dongmeng0317 2019-09-18 22:03
浏览 430
已采纳

如何使用任意或不建议使用的扩展名对证书进行签名

For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html

I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation that I care to admit today and am still stumped. 

tmpl := &x509.Certificate{
    SerialNumber:          big.NewInt(time.Now().Unix()*1000),
    Subject:               pkix.Name{CommonName: "edgeproxy", Organization: []string{"edgeproxy"}},
    NotBefore:             now,
    NotAfter:              now.Add(caMaxAge),
    ExtraExtensions:       []pkix.Extension{
        {
            Id: asn1.ObjectIdentifier{}, //what goes here
            Critical: false,
            []byte("sslCA"),
        },
    },
    ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth,x509.ExtKeyUsageClientAuth,x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageTimeStamping, x509.ExtKeyUsageMicrosoftCommercialCodeSigning, x509.ExtKeyUsageMicrosoftServerGatedCrypto, x509.ExtKeyUsageNetscapeServerGatedCrypto} ,
    KeyUsage:              x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
    IsCA:                  true,
    BasicConstraintsValid: true,
}

In python I would do this but don't know how to port this into go (which is what I'm doing at the end of the day):

    OpenSSL.crypto.X509Extension(
        b"nsCertType",
        False,
        b"sslCA"
    ),
  • 写回答

1条回答 默认 最新

  • duanrong6802 2019-09-18 23:13
    关注

    Go sources at https://golang.org/src/encoding/asn1/asn1.go define:

    // An ObjectIdentifier represents an ASN.1 OBJECT IDENTIFIER.

type ObjectIdentifier []int

    So the object identifier (OID for short) is an array of integers. The asn1 module has methods to parse them, like parseObjectIdentifier.

    This is the structure you need to put after the Id: attribute.

    But now you need to find out the OID you want.

    While difficult to read, OpenSSL source code can show you OIDs of many things in the X.400/X.500/X.509 worlds, or at least those known by OpenSSL.

    If you go to https://github.com/openssl/openssl/blob/1aec7716c1c5fccf605a46252a46ea468e684454/crypto/objects/obj_dat.h

    and searching on nsCertType you get:

    {"nsCertType", "Netscape Cert Type", NID_netscape_cert_type, 9, &so[407]},

    so is defined previously, and if you jump at its 407th item you see:

        0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,  /* [  407] OBJ_netscape_cert_type */

    and doing a final search on OBJ_netscape_cert_type in same file gives:

      71,    /* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */

    which means the corresponding OID is 2.16.840.1.113730.1.1

    Or you can decode the above list of integers that describe this OID (see How does ASN.1 encode an object identifier? for details).

    • first 0x60 is 9610 so 2*40 + 16, which means the OID starts with 2.16.
    • then each other one is in "base128" form: if most significant bit is 1 combine the 7 least significant bits together of all following numbers until one has 0 as most significant bit
    • 0x86 is 100001102 so has to go with 0x48 aka 010010002 so it is in fact 000011010010002 or 84010
    • 0x01 is less than 128 so it is itself, 1
    • 0x86 is still 100001102 but has to be paired with both 0xF8 (111110002) and 0x42 (010000102 and we stop here since first bit is 0) so 0000110111100010000102 altogether or 11373010
    • and the two last 0x01 are themselves, 1.

    so we do get again 2.16.840.1.113730.1.1

    You can double check it at some online OID browser like here: http://oid-info.com/cgi-bin/display?oid=2.16.840.1.113730.1.1&action=display that gives the following description for it:

    Netscape certificate type (a Rec. ITU-T X.509 v3 certificate extension used to identify whether the certificate subject is a Secure Sockets Layer (SSL) client, an SSL server or a Certificate Authority (CA))

    You can then even browse various arcs, like the netscape one, or others, to find out other OIDs.

    You also get the full ASN.1 notation:

    {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) cert-ext(1) cert-type(1)}
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 删除虚拟显示器驱动 删除所有 Xorg 配置文件 删除显示器缓存文件 重启系统 可是依旧无法退出虚拟显示器
  • ¥15 vscode程序一直报同样的错,如何解决?
  • ¥15 关于使用unity中遇到的问题
  • ¥15 开放世界如何写线性关卡的用例(类似原神)
  • ¥15 关于并联谐振电磁感应加热
  • ¥60 请查询全国几个煤炭大省近十年的煤炭铁路及公路的货物周转量
  • ¥15 请帮我看看我这道c语言题到底漏了哪种情况吧!
  • ¥66 如何制作支付宝扫码跳转到发红包界面
  • ¥15 pnpm 下载element-plus
  • ¥15 解决编写PyDracula时遇到的问题