SHIHUC

好记性不如烂笔头,还可以分享给别人看看! 专注基础算法,互联网架构,人工智能领域的技术实现和应用。
  博客园  :: 首页  :: 新随笔  :: 联系 :: 订阅 订阅  :: 管理

MQTT研究之EMQ:【CoAP协议的ECC证书研究】

Posted on 2019-05-08 17:29  shihuc  阅读(1870)  评论(0编辑  收藏  举报

今天研究的内容,是CoAP这个协议在EMQ消息队列的支持,CoAP是一个受限资源的协议,基于UDP实现的多用于物联网环境的通信协议。相关介绍不多说,可以看RFC。

CoAP协议下,基于DTLS通信,同样因为协议的产生背景原因,所以,对秘钥大小有有一些要求,尽量的小,所以ECC(椭圆曲线)秘钥算法成为了首先,比RSA秘钥短很多,但是加密安全强度不比RSA对应较长的秘钥安全性低。所以,EC加密算法研究成为了本博文的重点,另外,CoAP的证书中签名算法,也是有所限制的,用的是ECDSA,因为签名算法和秘钥加密算法是对应着工作的。

 

相关验证逻辑,可以基于CoAP的开发工具Californium的java三件套(core,connector,scandium),可以用证书进行验证。

 

《一》. 下面看看基于OpenSSL工具创建EC证书的过程

[root@tkwh-kfcs-app2 coaps]# openssl ecparam -out coapCA.key -name secp521r1 -genkey
[root@tkwh-kfcs-app2 coaps]# openssl req -new -key coapCA.key -out coapCA.csr
[root@tkwh-kfcs-app2 coaps]# openssl x509 -req -days 365 -in coapCA.csr -signkey coapCA.key -out coapCA.crt

[root@tkwh-kfcs-app2 coaps]# openssl ecparam -out coapApp.key -name secp521r1 -genkey
[root@tkwh-kfcs-app2 coaps]# openssl req -new -key coapApp.key -out coapApp.csr
[root@tkwh-kfcs-app2 coaps]# openssl x509 -req -days 365 -in coapApp.csr -signkey coapApp.key -out coapApp.crt

 从这个指令过程看,证书创建的步骤,EC算法和RSA算法没有什么太大的区别,也是三步走(1. 自签名根证书,2.生成CSR证书签名请求,3.生成对应目标证书)

 

《二》下面基于JAVA原生JDK的工具创建ECC的证书全流程进行分享,直接上相关的代码,希望能给到相关朋友一些帮助,有什么不清楚,可以参考我前面的博文,关于RSA证书的创建过程。

1.创建秘钥对

/**
     * algo: e.g. ECC
     * signAlgo: e.g. secp256r1
     * @param algo
     * @param signAlgo
     * @return
     */
    public static KeyPair getKeyPair(String algo, String signAlgo) {
        KeyPairGenerator keyPairGenerator = null;
        try {
            keyPairGenerator = KeyPairGenerator.getInstance(algo);
            ECGenParameterSpec ecGenParameterSpec = new ECGenParameterSpec(signAlgo);
            keyPairGenerator.initialize(ecGenParameterSpec, new SecureRandom());
            KeyPair keyPair = keyPairGenerator.generateKeyPair();
            return keyPair;
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (InvalidAlgorithmParameterException e) {
            e.printStackTrace();
        }
        return null;
    }

2.创建自签名证书(CA)

/**
     * 生成自签名证书
     *
     * @param publicKey 公钥对象
     * @param privateKey 私钥对象
     * @param subj 证书主体描述信息
     * @param notBefore 有效期起始日期
     * @param validDays 有效期长度
     * @return
     * @throws Exception
     */
    public static X509Certificate createRootCert(PublicKey publicKey, PrivateKey privateKey, String subj, Date notBefore, long validDays) throws Exception{

        String algo = "SHA256WITHECDSA";
        try {
            //证书拥有者subject的描述name
            sun.security.x509.X500Name subject = new sun.security.x509.X500Name(subj);

            CertificateExtensions certExts = new CertificateExtensions();
            certExts.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension((new KeyIdentifier(publicKey)).getIdentifier()));
            certExts.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(publicKey), null, null));
            //设置是否根证书
            BasicConstraintsExtension bce = new BasicConstraintsExtension(true, -1);
            certExts.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(false, bce.getExtensionValue()));

            //配置证书的有效期,并生成根证书(自签名证书)
            X509CertInfo x509CertInfo = new X509CertInfo();
            //设置证书的版本号
            x509CertInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));

