dongmeng0317 2019-09-18 22:03
浏览 430
已采纳

如何使用任意或不建议使用的扩展名对证书进行签名

For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html

I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation that I care to admit today and am still stumped. 

tmpl := &x509.Certificate{
    SerialNumber:          big.NewInt(time.Now().Unix()*1000),
    Subject:               pkix.Name{CommonName: "edgeproxy", Organization: []string{"edgeproxy"}},
    NotBefore:             now,
    NotAfter:              now.Add(caMaxAge),
    ExtraExtensions:       []pkix.Extension{
        {
            Id: asn1.ObjectIdentifier{}, //what goes here
            Critical: false,
            []byte("sslCA"),
        },
    },
    ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth,x509.ExtKeyUsageClientAuth,x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageTimeStamping, x509.ExtKeyUsageMicrosoftCommercialCodeSigning, x509.ExtKeyUsageMicrosoftServerGatedCrypto, x509.ExtKeyUsageNetscapeServerGatedCrypto} ,
    KeyUsage:              x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
    IsCA:                  true,
    BasicConstraintsValid: true,
}

In python I would do this but don't know how to port this into go (which is what I'm doing at the end of the day):

    OpenSSL.crypto.X509Extension(
        b"nsCertType",
        False,
        b"sslCA"
    ),
  • 写回答

1条回答 默认 最新

  • duanrong6802 2019-09-18 23:13
    关注

    Go sources at https://golang.org/src/encoding/asn1/asn1.go define:

    // An ObjectIdentifier represents an ASN.1 OBJECT IDENTIFIER.

type ObjectIdentifier []int

    So the object identifier (OID for short) is an array of integers. The asn1 module has methods to parse them, like parseObjectIdentifier.

    This is the structure you need to put after the Id: attribute.

    But now you need to find out the OID you want.

    While difficult to read, OpenSSL source code can show you OIDs of many things in the X.400/X.500/X.509 worlds, or at least those known by OpenSSL.

    If you go to https://github.com/openssl/openssl/blob/1aec7716c1c5fccf605a46252a46ea468e684454/crypto/objects/obj_dat.h

    and searching on nsCertType you get:

    {"nsCertType", "Netscape Cert Type", NID_netscape_cert_type, 9, &so[407]},

    so is defined previously, and if you jump at its 407th item you see:

        0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,  /* [  407] OBJ_netscape_cert_type */

    and doing a final search on OBJ_netscape_cert_type in same file gives:

      71,    /* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */

    which means the corresponding OID is 2.16.840.1.113730.1.1

    Or you can decode the above list of integers that describe this OID (see How does ASN.1 encode an object identifier? for details).

    • first 0x60 is 9610 so 2*40 + 16, which means the OID starts with 2.16.
    • then each other one is in "base128" form: if most significant bit is 1 combine the 7 least significant bits together of all following numbers until one has 0 as most significant bit
    • 0x86 is 100001102 so has to go with 0x48 aka 010010002 so it is in fact 000011010010002 or 84010
    • 0x01 is less than 128 so it is itself, 1
    • 0x86 is still 100001102 but has to be paired with both 0xF8 (111110002) and 0x42 (010000102 and we stop here since first bit is 0) so 0000110111100010000102 altogether or 11373010
    • and the two last 0x01 are themselves, 1.

    so we do get again 2.16.840.1.113730.1.1

    You can double check it at some online OID browser like here: http://oid-info.com/cgi-bin/display?oid=2.16.840.1.113730.1.1&action=display that gives the following description for it:

    Netscape certificate type (a Rec. ITU-T X.509 v3 certificate extension used to identify whether the certificate subject is a Secure Sockets Layer (SSL) client, an SSL server or a Certificate Authority (CA))

    You can then even browse various arcs, like the netscape one, or others, to find out other OIDs.

    You also get the full ASN.1 notation:

    {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) cert-ext(1) cert-type(1)}
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 C#算法问题, 不知道怎么处理这个数据的转换
  • ¥15 YoloV5 第三方库的版本对照问题
  • ¥15 请完成下列相关问题!
  • ¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像,如何解决?
  • ¥15 求daily translation(DT)偏差订正方法的代码
  • ¥15 js调用html页面需要隐藏某个按钮
  • ¥15 ads仿真结果在圆图上是怎么读数的
  • ¥20 Cotex M3的调试和程序执行方式是什么样的?
  • ¥20 java项目连接sqlserver时报ssl相关错误
  • ¥15 一道python难题3