通过OpenSSL解析X509证书基本项

其他 2018-07-26 23:29:02 阅读次数: 0

转载自:https://blog.csdn.net/yyfzy/article/details/46798965

    在之前的文章“通过OpenSSL解码X509证书文件”里,讲述了如何使用OpenSSL将证书文件解码,得到证书上下文结构体X509的方法。下面我们接着讲述如何通过证书上下文结构体X509,获得想要的证书项。本文先讲述如何获取证书的基本项,后面还有文章介绍如何获取证书的扩展项。

       下面的代码,都是假定已经通过解码证书文件、得到了证书上下文结构体X509。至于如何使用OpenSSL解码证书文件、得到证书上下文结构体X509,请阅读之前的文章。

        首先,我们看看关于证书结构体X509定义:

  1. struct x509_st
  2. {
  3. X509_CINF *cert_info;
  4. X509_ALGOR *sig_alg;
  5. ASN1_BIT_STRING *signature;
  6. int valid;
  7. int references;
  8. char *name;
  9. CRYPTO_EX_DATA ex_data;
  10. /* These contain copies of various extension values */
  11. long ex_pathlen;
  12. long ex_pcpathlen;
  13. unsigned long ex_flags;
  14. unsigned long ex_kusage;
  15. unsigned long ex_xkusage;
  16. unsigned long ex_nscert;
  17. ASN1_OCTET_STRING *skid;
  18. AUTHORITY_KEYID *akid;
  19. X509_POLICY_CACHE *policy_cache;
  20. STACK_OF(DIST_POINT) *crldp;
  21. STACK_OF(GENERAL_NAME) *altname;
  22. NAME_CONSTRAINTS *nc;
  23. #ifndef OPENSSL_NO_RFC3779
  24. STACK_OF(IPAddressFamily) *rfc3779_addr;
  25. struct ASIdentifiers_st *rfc3779_asid;
  26. #endif
  27. #ifndef OPENSSL_NO_SHA
  28. unsigned char sha1_hash[SHA_DIGEST_LENGTH];
  29. #endif
  30. X509_CERT_AUX *aux;
  31. } /* X509 */;
  33. typedef struct x509_cinf_st
  34. {
  35. ASN1_INTEGER *version; /* [ 0 ] default of v1 */
  36. ASN1_INTEGER *serialNumber;
  37. X509_ALGOR *signature;
  38. X509_NAME *issuer;
  39. X509_VAL *validity;
  40. X509_NAME *subject;
  41. X509_PUBKEY *key;
  42. ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
  43. ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
  44. STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
  45. ASN1_ENCODING enc;
  46. } X509_CINF;
      我们想要获取的证书基本项,有些就直接存在于这两个结构体中。
一、版本号

      通过解码证书文件,得到证书结构体m_pX509之后,可以通过函数X509_get_version()获取证书的版本。具体代码如下:

  1. int ver = X509_get_version(m_pX509);
  2. switch(ver)
  3. {
  4. case 0: //V1
  5. //...
  6. break;
  7. case 1: //V2
  8. //...
  9. break;
  10. case 2: //V3
  11. //...
  12. break;
  13. default:
  14. //Error!
  15. break;
  16. }
需要注意的是,0代表V1;1代表V2;2代表V3。目前绝大多数证书都是V3版本。

二、序列号

      同样,有了m_pX509之后,调用函数X509_get_serialNumber()即可获得证书的序列号。只是该函数返回的是ASN1_INTEGER类型,需要转换后才能是我们平常看到的十六进制表示的序列号。具体实现函数如下:

  1. ULONG COpenSSLCertificate::get_SN(LPSTR lptcSN, ULONG *pulLen)
  2. {
  3. ULONG ulRet = CERT_ERR_OK;
  4. ASN1_INTEGER *asn1_i = NULL;
  5. BIGNUM *bignum = NULL;
  6. char *serial = NULL;
  8. if (!m_pX509)
  9. {
  10. return CERT_ERR_INVILIDCALL;
  11. }
  12. if (!pulLen)
  13. {
  14. return CERT_ERR_INVALIDPARAM;
  15. }
  16. asn1_i = X509_get_serialNumber(m_pX509);
  17. bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
  18. if (bignum == NULL)
  19. {
  20. ulRet = CERT_ERR_FAILED;
  21. goto FREE_MEMORY;
  22. }
  23. serial = BN_bn2hex(bignum);
  24. if (serial == NULL)
  25. {
  26. ulRet = CERT_ERR_FAILED;
  27. goto FREE_MEMORY;
  28. }
  29. BN_free(bignum);
  30. if (!lptcSN)
  31. {
  32. *pulLen = strlen(serial) + 1;
  33. ulRet = CERT_ERR_OK;
  34. goto FREE_MEMORY;
  35. }
  36. if (*pulLen < strlen(serial) + 1)
  37. {
  38. ulRet = CERT_ERR_BUFFER_TOO_SMALL;
  39. goto FREE_MEMORY;
  40. }
  41. strcpy_s(lptcSN, *pulLen, serial);
  42. *pulLen = strlen(serial);
  43. FREE_MEMORY:
  44. OPENSSL_free(serial);
  45. return ulRet;
  46. }

