一
数字证书的常见格式
二
CER格式数字证书与PEM格式数字证书的转换
(一) 从PEM到CER的转换:
openssl x509 -outform der -in demo.pem -out demo.cer
-----BEGIN CERTIFICATE-----
MIIFPDCCBCSgAwIBAgIGAYyvnmk8MA0GCSqGSIb3DQEBCwUAMIGiMTMwMQYDVQQD
DCpDaGFybGVzIFByb3h5IENBICgyOCBEZWMgMjAyMywgT05MWVhJVS1QQykxJTAj
BgNVBAsMHGh0dHBzOi8vY2hhcmxlc3Byb3h5LmNvbS9zc2wxETAPBgNVBAoMCFhL
NzIgTHRkMREwDwYDVQQHDAhBdWNrbGFuZDERMA8GA1UECAwIQXVja2xhbmQxCzAJ
BgNVBAYTAk5aMB4XDTIzMTIyNzA4NTA0M1oXDTI0MTIyNjA4NTA0M1owgaIxMzAx
BgNVBAMMKkNoYXJsZXMgUHJveHkgQ0EgKDI4IERlYyAyMDIzLCBPTkxZWElVLVBD
KTElMCMGA1UECwwcaHR0cHM6Ly9jaGFybGVzcHJveHkuY29tL3NzbDERMA8GA1UE
CgwIWEs3MiBMdGQxETAPBgNVBAcMCEF1Y2tsYW5kMREwDwYDVQQIDAhBdWNrbGFu
ZDELMAkGA1UEBhMCTlowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCJ
TK1VSeT/k60mk8XIXLd/wSvl9XQpb6n2ouoybMj/vGSnr49reuzdZLAX2L4wR4E5
pIzCGGnYOKM0HgY8REiMPGRdPQujxkqlqlMj69/mQiUM6DNuP6QEIMaFqBD64pjd
Jv2X00FR/WTn+hulwA/iQyo43E9/lZ75yIa4eldEJKjLoteZAKrw6FAAEXec7Dfw
mGYvrVUBKBeQsHpSNo547hw1WStmfw7RbFgrOA2HPZb+3nbqAJb/zV2f9xfqRQZr
+H7GEzDv2jDvPGTKEYEe5BAy3xSxWiKsFGfmbJhebfQob08dh5PjJilB/ZZ8Phwe
3SYxpjZorgVmrKSPmdBnAgMBAAGjggF0MIIBcDAPBgNVHRMBAf8EBTADAQH/MIIB
LAYJYIZIAYb4QgENBIIBHROCARlUaGlzIFJvb3QgY2VydGlmaWNhdGUgd2FzIGdl
bmVyYXRlZCBieSBDaGFybGVzIFByb3h5IGZvciBTU0wgUHJveHlpbmcuIElmIHRo
aXMgY2VydGlmaWNhdGUgaXMgcGFydCBvZiBhIGNlcnRpZmljYXRlIGNoYWluLCB0
aGlzIG1lYW5zIHRoYXQgeW91J3JlIGJyb3dzaW5nIHRocm91Z2ggQ2hhcmxlcyBQ
cm94eSB3aXRoIFNTTCBQcm94eWluZyBlbmFibGVkIGZvciB0aGlzIHdlYnNpdGUu
IFBsZWFzZSBzZWUgaHR0cDovL2NoYXJsZXNwcm94eS5jb20vc3NsIGZvciBtb3Jl
IGluZm9ybWF0aW9uLjAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFFMQZywS+KKZ
6b7kqWVDwcw/YbvWMA0GCSqGSIb3DQEBCwUAA4IBAQB9YIDwLnBTHYT8E7cZ1DCd
1scQRak/iZwbTbcmxPLT/Mi/FTKDRNFXvA/3JO/SOZZMGmRU1TGiU1IfMyIIf5YT
yz7iuv1MTs5G8jlJ2iguIsAu4keBda3y9gOyDjGfdya1IXI1BxJV9zjw+uKqQS7k
zP7PEeCsJN41OPy1mgNuCxsLC1EvvilvTH7Q4fJGTtu/ImIgdeyIThuEc6m/hswv
DjAfGw9LNBJJNgQqiKid/lBp68HEDVTrsjEtRc9wnfiqlKXQlZnnt17vV8I8Bxdp
+ihpOt44gfR79Z9qPuScDejMYb3vCySsbOApPlS327ty4Abf1dlxFBVsjWbmQoV0
-----END CERTIFICATE-----
#define _CRT_SECURE_NO_WARNINGS
#include <iostream>
#include <fstream>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/bio.h>
#include <openssl/applink.c>
int main() {
// 打开PEM格式证书文件
