0

I use the SSL_get_peer_certificate() and X509_get_pubkey() APIs to get the public key of a web site's (www.google.com) HTTPS certificate. When I dump the public key, I get the following:

00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
4d:b9

I find that this is not the same as what I see in the browser (in Chrome, click the padlock in the URL address bar -> Connection -> Certificate information -> Certificate -> Details -> Public Key field), shown below:

30 82 01 0a 02 82 01 01 00 bb cb 8a 0e b6 df 
3f 0a ba a4 7b 20 9f e9 0a f2 81 04 84 ed d0 
9e c9 fd 2a ec 39 9f 11 56 c3 2e 33 39 8f da 
32 d7 84 54 55 5c 99 2f 56 61 73 17 2d 26 15 
bc 8b 89 12 b8 78 73 17 1d c5 32 a2 e3 f1 b5 
c4 d8 41 67 41 72 16 74 81 c8 4f f3 a8 57 31 
cd 69 73 7b 96 41 2d be 66 15 f0 eb f7 33 7c 
79 4a 00 40 0e c6 df 71 66 1a a7 12 79 e8 7e 
89 c2 04 cc 09 b0 1f 9b 67 81 ec 5f 26 2d 09 
c3 ce 1c a6 96 e9 0f de 6f aa b1 07 82 be a9 
18 2e 2b a5 c5 17 a1 91 75 7b 0a 86 cc 1d bc 
91 10 1d 5b 3b fd 49 37 04 65 5a c8 4a 41 17 
37 63 ab a1 83 11 58 c8 24 74 c2 e4 ae 8e d6 
90 98 5a d7 b7 96 4e d4 d8 21 e9 45 43 0b e0 
0b 07 dd 0f 79 47 4a 06 44 17 97 59 c9 b1 e0 
1b 2b 55 d8 bf 3c 07 f1 be 56 5e da 53 78 e2 
c3 cb 6a 21 f5 83 66 66 bd eb 6f 27 da aa 91 
30 93 eb 40 52 e0 24 a5 4d b9 02 03 01 00 01

Why are these two public keys different?
I am curious what these two kinds of public key data are.

Update:
Updated the public key field value from the Chrome browser.

Jerry YY Rain
  • I haven't done this myself, but you pose an interesting question. How is it with the repeatability; do you get the same results if you run your app multiple times? – WolfCoder Oct 28 '14 at 10:16
  • Sure, this result should always be the same, which is also proved in soerium's answer; we get the same result. – Jerry YY Rain Oct 29 '14 at 06:15

2 Answers

1

Very interesting. I did some investigation in that field.

The very first cert in the Chromium chain you provided: 30 82 01 0a 02 82 01 01 00 b2 56 ae e5 f2 a3 (...) does not point to the "*.google.com" cert as you expected but to the GeoTrust Global CA cert (https://www.tbs-certificates.co.uk/FAQ/en/602.html, details here - http://geotrust.tbs-certificats.com/GeoTrust_Global_CA.cer)

I've extracted the pubkey from www.google.com:443 and then converted it to the 'modulus':

$ openssl s_client -connect www.google.com:443 | openssl x509 -pubkey -noout
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu8uKDrbfPwq6pHsgn+kK
8oEEhO3Qnsn9Kuw5nxFWwy4zOY/aMteEVFVcmS9WYXMXLSYVvIuJErh4cxcdxTKi
4/G1xNhBZ0FyFnSByE/zqFcxzWlze5ZBLb5mFfDr9zN8eUoAQA7G33FmGqcSeeh+
icIEzAmwH5tngexfJi0Jw84cppbpD95vqrEHgr6pGC4rpcUXoZF1ewqGzB28kRAd
Wzv9STcEZVrISkEXN2OroYMRWMgkdMLkro7WkJha17eWTtTYIelFQwvgCwfdD3lH
SgZEF5dZybHgGytV2L88B/G+Vl7aU3jiw8tqIfWDZma9628n2qqRMJPrQFLgJKVN
uQIDAQAB
-----END PUBLIC KEY-----

$ openssl rsa -pubin -inform PEM -text -noout < public.key
Public-Key: (2048 bit)
Modulus:
    00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
    0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
    56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
    56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
    1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
    81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
    66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
    66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
    67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
    6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
    75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
    04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
    24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
    d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
    44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
    be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
    bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
    4d:b9
Exponent: 65537 (0x10001)

Conclusion: good, it looks like we both work on the same pubkey (www.google.com:443).

Then I created an example SSL connection to www.google.com:443 (Python/M2Crypto) and listed the "peer cert chain"; here is the output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1227750 (0x12bbe6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Validity
            Not Before: May 21 04:00:00 2002 GMT
            Not After : Aug 21 04:00:00 2018 GMT
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df:
                    3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8:
                    43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29:
                    bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4:
                    60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3:
                    ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92:
                    2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d:
                    80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14:
                    15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd:
                    d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6:
                    d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5:
                    5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39:
                    19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05:
                    9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2:
                    fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32:
                    eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07:
                    36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b:
                    e4:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier: 
                C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.geotrust.com/crls/secureca.crl

            X509v3 Certificate Policies: 
                Policy: X509v3 Any Policy
                  CPS: https://www.geotrust.com/resources/repository

    Signature Algorithm: sha1WithRSAEncryption
         76:e1:12:6e:4e:4b:16:12:86:30:06:b2:81:08:cf:f0:08:c7:
         c7:71:7e:66:ee:c2:ed:d4:3b:1f:ff:f0:f0:c8:4e:d6:43:38:
         b0:b9:30:7d:18:d0:55:83:a2:6a:cb:36:11:9c:e8:48:66:a3:
         6d:7f:b8:13:d4:47:fe:8b:5a:5c:73:fc:ae:d9:1b:32:19:38:
         ab:97:34:14:aa:96:d2:eb:a3:1c:14:08:49:b6:bb:e5:91:ef:
         83:36:eb:1d:56:6f:ca:da:bc:73:63:90:e4:7f:7b:3e:22:cb:
         3d:07:ed:5f:38:74:9c:e3:03:50:4e:a1:af:98:ee:61:f2:84:
         3f:12

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 146038 (0x23a76)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Validity
            Not Before: Apr  5 15:15:55 2013 GMT
            Not After : Dec 31 23:59:59 2016 GMT
        Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9c:2a:04:77:5c:d8:50:91:3a:06:a3:82:e0:d8:
                    50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5:
                    f1:89:ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74:
                    0b:53:4f:55:a4:ce:82:62:95:ee:eb:59:5f:c6:e1:
                    05:80:12:c4:5e:94:3f:bc:5b:48:38:f4:53:f7:24:
                    e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54:
                    de:7d:be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40:
                    da:08:73:51:6c:7f:ff:3a:3c:a7:37:06:8e:bd:4b:
                    11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60:
                    f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd:
                    15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84:
                    35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80:
                    4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0:
                    f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14:
                    fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1:
                    de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2:
                    0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e:
                    72:69
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

            X509v3 Subject Key Identifier: 
                4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://g.symcb.com/crls/gtglobal.crl

            Authority Information Access: 
                OCSP - URI:http://g.symcd.com

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1

    Signature Algorithm: sha1WithRSAEncryption
         27:8c:cf:e9:c7:3b:be:c0:6f:e8:96:84:fb:9c:5c:5d:90:e4:
         77:db:8b:32:60:9b:65:d8:85:26:b5:ba:9f:1e:de:64:4e:1f:
         c6:c8:20:5b:09:9f:ab:a9:e0:09:34:45:a2:65:25:37:3d:7f:
         5a:6f:20:cc:f9:fa:f1:1d:8f:10:0c:02:3a:c4:c9:01:76:96:
         be:9b:f9:15:d8:39:d1:c5:03:47:76:b8:8a:8c:31:d6:60:d5:
         e4:8f:db:fa:3c:c6:d5:98:28:f8:1c:8f:17:91:34:cb:cb:52:
         7a:d1:fb:3a:20:e4:e1:86:b1:d8:18:0f:be:d6:87:64:8d:c5:
         0a:25:42:51:ef:b2:38:b8:e0:1d:d0:e1:fc:e6:f4:af:46:ba:
         ef:c0:bf:c5:b4:05:f5:94:75:0c:fe:a2:be:02:ba:ea:86:5b:
         f9:35:b3:66:f5:c5:8d:85:a1:1a:23:77:1a:19:17:54:13:60:
         9f:0b:e1:b4:9c:28:2a:f9:ae:02:34:6d:25:93:9c:82:a8:17:
         7b:f1:85:b0:d3:0f:58:e1:fb:b1:fe:9c:a1:a3:e8:fd:c9:3f:
         f4:d7:71:dc:bd:8c:a4:19:e0:21:23:23:55:13:8f:a4:16:02:
         09:7e:b9:af:ee:db:53:64:bd:71:2f:b9:39:ce:30:b7:b4:bc:
         54:e0:47:07

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 299822383261939216 (0x4292ede7a09f610)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Oct 15 10:57:54 2014 GMT
            Not After : Jan 13 00:00:00 2015 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:cb:8a:0e:b6:df:3f:0a:ba:a4:7b:20:9f:e9:
                    0a:f2:81:04:84:ed:d0:9e:c9:fd:2a:ec:39:9f:11:
                    56:c3:2e:33:39:8f:da:32:d7:84:54:55:5c:99:2f:
                    56:61:73:17:2d:26:15:bc:8b:89:12:b8:78:73:17:
                    1d:c5:32:a2:e3:f1:b5:c4:d8:41:67:41:72:16:74:
                    81:c8:4f:f3:a8:57:31:cd:69:73:7b:96:41:2d:be:
                    66:15:f0:eb:f7:33:7c:79:4a:00:40:0e:c6:df:71:
                    66:1a:a7:12:79:e8:7e:89:c2:04:cc:09:b0:1f:9b:
                    67:81:ec:5f:26:2d:09:c3:ce:1c:a6:96:e9:0f:de:
                    6f:aa:b1:07:82:be:a9:18:2e:2b:a5:c5:17:a1:91:
                    75:7b:0a:86:cc:1d:bc:91:10:1d:5b:3b:fd:49:37:
                    04:65:5a:c8:4a:41:17:37:63:ab:a1:83:11:58:c8:
                    24:74:c2:e4:ae:8e:d6:90:98:5a:d7:b7:96:4e:d4:
                    d8:21:e9:45:43:0b:e0:0b:07:dd:0f:79:47:4a:06:
                    44:17:97:59:c9:b1:e0:1b:2b:55:d8:bf:3c:07:f1:
                    be:56:5e:da:53:78:e2:c3:cb:6a:21:f5:83:66:66:
                    bd:eb:6f:27:da:aa:91:30:93:eb:40:52:e0:24:a5:
                    4d:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:www.google.com
            Authority Information Access: 
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier: 
                65:C6:9C:EA:E1:99:17:E6:31:43:41:43:C8:9E:EA:94:D8:25:71:2E
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha1WithRSAEncryption
         4d:bf:54:df:29:e6:f6:9d:7f:43:f7:91:13:ca:9c:98:41:70:
         ea:89:bc:87:a6:92:dd:e5:c6:46:fd:11:da:15:07:54:bd:e2:
         70:0f:97:f8:6a:b1:1c:d3:81:d5:c8:e6:39:b7:ee:c1:18:0f:
         45:44:68:17:09:8a:76:6a:51:38:ba:27:33:e4:9b:5d:17:03:
         e6:70:72:91:24:b9:84:e7:eb:01:97:21:11:2e:8e:61:ce:57:
         fa:4b:92:ba:7c:62:4a:54:fa:77:8e:4f:a9:3a:7a:a4:45:df:
         95:4a:12:03:ed:9e:e8:73:d1:b0:9b:b4:7f:e6:5f:9b:62:59:
         74:d7:48:06:11:87:1b:c6:b0:e4:83:39:56:e3:75:a4:26:12:
         35:45:66:b8:4f:7b:cb:23:5f:15:2e:b0:10:44:12:67:82:24:
         19:28:85:5b:1e:c6:0c:87:2a:55:64:67:dc:b0:0e:27:87:16:
         e2:aa:72:69:77:a1:fa:d4:d1:75:ec:51:1f:95:e1:5c:a8:9c:
         a4:ad:19:5a:04:f7:42:dd:a7:9d:47:96:40:c6:7f:55:74:54:
         cb:60:79:ca:82:72:d5:7b:b2:3b:28:fb:ef:7c:eb:16:6b:f6:
         cc:4b:1e:0a:ff:79:69:30:c9:19:07:7a:dc:51:26:06:8f:58:
         dc:4e:55:cf

Conclusion: it looks like my connection is using an intermediate CA cert (GeoTrust Global CA (cross), https://www.tbs-certificates.co.uk/FAQ/en/615.html)

soerium
  • You can map the Modulus in the above "peer cert chain": the **very first cert** points to **CN=www.google.com**; it does not match the **GeoTrust Global CA Cert**. – Jerry YY Rain Oct 29 '14 at 06:13
  • Geo Trust Global CA Cert is what you see in your browser (second pubkey in your question). Try downloading http://geotrust.tbs-certificats.com/GeoTrust_Global_CA.cer and check its modulus, for example. – soerium Oct 29 '14 at 06:31
  • OK, maybe I pasted something wrong. I have now updated the public key value from the Chrome browser. – Jerry YY Rain Oct 29 '14 at 06:47
1

I think what you may be seeing is that when you get the key from the browser, you're getting the whole ASN.1 raw key (denoted by the 30 82), but you're getting some watered-down version from SSL_get_peer_certificate() and/or X509_get_pubkey() that has removed this header and just given you the rest of the key (without the leading 30 82 01 0a 02 82 01 01 or trailing 02 03 01 00 01).

I tried to look into what exactly X509_get_pubkey() returns but didn't have much luck. This is where I would start, though: researching why you're getting the raw key from the browser but something truncated from the function.

ice13berg
  • Yes, you are so attentive. I did not notice that the difference is the extra leading and trailing bytes. I think this is the [Microsoft ASN.1 format](http://stackoverflow.com/questions/12749858/rsa-public-key-format) – Jerry YY Rain Oct 31 '14 at 06:50
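
The framing pointed out in the answer above, as an added example that is not part of the original posts: the browser field is a DER-encoded RSAPublicKey, where `30 82 01 0a` opens a SEQUENCE of 266 bytes, `02 82 01 01` opens a 257-byte INTEGER (the modulus, leading `00` included) and `02 03 01 00 01` is the INTEGER 65537 (the exponent). The parser below splits that structure without OpenSSL; the function names and the sample buffer (filler modulus bytes, not the key from the question) are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Read a DER tag+length at p; returns header size (0 if malformed). */
static size_t der_header(const uint8_t *p, size_t avail, uint8_t tag, size_t *len)
{
    if (avail < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return 2; }        /* short form */
    size_t n = p[1] & 0x7f;                            /* long form, e.g. 82 01 0a */
    if (n == 0 || n > sizeof(size_t) || avail < 2 + n) return 0;
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
    return 2 + n;
}

/* Split RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
 * *mod points at the INTEGER content, leading 00 sign byte included. 0 = ok. */
int rsa_pub_split(const uint8_t *der, size_t n, const uint8_t **mod,
                  size_t *mod_len, unsigned long *exp)
{
    size_t len, h, off;
    if (!(h = der_header(der, n, 0x30, &len)) || len != n - h) return -1;
    off = h;
    if (!(h = der_header(der + off, n - off, 0x02, &len)) || len > n - off - h) return -1;
    *mod = der + off + h; *mod_len = len; off += h + len;
    if (!(h = der_header(der + off, n - off, 0x02, &len)) || len != n - off - h) return -1;
    if (len == 0 || len > sizeof *exp) return -1;
    *exp = 0;
    for (size_t i = 0; i < len; i++) *exp = (*exp << 8) | der[off + h + i];
    return 0;
}

/* Constructed sample with the framing of the browser dump; the 256 modulus
 * bytes after the 00 are filler (0xbb), not a real key. Returns its size. */
size_t make_sample(uint8_t out[270])
{
    static const uint8_t head[] = {0x30,0x82,0x01,0x0a, 0x02,0x82,0x01,0x01, 0x00};
    static const uint8_t tail[] = {0x02,0x03,0x01,0x00,0x01};
    memcpy(out, head, sizeof head);
    memset(out + sizeof head, 0xbb, 256);
    memcpy(out + sizeof head + 256, tail, sizeof tail);
    return sizeof head + 256 + sizeof tail;
}

int main(void)
{
    uint8_t der[270]; const uint8_t *mod; size_t mod_len; unsigned long e;
    return rsa_pub_split(der, make_sample(der), &mod, &mod_len, &e) != 0;
}
```

The 257 bytes that `mod` points at correspond to what `openssl rsa -text` lists under `Modulus:`, which is why the dump in the question looks like the browser value with its first eight and last five bytes removed.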