三、公钥算法(证书算法)

      要想获取证书公钥算法,需要先调用函数X509_get_pubkey()得到公钥属性结构体,然后通过type字段来判断公钥的算法类型。具体实现函数如下:

  1. ULONG COpenSSLCertificate::get_KeyType(ULONG* pulType)
  2. {
  3. EVP_PKEY *pk = NULL;
  4. stack_st_X509* chain = NULL;
  5. X509_EXTENSION *pex = NULL;
  7. if (!m_pX509)
  8. {
  9. return CERT_ERR_INVILIDCALL;
  10. }
  11. if (!pulType)
  12. {
  13. return CERT_ERR_INVALIDPARAM;
  14. }
  16. pk = X509_get_pubkey(m_pX509);
  17. if (!pk)
  18. {
  19. return CERT_ERR_FAILED;
  20. }
  22. if (EVP_PKEY_RSA == pk->type)
  23. {
  24. *pulType = CERT_KEY_ALG_RSA;
  25. }
  26. else if (EVP_PKEY_EC == pk->type)
  27. {
  28. *pulType = CERT_KEY_ALG_ECC;
  29. }
  30. else if (EVP_PKEY_DSA == pk->type)
  31. {
  32. *pulType = CERT_KEY_ALG_DSA;
  33. }
  34. else if (EVP_PKEY_DH == pk->type)
  35. {
  36. *pulType = CERT_KEY_ALG_DH;
  37. }
  38. else
  39. {
  40. return CERT_KEY_ALG_UNKNOWN;
  41. }
  43. return CERT_ERR_OK;
  44. }
目前常见的证书算法为RSA和ECC,ECC在国内又成为SM2。SM2是国家密码管理局基于椭圆算法(ECC)制定的国内非对称算法标准。

四、证书用途

      证书从用途来分,分为“签名证书”和“加密证书”两大类。“签名证书”的公钥用来验证签名,而“加密证书”的公钥则用来加密数据。我们可以通过调用X509中的ex_kusage字段来判断证书的用途,具体函数实现如下:

  1. ULONG COpenSSLCertificate::get_KeyUsage(ULONG* lpUsage)
  2. {
  3. ULONG lKeyUsage = 0;
  5. if (!m_pX509)
  6. {
  7. return CERT_ERR_INVILIDCALL;
  8. }
  9. if (!lpUsage)
  10. {
  11. return CERT_ERR_INVALIDPARAM;
  12. }
  14. *lpUsage = CERT_USAGE_UNKNOWN;
  16. //X509_check_ca() MUST be called!
  17. X509_check_ca(m_pX509);
  18. lKeyUsage = m_pX509->ex_kusage;
  19. if ((lKeyUsage & KU_DATA_ENCIPHERMENT) == KU_DATA_ENCIPHERMENT)
  20. {
  21. *lpUsage = CERT_USAGE_EXCH;<span style= "white-space:pre"> </span> //加密证书
  22. }
  23. else if ((lKeyUsage & KU_DIGITAL_SIGNATURE) == KU_DIGITAL_SIGNATURE)
  24. {
  25. *lpUsage = CERT_USAGE_SIGN;<span style= "white-space:pre"> </span> //签名证书
  26. }
  28. return CERT_ERR_OK;
  29. }

五、签名算法

      证书的签名算法,是指证书用来签名时使用的算法(包含HASH算法)。签名算法用结构体X509中sig_alg字段来表示,可以通过sig_alg的子字段algorithm返回签名算法对象,从而得到签名算法的Oid。首先,签名算法的Oid常见得定义如下:

  1. /* Certificate siganture alg */
  2. #define CERT_SIGNATURE_ALG_RSA_RSA "1.2.840.113549.1.1.1"
  3. #define CERT_SIGNATURE_ALG_MD2RSA "1.2.840.113549.1.1.2"
  4. #define CERT_SIGNATURE_ALG_MD4RSA "1.2.840.113549.1.1.3"
  5. #define CERT_SIGNATURE_ALG_MD5RSA "1.2.840.113549.1.1.4"
  6. #define CERT_SIGNATURE_ALG_SHA1RSA "1.2.840.113549.1.1.5"
  7. #define CERT_SIGNATURE_ALG_SM3SM2 "1.2.156.10197.1.501"