FILE* pem_file = fopen("demo.pem", "r");
if (!pem_file) {
std::cerr << "Failed to open PEM file." << std::endl;
return 1;
}
// 创建BIO对象
BIO* pem_bio = BIO_new_fp(pem_file, BIO_CLOSE);
if (!pem_bio) {
std::cerr << "Failed to create BIO for PEM file." << std::endl;
fclose(pem_file);
return 1;
}
// 读取PEM格式证书
X509* cert = PEM_read_bio_X509(pem_bio, nullptr, nullptr, nullptr);
if (!cert) {
std::cerr << "Failed to read PEM certificate." << std::endl;
BIO_free(pem_bio);
fclose(pem_file);
return 1;
}
// 创建DER格式证书文件
FILE* der_file = fopen("demo.cer", "wb");
if (!der_file) {
std::cerr << "Failed to create DER file." << std::endl;
BIO_free(pem_bio);
fclose(pem_file);
X509_free(cert);
return 1;
}
// 将X509证书编码为DER格式并写入文件
if (i2d_X509_fp(der_file, cert) == 0) {
std::cerr << "Failed to write DER certificate." << std::endl;
fclose(der_file);
BIO_free(pem_bio);
fclose(pem_file);
X509_free(cert);
return 1;
}
// 释放资源
fclose(der_file);
BIO_free(pem_bio);
fclose(pem_file);
X509_free(cert);
std::cout << "Conversion completed successfully." << std::endl;
return 0;
}
(二) 从CER到PEM的转换:
openssl x509 -inform der -in demo.cer -out demo.pem
三
计算数字证书的hash值
mv cacert.pem `openssl x509 -inform PEM -subject_hash_old -in cacert.pem |head -1`'.0'
mv cacert.cer `openssl x509 -inform DER -subject_hash_old -in cacert.cer |head -1`'.0'
四
证书的加载流程和原理
五
配置代理实操
(一) 使用手机程序安装pem证书
1. 选择cacert.pem数字证书进行安装
2. 命名为pem
3. 查看证书
4. 导出该文件进行原cer数字证书对比
(二) 用户证书抓包测试
(三) 用户证书目录转存储系统系统证书目录
(四) 系统证书抓包测试
(五) 手动推送pem证书到系统目录下
1. 将pem证书推动到系统目录下
2. 并修改权限为644
3. 重启手机,等待Move_Certificates插件将证书重定向到系统目录证书下
4. 抓包效果
(六) 制作与原系统证书一致的pem格式数字证书
1. 源系统证书处理pem格式数字证书除了base64,还有签名等信息
platina:/system/etc/security/cacerts # cat 7892ad52.0
-----BEGIN CERTIFICATE-----
MIIClDCCAhqgAwIBAgIILCmcWxbtBZUwCgYIKoZIzj0EAwIwfzELMAkGA1UEBhMC
VVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9T
U0wgQ29ycG9yYXRpb24xNDAyBgNVBAMMK1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eSBFQ0MwHhcNMTYwMjEyMTgxNTIzWhcNNDEwMjEyMTgx
NTIzWjB/MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hv
dXN0b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjE0MDIGA1UEAwwrU1NMLmNv
bSBFViBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IEVDQzB2MBAGByqGSM49
