Where is the trust chain? [python] asn1crypto and pkcs11 Aladdin USB eToken


Problem description

I have this code working fine. I am signing with a USB eToken. But after copying and pasting the PEM output of this code into https://lapo.it/asn1js/ the trust chain is not shown. This eToken was provided by a CA and thus it has a trust chain of the signature. What's wrong?

import datetime

import pkcs11
from pkcs11 import Mechanism
from pkcs11.exceptions import TokenNotPresent
from pkcs11.util.rsa import encode_rsa_public_key
from asn1crypto import pem
from asn1crypto.keys import RSAPublicKey
from asn1crypto.x509 import Certificate, Name, TbsCertificate, Time

# SafeNet/Aladdin eToken PKCS#11 module
lib = pkcs11.lib('/usr/lib/libeToken.so.9')

for slot in lib.get_slots():
    try:
        token = slot.get_token()
        with token.open(user_pin='****') as session:
            # Key pair held on the token; the private key never leaves it
            priv = session.get_key(object_class=pkcs11.constants.ObjectClass.PRIVATE_KEY)
            pub = session.get_key(object_class=pkcs11.constants.ObjectClass.PUBLIC_KEY)

            tbs = TbsCertificate({
                'version': 'v1',
                'serial_number': 1,
                'issuer': Name.build({
                    'common_name': 'Test Certificate',
                }),
                'subject': Name.build({
                    'common_name': 'Test Certificate',
                }),
                'signature': {
                    'algorithm': 'sha256_rsa',
                    'parameters': None,
                },
                'validity': {
                    'not_before': Time({
                        'utc_time': datetime.datetime(2017, 1, 1, 0, 0),
                    }),
                    'not_after': Time({
                        'utc_time': datetime.datetime(2038, 12, 31, 23, 59),
                    }),
                },
                'subject_public_key_info': {
                    'algorithm': {
                        'algorithm': 'rsa',
                        'parameters': None,
                    },
                    # Export the token's public key as an asn1crypto RSAPublicKey
                    'public_key': RSAPublicKey.load(encode_rsa_public_key(pub)),
                }
            })

            # Sign the DER-encoded TBS certificate on the token;
            # the mechanism does SHA-256 hashing and PKCS#1 v1.5 padding
            value = priv.sign(tbs.dump(),
                              mechanism=Mechanism.SHA256_RSA_PKCS)

            cert = Certificate({
                'tbs_certificate': tbs,
                'signature_algorithm': {
                    'algorithm': 'sha256_rsa',
                    'parameters': None,
                },
                'signature_value': value,
            })
            print(pem.armor('CERTIFICATE', cert.dump()).decode())
    except TokenNotPresent:
        # Empty slot: skip it
        pass


Recommended answer

You have constructed and signed one individual X.509 certificate and then output it in PEM format. A chain of trust is multiple certificates, commonly provided as a list of PEM-encoded certificates starting from the leaf.

Thus you need to output the signing certificate as well. In X.509 there are two pieces of information: your public certificate (including public key) signed by the issuer and the private key you have used on your token.

PKCS#11 devices can store X.509 certificates so there's a good chance the signed X.509 object for this certificate is on your token and you can retrieve it with Session.get_objects.

from asn1crypto import pem
from pkcs11 import Attribute, ObjectClass

# `session` is an open pkcs11 Session, as in the question's
# `with token.open(user_pin=...) as session:` block
# Retrieve first certificate object from the HSM
cert = next(session.get_objects({Attribute.CLASS: ObjectClass.CERTIFICATE}))
# Retrieve the DER-encoded value of the certificate
der_bytes = cert[Attribute.VALUE]
# Convert to PEM encoding
pem_bytes = pem.armor('CERTIFICATE', der_bytes)

This example is from the docs' "Exporting certificates" section.

If you have multiple certificates on your token you can include additional search parameters including the certificate type, issuer, etc. The docs contain more information on the parameters for certificate objects. The PKCS#11 spec contains further information still.

Alternatively, if you have the X.509 certificate in some other form you can simply append it. It does not need to be stored in the HSM.
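The answer's point is that a chain is a leaf-first list of PEM certificates, and that a token may hold several CERTIFICATE objects whose order from get_objects is arbitrary. The following is an added example, not code from the original answer or from the python-pkcs11 project: it takes an unordered set of DER certificates (in real use, the cert[Attribute.VALUE] bytes of every CERTIFICATE object on the token), orders them leaf first by matching each certificate's issuer to the next one's subject, and emits the PEM bundle. It uses only the standard library, with a minimal DER walker standing in for asn1crypto, so it runs offline without a token. The three certificates, their names (Test Certificate, Example Issuing CA, Example Root CA) and their dummy keys and signatures are constructed placeholders for the demonstration.

```python
"""Order DER certificates into a leaf-first PEM chain (stdlib only).

Added example: a minimal DER walker stands in for asn1crypto so this runs
without a token. In real use `certs` would be the cert[Attribute.VALUE]
bytes of every CERTIFICATE object returned by session.get_objects().
"""
import base64


def der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a constructed TLV into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out


def cert_names(der):
    """Return (issuer, subject) as the raw DER Name contents of an X.509 cert."""
    tag, cert_body, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError('not a DER SEQUENCE')
    fields = der_children(der_children(cert_body)[0][1])   # tbsCertificate
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[2][1], fields[4][1]


def pem_armor(der):
    """Same output shape as asn1crypto's pem.armor('CERTIFICATE', der)."""
    b64 = base64.b64encode(der).decode('ascii')
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n'


def order_chain(certs, leaf):
    """Leaf first, then each issuer in turn, matched by byte-exact
    issuer == subject; stops at a self-signed cert or a missing issuer."""
    by_subject = {cert_names(c)[1]: c for c in certs}
    chain, seen = [leaf], {leaf}
    while True:
        issuer, subject = cert_names(chain[-1])
        nxt = by_subject.get(issuer)
        if issuer == subject or nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def build_pem_chain(certs, leaf):
    """PEM bundle in the leaf-first order the answer describes."""
    return ''.join(pem_armor(c) for c in order_chain(certs, leaf))


# --- constructed placeholder certificates (dummy key and signature, demo only) ---
def der(tag, contents):
    """Minimal DER encoder for building the placeholders."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }"""
    atv = der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


SHA256_RSA = der(0x30, der(0x06, bytes.fromhex('2A864886F70D01010B')) + der(0x05, b''))
RSA_ALG = der(0x30, der(0x06, bytes.fromhex('2A864886F70D010101')) + der(0x05, b''))


def fake_cert(subject_cn, issuer_cn):
    """Structurally valid X.509 v3 framing; key and signature bits are zeros."""
    validity = der(0x30, der(0x17, b'170101000000Z') + der(0x17, b'381231235900Z'))
    spki = der(0x30, RSA_ALG + der(0x03, b'\x00' * 9))
    tbs = der(0x30, der(0xA0, der(0x02, b'\x02')) + der(0x02, b'\x01') + SHA256_RSA
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + SHA256_RSA + der(0x03, b'\x00' * 17))


LEAF = fake_cert('Test Certificate', 'Example Issuing CA')
INTERMEDIATE = fake_cert('Example Issuing CA', 'Example Root CA')
ROOT = fake_cert('Example Root CA', 'Example Root CA')

if __name__ == '__main__':
    # Token order is arbitrary; the chain comes out leaf -> intermediate -> root
    print(build_pem_chain([ROOT, LEAF, INTERMEDIATE], LEAF))
```

Two caveats on the design: names are matched by comparing their DER encoding byte for byte, which is what you get when the CA encoded all of its certificates consistently, whereas RFC 5280 allows a more lenient comparison, so a chain that fails to link here should be re-checked with a full X.509 library before being called broken; and ordering by name proves nothing about the signatures, so the assembled bundle still needs signature verification against a trust store before it is relied on.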
