phpseclib $X509->setDomain on CSR?


Problem description

Is it possible to set x509 v3 extended attribute for subjectAltName on a CSR?

I am able to successfully generate a CSR, and then pass that to a CA to sign.

The CA is able to call functions like X509->setDomain("bob.com","*.bob.com","asdf.org"); and they appear in the final cert without issue (note: I am doing the sign, reload, set extensions, resign workaround for phpseclib).

The CSR process calling the same functions $X509->setExtension("id-ce-subjectAltName",array("names","here") ) or $X509->setDomain("domain1","domain2"); does not appear to set some X509 extended attributes in the CSR itself (openssl can), I have only been able to add SAN by the CA after re-import before the second signing.

Thanks!

I created an example CSR (sign, reload, x509v3 extensions, resign workaround) and it seems possible to set SOME extended attributes (CA: false, key usage, etc.) but NOT the subjectAltName info:

Recommended answer

OK, I think I found a "feature" in phpseclib's X509 signing function:

function sign($issuer, $subject, $signatureAlgorithm = 'sha1WithRSAEncryption')

If you sign the CSR, the code in the sign function claims to copy the X509 v3 extended attributes, however by the time it executes this line:

$csrexts = $subject->getAttribute('pkcs-9-at-extensionRequest', 0);

The result is always blank (an empty array), the attributes in $THIS (new) cert were overwritten somewhere in the previous ~30 lines of code.

I moved the csrexts line to the top of the Sign function, and attributes are now being copied correctly into generated certificates with X509 extended attributes in the CSR (that had to be manually calculated and set by my previous answer)

I will use sourceforge to try and post a bug request to save others the struggle hopefully.
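
To check whether a signer actually carried the subjectAltName requested in a CSR into the issued certificate (the symptom described above), this added example compares the two with the openssl CLI. It is not part of the original post and does not use phpseclib; the file names and the demo config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare SANs requested in a CSR with SANs in the issued cert.
# File names and the demo names below are constructed for illustration.

# Print the DNS SAN entries of a CSR ("req") or certificate ("x509"), one per line.
san_list() {  # usage: san_list req|x509 FILE
  openssl "$1" -in "$2" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n +2 |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | LC_ALL=C sort
}

# Succeed only if the CSR requested at least one SAN and the cert has exactly that set.
san_matches() {  # usage: san_matches CSR CERT
  local want got
  want=$(san_list req "$1"); got=$(san_list x509 "$2")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Build a throwaway key, a CSR with three SANs, and two self-signed certs:
# one signed without extensions (SAN dropped) and one signed with them.
make_demo() {  # usage: make_demo DIR
  local d=$1
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = bob.com
[v3_req]
subjectAltName = DNS:bob.com, DNS:*.bob.com, DNS:asdf.org
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
    -config "$d/req.cnf" -out "$d/csr.pem" 2>/dev/null
  openssl x509 -req -in "$d/csr.pem" -signkey "$d/key.pem" -days 1 \
    -out "$d/dropped.pem" 2>/dev/null
  openssl x509 -req -in "$d/csr.pem" -signkey "$d/key.pem" -days 1 \
    -extfile "$d/req.cnf" -extensions v3_req -out "$d/copied.pem" 2>/dev/null
}
```

Run `make_demo "$(mktemp -d)"` and then `san_matches csr.pem cert.pem` against the generated files; a non-zero exit means the issued certificate does not carry the SAN set the CSR asked for.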