            AlgorithmId algorithmId = AlgorithmId.get(algo);
            x509CertInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algorithmId));

            //设置证书的签发者信息
            x509CertInfo.set(X509CertInfo.ISSUER, subject);

            //设置证书的拥有者信息
            x509CertInfo.set(X509CertInfo.SUBJECT, subject);

            //设置证书的序列号,基于当前时间计算
            x509CertInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber((int) (System.currentTimeMillis() / 1000L)));

            //设置证书的公钥
            x509CertInfo.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));

            //设置证书有效期
            Date endDate = new Date(notBefore.getTime() + validDays * 24 * 60 * 60 * 1000L);
            CertificateValidity cv = new CertificateValidity(notBefore, endDate);
            x509CertInfo.set(X509CertInfo.VALIDITY, cv);

            x509CertInfo.set(CertificateExtensions.NAME, certExts);

            X509CertImpl cert = new X509CertImpl(x509CertInfo);
            try {
                cert.sign(privateKey, algo);
            } catch (InvalidKeyException | CertificateException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e3) {
                e3.printStackTrace();
            }

            return cert;

        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }  catch (CertificateException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }

        return null;
    }

3.创建用户证书(用2中的证书签发客户证书)

/**
     * 基于根证书签发客户证书(非CA证书),即intermediate certificate
     *
     * @param ca 根证书文件对象
     * @param caKey 根证书对应的私钥
     * @param publicKey 待签发证书的公钥
     * @param subj 待签发证书的主体描述信息
     * @param notBefore 证书有效期起点
     * @param validDays 证书有效期长度
     * @param sginAlgo 证书签名算法
     * @return
     */
    public static X509Certificate createUserCert(X509Certificate ca, PrivateKey caKey, PublicKey publicKey, String subj, Date notBefore, long validDays, String sginAlgo)  {

        //获取ca证书
        X509Certificate caCert = ca;

        X509CertInfo x509CertInfo = new X509CertInfo();

        try {
            //设置证书的版本号
            x509CertInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));

            //设置证书的序列号,基于当前时间计算
            x509CertInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber((int) (System.currentTimeMillis() / 1000L)));

            /**
             * 下面这个设置算法ID的代码,是错误的,会导致证书验证失败,但是报错不是很明确。 若将生成的证书存为keystore,让后keytool转换
             * 会出现异常。
             *
             * 重点: AlgorithmId的参数设置要和后面的证书签名中用到的算法信息一致。
             */
            AlgorithmId algorithmId = AlgorithmId.get(sginAlgo);
            x509CertInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algorithmId));

            //设置证书的签发者信息
            sun.security.x509.X500Name issuer = new sun.security.x509.X500Name(caCert.getIssuerX500Principal().toString());
            x509CertInfo.set(X509CertInfo.ISSUER, issuer);

            //设置证书的拥有者信息
            sun.security.x509.X500Name subject = new sun.security.x509.X500Name(subj);
            x509CertInfo.set(X509CertInfo.SUBJECT, subject);

            //设置证书的公钥
            x509CertInfo.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));

            //设置证书有效期
            Date endDate = new Date(notBefore.getTime() + validDays * 24 * 60 * 60 * 1000L);
            CertificateValidity cv = new CertificateValidity(notBefore, endDate);
            x509CertInfo.set(X509CertInfo.VALIDITY, cv);

            CertificateExtensions exts = new CertificateExtensions();

            exts.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension((new KeyIdentifier(publicKey)).getIdentifier()));
            exts.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(ca.getPublicKey()), null, null));
            exts.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(false,false,-1));
            x509CertInfo.set(CertificateExtensions.NAME, exts);

        } catch (CertificateException cee) {
            cee.printStackTrace();
        } catch (IOException eio) {
            eio.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }

        // 获取CA私钥
        PrivateKey caPrivateKey = caKey;
        //用CA的私钥给当前证书进行签名,获取最终的下游证书(证书链的下一节点)
        X509CertImpl cert = new X509CertImpl(x509CertInfo);
        try {
            cert.sign(caPrivateKey, sginAlgo);
        } catch (InvalidKeyException | CertificateException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException e3) {
            e3.printStackTrace();
        }
        return cert;
    }

 

