dongmeng0317
dongmeng0317
2019-09-18 22:03

如何使用任意或不建议使用的扩展名对证书进行签名

已采纳

For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html

I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation that I care to admit today and am still stumped.

tmpl := &x509.Certificate{
    SerialNumber:          big.NewInt(time.Now().Unix()*1000),
    Subject:               pkix.Name{CommonName: "edgeproxy", Organization: []string{"edgeproxy"}},
    NotBefore:             now,
    NotAfter:              now.Add(caMaxAge),
    ExtraExtensions:       []pkix.Extension{
        {
            Id: asn1.ObjectIdentifier{}, //what goes here
            Critical: false,
            []byte("sslCA"),
        },
    },
    ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth,x509.ExtKeyUsageClientAuth,x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageTimeStamping, x509.ExtKeyUsageMicrosoftCommercialCodeSigning, x509.ExtKeyUsageMicrosoftServerGatedCrypto, x509.ExtKeyUsageNetscapeServerGatedCrypto} ,
    KeyUsage:              x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
    IsCA:                  true,
    BasicConstraintsValid: true,
}

In python I would do this but don't know how to port this into go (which is what I'm doing at the end of the day):

    OpenSSL.crypto.X509Extension(
        b"nsCertType",
        False,
        b"sslCA"
    ), 
  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答

1条回答

  • duanrong6802 duanrong6802 2年前

    Go sources at https://golang.org/src/encoding/asn1/asn1.go define:

    // An ObjectIdentifier represents an ASN.1 OBJECT IDENTIFIER.
    
    type ObjectIdentifier []int
    

    So the object identifier (OID for short) is an array of integers. The asn1 module has methods to parse them, like parseObjectIdentifier.

    This is the structure you need to put after the Id: attribute.

    But now you need to find out the OID you want.

    While difficult to read, OpenSSL source code can show you OIDs of many things in the X.400/X.500/X.509 worlds, or at least those known by OpenSSL.

    If you go to https://github.com/openssl/openssl/blob/1aec7716c1c5fccf605a46252a46ea468e684454/crypto/objects/obj_dat.h

    and searching on nsCertType you get:

    {"nsCertType", "Netscape Cert Type", NID_netscape_cert_type, 9, &so[407]},
    

    so is defined previously, and if you jump at its 407th item you see:

        0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,  /* [  407] OBJ_netscape_cert_type */
    

    and doing a final search on OBJ_netscape_cert_type in same file gives:

      71,    /* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
    

    which means the corresponding OID is 2.16.840.1.113730.1.1

    Or you can decode the above list of integers that describe this OID (see How does ASN.1 encode an object identifier? for details).

    • first 0x60 is 9610 so 2*40 + 16, which means the OID starts with 2.16.
    • then each other one is in "base128" form: if most significant bit is 1 combine the 7 least significant bits together of all following numbers until one has 0 as most significant bit
    • 0x86 is 100001102 so has to go with 0x48 aka 010010002 so it is in fact 000011010010002 or 84010
    • 0x01 is less than 128 so it is itself, 1
    • 0x86 is still 100001102 but has to be paired with both 0xF8 (111110002) and 0x42 (010000102 and we stop here since first bit is 0) so 0000110111100010000102 altogether or 11373010
    • and the two last 0x01 are themselves, 1.

    so we do get again 2.16.840.1.113730.1.1

    You can double check it at some online OID browser like here: http://oid-info.com/cgi-bin/display?oid=2.16.840.1.113730.1.1&action=display that gives the following description for it:

    Netscape certificate type (a Rec. ITU-T X.509 v3 certificate extension used to identify whether the certificate subject is a Secure Sockets Layer (SSL) client, an SSL server or a Certificate Authority (CA))

    You can then even browse various arcs, like the netscape one, or others, to find out other OIDs.

    You also get the full ASN.1 notation:

    {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) cert-ext(1) cert-type(1)}
    
    点赞 评论 复制链接分享

相关推荐