CSR 签名如何工作? [英] How does CSR signing work?
问题描述
我正在尝试签署 CSR 文件中的 PEM 格式,使用 OpenSSL API.
I'm trying to sign a CSR file in PEM format using OpenSSL API.
我无法使用 X509_sign() 方法,因为我需要使用第三方 API 对请求进行签名.这个 API 要求我的应用程序发送需要签名的数据,它会返回一个签名.
I can't use X509_sign() method because I need to sign the request using a third party API. This API requires my application to send the data that needs signing and it will return me a signature.
我需要向它发送 char* 以签名到 3rd 方 API,但我不明白签名过程是如何工作的:
I need to send it the char* to sign to the 3rd party API, but I don't understand how the signing process works:
我是否需要仅使用来自 CSR 的数据(例如主题、公钥的指数和模数)来构建此
char*:
Char* = "DN=test,O=something...123456(这是指数)a2:43:65(这是模数)...
或者我是否需要使用在 OpenSSL 中使用 -text 命令时出现的所有元素构建我的缓冲区:
Or do I need to build my buffer with all the elements that appear when I use the -text command in OpenSSL:
证书:数据:主题: dn=test, O=something公钥信息:指数:123456模数:A2:43:65....
总结:CA 在执行 X509 证书签名时实际使用请求的哪些元素,以及应以何种格式呈现这些数据?
To summarize: What elements of the request does a CA actually use when performing signature of an X509 certificate, and in what format should this data be presented?
推荐答案
你的标题和正文不一致;openssl X509_sign() 签署证书,而不是CSR.CSR 不是证书,证书也不是 CSR,颁发证书并不是许多不知情或懒惰的人所说的签署 CSR".(正常)CSR 实际上是由请求者签名的,而不是 CA.openssl 使用 X509_REQ 类型作为 CSR,X509_REQ_sign 签署 CSR.
Your title and body don't agree; openssl X509_sign() signs a certificate, not a CSR. A CSR is not a cert, a cert is not a CSR, and issuing a cert is NOT 'signing a CSR' as many uninformed or lazy people say. (Normal) CSRs are actually signed by the requester, NOT the CA. openssl uses type X509_REQ for a CSR and X509_REQ_sign signs a CSR.
但答案基本相同.X.509 证书或 PKCS#10 CSR 是由三件事组成的序列:包含要签名的数据的主体、AlgorithmIdentifier 和签名(作为 BITSTRING).这些是使用 http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One 定义的,并使用编码特异编码规则或 DER.您输入或看到的由 openssl req -text 或 openssl x509 -text 或其他程序显示的文本形式表示相同的数据,但通常不足以重现确切的位,并且您必须拥有数字签名才能工作的确切位.(这就是 DER 中杰出"的意思;它通过指定用于某些其他不明确情况的确切八位字节和位来修改基本编码规则或 BER.)对于 CSR,请参阅我在 https://security.stackexchange.com/questions/58717/what-part-of-the-csr-is-hashed-in-order-to-create-its-signature/58735 ;对于 cert,'wrapper' 是相同的,但主体明显不同,并且包含的内容远多于 DN 和 publickey.
But the answer is basically the same. Either an X.509 cert or a PKCS#10 CSR is a SEQUENCE of three things: a body containing the data to be signed, an AlgorithmIdentifier, and the signature (as a BITSTRING). These are defined using http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One and encoded using Distinguished Encoding Rules or DER. The text form you enter or see displayed by openssl req -text or openssl x509 -text or other programs represents the same data but is in general not sufficient to reproduce the exact bits, and you must have the exact bits for digital signature to work. (That's what 'Distinguished' in DER means; it modifies Basic Encoding Rules or BER by specifying the exact octets and bits to use for certain otherwise ambiguous cases.) For CSR see my answer in https://security.stackexchange.com/questions/58717/what-part-of-the-csr-is-hashed-in-order-to-create-its-signature/58735 ; for cert the 'wrapper' is the same but the body is significantly different, and contains quite a bit more than DN and publickey.
TL;DR 对于 X509* cert,您签署 cert->cert_info 的 DER 编码,其类型为 X509_CINF 并且可以使用 i2d_X509_CINF() 进行编码.对于 X509_REQ* csr,您使用 i2d_X509_REQ_INFO() 对 csr->req_info 类型为 X509_REQ_INFO 的 DER 编码进行签名>.
TL;DR For X509* cert you sign the DER-encoding of cert->cert_info, which has type X509_CINF and can be encoded using i2d_X509_CINF(). For X509_REQ* csr you sign the DER-encoding of csr->req_info with type X509_REQ_INFO using i2d_X509_REQ_INFO().
替代方案:openssl 具有引擎 的概念,它是一个处理一些加密操作的外部库和/或硬件单元.如果您的第三方 API 是或可以包装"为 openssl 引擎,您可以通过配置和指定该引擎来使用(几乎所有)普通的 openssl 例程.如果该引擎尚不存在,那么仅为您的项目使用它可能会造成太多工作,但如果您预见到其他(未来)用途,则可能值得.
Alternative: openssl has the concept of engine, which is an external library and/or hardware unit that handles some cryptographic operations. If your third-party API is or can be 'wrapped' as an openssl engine, you can use (nearly all) normal openssl routines by configuring and specifying that engine. If that engine doesn't already exist, doing it solely for your project is likely too much work, but if you foresee other (future) uses it might be worth it.
这篇关于CSR 签名如何工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