4. 证书的导出和导入相关方法

/**
     * 导出ECC私钥文件存入文件,PEM格式,PKCS#8编码
     * @param privateKey
     * @param keyPath
     * @throws Exception
     */
    public static void savePrivateKeyAsPEM(PrivateKey privateKey, String keyPath) throws Exception {
        String content = Base64Util.encode(privateKey.getEncoded());
        File file = new File(keyPath);
        try (RandomAccessFile randomAccessFile = new RandomAccessFile(file, "rw")) {
            randomAccessFile.write(BEGIN_EC_PRIVATE_KEY.getBytes());
            randomAccessFile.write(NEW_LINE.getBytes());
            int i = 0;
            for (; i<(content.length() - (content.length() % 64)); i+=64) {
                randomAccessFile.write(content.substring(i, i + 64).getBytes());
                randomAccessFile.write(NEW_LINE.getBytes());
            }

            randomAccessFile.write(content.substring(i).getBytes());
            randomAccessFile.write(NEW_LINE.getBytes());

            randomAccessFile.write(END_EC_PRIVATE_KEY.getBytes());
        }
    }
/**
     * 导出ECC公钥文件存入文件,PEM格式,PKCS#8编码
     * 
     * @param publicKey
     * @param name
     * @throws Exception
     */
    public static void savePublicKeyAsPEM(PublicKey publicKey, String name) throws Exception {
        String content = Base64Util.encode(publicKey.getEncoded());
        File file = new File(name);
        try (RandomAccessFile randomAccessFile = new RandomAccessFile(file, "rw")) {
            randomAccessFile.write(BEGIN_EC_PUBLIC_KEY.getBytes());
            randomAccessFile.write(NEW_LINE.getBytes());
            int i = 0;
            for (; i<(content.length() - (content.length() % 64)); i+=64) {
                randomAccessFile.write(content.substring(i, i + 64).getBytes());
                randomAccessFile.write(NEW_LINE.getBytes());
            }

            randomAccessFile.write(content.substring(i).getBytes());
            randomAccessFile.write(NEW_LINE.getBytes());

            randomAccessFile.write(END_EC_PUBLIC_KEY.getBytes());
        }
    }

这里需要说明的是,写入文件后,文件格式中的头部和尾部信息如下:

private static final String BEGIN_EC_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----";
private static final String END_EC_PRIVATE_KEY = "-----END PRIVATE KEY-----";
private static final String BEGIN_EC_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----";
private static final String END_EC_PUBLIC_KEY = "-----END PUBLIC KEY-----";

 

用OPENSSL创建的EC证书私钥,默认情况下会含有EC PARAMETERS的描述,这个部分,JAVA生成过程中,目前没有弄清楚,如何能做到和OPENSSL一样,不过,不考虑EC PARAMETERS部分,整个证书运行逻辑没有问题。(若有知道的博友,可以给我留言,告知我JAVA代码如何实现openssl生成的EC证书私钥模式的文件),下面给予一个对比,OPENSSL的EC私钥内容和用上述JAVA生成的EC私钥内容:

OPENSSL(PKCS#1编码):

openssl ecparam -out coapApp.key -name secp521r1 -genkey

-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIBHpCev79KIY4T9lMyheMD9A+kXUXxmhbTdQO+bA9PCeLeXpUuHiPU
dgJ31MjWYBe/5lr9Vr9kwZ20CAErIPDgttCgBwYFK4EEACOhgYkDgYYABAGhKHT6
J6aihJyNgjdGNDP2yaCGDZjmuQw2JIs9l0C27B6KHytxOV5qZfvA80s8kq/a1FBn
lUlHHjsEaVi20wWTmAFMgs75xAU+VjXEU9i03GaQuwC73mySAHWPWVQXmFu0b+Bz
wfvBf8so3Qew054UFbmg1zvcjZM0rBhn6GZtp7LOZw==
-----END EC PRIVATE KEY-----

查看具体内容:

[root@ws2 opt]# openssl ec -in coapApp.key -noout -text
read EC key
Private-Key: (521 bit)
priv:
    01:1e:90:9e:bf:bf:4a:21:8e:13:f6:53:32:85:e3:
    03:f4:0f:a4:5d:45:f1:9a:16:d3:75:03:be:6c:0f:
    4f:09:e2:de:5e:95:2e:1e:23:d4:76:02:77:d4:c8:
    d6:60:17:bf:e6:5a:fd:56:bf:64:c1:9d:b4:08:01:
    2b:20:f0:e0:b6:d0
pub: 
    04:01:a1:28:74:fa:27:a6:a2:84:9c:8d:82:37:46:
    34:33:f6:c9:a0:86:0d:98:e6:b9:0c:36:24:8b:3d:
    97:40:b6:ec:1e:8a:1f:2b:71:39:5e:6a:65:fb:c0:
    f3:4b:3c:92:af:da:d4:50:67:95:49:47:1e:3b:04:
    69:58:b6:d3:05:93:98:01:4c:82:ce:f9:c4:05:3e:
    56:35:c4:53:d8:b4:dc:66:90:bb:00:bb:de:6c:92:
    00:75:8f:59:54:17:98:5b:b4:6f:e0:73:c1:fb:c1:
    7f:cb:28:dd:07:b0:d3:9e:14:15:b9:a0:d7:3b:dc:
    8d:93:34:ac:18:67:e8:66:6d:a7:b2:ce:67
ASN1 OID: secp521r1
NIST CURVE: P-521

