0x01 问题描述  

存在一个前置系统，数据包有登录信息。登录需要填入用户名，证书上传，私钥。如图：

提供数据包如下：

POST /api/certLogin HTTP/1.1
Host: 192.168.11.153
Connection: keep-alive
Content-Length: 934
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysSYBwFLJZmU0edVM
Origin: http://192.168.11.153
Referer: http://192.168.11.153/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6

------WebKitFormBoundarysSYBwFLJZmU0edVM
Content-Disposition: form-data; name="file"; filename="loginSM2.crt"
Content-Type: application/x-x509-ca-cert

-----BEGIN CERTIFICATE-----
MIIBpjCCAUugAwIBAgIRAIQyrttkXywULI3KhGNxYFYwCgYIKoEcz1UBg3UwPjEO
MAwGA1UEChMFQkNTWVMxDjAMBgNVBAMTBUJDU1lTMQ8wDQYDVQQqEwZHb3BoZXIx
CzAJBgNVBAYTAk5MMB4XDTIzMDcxNzAzMjMyNVoXDTI0MDcxNzAzMjMyNVowNTEV
MBMGA1UEChMMRXhhbXBsZSBJbmMuMQswCQYDVQQLEwJJVDEPMA0GA1UEAxMGYWRt
aW4xMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEdTKwJfeYUBsH3rw8KlRiabJX
z3KxNcH2MuYl7ol27RLS5/nVvvlrY2iw2Ylni+CS+htLoScXpEBsuMzkPjG3VKMz
MDEwDgYDVR0PAQH/BAQDAgKkMAwGA1UdEwEB/wQCMAAwEQYDKgMEBApxd2VydHl1
aW9wMAoGCCqBHM9VAYN1A0kAMEYCIQCP9wit9wKLNhDB7qzK50PuMldu0WhEFRuk
ZDXegNcpjQIhAK+fiviPZu53F7cAGck8VijLOJFfN0q7xJIqJ4T+nujr
-----END CERTIFICATE-----

------WebKitFormBoundarysSYBwFLJZmU0edVM
Content-Disposition: form-data; name="username"

admin1
------WebKitFormBoundarysSYBwFLJZmU0edVM--
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Tue, 18 Jul 2023 01:33:13 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 54
Connection: keep-alive

{"code":1,"msg":"..................","randNum":415979}POST /api/certLogin HTTP/1.1
Host: 192.168.11.153
Connection: keep-alive
Content-Length: 368
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.82
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryywsxrJ41AnxgA0zr
Origin: http://192.168.11.153
Referer: http://192.168.11.153/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6

------WebKitFormBoundaryywsxrJ41AnxgA0zr
Content-Disposition: form-data; name="signature"

c4f6d124ebcf0969ae0d86f234680ef7730f62f83d5fa257f6734d80537d63eff7004f1339d2d13368f61ff8327c9e77d2c6a48e85c73a9d739811aeda5341ac
------WebKitFormBoundaryywsxrJ41AnxgA0zr
Content-Disposition: form-data; name="randNum"

415979
------WebKitFormBoundaryywsxrJ41AnxgA0zr--
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Tue, 18 Jul 2023 01:33:13 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 213
Connection: keep-alive

{"code":1,"msg":"...............","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiYWRtaW4xIiwiZXhwIjoxNjg5NzMwMzkzLCJpc3MiOiJxZnpoZSIsIm5iZiI6MTY4OTY0Mzk5Mn0.XQf7xBf5bUswduZrX_GHvlpXFOH8G69NdB47lVlhBMs"}

0x02 问题分析

数据包存在数字证书，用户名，随机数，签名值。

数字证书

用户名

随机数

签名值

证书为SM2 算法，通过工具还原证书

然后生成Sm2公私钥对，替换证书中的公钥，然后自己生成随机数，私钥进行签名，证书进行验签。验签成功则替换成功。

0x03 问题解决过程

1、生成sm2公私钥对

openssl1 ecparam -genkey -name SM2 -out sm2PriKey.pem  //生成私钥

openssl pkcs8 -topk8 -inform PEM -in sm2PriKey.pem -outform pem -nocrypt -out sm2PriKeyPkcs8.pem  //生成Pkcs8 pem

查看私钥和公钥

openssl ec -in sm2PriKey.pem -text  //查看

图

私钥生成公钥（这个题没必要，记录一下）

openssl ec -in sm2PriKey.pem -pubout -out sm2PubKey.pem

2、替换证书的公钥

证书的公钥如图：

将证书的公钥替换成生成的公钥

假设随机数为题目的 415979 ，对415979进行签名，生成签名值如下图：

0x04结果验证

待签名数据（随机数）：415979

签名值：30450220686f632e88a35c3c0467f2725077885120bc1acfc9499381b7be8f598aac2d66022100d9f2de4ac1d638fe6cbaee6acea4ebf659422946d754cfe7b77eddb6385028c1

公钥：

046d6981fcd109e87ed3bb698c78ffad20cc5d203317c36985480002106007551329e3530095ad6e7bac826be0ec82351353c12287081b94c12cb3772d212aa51c

进行签名验签，发现验签成功。那么题目应该就解开了。