      获取签名算法Oid的具体实现函数如下:

  1. ULONG COpenSSLCertificate::get_SignatureAlgOid(LPSTR lpscOid, ULONG *pulLen)
  2. {
  3. char oid[ 128] = { 0};
  4. ASN1_OBJECT* salg = NULL;
  6. if (!m_pX509)
  7. {
  8. return CERT_ERR_INVILIDCALL;
  9. }
  10. if (!pulLen)
  11. {
  12. return CERT_ERR_INVALIDPARAM;
  13. }
  15. salg = m_pX509->sig_alg->algorithm;
  16. OBJ_obj2txt(oid, 128, salg, 1);
  17. if (!lpscOid)
  18. {
  19. *pulLen = strlen(oid) + 1;
  20. return CERT_ERR_OK;
  21. }
  22. if (*pulLen < strlen(oid) + 1)
  23. {
  24. return CERT_ERR_BUFFER_TOO_SMALL;
  25. }
  27. strcpy_s(lpscOid, *pulLen, oid);
  28. *pulLen = strlen(oid) + 1;
  29. return CERT_ERR_OK;
  30. }
由于Windows对SM2/SM3算法还没有定义,所以对于ECC(SM2)证书,Windows直接显示签名算法的Oid:“1.2.156.10197.1.501”,如下图所示:

六、颁发者

      关于颁发者,我们可以通过调用函数X509_get_issuer_name()获取属性。不过该函数返回的是X509_NAME类型,需要调用函数X509_NAME_get_text_by_NID()将其转化为ASCII字符形式。具体通过下面函数实现:

  1. ULONG COpenSSLCertificate::get_Issuer(LPSTR lpValue, ULONG *pulLen)
  2. {
  3. int nNameLen = 512;
  4. CHAR csCommonName[ 512] = { 0};
  5. X509_NAME *pCommonName = NULL;
  7. if (!m_pX509)
  8. {
  9. return CERT_ERR_INVILIDCALL;
  10. }
  11. if (!pulLen)
  12. {
  13. return CERT_ERR_INVALIDPARAM;
  14. }
  16. pCommonName = X509_get_issuer_name(m_pX509);
  17. if (!pCommonName)
  18. {
  19. return CERT_ERR_FAILED;
  20. }
  21. nNameLen = X509_NAME_get_text_by_NID(pCommonName, NID_commonName, csCommonName, nNameLen);
  22. if ( -1 == nNameLen)
  23. {
  24. return CERT_ERR_FAILED;
  25. };
  26. if (!lpValue)
  27. {
  28. *pulLen = nNameLen + 1;
  29. return CERT_ERR_OK;
  30. }
  31. if (*pulLen < (ULONG)nNameLen + 1)
  32. {
  33. return CERT_ERR_BUFFER_TOO_SMALL;
  34. }
  36. strcpy_s(lpValue, *pulLen, csCommonName);
  37. *pulLen = nNameLen;
  38. return CERT_ERR_OK;
  39. }

七、使用者

      关于证书使用者,我们可以通过调用函数X509_get_subject_name)获取属性。同样,该函数返回的是X509_NAME类型,需要调用函数X509_NAME_get_text_by_NID()将其转化为ASCII字符形式。具体通过下面函数实现:

  1. ULONG COpenSSLCertificate::get_SubjectName(LPSTR lpValue, ULONG *pulLen)
  2. {
  3. int iLen = 0;
  4. int iSubNameLen = 0;
  5. CHAR csSubName[ 1024] = { 0};
  6. CHAR csBuf[ 256] = { 0};
  7. X509_NAME *pSubName = NULL;
  9. if (!m_pX509)
  10. {
  11. return CERT_ERR_INVILIDCALL;
  12. }
  13. if (!pulLen)
  14. {
  15. return CERT_ERR_INVALIDPARAM;
  16. }
  18. pSubName = X509_get_subject_name(m_pX509);
  19. if (!pSubName)
  20. {
  21. return CERT_ERR_FAILED;
  22. }
  24. ZeroMemory(csBuf, 256);
  25. iLen = X509_NAME_get_text_by_NID(pSubName, NID_countryName, csBuf, 256);
  26. if (iLen > 0)
  27. {
  28. strcat_s(csSubName, 1024, "C=");
  29. strcat_s(csSubName, 1024, csBuf);
  30. strcat_s(csSubName, 1024, ", ");
  31. }
  33. ZeroMemory(csBuf, 256);
  34. iLen = X509_NAME_get_text_by_NID(pSubName, NID_organizationName, csBuf, 256);
  35. if (iLen > 0)
  36. {
  37. strcat_s(csSubName, 1024, "O=");
  38. strcat_s(csSubName, 1024, csBuf);
  39. strcat_s(csSubName, 1024, ", ");
  40. }
  42. ZeroMemory(csBuf, 256);
  43. iLen = X509_NAME_get_text_by_NID(pSubName, NID_organizationalUnitName, csBuf, 256);
  44. if (iLen > 0)
  45. {
  46. strcat_s(csSubName, 1024, "OU=");
  47. strcat_s(csSubName, 1024, csBuf);
  48. strcat_s(csSubName, 1024, ", ");
  49. }
  51. ZeroMemory(csBuf, 256);
  52. iLen = X509_NAME_get_text_by_NID(pSubName, NID_commonName, csBuf, 256);
  53. if (iLen > 0)
  54. {
  55. strcat_s(csSubName, 1024, "CN=");
  56. strcat_s(csSubName, 1024, csBuf);
  57. }
  59. if (!lpValue)
  60. {
  61. *pulLen = strlen(csSubName) + 1;
  62. return CERT_ERR_OK;
  63. }
  64. if (*pulLen < strlen(csSubName) + 1)
  65. {
  66. return CERT_ERR_BUFFER_TOO_SMALL;
  67. }
  69. strcpy_s(lpValue, *pulLen, csSubName);
  70. *pulLen = strlen(csSubName);
  71. return CERT_ERR_OK;
  72. }