AgEGBSuBBAAiA2IABKoSR5CYG/vvw0AHgyBO8TCCogbR8pKGYfL2IWjKAMTH6kMA
VIbc/R/fALhBYlzccBYy3h+Z1MzFB8gIH2EWB1E9fVwHU+M1OIzfzZ/ZLg1Kthku
WnBaBu2+8KGwytAJKaNjMGEwHQYDVR0OBBYEFFvKXuXe0oGqzagtZFG22XKbl+ZP
MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUW8pe5d7SgarNqC1kUbbZcpuX
5k8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA2gAMGUCMQCK5kCJN+vp1RPZ
ytRrJPOwPYdGWBrssd9v+1a6cGvHOMzosYxPD/fxZ3YOg9AeUY8CMD32IygmTMZg
h5Mmm7I1HrrW9zzRHM76JTymGoEVW/MSD2zuZYrJh6j5B+BimoxcSg==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3182246526754555285 (0x2c299c5b16ed0595)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC
Validity
Not Before: Feb 12 18:15:23 2016 GMT
Not After : Feb 12 18:15:23 2041 GMT
Subject: C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:aa:12:47:90:98:1b:fb:ef:c3:40:07:83:20:4e:
f1:30:82:a2:06:d1:f2:92:86:61:f2:f6:21:68:ca:
00:c4:c7:ea:43:00:54:86:dc:fd:1f:df:00:b8:41:
62:5c:dc:70:16:32:de:1f:99:d4:cc:c5:07:c8:08:
1f:61:16:07:51:3d:7d:5c:07:53:e3:35:38:8c:df:
cd:9f:d9:2e:0d:4a:b6:19:2e:5a:70:5a:06:ed:be:
f0:a1:b0:ca:d0:09:29
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Subject Key Identifier:
5B:CA:5E:E5:DE:D2:81:AA:CD:A8:2D:64:51:B6:D9:72:9B:97:E6:4F
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:5B:CA:5E:E5:DE:D2:81:AA:CD:A8:2D:64:51:B6:D9:72:9B:97:E6:4F
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:65:02:31:00:8a:e6:40:89:37:eb:e9:d5:13:d9:ca:d4:6b:
24:f3:b0:3d:87:46:58:1a:ec:b1:df:6f:fb:56:ba:70:6b:c7:
38:cc:e8:b1:8c:4f:0f:f7:f1:67:76:0e:83:d0:1e:51:8f:02:
30:3d:f6:23:28:26:4c:c6:60:87:93:26:9b:b2:35:1e:ba:d6:
f7:3c:d1:1c:ce:fa:25:3c:a6:1a:81:15:5b:f3:12:0f:6c:ee:
65:8a:c9:87:a8:f9:07:e0:62:9a:8c:5c:4a
SHA1 Fingerprint=4C:DD:51:A3:D1:F5:20:32:14:B0:C6:C5:32:23:03:91:C7:46:42:6D
platina:/system/etc/security/cacerts #
2.生成系统系统预设格式证书文件
openssl x509 -inform PEM -text -in cacert.pem > 7591945e.0
openssl x509 -inform DER -text -in cacert.cer > 7591945e.0
3. 编辑生成的文件
-----BEGIN CERTIFICATE-----
MIIFPDCCBCSgAwIBAgIGAYyvnmk8MA0GCSqGSIb3DQEBCwUAMIGiMTMwMQYDVQQD
DCpDaGFybGVzIFByb3h5IENBICgyOCBEZWMgMjAyMywgT05MWVhJVS1QQykxJTAj
BgNVBAsMHGh0dHBzOi8vY2hhcmxlc3Byb3h5LmNvbS9zc2wxETAPBgNVBAoMCFhL
NzIgTHRkMREwDwYDVQQHDAhBdWNrbGFuZDERMA8GA1UECAwIQXVja2xhbmQxCzAJ