 

JAVA(PKCS#8编码):

ECGenParameterSpec ecGenParameterSpec = new ECGenParameterSpec(“secp256r1”);

-----BEGIN PRIVATE KEY-----
MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCAoWE90so3R0wAj/kWS
p43qZEHS2WcdZZAehpPtfZyV6A==
-----END PRIVATE KEY-----

查看具体内容:

[root@ws2 opt]# openssl ec -in eccDevCertPem.key -noout -text
read EC key
Private-Key: (256 bit)
priv:
    28:58:4f:74:b2:8d:d1:d3:00:23:fe:45:92:a7:8d:
    ea:64:41:d2:d9:67:1d:65:90:1e:86:93:ed:7d:9c:
    95:e8
pub: 
    04:af:74:c5:4f:53:69:76:51:0d:c7:0a:9d:36:62:
    f0:4c:ab:f1:42:5c:cf:68:28:e8:9c:c7:13:b4:61:
    b0:a9:52:2a:66:57:2e:35:fe:92:dc:1c:8f:c9:cb:
    fa:2f:88:6a:bb:c3:54:d2:3d:34:ad:d5:9c:20:f5:
    1d:1e:9d:87:3b
ASN1 OID: prime256v1
NIST CURVE: P-256

 

5. JAVA创建证书的DEMO

public void fromZeroToStart() throws Exception {
        String subjCA = "OU=TaiKang,O=TKCloud,L=Wuhan,ST=Hubei,C=CN,CN=IOT_" + "ECC_CA";
        String subjSVR = "OU=TaiKang,O=TKCloud,L=Wuhan,ST=Hubei,C=CN,CN=" + "10.95.197.8";
        String subjDev = "OU=TaiKang,O=TKCloud,L=Wuhan,ST=Hubei,C=CN,CN=IOT_" + "Device";

        KeyPair eccCaKey = CertUtils.getKeyPair("EC", "secp256r1");
        KeyPair eccEmKey = CertUtils.getKeyPair("EC", "secp256r1");
        KeyPair eccDvKey = CertUtils.getKeyPair("EC", "secp256r1");

        //自签发根证书
        Date notBefore = new Date();
        X509Certificate crt = CertUtils.createRootCert(eccCaKey.getPublic(), eccCaKey.getPrivate(), subjCA, notBefore,365, SIGN_ALGO);
//根证书签发生成实体证书
        X509Certificate eccEmqCert = CertUtils.createUserCert(crt, eccCaKey.getPrivate(), eccEmKey.getPublic(), subjSVR, notBefore, 365, SIGN_ALGO);
//写入证书到文件
        SSLUtils.exportPemCrtFile(crt.getEncoded(),basePath + "eccRootCert.crt");
        SSLUtils.exportDerKeyFile(eccCaKey.getPrivate().getEncoded(),basePath + "eccRootCert.key");
        SSLUtils.savePrivateKeyAsPEM(eccCaKey.getPrivate(), basePath + "eccRootCertPem.key");
        SSLUtils.exportPemCrtFile(eccEmqCert.getEncoded(),basePath + "eccEmqCert.crt");
        SSLUtils.exportDerKeyFile(eccEmKey.getPrivate().getEncoded(),basePath + "eccEmqCert.key");
        SSLUtils.savePrivateKeyAsPEM(eccEmKey.getPrivate(), basePath + "eccEmqCertPem.key");
    }

 

6. 遇到的小麻烦

1)证书的有效时间和验证服务器的时间不同步导致异常

[root@mq2 ecc]# openssl verify -CAfile eccRootCert.crt eccEmqCert.crt 
eccEmqCert.crt: CN = IOT_ECC_CA, C = CN, ST = Hubei, L = Wuhan, O = TKCloud, OU = TaiKang
error 9 at 1 depth lookup:certificate is not yet valid

