我已经实现了一个 hacky 的变通方法来添加 SKID 和 authorityKeyIdentifier。生成的证书是有效的。但是,由于 struct Certificate 的成员 x *C.X509 未导出,访问它的唯一方法是通过 unsafe 指针和强制类型转换。
这不是推荐的做法,只是在 spacemonkey/go 更新之前的一种权宜之计(我怀疑它会很快发生)。
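// certHandle returns the raw OpenSSL X509 handle held inside an
// openssl.Certificate.
//
// openssl.Certificate does not export its *C.X509 member, so this reads the
// first word of the struct through an unsafe cast. That is a layout
// assumption about the vendored library, not an API: if the first field is
// ever moved or changes type, the value read here is an arbitrary word that
// OpenSSL would then dereference and write through. Re-check it against the
// library source whenever the dependency is updated.
//
// It returns an error instead of a nil handle so callers never hand a nil
// X509 to OpenSSL.
func certHandle(c *openssl.Certificate) (*C.X509, error) {
	if c == nil {
		return nil, errors.New("nil certificate")
	}
	// this is ugly and very unsafe!
	handle := *(**C.X509)(unsafe.Pointer(c))
	if handle == nil {
		return nil, errors.New("certificate has no underlying X509 handle")
	}
	return handle, nil
}

// addNconfExtension compiles the X509v3 extension name=value (openssl.cnf
// style, via X509V3_EXT_nconf) in the context ctx and appends it to target.
//
// X509_add_ext stores its own copy, so the temporary extension is freed here
// regardless of outcome. X509_add_ext does not check whether target already
// carries an extension with the same OID; calling this twice for the same
// name yields a duplicate, which RFC 5280 forbids, so callers should add each
// extension once.
//
// The error says which step failed: compiling the value or attaching it.
func addNconfExtension(target *C.X509, ctx *C.X509V3_CTX, name, value string) error {
	cName := C.CString(name)
	defer C.free(unsafe.Pointer(cName))
	cValue := C.CString(value)
	defer C.free(unsafe.Pointer(cValue))

	ext := C.X509V3_EXT_nconf(nil, ctx, cName, cValue)
	if ext == nil {
		return errors.New("failed to set '" + name + "' extension")
	}
	defer C.X509_EXTENSION_free(ext)

	// -1 appends; X509_add_ext reports 1 on success and 0 on error.
	if C.X509_add_ext(target, ext, -1) == 0 {
		return errors.New("failed to add '" + name + "' extension")
	}
	return nil
}

// addAuthorityKeyIdentifier appends an authorityKeyIdentifier extension
// ("keyid:always,issuer:always") to c, derived from c.Issuer, or from c
// itself when c.Issuer is nil (self-signed).
//
// OpenSSL builds "keyid:always" from the issuer's subjectKeyIdentifier and
// fails when the issuer has none, so the issuer must already carry an SKID
// (for example via addSKIDExtension) before this is called.
//
// It returns an error when either certificate has no usable handle or when
// OpenSSL cannot compile or attach the extension.
func addAuthorityKeyIdentifier(c *openssl.Certificate) error {
	subject, err := certHandle(c)
	if err != nil {
		return err
	}
	issuer := subject
	if c.Issuer != nil {
		if issuer, err = certHandle(c.Issuer); err != nil {
			return err
		}
	}

	var ctx C.X509V3_CTX
	// Set the issuer through the public setter rather than by assigning
	// ctx.issuer_cert, so this does not depend on X509V3_CTX's field layout.
	C.X509V3_set_ctx(&ctx, issuer, nil, nil, nil, 0)
	return addNconfExtension(subject, &ctx, "authorityKeyIdentifier", "keyid:always,issuer:always")
}

// addSKIDExtension appends a subjectKeyIdentifier extension ("hash") to c.
// The identifier is computed from c's own public key, so c is the subject
// of the extension context.
//
// It returns an error when c has no usable handle or when OpenSSL cannot
// compile or attach the extension.
func addSKIDExtension(c *openssl.Certificate) error {
	subject, err := certHandle(c)
	if err != nil {
		return err
	}

	var ctx C.X509V3_CTX
	// Same as above: use the setter instead of assigning ctx.subject_cert.
	C.X509V3_set_ctx(&ctx, nil, subject, nil, nil, 0)
	return addNconfExtension(subject, &ctx, "subjectKeyIdentifier", "hash")
}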