 0b->0c->0d, when I generated a certificate with sha256, sha384, sha5512.我用openssl测试,当我用sha256、sha384、sha5512生成证书时,最后一个字节从0b->0c->0d改变了。 Please let me know, when you have figured it out.请让我知道,当你想通了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.