等一会后,同样的证书,同样的操作,就可以了(生成的证书里面设置的有效时间范围,和当前验证操作,即执行openssl的服务的时间没有同步,服务器时间慢了点

[root@mq2 ecc]# openssl verify -CAfile eccRootCert.crt eccEmqCert.crt 
eccEmqCert.crt: OK

 

[root@ws2 ecc]# mosquitto_pub -d -h 10.95.197.8 -p 8883 -t taikang/rulee -i client18 --cafile /opt/ecc/eccRootCert.crt --cert /opt/ecc/eccDevCert.crt --key /opt/ecc/eccDevCertPem.key -u shihuc -P shihuc -m "are you ok, emqttd"
Client client18 sending CONNECT
OpenSSL Error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Error: A TLS error occurred.

上述错误信息,也是证书的有效时间和服务器时间不同步,参照上面的错误。

 

2)openssl的版本不同导致的查看证书出现异常

[root@mq2 ecc]# openssl x509 -in eccRootCert.crt -noout -text           
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1556080738 (0x5cbfe862)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=IOT_ECC_CA, C=CN, ST=Hubei, L=Wuhan, O=TKCloud, OU=TaiKang
        Validity
            Not Before: Apr 24 04:38:58 2019 GMT
            Not After : Apr 23 04:38:58 2020 GMT
        Subject: CN=IOT_ECC_CA, C=CN, ST=Hubei, L=Wuhan, O=TKCloud, OU=TaiKang
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:65:49:e6:46:8d:28:b2:49:d2:45:26:04:f9:d5:
                    b3:f4:84:f9:38:2e:ad:43:d1:14:92:af:ad:c3:0a:
                    3c:35:21:f3:25:39:85:41:a9:b9:51:d7:b3:20:6b:
                    5d:09:23:c6:66:b5:22:f3:fb:dd:a6:1c:74:43:19:
                    c1:b0:50:5c:44
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:0F:62:52:44:B1:7F:AA:23:BE:55:70:E3:05:F1:0F:EE:96:CB:C1:E9

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Key Identifier: 
                0F:62:52:44:B1:7F:AA:23:BE:55:70:E3:05:F1:0F:EE:96:CB:C1:E9
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:02:f5:d5:3b:59:8a:42:af:c7:9a:15:06:f9:4b:
         03:09:0d:bb:28:59:dc:eb:91:38:65:99:64:45:91:33:2d:d5:
         02:20:51:f6:c3:ff:8e:76:32:cd:f2:a9:a9:23:18:37:d3:0a:
         18:9a:94:94:16:00:b4:fc:7c:cc:11:e8:99:18:81:21
[root@mq2 ecc]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

同一个证书,在另外一个服务器上查看:

[root@tkwh-kfcs-app2 java]# openssl x509 -in eccRootCert.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1556066987 (0x5cbfb2ab)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=IOT_ECC_CA, C=CN, ST=Hubei, L=Wuhan, O=TKCloud, OU=TaiKang
        Validity
            Not Before: Apr 24 00:49:35 2019 GMT
            Not After : Apr 23 00:49:35 2020 GMT
        Subject: CN=IOT_ECC_CA, C=CN, ST=Hubei, L=Wuhan, O=TKCloud, OU=TaiKang
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            Unable to load Public Key
139880214046624:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:371:
139880214046624:error:100D7010:elliptic curve routines:ECKEY_PUB_DECODE:EC lib:ec_ameth.c:206:
139880214046624:error:0B07707D:x509 certificate routines:X509_PUBKEY_get:public key decode error:x_pubkey.c:164:
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:06:67:AB:58:41:C5:DA:BD:23:73:9C:BA:E5:45:79:28:73:1C:E2:AF

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Subject Key Identifier: 
                06:67:AB:58:41:C5:DA:BD:23:73:9C:BA:E5:45:79:28:73:1C:E2:AF
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:5e:f6:fa:30:42:6f:20:1e:f6:34:1f:66:2c:a3:
         c7:a8:25:27:a1:8f:83:73:96:23:f2:e4:0d:e5:4b:a8:d2:a5:
         02:20:4c:6f:8b:2b:d4:5d:23:b3:fd:ba:3e:18:66:30:69:dc:
         48:f5:a9:88:7e:2f:e8:e9:7b:7b:4c:85:e0:bc:d5:01
[root@tkwh-kfcs-app2 java]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013         

 

好了,到这里,ECC证书创建和基本的验证过程,到此结束,有相关需求或者探讨的,可以关注我的博客,一起深入。