BgNVBAYTAk5aMB4XDTIzMTIyNzA4NTA0M1oXDTI0MTIyNjA4NTA0M1owgaIxMzAx
BgNVBAMMKkNoYXJsZXMgUHJveHkgQ0EgKDI4IERlYyAyMDIzLCBPTkxZWElVLVBD
KTElMCMGA1UECwwcaHR0cHM6Ly9jaGFybGVzcHJveHkuY29tL3NzbDERMA8GA1UE
CgwIWEs3MiBMdGQxETAPBgNVBAcMCEF1Y2tsYW5kMREwDwYDVQQIDAhBdWNrbGFu
ZDELMAkGA1UEBhMCTlowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCJ
TK1VSeT/k60mk8XIXLd/wSvl9XQpb6n2ouoybMj/vGSnr49reuzdZLAX2L4wR4E5
pIzCGGnYOKM0HgY8REiMPGRdPQujxkqlqlMj69/mQiUM6DNuP6QEIMaFqBD64pjd
Jv2X00FR/WTn+hulwA/iQyo43E9/lZ75yIa4eldEJKjLoteZAKrw6FAAEXec7Dfw
mGYvrVUBKBeQsHpSNo547hw1WStmfw7RbFgrOA2HPZb+3nbqAJb/zV2f9xfqRQZr
+H7GEzDv2jDvPGTKEYEe5BAy3xSxWiKsFGfmbJhebfQob08dh5PjJilB/ZZ8Phwe
3SYxpjZorgVmrKSPmdBnAgMBAAGjggF0MIIBcDAPBgNVHRMBAf8EBTADAQH/MIIB
LAYJYIZIAYb4QgENBIIBHROCARlUaGlzIFJvb3QgY2VydGlmaWNhdGUgd2FzIGdl
bmVyYXRlZCBieSBDaGFybGVzIFByb3h5IGZvciBTU0wgUHJveHlpbmcuIElmIHRo
aXMgY2VydGlmaWNhdGUgaXMgcGFydCBvZiBhIGNlcnRpZmljYXRlIGNoYWluLCB0
aGlzIG1lYW5zIHRoYXQgeW91J3JlIGJyb3dzaW5nIHRocm91Z2ggQ2hhcmxlcyBQ
cm94eSB3aXRoIFNTTCBQcm94eWluZyBlbmFibGVkIGZvciB0aGlzIHdlYnNpdGUu
IFBsZWFzZSBzZWUgaHR0cDovL2NoYXJsZXNwcm94eS5jb20vc3NsIGZvciBtb3Jl
IGluZm9ybWF0aW9uLjAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFFMQZywS+KKZ
6b7kqWVDwcw/YbvWMA0GCSqGSIb3DQEBCwUAA4IBAQB9YIDwLnBTHYT8E7cZ1DCd
1scQRak/iZwbTbcmxPLT/Mi/FTKDRNFXvA/3JO/SOZZMGmRU1TGiU1IfMyIIf5YT
yz7iuv1MTs5G8jlJ2iguIsAu4keBda3y9gOyDjGfdya1IXI1BxJV9zjw+uKqQS7k
zP7PEeCsJN41OPy1mgNuCxsLC1EvvilvTH7Q4fJGTtu/ImIgdeyIThuEc6m/hswv
DjAfGw9LNBJJNgQqiKid/lBp68HEDVTrsjEtRc9wnfiqlKXQlZnnt17vV8I8Bxdp
+ihpOt44gfR79Z9qPuScDejMYb3vCySsbOApPlS327ty4Abf1dlxFBVsjWbmQoV0
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1703753443644 (0x18caf9e693c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = "Charles Proxy CA (28 Dec 2023, ONLYXIU-PC)", OU = https://charlesproxy.com/ssl, O = XK72 Ltd, L = Auckland, ST = Auckland, C = NZ
Validity
Not Before: Dec 27 08:50:43 2023 GMT
Not After : Dec 26 08:50:43 2024 GMT
Subject: CN = "Charles Proxy CA (28 Dec 2023, ONLYXIU-PC)", OU = https://charlesproxy.com/ssl, O = XK72 Ltd, L = Auckland, ST = Auckland, C = NZ
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:89:4c:ad:55:49:e4:ff:93:ad:26:93:c5:c8:5c:
b7:7f:c1:2b:e5:f5:74:29:6f:a9:f6:a2:ea:32:6c:
c8:ff:bc:64:a7:af:8f:6b:7a:ec:dd:64:b0:17:d8:
be:30:47:81:39:a4:8c:c2:18:69:d8:38:a3:34:1e:
06:3c:44:48:8c:3c:64:5d:3d:0b:a3:c6:4a:a5:aa:
53:23:eb:df:e6:42:25:0c:e8:33:6e:3f:a4:04:20:
c6:85:a8:10:fa:e2:98:dd:26:fd:97:d3:41:51:fd:
64:e7:fa:1b:a5:c0:0f:e2:43:2a:38:dc:4f:7f:95:
9e:f9:c8:86:b8:7a:57:44:24:a8:cb:a2:d7:99:00:
aa:f0:e8:50:00:11:77:9c:ec:37:f0:98:66:2f:ad:
55:01:28:17:90:b0:7a:52:36:8e:78:ee:1c:35:59:
2b:66:7f:0e:d1:6c:58:2b:38:0d:87:3d:96:fe:de:
76:ea:00:96:ff:cd:5d:9f:f7:17:ea:45:06:6b:f8:
7e:c6:13:30:ef:da:30:ef:3c:64:ca:11:81:1e:e4:
10:32:df:14:b1:5a:22:ac:14:67:e6:6c:98:5e:6d:
f4:28:6f:4f:1d:87:93:e3:26:29:41:fd:96:7c:3e:
1c:1e:dd:26:31:a6:36:68:ae:05:66:ac:a4:8f:99:
d0:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
Netscape Comment:
....This Root certificate was generated by Charles Proxy for SSL Proxying. If this certificate is part of a certificate chain, this means that you're browsing through Charles Proxy with SSL Proxying enabled for this website. Please see http://charlesproxy.com/ssl for more information.
X509v3 Key Usage: critical
Certificate Sign
X509v3 Subject Key Identifier:
53:10:67:2C:12:F8:A2:99:E9:BE:E4:A9:65:43:C1:CC:3F:61:BB:D6
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
7d:60:80:f0:2e:70:53:1d:84:fc:13:b7:19:d4:30:9d:d6:c7:
10:45:a9:3f:89:9c:1b:4d:b7:26:c4:f2:d3:fc:c8:bf:15:32:
83:44:d1:57:bc:0f:f7:24:ef:d2:39:96:4c:1a:64:54:d5:31:
a2:53:52:1f:33:22:08:7f:96:13:cb:3e:e2:ba:fd:4c:4e:ce:
46:f2:39:49:da:28:2e:22:c0:2e:e2:47:81:75:ad:f2:f6:03:
b2:0e:31:9f:77:26:b5:21:72:35:07:12:55:f7:38:f0:fa:e2:
aa:41:2e:e4:cc:fe:cf:11:e0:ac:24:de:35:38:fc:b5:9a:03:
6e:0b:1b:0b:0b:51:2f:be:29:6f:4c:7e:d0:e1:f2:46:4e:db:
bf:22:62:20:75:ec:88:4e:1b:84:73:a9:bf:86:cc:2f:0e:30:
1f:1b:0f:4b:34:12:49:36:04:2a:88:a8:9d:fe:50:69:eb:c1:
c4:0d:54:eb:b2:31:2d:45:cf:70:9d:f8:aa:94:a5:d0:95:99:
e7:b7:5e:ef:57:c2:3c:07:17:69:fa:28:69:3a:de:38:81:f4:
7b:f5:9f:6a:3e:e4:9c:0d:e8:cc:61:bd:ef:0b:24:ac:6c:e0:
29:3e:54:b7:db:bb:72:e0:06:df:d5:d9:71:14:15:6c:8d:66:
e6:42:85:74
4. 抓包效果
六
总结
看雪ID:Onlyxiu
https://bbs.kanxue.com/user-home-957322.htm
# 往期推荐
2、.NET 恶意软件 101:分析 .NET 可执行文件结构
球分享
球点赞
球在看
点击阅读原文查看更多
原文始发于微信公众号(看雪学苑):Android配置抓包证书的原理