php小编草莓在介绍签署证书时指出,授权密钥标识符(SKID)在签署过程中起到重要的作用。当签署证书时,SKID会被复制到证书中,用于标识该证书的授权密钥。这个标识符的存在可以帮助确保证书的真实性和合法性,同时也方便了后续的证书验证和管理工作。签署证书时,SKID的复制是必要的步骤,它在证书的使用和维护过程中扮演着重要的角色。
问题内容
我正在尝试使用 csr 和 spacemonkeygo/openssl 包装器签署证书。
用于签署证书的控制台 openssl 命令按预期工作,我获得了有效的证书。
openssl x509 -req -days 365 -in cert_client.csr -ca ca/root.crt -cakey ca/root.key -set_serial 10101 -out cert_client.crt -extfile ca/extensions.cnf
登录后复制
从截图中可以看出,skid和issuer的keyid是不同的。
但是,我在 go 中的代码提供了错误的证书,其中 skid 包含颁发证书的 keyid 的确切值。这会导致在“权威密钥标识符”中复制“颁发者”的无效值:由于 skid 与颁发者的 keyid 相同,因此它“认为”证书是自行颁发的。
package mainimport ( "github.com/spacemonkeygo/openssl" "math/big" "os" "time")func main() { crtfilepath := filepath("ca/root.crt") keyfilepath := filepath("ca/root.key") certca, privatekeyca, err := getrootca(pathcert(crtfilepath), pathkey(keyfilepath)) if err != nil { panic(err) } serialnumber := big.newint(10101) country := "ru" organization := "some organization" commonname := "commonname" expirationdate := time.now().adddate(1, 0, 0) certinfo := &openssl.certificateinfo{ serial: serialnumber, expires: expirationdate.sub(time.now()), commonname: commonname, // will fail if these are empty or not initialized country: country, organization: organization, } // just for example. publickey is received from csr privatekeycert, err := openssl.generatersakey(2048) if err != nil { panic(err) } newcert, err := openssl.newcertificate(certinfo, openssl.publickey(privatekeycert)) if err != nil { panic(err) } err = newcert.setversion(openssl.x509_v3) if err != nil { panic(err) } // (?) must be called before adding extensions err = newcert.setissuer(certca) if err != nil { panic(err) } err = newcert.addextension(openssl.nid_basic_constraints, "critical,ca:false") if err != nil { panic(err) } err = newcert.addextension(openssl.nid_subject_key_identifier, "hash") if err != nil { panic(err) } err = newcert.addextension(openssl.nid_authority_key_identifier, "keyid:always,issuer:always") if err != nil { panic(err) } err = newcert.sign(privatekeyca, openssl.evp_sha256) if err != nil { panic(err) } pembytes, err := newcert.marshalpem() if err != nil { panic(err) } err = os.writefile("generated.crt", pembytes, os.filemode(0644)) if err != nil { panic(err) } print("done")}type filepath stringtype pathcert stringtype pathkey stringfunc getrootca(pathcert pathcert, pathkey pathkey) (*openssl.certificate, openssl.privatekey, error) { capublickeyfile, err := os.readfile(string(pathcert)) if err != nil { return nil, nil, err } certca, err := openssl.loadcertificatefrompem(capublickeyfile) if err != nil { return nil, nil, err } caprivatekeyfile, err := os.readfile(string(pathkey)) if err != nil { return nil, nil, err } privatekeyca, err := openssl.loadprivatekeyfrompem(caprivatekeyfile) if err != nil { return nil, nil, err } return certca, privatekeyca, nil}
登录后复制
(生成的是正确的)
如果我不调用setissuer,skid是新生成的,但生成的证书仍然显示为“无效”。
我在代码中做错了什么?
