首頁 > 後端開發 > Golang > 簽署憑證時,授權金鑰識別碼複製到 SKID

簽署憑證時,授權金鑰識別碼複製到 SKID

PHPz
發布: 2024-02-09 13:27:32
轉載
904 人瀏覽過

签署证书时,授权密钥标识符被复制到 SKID

php小編草莓在介紹簽署憑證時指出,授權金鑰識別碼(SKID)在簽署過程中扮演重要的角色。當簽署憑證時,SKID會被複製到憑證中,用於識別該憑證的授權金鑰。這個識別碼的存在可以幫助確保憑證的真實性和合法性,同時也方便了後續的憑證驗證和管理工作。簽署憑證時,SKID的複製是必要的步驟,它在憑證的使用和維護過程中扮演著重要的角色。

問題內容

我正在嘗試使用 csr 和 spacemonkeygo/openssl 包裝器簽署憑證。

用於簽署憑證的控制台 openssl 命令按預期工作,我獲得了有效的憑證。

openssl x509 -req -days 365 -in cert_client.csr -ca ca/root.crt -cakey ca/root.key -set_serial 10101 -out cert_client.crt -extfile ca/extensions.cnf
登入後複製

從截圖中可以看出,skid和issuer的keyid是不同的。

但是,我在 go 中的程式碼提供了錯誤的證書,其中 skid 包含頒發證書的 keyid 的確切值。這會導致在「權威金鑰識別碼」中複製「頒發者」的無效值:由於 skid 與頒發者的 keyid 相同,因此它「認為」憑證是自行頒發的。

package main

import (
    "github.com/spacemonkeygo/openssl"
    "math/big"
    "os"
    "time"
)

func main() {

    crtfilepath := filepath("ca/root.crt")
    keyfilepath := filepath("ca/root.key")

    certca, privatekeyca, err := getrootca(pathcert(crtfilepath), pathkey(keyfilepath))
    if err != nil {
        panic(err)
    }

    serialnumber := big.newint(10101)

    country := "ru"
    organization := "some organization"
    commonname := "commonname"
    expirationdate := time.now().adddate(1, 0, 0)

    certinfo := &openssl.certificateinfo{
        serial:     serialnumber,
        expires:    expirationdate.sub(time.now()),
        commonname: commonname,

        // will fail if these are empty or not initialized
        country:      country,
        organization: organization,
    }

    // just for example. publickey is received from csr
    privatekeycert, err := openssl.generatersakey(2048)
    if err != nil {
        panic(err)
    }

    newcert, err := openssl.newcertificate(certinfo, openssl.publickey(privatekeycert))
    if err != nil {
        panic(err)
    }

    err = newcert.setversion(openssl.x509_v3)
    if err != nil {
        panic(err)
    }

    // (?) must be called before adding extensions
    err = newcert.setissuer(certca)
    if err != nil {
        panic(err)
    }

    err = newcert.addextension(openssl.nid_basic_constraints,
        "critical,ca:false")
    if err != nil {
        panic(err)
    }

    err = newcert.addextension(openssl.nid_subject_key_identifier,
        "hash")
    if err != nil {
        panic(err)
    }

    err = newcert.addextension(openssl.nid_authority_key_identifier,
        "keyid:always,issuer:always")
    if err != nil {
        panic(err)
    }

    err = newcert.sign(privatekeyca, openssl.evp_sha256)
    if err != nil {
        panic(err)
    }

    pembytes, err := newcert.marshalpem()
    if err != nil {
        panic(err)
    }

    err = os.writefile("generated.crt", pembytes, os.filemode(0644))
    if err != nil {
        panic(err)
    }

    print("done")
}

type filepath string
type pathcert string
type pathkey string

func getrootca(pathcert pathcert, pathkey pathkey) (*openssl.certificate, openssl.privatekey, error) {

    capublickeyfile, err := os.readfile(string(pathcert))
    if err != nil {
        return nil, nil, err
    }

    certca, err := openssl.loadcertificatefrompem(capublickeyfile)
    if err != nil {
        return nil, nil, err
    }

    caprivatekeyfile, err := os.readfile(string(pathkey))
    if err != nil {
        return nil, nil, err
    }

    privatekeyca, err := openssl.loadprivatekeyfrompem(caprivatekeyfile)
    if err != nil {
        return nil, nil, err
    }

    return certca, privatekeyca, nil
}
登入後複製

(生成的是正確的)

如果我不呼叫setissuer,skid是新產生的,但產生的憑證仍然顯示為「無效」。

我在程式碼中做錯了什麼?

更新: 我比較了為 2 個包裝器新增擴充功能的實作:spacemonkey/gopyopenssl

去:

// add an extension to a certificate.
// extension constants are nid_* as found in openssl.
func (c *certificate) addextension(nid nid, value string) error {
    issuer := c
    if c.issuer != nil {
        issuer = c.issuer
    }
    var ctx c.x509v3_ctx
    c.x509v3_set_ctx(&ctx, c.x, issuer.x, nil, nil, 0)
    ex := c.x509v3_ext_conf_nid(nil, &ctx, c.int(nid), c.cstring(value))
    if ex == nil {
        return errors.new("failed to create x509v3 extension")
    }
    defer c.x509_extension_free(ex)
    if c.x509_add_ext(c.x, ex, -1) <= 0 {
        return errors.new("failed to add x509v3 extension")
    }
    return nil
}
登入後複製

python(省略一些註解):

