This article records packet captures of the HTTP protocol sequence observed when calling the Amazon S3 REST API (it is not an entertaining read).
Prerequisites
- An object (sample.txt) was Put/Get/Deleted against a bucket (samplebucket) in the S3 Tokyo region (ap-northeast-1).
- API requests are signed with Signature Version 4.
- The access key ID (AKIAXXXXXXXXXXXXXXXX) is a dummy, so it does not correspond to the signature in the Authorization header of the HTTP requests.
- The lifecycle policy sample-lifecycle is already configured on samplebucket.
- The client program is implemented in C#, and .NET Framework 4.6.1 is specified as the target framework at build time.
- The HTTP client class used is System.Net.Http.HttpClient.
// Requires: using System.Net.Http; using System.Text;
var content = new ByteArrayContent(Encoding.ASCII.GetBytes("hoge\n"));
// Create httpClient here (details omitted)
// var httpClient = new HttpClient(...);
// The object key /sample.txt matches the request lines in the captures below
httpClient.PutAsync(new Uri("http://samplebucket.s3.amazonaws.com/sample.txt"), content);
httpClient.PutAsync(new Uri("http://samplebucket.s3-accelerate.amazonaws.com/sample.txt"), content);
httpClient.GetAsync(new Uri("http://samplebucket.s3.amazonaws.com/sample.txt"));
httpClient.DeleteAsync(new Uri("http://samplebucket.s3.amazonaws.com/sample.txt"));
1. HTTP protocol sequence
1.1 PutObject
1.1.1 Client → Amazon S3
PUT /sample.txt HTTP/1.1
x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2
x-amz-date: 20191117T001244Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=d4de97b542321428a14c85c3d37c3ba508bd79d50cd40064850e376b804e3ffb
Host: samplebucket.s3.amazonaws.com
Content-Length: 5
Expect: 100-continue
Connection: Keep-Alive
1.1.2 Client ← Amazon S3
HTTP/1.1 100 Continue
1.1.3 Client → Amazon S3
PUT /sample.txt HTTP/1.1
x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2
x-amz-date: 20191117T001244Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=d4de97b542321428a14c85c3d37c3ba508bd79d50cd40064850e376b804e3ffb
Host: samplebucket.s3.amazonaws.com
Content-Length: 5
Expect: 100-continue
Connection: Keep-Alive
hoge
1.1.4 Client ← Amazon S3
HTTP/1.1 200 OK
x-amz-id-2: 1gGAlxbb3z+elQEmbYNLEJ+hBL5X9jFSbOJFp3Kph91JwVzQybaQzYbDOnbQFU1kH4IxYjMP+Pc=
x-amz-request-id: 127EE4E6FAAF7A70
Date: Sun, 17 Nov 2019 00:12:44 GMT
x-amz-expiration: expiry-date="Tue, 19 Nov 2019 00:00:00 GMT", rule-id="sample-lifecycle"
ETag: "c59548c3c576228486a1f0037eb16a1b"
Content-Length: 0
Server: AmazonS3
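The PutObject exchange above, reworked as an added Python example (not code from the original article): it parses the 1.1.3 request, checks that x-amz-content-sha256 and the 1.1.4 ETag match the body, lists the headers the Signature Version 4 signature does not cover, and recomputes a signature. DEMO_SECRET and the function names are assumptions made for this example; the real secret key is not on the page, so the recomputed signature is not expected to equal the captured one.

```python
import hashlib
import hmac
import re

# Constructed copy of the PutObject request from 1.1.3 (CRLF line endings, body "hoge\n").
CAPTURED_PUT = (
    b"PUT /sample.txt HTTP/1.1\r\n"
    b"x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2\r\n"
    b"x-amz-date: 20191117T001244Z\r\n"
    b"Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/"
    b"ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,"
    b"Signature=d4de97b542321428a14c85c3d37c3ba508bd79d50cd40064850e376b804e3ffb\r\n"
    b"Host: samplebucket.s3.amazonaws.com\r\n"
    b"Content-Length: 5\r\n"
    b"Expect: 100-continue\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"hoge\n"
)
CAPTURED_ETAG = "c59548c3c576228486a1f0037eb16a1b"  # ETag from the 1.1.4 response
DEMO_SECRET = "EXAMPLE-SECRET-NOT-A-REAL-KEY"  # constructed; the real secret is not on the page

AUTH_RE = re.compile(
    r"AWS4-HMAC-SHA256 Credential=([^/]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request,"
    r"\s*SignedHeaders=([^,]+),\s*Signature=([0-9a-f]+)"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def parse_authorization(value):
    """Break the Authorization header into credential scope, signed headers, signature."""
    m = AUTH_RE.fullmatch(value)
    if m is None:
        raise ValueError("not a SigV4 Authorization header")
    key_id, date, region, service, signed, signature = m.groups()
    return {"key_id": key_id, "date": date, "region": region, "service": service,
            "signed_headers": sorted(signed.split(";")), "signature": signature}


def sign(raw, secret):
    """Recompute the SigV4 signature of a raw request with the given secret key.
    Assumes the path needs no URI-encoding and the query string is empty."""
    method, target, headers, _body = parse_request(raw)
    auth = parse_authorization(headers["authorization"])
    path, _, query = target.partition("?")
    signed = auth["signed_headers"]
    canon_headers = "".join(f"{h}:{' '.join(headers[h].split())}\n" for h in signed)
    canonical = "\n".join([method, path, query, canon_headers,
                           ";".join(signed), headers["x-amz-content-sha256"]])
    scope = f"{auth['date']}/{auth['region']}/{auth['service']}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", headers["x-amz-date"], scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Signing key: HMAC chain over date, region, service and the fixed terminator.
    key = ("AWS4" + secret).encode()
    for part in (auth["date"], auth["region"], auth["service"], "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()


def audit(raw, etag=None):
    """Report what the signature covers and whether the hashes match the body."""
    _method, _target, headers, body = parse_request(raw)
    auth = parse_authorization(headers["authorization"])
    covered = set(auth["signed_headers"]) | {"authorization"}
    return {
        "payload_hash_ok": hashlib.sha256(body).hexdigest() == headers["x-amz-content-sha256"],
        "etag_is_md5": None if etag is None else hashlib.md5(body).hexdigest() == etag,
        "date_matches_scope": headers["x-amz-date"].startswith(auth["date"]),
        "unsigned_headers": sorted(h for h in headers if h not in covered),
    }


if __name__ == "__main__":
    print(audit(CAPTURED_PUT, CAPTURED_ETAG))
    print(sign(CAPTURED_PUT, DEMO_SECRET))
```

Headers outside SignedHeaders (Content-Length, Expect and Connection here) can change without invalidating the signature, and a changed body is caught by the x-amz-content-sha256 comparison rather than by the signature itself.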
1.2. PutObject (Transfer Acceleration)
1.2.1 Client → Amazon S3
PUT /sample.txt HTTP/1.1
x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2
x-amz-date: 20191117T032908Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=b57a429bc93f01a0263f69791bd73359249b7e8a5259eb08e0dbb28d479191cc
Host: samplebucket.s3-accelerate.amazonaws.com
Content-Length: 5
Expect: 100-continue
Connection: Keep-Alive
1.2.2 Client ← Amazon S3
HTTP/1.1 100 Continue
1.2.3 Client → Amazon S3
PUT /sample.txt HTTP/1.1
x-amz-content-sha256: 2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2
x-amz-date: 20191117T032908Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=b57a429bc93f01a0263f69791bd73359249b7e8a5259eb08e0dbb28d479191cc
Host: samplebucket.s3-accelerate.amazonaws.com
Content-Length: 5
Expect: 100-continue
Connection: Keep-Alive
hoge
1.2.4 Client ← Amazon S3
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
x-amz-id-2: IhjWCgokNW4vHoZDAlgBmBj6FW/sWyjDeYYI5yPCCRe3wO6Y6n0wxWryDAwkIIBH5ucjGx4Mo2M=
x-amz-request-id: CBA86EAD08B58714
Date: Sun, 17 Nov 2019 03:29:08 GMT
x-amz-expiration: expiry-date="Tue, 19 Nov 2019 00:00:00 GMT", rule-id="sample-lifecycle"
ETag: "c59548c3c576228486a1f0037eb16a1b"
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 f8f7fa10720e88f937ab7011bfa41fb6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: NRT20-C4
X-Amz-Cf-Id: mnZLq--nNnfv6CaTRW2lBEKe5lfncyUNPP55FCBizHA5WhD8lFnd6A==
1.3. GetObject
1.3.1 Client → Amazon S3
GET /sample.txt HTTP/1.1
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20191117T030846Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=9075643d96f2632360561e07241a12073a2e24161bb160370520a4c3cca4f529
Host: samplebucket.s3.amazonaws.com
1.3.2 Client ← Amazon S3
HTTP/1.1 200 OK
x-amz-id-2: HcaZFDvu5473rQHE41W24Oc41VEEz9Wap83Of0yeYeqZ2nA91GtBLCJgj9gGiYcX4FMY8Lev+/k=
x-amz-request-id: 6B87E38BF4BACBAD
Date: Sun, 17 Nov 2019 03:08:46 GMT
Last-Modified: Sun, 17 Nov 2019 02:25:22 GMT
x-amz-expiration: expiry-date="Tue, 19 Nov 2019 00:00:00 GMT", rule-id="sample-lifecycle"
ETag: "c59548c3c576228486a1f0037eb16a1b"
Accept-Ranges: bytes
Content-Type: binary/octet-stream
Content-Length: 5
Server: AmazonS3
hoge
1.4. DeleteObject
1.4.1 Client → Amazon S3
DELETE /sample.txt_1 HTTP/1.1
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20191117T043633Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=a3b9594cb11e4752b64dd1d86399fded7cfd3feddd6776be2d0a3d37e29b88ab
Host: samplebucket.s3.amazonaws.com
Content-Length: 0
1.4.2 Client ← Amazon S3
HTTP/1.1 204 No Content
x-amz-id-2: 3ObtFd4sB6or4i4TEAZFi+UvVqtDBx9s8YqkqaPZtLbchBNmNyV+b4YCc+0HVWa11sLP0sKe2fY=
x-amz-request-id: 83E10C229B619354
Date: Sun, 17 Nov 2019 04:36:33 GMT
Server: AmazonS3
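1.5. DeleteObject (Transfer Acceleration)
Using Transfer Acceleration for GetObject and DeleteObject seems to work without problems (there is no point in using TA for these, but it is meaningful in the sense that the implementation does not need to be switched).
Probably because the only difference is whether or not the request goes through CloudFront.
1.5.1 Client → Amazon S3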
DELETE /sample.txt HTTP/1.1
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20191117T032225Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXXXX/20191117/ap-northeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=87feb911b7dbcad7538738895feb88e33660b453b62b282b6dbde5f65496e454
Host: samplebucket.s3-accelerate.amazonaws.com
Content-Length: 0
1.5.2 Client ← Amazon S3
HTTP/1.1 204 No Content
Connection: keep-alive
x-amz-id-2: 8zkozysIbd19ycClxTyFvGOu3Esx4pJwL00XgJdDntvGMBHY9yt/KrIXijTaIsaCzWexPMimAwI=
x-amz-request-id: BFDC403D14CC0A69
Date: Sun, 17 Nov 2019 03:22:25 GMT
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 5fa8781927f0b3b53d2119c9d6e2e874.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: NRT20-C1
X-Amz-Cf-Id: _U_7MT7LFGrhYgQiylaqD5A_QsVawI6_P7IFl6NK1_EfZ0pOX39HSw==
2. Idle socket timeout
The idle socket timeout of S3 appears to be about 20 seconds.
$ time printf "PUT /sample.txt HTTP/1.1\r\nContent-Length: 1\r\n\r\n" | nc samplebucket.s3.amazonaws.com 80
HTTP/1.1 400 Bad Request
Date: Wed, 27 Nov 19 13:10:58 GMT
Connection: close
Transfer-Encoding: chunked
x-amz-id-2: AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2LsrMTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2
x-amz-request-id: 7275DD5C1C197259
Content-Type: application/xml
17b
<?xml version="1.0" encoding="UTF-8"?><Error><Code>RequestTimeout</Code><Message>Your socket connection to the server was not read from or written to within the timeout period. Idle connections will be closed.</Message><RequestId>7275DD5C1C197259</RequestId><HostId>AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2LsrMTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2</HostId></Error>
0
real 0m21.342s
user 0m0.000s
sys 0m0.000s
$ sudo tcpdump -vv port 80
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
22:10:38.055187 IP (tos 0x0, ttl 64, id 58310, offset 0, flags [DF], proto TCP (6), length 60)
debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [S], cksum 0x416d (incorrect -> 0x5208), seq 2938391169, win 29200, options [mss 1460,sackOK,TS val 28289351 ecr 0,nop,wscale 7], length 0
22:10:38.103575 IP (tos 0x0, ttl 64, id 50316, offset 0, flags [none], proto TCP (6), length 44)
s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [S.], cksum 0xfd35 (correct), seq 200128001, ack 2938391170, win 65535, options [mss 1460], length 0
22:10:38.103645 IP (tos 0x0, ttl 64, id 58311, offset 0, flags [DF], proto TCP (6), length 40)
debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [.], cksum 0x4159 (incorrect -> 0xa2e2), seq 1, ack 1, win 29200, length 0
22:10:38.103999 IP (tos 0x0, ttl 64, id 58312, offset 0, flags [DF], proto TCP (6), length 87)
debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [P.], cksum 0x4188 (incorrect -> 0x6e21), seq 1:48, ack 1, win 29200, length 47: HTTP, length: 47
PUT /sample.txt HTTP/1.1
Content-Length: 1
22:10:38.104554 IP (tos 0x0, ttl 64, id 50317, offset 0, flags [none], proto TCP (6), length 40)
s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [.], cksum 0x14c4 (correct), seq 1, ack 48, win 65535, length 0
22:10:59.338162 IP (tos 0x0, ttl 64, id 50318, offset 0, flags [none], proto TCP (6), length 718)
s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [P.], cksum 0x356b (correct), seq 1:679, ack 48, win 65535, length 678: HTTP, length: 678
HTTP/1.1 400 Bad Request
Date: Wed, 27 Nov 19 13:10:58 GMT
Connection: close
Transfer-Encoding: chunked
x-amz-id-2: AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2LsrMTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2
x-amz-request-id: 7275DD5C1C197259
Content-Type: application/xml
17b
<?xml version="1.0" encoding="UTF-8"?><Error><Code>RequestTimeout</Code><Message>Your socket connection to the server was not read from or written to within the timeout period. Idle connections will be closed.</Message><RequestId>7275DD5C1C197259</RequestId><HostId>AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2LsrMTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2</HostId></Error>
0
22:10:59.338212 IP (tos 0x0, ttl 64, id 58313, offset 0, flags [DF], proto TCP (6), length 40)
debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [.], cksum 0x4159 (incorrect -> 0x9aef), seq 48, ack 679, win 30510, length 0
22:10:59.338335 IP (tos 0x0, ttl 64, id 50319, offset 0, flags [none], proto TCP (6), length 40)
s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [F.], cksum 0x121d (correct), seq 679, ack 48, win 65535, length 0
22:10:59.338605 IP (tos 0x0, ttl 64, id 58314, offset 0, flags [DF], proto TCP (6), length 40)
debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [F.], cksum 0x4159 (incorrect -> 0x9aed), seq 48, ack 680, win 30510, length 0
22:10:59.339222 IP (tos 0x0, ttl 64, id 50320, offset 0, flags [none], proto TCP (6), length 40)
s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [.], cksum 0x121c (correct), seq 680, ack 49, win 65535, length 0
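The measurement in this section as an added Python example (not from the original article): it pairs the timestamp and TCP lines of the tcpdump -vv output to compute how long the server waited between the client's incomplete PUT and its own response, and decodes the chunked error body. The sample data is a constructed excerpt of the capture above with the cksum and option fields trimmed; the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed excerpt of the tcpdump -vv output in this section (first six packets).
TCPDUMP = """\
22:10:38.055187 IP (tos 0x0, ttl 64, id 58310, offset 0, flags [DF], proto TCP (6), length 60)
debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [S], seq 2938391169, win 29200, length 0
22:10:38.103575 IP (tos 0x0, ttl 64, id 50316, offset 0, flags [none], proto TCP (6), length 44)
s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [S.], seq 200128001, ack 2938391170, win 65535, length 0
22:10:38.103645 IP (tos 0x0, ttl 64, id 58311, offset 0, flags [DF], proto TCP (6), length 40)
debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [.], seq 1, ack 1, win 29200, length 0
22:10:38.103999 IP (tos 0x0, ttl 64, id 58312, offset 0, flags [DF], proto TCP (6), length 87)
debian.40380 > s3-ap-northeast-1-w.amazonaws.com.http: Flags [P.], seq 1:48, ack 1, win 29200, length 47: HTTP, length: 47
PUT /sample.txt HTTP/1.1
22:10:38.104554 IP (tos 0x0, ttl 64, id 50317, offset 0, flags [none], proto TCP (6), length 40)
s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [.], seq 1, ack 48, win 65535, length 0
22:10:59.338162 IP (tos 0x0, ttl 64, id 50318, offset 0, flags [none], proto TCP (6), length 718)
s3-ap-northeast-1-w.amazonaws.com.http > debian.40380: Flags [P.], seq 1:679, ack 48, win 65535, length 678: HTTP, length: 678
"""

# Error document from the response above; the chunk-size line is computed from it.
ERROR_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>RequestTimeout</Code>'
    b"<Message>Your socket connection to the server was not read from or written to "
    b"within the timeout period. Idle connections will be closed.</Message>"
    b"<RequestId>7275DD5C1C197259</RequestId><HostId>AOLBqJXBiatzDtJFzZ47xz58MCw0Xt2Lsr"
    b"MTfeAWEWB4rM2HyHoWgqhYA8S84puBU2Vnpbdq7bAvfSodhn5PV2DMzOUyUeh2</HostId></Error>"
)
CHUNKED_BODY = b"%x\r\n" % len(ERROR_XML) + ERROR_XML + b"\r\n0\r\n\r\n"

TS_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) IP ")
PKT_RE = re.compile(r"^\s*(\S+) > (\S+): Flags \[([^\]]+)\].*?, length (\d+)")


def parse_packets(text):
    """Pair each timestamp line with the TCP line that follows it; skip payload lines."""
    packets, ts = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            continue
        m = PKT_RE.match(line)
        if m and ts is not None:
            packets.append({"ts": ts, "src": m.group(1), "dst": m.group(2),
                            "flags": m.group(3), "len": int(m.group(4))})
            ts = None
    return packets


def idle_gap_seconds(packets, server_suffix=".http"):
    """Seconds from the last client payload to the first server payload after it."""
    last_client = None
    for p in packets:
        if p["len"] == 0:
            continue  # pure ACK/SYN/FIN segments carry no HTTP data
        if not p["src"].endswith(server_suffix):
            last_client = p["ts"]
        elif last_client is not None:
            gap = (p["ts"] - last_client).total_seconds()
            return gap + 86400 if gap < 0 else gap  # capture crossing midnight
    return None


def decode_chunked(body):
    """Decode a Transfer-Encoding: chunked body, rejecting truncated chunks."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return out
        start = eol + 2
        chunk = body[start:start + size]
        if len(chunk) != size or body[start + size:start + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos = start + size + 2


def s3_error(body):
    """Return the fields of the S3 <Error> document as a dict."""
    return {child.tag: child.text for child in ET.fromstring(decode_chunked(body))}


if __name__ == "__main__":
    print(idle_gap_seconds(parse_packets(TCPDUMP)), s3_error(CHUNKED_BODY)["Code"])
```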
3. TLS handshake
3.1 Client Hello (184 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 179
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 175
Version: TLS 1.2 (0x0303)
Random: 5de90933d57dc7688bbf5e479ce77ffe295944f9f4073a0a…
GMT Unix Time: Dec 5, 2019 22:42:11.000000000 東京 (標準時)
Random Bytes: d57dc7688bbf5e479ce77ffe295944f9f4073a0ab486c043…
Session ID Length: 0
Cipher Suites Length: 42
Cipher Suites (21 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 92
Extension: server_name (len=33)
Type: server_name (0)
Length: 33
Server Name Indication extension
Server Name list length: 31
Server Name Type: host_name (0)
Server Name length: 28
Server Name: yz2cm-tokyo.s3.amazonaws.com
Extension: supported_groups (len=8)
Type: supported_groups (10)
Length: 8
Supported Groups List Length: 6
Supported Groups (3 groups)
Supported Group: x25519 (0x001d)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms (len=20)
Type: signature_algorithms (13)
Length: 20
Signature Hash Algorithms Length: 18
Signature Hash Algorithms (9 algorithms)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ecdsa_sha1 (0x0203)
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: SHA1 DSA (0x0202)
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Extension: session_ticket (len=0)
Type: session_ticket (35)
Length: 0
Data (0 bytes)
Extension: extended_master_secret (len=0)
Type: extended_master_secret (23)
Length: 0
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
3.2 Server Hello (96 bytes)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 91
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 87
Version: TLS 1.2 (0x0303)
Random: a1a714e5c85a3c351e90d4c93bd643b56810b46da812714b…
GMT Unix Time: Dec 11, 2055 05:00:37.000000000 東京 (標準時)
Random Bytes: c85a3c351e90d4c93bd643b56810b46da812714b00c0a836…
Session ID Length: 32
Session ID: ea9ce5ca215eba15a90dcdf8df89b16b9dea041ea61cfd59…
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Compression Method: null (0)
Extensions Length: 15
Extension: server_name (len=0)
Type: server_name (0)
Length: 0
Extension: ec_point_formats (len=2)
Type: ec_point_formats (11)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
3.3 Certificate (185 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 2900
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 2896
Certificates Length: 2893
Certificates (2893 bytes)
Certificate Length: 1760
Certificate: 308206dc308205c4a0030201020210082df68ee9c69315be… (id-at-commonName=*.s3.amazonaws.com,id-at-organizationName=Amazon.com, Inc.,id-at-localityName=Seattle,id-at-stateOrProvinceName=Washington,id-at-countryName=US)
signedCertificate
version: v3 (2)
serialNumber: 0x082df68ee9c69315bebf72079b3810fd
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 4 items (id-at-commonName=DigiCert Baltimore CA-2 G2,id-at-organizationalUnitName=www.digicert.com,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: DigiCert Inc
RDNSequence item: 1 item (id-at-organizationalUnitName=www.digicert.com)
RelativeDistinguishedName item (id-at-organizationalUnitName=www.digicert.com)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: www.digicert.com
RDNSequence item: 1 item (id-at-commonName=DigiCert Baltimore CA-2 G2)
RelativeDistinguishedName item (id-at-commonName=DigiCert Baltimore CA-2 G2)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: DigiCert Baltimore CA-2 G2
validity
notBefore: utcTime (0)
utcTime: 19-11-09 00:00:00 (UTC)
notAfter: utcTime (0)
utcTime: 21-03-12 12:00:00 (UTC)
subject: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=*.s3.amazonaws.com,id-at-organizationName=Amazon.com, Inc.,id-at-localityName=Seattle,id-at-stateOrProvinceName=Washington,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-stateOrProvinceName=Washington)
RelativeDistinguishedName item (id-at-stateOrProvinceName=Washington)
Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: Washington
RDNSequence item: 1 item (id-at-localityName=Seattle)
RelativeDistinguishedName item (id-at-localityName=Seattle)
Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: Seattle
RDNSequence item: 1 item (id-at-organizationName=Amazon.com, Inc.)
RelativeDistinguishedName item (id-at-organizationName=Amazon.com, Inc.)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Amazon.com, Inc.
RDNSequence item: 1 item (id-at-commonName=*.s3.amazonaws.com)
RelativeDistinguishedName item (id-at-commonName=*.s3.amazonaws.com)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: uTF8String (4)
uTF8String: *.s3.amazonaws.com
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
subjectPublicKey: 3082010a0282010100c95bce91b929589e2b5c147890dbdf…
modulus: 0x00c95bce91b929589e2b5c147890dbdf033c316a11a0b5d2…
publicExponent: 65537
extensions: 10 items
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: c012b22874684667e97025741a00455b067d5c44
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: ddf2260064b7caf75ca696a6d7accbe127150c13
Extension (id-ce-subjectAltName)
Extension Id: 2.5.29.17 (id-ce-subjectAltName)
GeneralNames: 2 items
GeneralName: dNSName (2)
dNSName: *.s3.amazonaws.com
GeneralName: dNSName (2)
dNSName: s3.amazonaws.com
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 5
KeyUsage: a0 (digitalSignature, keyEncipherment)
1... .... = digitalSignature: True
.0.. .... = contentCommitment: False
..1. .... = keyEncipherment: True
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .0.. = keyCertSign: False
.... ..0. = cRLSign: False
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
Extension (id-ce-extKeyUsage)
Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
KeyPurposeIDs: 2 items
KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 2 items
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl4.digicert.com/DigiCertBaltimoreCA-2G2.crl
Extension (id-ce-certificatePolicies)
Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
CertificatePoliciesSyntax: 2 items
PolicyInformation
policyIdentifier: 2.16.840.1.114412.1.1 (US company arc.114412.1.1)
policyQualifiers: 1 item
PolicyQualifierInfo
Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
DirectoryString: https://www.digicert.com/CPS
PolicyInformation
policyIdentifier: 2.23.140.1.2.2 (joint-iso-itu-t.23.140.1.2.2)
Extension (id-pe-authorityInfoAccess)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
AuthorityInfoAccessSyntax: 2 items
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
accessLocation: 6
uniformResourceIdentifier: http://ocsp.digicert.com
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
accessLocation: 6
uniformResourceIdentifier: http://cacerts.digicert.com/DigiCertBaltimoreCA-2G2.crt
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax [0 length]
Extension (SignedCertificateTimestampList)
Extension Id: 1.3.6.1.4.1.11129.2.4.2 (SignedCertificateTimestampList)
Serialized SCT List Length: 359
Signed Certificate Timestamp (Google 'Pilot' log)
Serialized SCT Length: 118
SCT Version: 0
Log ID: a4b90990b418581487bb13a2cc67700a3c359804f91bdfb8…
Timestamp: Nov 9, 2019 00:00:24.368000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 71
Signature: 304502210089f1d42959192169051ed1618ffebbc5a6f1cb…
Signed Certificate Timestamp (Unknown Log)
Serialized SCT Length: 118
SCT Version: 0
Log ID: 4494652eb0eeceafc44007d8a8fe28c0dae682bed8cb31b5…
Timestamp: Nov 9, 2019 00:00:24.360000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 71
Signature: 3045022100aefd4229ea2b9753d7f35ba6b65ea9186d441c…
Signed Certificate Timestamp (Google 'Skydiver' log)
Serialized SCT Length: 117
SCT Version: 0
Log ID: bbd9dfbc1f8a71b593942397aa927b473857950aab52e81a…
Timestamp: Nov 9, 2019 00:00:24.373000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 70
Signature: 304402201b83ac5f412f5e1d1559b99256a00f81f29a6f4a…
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: 0c89a8b47822c2568af1a6369e0dac14324090870de1e484…
Certificate Length: 1127
Certificate: 308204633082034ba00302010202100182f8098ea2e626b9… (id-at-commonName=DigiCert Baltimore CA-2 G2,id-at-organizationalUnitName=www.digicert.com,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
signedCertificate
version: v3 (2)
serialNumber: 0x0182f8098ea2e626b91a3b27841fb9af
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 4 items (id-at-commonName=Baltimore CyberTrust Root,id-at-organizationalUnitName=CyberTrust,id-at-organizationName=Baltimore,id-at-countryName=IE)
RDNSequence item: 1 item (id-at-countryName=IE)
RelativeDistinguishedName item (id-at-countryName=IE)
Id: 2.5.4.6 (id-at-countryName)
CountryName: IE
RDNSequence item: 1 item (id-at-organizationName=Baltimore)
RelativeDistinguishedName item (id-at-organizationName=Baltimore)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Baltimore
RDNSequence item: 1 item (id-at-organizationalUnitName=CyberTrust)
RelativeDistinguishedName item (id-at-organizationalUnitName=CyberTrust)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: CyberTrust
RDNSequence item: 1 item (id-at-commonName=Baltimore CyberTrust Root)
RelativeDistinguishedName item (id-at-commonName=Baltimore CyberTrust Root)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Baltimore CyberTrust Root
validity
notBefore: utcTime (0)
utcTime: 15-12-08 12:05:07 (UTC)
notAfter: utcTime (0)
utcTime: 25-05-10 12:00:00 (UTC)
subject: rdnSequence (0)
rdnSequence: 4 items (id-at-commonName=DigiCert Baltimore CA-2 G2,id-at-organizationalUnitName=www.digicert.com,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
RDNSequence item: 1 item (id-at-countryName=US)
RelativeDistinguishedName item (id-at-countryName=US)
Id: 2.5.4.6 (id-at-countryName)
CountryName: US
RDNSequence item: 1 item (id-at-organizationName=DigiCert Inc)
RelativeDistinguishedName item (id-at-organizationName=DigiCert Inc)
Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: DigiCert Inc
RDNSequence item: 1 item (id-at-organizationalUnitName=www.digicert.com)
RelativeDistinguishedName item (id-at-organizationalUnitName=www.digicert.com)
Id: 2.5.4.11 (id-at-organizationalUnitName)
DirectoryString: printableString (1)
printableString: www.digicert.com
RDNSequence item: 1 item (id-at-commonName=DigiCert Baltimore CA-2 G2)
RelativeDistinguishedName item (id-at-commonName=DigiCert Baltimore CA-2 G2)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: DigiCert Baltimore CA-2 G2
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
subjectPublicKey: 3082010a0282010100bbe700fe000173ef9b88f05c0875f0…
modulus: 0x00bbe700fe000173ef9b88f05c0875f05c70731fffb57a1f…
publicExponent: 65537
extensions: 7 items
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: c012b22874684667e97025741a00455b067d5c44
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: e59d5930824758ccacfa085436867b3ab5044df0
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax
cA: True
pathLenConstraint: 0
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 1
KeyUsage: 86 (digitalSignature, keyCertSign, cRLSign)
1... .... = digitalSignature: True
.0.. .... = contentCommitment: False
..0. .... = keyEncipherment: False
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .1.. = keyCertSign: True
.... ..1. = cRLSign: True
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
Extension (id-pe-authorityInfoAccess)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
AuthorityInfoAccessSyntax: 1 item
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
accessLocation: 6
uniformResourceIdentifier: http://ocsp.digicert.com
Extension (id-ce-cRLDistributionPoints)
Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
CRLDistPointsSyntax: 1 item
DistributionPoint
distributionPoint: fullName (0)
fullName: 1 item
GeneralName: uniformResourceIdentifier (6)
uniformResourceIdentifier: http://crl3.digicert.com/Omniroot2025.crl
Extension (id-ce-certificatePolicies)
Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
CertificatePoliciesSyntax: 1 item
PolicyInformation
policyIdentifier: 2.5.29.32.0 (anyPolicy)
policyQualifiers: 1 item
PolicyQualifierInfo
Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
DirectoryString: https://www.digicert.com/CPS
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: 2fe23766c31acf9155ee2914fa5010be998de228f1741607…
3.4 Server Key Exchange (338 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 333
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 329
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: secp256r1 (0x0017)
Pubkey Length: 65
Pubkey: 049fb495ea14ab38a012f39ad8e686b827122f19c7242eda…
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Length: 256
Signature: 1d9e83b5921c6679fcc9d5557bdff9bff07de981ef82b6c3…
3.5 Server Hello Done (9 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
3.6 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message (126 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 70
Handshake Protocol: Client Key Exchange
Handshake Type: Client Key Exchange (16)
Length: 66
EC Diffie-Hellman Client Params
Pubkey Length: 65
Pubkey: 04af4ea916072eb6a58aaccde749064e170dbc22dbceede6…
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message
3.7 Change Cipher Spec (6 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
Content Type: Change Cipher Spec (20)
Version: TLS 1.2 (0x0303)
Length: 1
Change Cipher Spec Message
3.8 Finished (45 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 40
Handshake Protocol: Encrypted Handshake Message
3.9 Finished (507 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 502
Encrypted Application Data: 00000000000000012b91bd82dd852eba9f2c38497b9d49d6…
3.10 Application Data (54 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 49
Encrypted Application Data: 0000000000000001613b3503a917544189f53347f1acf2eb…
3.11 Application Data (30 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 25
Encrypted Application Data: 0000000000000002560df9a5e059a8525b59a49fe9b4881a…
3.12 Application Data (386 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Application Data Protocol: http-over-tls
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 381
Encrypted Application Data: 0000000000000002b39f4fcde4ec922bbd358885e08293e3…
3.13 Encrypted Alert (31 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Encrypted Alert
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 26
Alert Message: Encrypted Alert
4. References