Suppose I have a self-signed X.509 certificate:
file some.bin
some.bin: Certificate, Version=3, Serial=00ea5db390c4cc0de3, Issuer=Some Certificate, not-valid-before=2022-08-02 06:51:44 GMT, not-valid-after=2042-07-28 06:51:44 GMT, Subject=Some Certificate
Obviously it has a signature value:
openssl x509 -text -in some.bin -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ea:5d:b3:90:c4:cc:0d:e3
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = Some Issuer
Not Before: Aug 2 06:51:44 2022 GMT
Not After : Jul 28 06:51:44 2042 GMT
Subject: CN = Some Certificate
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:56:98:eb:e0:96:9f:f5:2d:f0:99:2f:d8:6c:ae:
36:27:c0:a2:0c:95:9e:df:3a:fe:b6:57:69:bc:a6:
13:26:c4:e0:ca:58:fe:8b:19:d4:1c:d8:bf:cd:a4:
64:00:e6:50:02:af:c5:fc:f6:ba:f1:2b:f5:96:51:
99:40:ba:2c:33
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
9F:BD:59:32:3C:23:95:BE:9B:C3:4F:45:55:5A:97:C6:13:94:B3:09
X509v3 Authority Key Identifier:
9F:BD:59:32:3C:23:95:BE:9B:C3:4F:45:55:5A:97:C6:13:94:B3:09
X509v3 Basic Constraints:
CA:FALSE
1.2.3.1: critical
...
1.2.3.101: critical
..`.H.e....... .....U...j.A.........1.._Y.f.L..
1.2.3.102: critical
..`.H.e....... ................................
1.2.3.103: critical
..`.H.e....... ..C.T...Ld..c;.t.D4...>L..fFY.;.
1.2.3.104: critical
$....N.?.8.... .$.......*h...f....}
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:44:02:20:0f:e3:9f:d7:cd:27:5a:58:53:dd:4c:49:3c:71:
fe:ba:85:28:c2:11:50:ba:81:a2:96:36:d9:e9:82:fc:84:01:
02:20:59:05:09:e1:88:cc:9f:07:18:71:d8:ab:7d:52:63:e9:
cd:e4:e7:01:11:88:4b:28:0e:54:99:0e:45:08:19:c4
Now that I have the certificate and the private key it was signed with (since it is self-signed), I want to change one of the 256-bit hash values contained in the certificate, in this example e.g. the one under OID 1.2.3.103. I can change the 32 bytes, no problem, but how do I recompute the signature value with my private key? Preferably the approach would be to recreate the whole certificate. I assume this should be possible?
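One way to do what the question asks, shown here as an added example and not code from the asker: it rebuilds a self-signed P-256 certificate with a new value under 1.2.3.103 and re-signs it with the same private key using the openssl CLI (`openssl x509 -signkey -clrext -extfile` replaces the extension set and produces a fresh signature over the new TBSCertificate). The function names, temporary files and hash values are mine, the payload layout (a SHA-256 AlgorithmIdentifier followed by a 32-byte OCTET STRING) is an assumption modelled on the dump above, and it needs OpenSSL 1.1.1 or 3.x on the path.

```shell
# Re-create a self-signed P-256 certificate with a new 1.2.3.103 value, signed again by its key.
set -eu
WORK="$(mktemp -d)"
# Payload: assumed layout from the dump above, SHA-256 AlgorithmIdentifier + 32-byte OCTET STRING.
ext_payload() {  # $1 = 64 hex chars
  printf 'DER:06:09:60:86:48:01:65:03:04:02:01:05:00:04:20:%s' \
    "$(printf '%s' "$1" | sed 's/../&:/g; s/:$//')"
}
# Extension section reused for issuance and re-issuance; [req]/[dn] only keep
# `openssl req` happy when the subject is passed with -subj.
write_extfile() {  # $1 = output file, $2 = hash hex
  cat >"$1" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:FALSE
1.2.3.103 = critical,$(ext_payload "$2")
EOF
}
# Generate the key and the original self-signed certificate.
make_cert() {  # $1 = hash hex
  write_extfile "$WORK/orig.cnf" "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
  openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=Some Certificate" \
    -days 7300 -config "$WORK/orig.cnf" -extensions v3_ext -out "$WORK/orig.pem"
}
# Re-create it: keep subject and public key, drop the old extensions, add the
# edited set, then sign the new TBSCertificate with the private key.
resign_with_hash() {  # $1 = new hash hex
  write_extfile "$WORK/new.cnf" "$1"
  openssl x509 -in "$WORK/orig.pem" -signkey "$WORK/key.pem" -days 7300 \
    -clrext -extfile "$WORK/new.cnf" -extensions v3_ext -out "$WORK/new.pem"
}
# Check the new signature under the cert's own key. The unknown critical OID
# must be ignored explicitly; a standards-following validator rejects it.
verify_new() {
  openssl verify -ignore_critical -CAfile "$WORK/new.pem" "$WORK/new.pem"
}
# Succeeds when the DER encoding of cert $1 contains the lowercase hex string $2.
cert_contains_hex() {
  openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n' | grep -q "$2"
}
OLD=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
NEW=b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2
make_cert "$OLD"
resign_with_hash "$NEW"   # same key, edited hash, fresh signature
verify_new
```

Because re-signing produces a new TBSCertificate (fresh validity dates, new signature bytes), anything that pinned the old certificate's fingerprint has to be updated to the new one.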