# X509Extension::__init__
def __init__(
        self,
        type_name: bytes,
        critical: bool,
        value: bytes,
        subject: Optional["X509"] = None,
        issuer: Optional["X509"] = None,
    ) -> None:

        ctx = _ffi.new("X509V3_CTX*")

        # A context is necessary for any extension which uses the r2i
        # conversion method.  That is, X509V3_EXT_nconf may segfault if passed
        # a NULL ctx. Start off by initializing most of the fields to NULL.
        _lib.X509V3_set_ctx(ctx, _ffi.NULL, _ffi.NULL, _ffi.NULL, _ffi.NULL, 0)

        # We have no configuration database - but perhaps we should (some
        # extensions may require it).
        _lib.X509V3_set_ctx_nodb(ctx)

        # Initialize the subject and issuer, if appropriate.  ctx is a local,
        # and as far as I can tell none of the X509V3_* APIs invoked here steal
        # any references, so no need to mess with reference counts or
        # duplicates.
        if issuer is not None:
            if not isinstance(issuer, X509):
                raise TypeError("issuer must be an X509 instance")
            ctx.issuer_cert = issuer._x509
        if subject is not None:
            if not isinstance(subject, X509):
                raise TypeError("subject must be an X509 instance")
            ctx.subject_cert = subject._x509

        if critical:
            # There are other OpenSSL APIs which would let us pass in critical
            # separately, but they're harder to use, and since value is already
            # a pile of crappy junk smuggling a ton of utterly important
            # structured data, what's the point of trying to avoid nasty stuff
            # with strings? (However, X509V3_EXT_i2d in particular seems like
            # it would be a better API to invoke.  I do not know where to get
            # the ext_struc it desires for its last parameter, though.)
            value = b"critical," + value

        extension = _lib.X509V3_EXT_nconf(_ffi.NULL, ctx, type_name, value)
        if extension == _ffi.NULL:
            _raise_current_error()
        self._extension = _ffi.gc(extension, _lib.X509_EXTENSION_free)
登入後複製

明顯的差異在於 api:python 的版本接受 subjectissuer 作為參數進行重載。 go 的版本沒有。

實現上的差異如下:

  • 在python中呼叫x509v3_ext_nconf
  • x509v3_ext_conf_nid 在 go 中調用 這兩個函數都可以在 github 上找到。

我認為使用 openspacemonkey/go-openssl 與 ca 簽章時不可能新增 skid 擴充功能。

# 似乎唯一的方法是手動使用 c 綁定並「像 python 那樣做」。

解決方法

我實作了一個巧妙的解決方法來新增 skid 和authoritykeyidentifier。產生的證書有效。但是,由於 certificate 結構體的 x *c.x509 成員未匯出,因此存取它們的唯一方法是透過不安全的指標和強制轉換。
這不是推薦的方法,而是在 spacemonkey/go 更新之前的一種方法(我懷疑它會很快發生)。

func addAuthorityKeyIdentifier(c *openssl.Certificate) error {
    var ctx C.X509V3_CTX
    C.X509V3_set_ctx(&ctx, nil, nil, nil, nil, 0)

    // this is ugly and very unsafe!
    cx509 := *(**C.X509)(unsafe.Pointer(c))

    cx509Issuer := cx509
    if c.Issuer != nil {
        cx509Issuer = *(**C.X509)(unsafe.Pointer(c.Issuer))
    }
    ctx.issuer_cert = cx509Issuer

    cExtName := C.CString("authorityKeyIdentifier")
    defer C.free(unsafe.Pointer(cExtName))
    cExtValue := C.CString("keyid:always,issuer:always")
    defer C.free(unsafe.Pointer(cExtValue))

    extension := C.X509V3_EXT_nconf(nil, &ctx, cExtName, cExtValue)
    if extension == nil {
        return errors.New("failed to set 'authorityKeyIdentifier' extension")
    }
    defer C.X509_EXTENSION_free(extension)

    addResult := C.X509_add_ext(cx509, extension, -1)
    if addResult == 0 {
        return errors.New("failed to set 'authorityKeyIdentifier' extension")
    }

    return nil
}

func addSKIDExtension(c *openssl.Certificate) error {
    var ctx C.X509V3_CTX
    C.X509V3_set_ctx(&ctx, nil, nil, nil, nil, 0)
    
    // this is ugly and very unsafe!
    cx509 := *(**C.X509)(unsafe.Pointer(c))
    _ = cx509

    ctx.subject_cert = cx509
    _ = ctx

    cExtName := C.CString("subjectKeyIdentifier")
    defer C.free(unsafe.Pointer(cExtName))
    cExtValue := C.CString("hash")
    defer C.free(unsafe.Pointer(cExtValue))

    extension := C.X509V3_EXT_nconf(nil, &ctx, cExtName, cExtValue)
    if extension == nil {
        return errors.New("failed to set 'subjectKeyIdentifier' extension")
    }
    defer C.X509_EXTENSION_free(extension)

    // adding itself as a subject
    addResult := C.X509_add_ext(cx509, extension, -1)
    if addResult == 0 {
        return errors.New("failed to set 'subjectKeyIdentifier' extension")
    }

    return nil
}
登入後複製

以上是簽署憑證時,授權金鑰識別碼複製到 SKID的詳細內容。更多資訊請關注PHP中文網其他相關文章!

來源:stackoverflow.com
本網站聲明
本文內容由網友自願投稿,版權歸原作者所有。本站不承擔相應的法律責任。如發現涉嫌抄襲或侵權的內容,請聯絡admin@php.cn
熱門教學
更多>
最新下載
更多>
網站特效
網站源碼
網站素材
前端模板