openssl的X509-V3证书结构

1270阅读 0评论2022-04-06 hiyachen
分类:云计算

x509 v3证书结构
version number  //版本号
serial number     //序列号
signature algorithm ID   //签名算法id
issuer name         //发行者名称
validity period       //有效时间
    not before      //xx时间之前
    not after      //xx时间之后
subject name        //证书所属者名称
subject public key info   //公钥信息
    public key algorithm   //公钥算法
    subject public key    //公钥
issuer unique identifier(可选)  //发布者唯一标识符
subject unique identifier(可选)  //所属着唯一标识符
extensions(可选)       //扩展信息
...

certificate signature algorithm //证书签名算法
certificate signature    //证书签名
CERL extension扩展

x509证书处理流程(基础流程)
1.检查基本的证书信息,包含以下内容
  a.使用working_public_key_algorithm 和working_public_key、working_public_key_parameters检查在证书中的签名
  b.检查证书的有效时间
  c.证书是否被吊销
  d.证书的颁布者是否正在使用
2.如果证书是自颁布的并且不是路径中的最后一个证书,跳过这一步。否则,检查证书所属者的名字,判断是否在x500的允许的permitted_subtrees中;同时,检查在subjectAltName扩展中的每一个备选名称(alternative names).
3.同上,检查的是subject name(证书所有者的名称)
4.证书存在策略拓展(policies extension) 并且valid_policy_tree不为空,用以下的步骤来处理策略(policy)信息
  a.对于每一个不在证书拓展(certificate policies extension)中的策略(policy)P,使用P-OID表示p的policy同时用P-Q表示对于P的policy集合,之后经过下面几个步骤的处理
    a1.对于每一个P-OID在valid_policy_tree深度为i-1的expected_policy_set集合,使用这样的方式创建树的子节点:设置P-OID的valid_policy,设置P-Q的qualifier_set同时设置{P-OID}的expected_policy_set集合
    a2.如果a1中没有匹配的,并且valid_policy_tree包含了深度为i-1的anypolicy节点(兼容所有的),生成满足以下条件的节点:设置P-OID的valid_policy,设置P-Q的qualifier_set,并且设置{P-OID}的expected_policy_set集合
5.如果证书的policy拓展不存在,将valid_policy_tree置为空
6.检查explicit_policy是否大于0或者valid_policy_tree是否为空

证书样例:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3409819322 (0xcb3db6ba)
    Signature Algorithm: sm2sign-with-sm3
        Issuer: C=cn, ST=bj, L=bj, O=tsinghua, OU=general, CN=hubert/emailAddress=chf@tsinghua.org.cn
        Validity
            Not Before: Apr  2 07:47:56 2022 GMT
            Not After : Apr  2 07:47:56 2023 GMT
        Subject: C=cn, ST=bj, O=tsinghua, OU=general, CN=hubert/emailAddress=chf@tsinghua.org.cn
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f2:7e:86:67:89:b2:52:70:d0:07:f8:07:3c:b7:
                    33:50:34:cb:2a:e0:66:b6:11:b3:56:3b:40:72:ee:
                    a5:5b:1b:95:aa:d5:97:25:57:25:53:3e:61:2b:8c:
                    a7:28:d3:60:0d:d7:c8:01:3a:af:28:32:fd:a4:b7:
                    3d:ed:ab:aa:4a
                ASN1 OID: sm2p256v1
                NIST CURVE: SM2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Key Encipherment
            Netscape Comment:
                GmSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0A:50:52:06:A9:1B:09:D5:0E:18:74:DC:5D:47:D6:72:6D:8C:43:DE
            X509v3 Authority Key Identifier:
                keyid:55:CA:9E:61:61:81:72:7F:26:7A:85:95:9A:1D:C5:8B:B3:C7:B8:6A

    Signature Algorithm: sm2sign-with-sm3
         30:44:02:20:4c:7b:c8:e2:ab:e5:4d:86:09:f8:af:de:ba:82:
         d8:dc:b9:9e:37:7d:d4:b5:de:d6:72:27:04:d2:2f:39:87:1b:
         02:20:77:82:33:0b:b3:67:a9:a6:34:31:3d:d8:c8:3d:75:13:
         21:ae:6d:56:2d:77:ce:23:bc:b2:00:83:e7:2a:36:db
-----BEGIN CERTIFICATE-----
MIICgjCCAimgAwIBAgIFAMs9trowCgYIKoEcz1UBg3UwgYoxCzAJBgNVBAYTAmNu
MQswCQYDVQQIDAJiajELMAkGA1UEBwwCYmoxETAPBgNVBAoMCGxvb25nc29uMRAw
DgYDVQQLDAdnZW5lcmFsMRQwEgYDVQQDDAtjaGVuaGFpZmVuZzEmMCQGCSqGSIb3
DQEJARYXY2hlbmhhaWZlbmdAbG9vbmdzb24uY24wHhcNMjIwNDAyMDc0NzU2WhcN
MjMwNDAyMDc0NzU2WjB9MQswCQYDVQQGEwJjbjELMAkGA1UECAwCYmoxETAPBgNV
BAoMCGxvb25nc29uMRAwDgYDVQQLDAdnZW5lcmFsMRQwEgYDVQQDDAtjaGVuaGFp
ZmVuZzEmMCQGCSqGSIb3DQEJARYXY2hlbmhhaWZlbmdAbG9vbmdzb24uY24wWTAT
BgcqhkjOPQIBBggqgRzPVQGCLQNCAATyfoZnibJScNAH+Ac8tzNQNMsq4Ga2EbNW
O0By7qVbG5Wq1ZclVyVTPmErjKco02AN18gBOq8oMv2ktz3tq6pKo4GHMIGEMAkG
A1UdEwQCMAAwCwYDVR0PBAQDAgUgMCoGCWCGSAGG+EIBDQQdFhtHbVNTTCBHZW5l
cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFApQUgapGwnVDhh03F1H1nJtjEPe
MB8GA1UdIwQYMBaAFFXKnmFhgXJ/JnqFlZodxYuzx7hqMAoGCCqBHM9VAYN1A0cA
MEQCIEx7yOKr5U2GCfiv3rqC2Ny5njd91LXe1nInBNIvOYcbAiB3gjMLs2eppjQx
PdjIPXUTIa5tVi13ziO8sgCD5yo22w==
-----END CERTIFICATE-----
上一篇:SRS-开源流媒体服务器及在云平台中的部署
下一篇:SSL/TLS中DH-DHE-ECDHE介绍