八、有效期限

      要获取证书的有效期属性,需要通过调用函数X509_get_notBefore()和X509_get_notAfter()来实现。而且这两个函数返回的时间是time_t类型,需要转化为SYSTEMTIME类型。具体实现函数如下:

  1. ULONG COpenSSLCertificate::get_ValidDate(SYSTEMTIME *ptmStart, SYSTEMTIME *ptmEnd)
  2. {
  3. int err = 0;
  4. ASN1_TIME *start = NULL;
  5. ASN1_TIME *end = NULL;
  6. time_t ttStart = { 0};
  7. time_t ttEnd = { 0};
  8. LONGLONG nLLStart = 0;
  9. LONGLONG nLLEnd = 0;
  10. FILETIME ftStart = { 0};
  11. FILETIME ftEnd = { 0};
  13. if (!m_pX509)
  14. {
  15. return CERT_ERR_INVALIDPARAM;
  16. }
  18. start = X509_get_notBefore(m_pX509);
  19. end = X509_get_notAfter(m_pX509);
  21. ttStart = ASN1_TIME_get(start, &err);
  22. ttEnd = ASN1_TIME_get(end, &err);
  23. nLLStart = Int32x32To64(ttStart, 10000000) + 116444736000000000;
  24. nLLEnd = Int32x32To64(ttEnd, 10000000) + 116444736000000000;
  26. ftStart.dwLowDateTime = (DWORD)nLLStart;
  27. ftStart.dwHighDateTime = (DWORD)(nLLStart >> 32);
  28. ftEnd.dwLowDateTime = (DWORD)nLLEnd;
  29. ftEnd.dwHighDateTime = (DWORD)(nLLEnd >> 32);
  31. FileTimeToSystemTime(&ftStart, ptmStart);
  32. FileTimeToSystemTime(&ftEnd, ptmEnd);
  34. return 0;
  35. }

      至此,X509证书的基本项通过OpenSLL均已解析完毕!如需获取证书的扩展项或者公钥等数据,请关注后续博文。


猜你喜欢

转载自blog.csdn.net/ayang1986/article/details/81025611
今日推荐
火速冲上 GitHub 热榜 —— 开源编程语言、框架哪有这么可爱?
北京人形机器人创新中心发布全球首个纯电驱拟人奔跑的全尺寸人形机器人“天工”
LFOSSA 源来如此公开课 | 掌握云原生未来:CNCF 认证全面攻略与备考秘籍
国产云输入法——仅华为无云端数据上传安全问题
开源日报 | 工业开源项目OGG 1.0;姐姐,你要和我一起配置火狐吗;苹果AI遥遥落后?Fedora 40
开放签电子签章:停止新增,优化体验,前进更进(五一假期前工作)
开源日报 | 中学生开源前端动画引擎;全球首个Llama3 8B中文版开源模型;联想电脑恐出局;Linus讽刺AI炒作
周排行
浏览器对同一域名进行请求的最大并发连接数
React Hook之自定义Hook
【转】MyBatis缓存机制
-Java-泛型
自动化测试常用脚本-发送邮件
LeetCode#859: Buddy Strings
java、Python处理字符串
第二篇の博客
Hadoop伪分布式环境安装
SQL Server进阶(十一)临时表、表变量
每日归档
更多
2024-04-27(56)
2024-04-26(39)
2024-04-25(22)
2024-04-24(36)
2024-04-23(26)
2024-04-22(39)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)
2024-04-18(0)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022