更新:我比较了为 2 个包装器添加扩展的实现:spacemonkey/go 和 pyopenssl。
去:
// add an extension to a certificate.// extension constants are nid_* as found in openssl.func (c *certificate) addextension(nid nid, value string) error { issuer := c if c.issuer != nil { issuer = c.issuer } var ctx c.x509v3_ctx c.x509v3_set_ctx(&ctx, c.x, issuer.x, nil, nil, 0) ex := c.x509v3_ext_conf_nid(nil, &ctx, c.int(nid), c.cstring(value)) if ex == nil { return errors.new("failed to create x509v3 extension") } defer c.x509_extension_free(ex) if c.x509_add_ext(c.x, ex, -1) python(省略一些注释):
# X509Extension::__init__def __init__( self, type_name: bytes, critical: bool, value: bytes, subject: Optional["X509"] = None, issuer: Optional["X509"] = None, ) -> None: ctx = _ffi.new("X509V3_CTX*") # A context is necessary for any extension which uses the r2i # conversion method. That is, X509V3_EXT_nconf may segfault if passed # a NULL ctx. Start off by initializing most of the fields to NULL. _lib.X509V3_set_ctx(ctx, _ffi.NULL, _ffi.NULL, _ffi.NULL, _ffi.NULL, 0) # We have no configuration database - but perhaps we should (some # extensions may require it). _lib.X509V3_set_ctx_nodb(ctx) # Initialize the subject and issuer, if appropriate. ctx is a local, # and as far as I can tell none of the X509V3_* APIs invoked here steal # any references, so no need to mess with reference counts or # duplicates. if issuer is not None: if not isinstance(issuer, X509): raise TypeError("issuer must be an X509 instance") ctx.issuer_cert = issuer._x509 if subject is not None: if not isinstance(subject, X509): raise TypeError("subject must be an X509 instance") ctx.subject_cert = subject._x509 if critical: # There are other OpenSSL APIs which would let us pass in critical # separately, but they're harder to use, and since value is already # a pile of crappy junk smuggling a ton of utterly important # structured data, what's the point of trying to avoid nasty stuff # with strings? (However, X509V3_EXT_i2d in particular seems like # it would be a better API to invoke. I do not know where to get # the ext_struc it desires for its last parameter, though.) value = b"critical," + value extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value) if extension == _ffi.NULL: _raise_current_error() self._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
登录后复制
明显的区别在于 api:python 的版本接受 subject 和 issuer 作为参数进行重载。 go 的版本没有。
实现上的差异如下:
在python中调用x509v3_ext_nconfx509v3_ext_conf_nid 在 go 中调用这两个函数都可以在 github 上找到。
我认为使用 openspacemonkey/go-openssl 与 ca 签名时不可能添加 skid 扩展。
似乎唯一的方法是手动使用 c 绑定并“像 python 那样做”。
解决方法
我实施了一种巧妙的解决方法来添加 skid 和authoritykeyidentifier。生成的证书有效。但是,由于 certificate 结构体的 x *c.x509 成员未导出,因此访问它们的唯一方法是通过不安全的指针和强制转换。
这不是推荐的方法,而是在 spacemonkey/go 更新之前的一种方法(我怀疑它会很快发生)。
func addAuthorityKeyIdentifier(c *openssl.Certificate) error { var ctx C.X509V3_CTX C.X509V3_set_ctx(&ctx, nil, nil, nil, nil, 0) // this is ugly and very unsafe! cx509 := *(**C.X509)(unsafe.Pointer(c)) cx509Issuer := cx509 if c.Issuer != nil { cx509Issuer = *(**C.X509)(unsafe.Pointer(c.Issuer)) } ctx.issuer_cert = cx509Issuer cExtName := C.CString("authorityKeyIdentifier") defer C.free(unsafe.Pointer(cExtName)) cExtValue := C.CString("keyid:always,issuer:always") defer C.free(unsafe.Pointer(cExtValue)) extension := C.X509V3_EXT_nconf(nil, &ctx, cExtName, cExtValue) if extension == nil { return errors.New("failed to set 'authorityKeyIdentifier' extension") } defer C.X509_EXTENSION_free(extension) addResult := C.X509_add_ext(cx509, extension, -1) if addResult == 0 { return errors.New("failed to set 'authorityKeyIdentifier' extension") } return nil}func addSKIDExtension(c *openssl.Certificate) error { var ctx C.X509V3_CTX C.X509V3_set_ctx(&ctx, nil, nil, nil, nil, 0) // this is ugly and very unsafe! cx509 := *(**C.X509)(unsafe.Pointer(c)) _ = cx509 ctx.subject_cert = cx509 _ = ctx cExtName := C.CString("subjectKeyIdentifier") defer C.free(unsafe.Pointer(cExtName)) cExtValue := C.CString("hash") defer C.free(unsafe.Pointer(cExtValue)) extension := C.X509V3_EXT_nconf(nil, &ctx, cExtName, cExtValue) if extension == nil { return errors.New("failed to set 'subjectKeyIdentifier' extension") } defer C.X509_EXTENSION_free(extension) // adding itself as a subject addResult := C.X509_add_ext(cx509, extension, -1) if addResult == 0 { return errors.New("failed to set 'subjectKeyIdentifier' extension") } return nil}
登录后复制
以上就是签署证书时,授权密钥标识符被复制到 SKID的详细内容,更多请关注【创想鸟】其它相关文章!
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容, 请发送邮件至253000106@qq.com举报,一经查实,本站将立刻删除。
发布者:PHP中文网,转转请注明出处:https://www.chuangxiangniao.com/p/2484464.html
