What are bag attributes and how can I generate them?


Question

While converting some certificates from a keystore to OpenSSL/PEM, I noticed for the first time that there are "Bag Attributes" prepended to the certs.

It looks like this:

Bag Attributes
    friendlyName: CN=PositiveSSL CA,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
subject=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
issuer=/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

Do they serve any purpose?

I noticed that I like them because they make my chain files (a concatenation of certificates) clearer. Sadly, the CA certs I download don't have them.

So how can I generate them?

Answer

To be exact, you apparently mean converting (or just reading) a PKCS#12 file with the openssl pkcs12 (import) utility, which Java can support as a keystore but which was not the default (update) until Java 9 in 2017. PKCS#12 was designed for, and normally is used for, a private key and the cert(s) (usually multiple) for that key, although the format is flexible enough to allow lone cert(s). The OpenSSL command-line pkcs12 -export requires a private key, although it will add "extra" certs, and a program calling the API can apparently do without a private key. In my experience, Java didn't support lone cert(s) in PKCS#12 before version 8, and in my 8 and 9 it has two attributes: pkcs9.friendlyName and 2.16.840.1.113894.746875.1.1, which is apparently an Oracle-defined trustedKeyUsage. Most lone certs are not stored, or downloaded, as PKCS#12.

PKCS#12 is defined in terms of several (slightly different) "bag" structures that contain various things, primarily private keys and certs, with optional attributes attached that are unsurprisingly called "bag attributes"; your case (apparently) has only cert(s). These attributes follow the now-conventional structure of an arbitrary number of pairs of OID plus value (the value depending on the OID). Note that in your display only friendlyName is a bag attribute, indicated by its indentation under the heading.

The subject= and issuer= lines are fields from the cert itself which the openssl pkcs12 (import) utility extracts and prints for convenience. If that is sufficient, you can display them for any cert with the x509 utility; in particular, if you want to have them before the PEM-encoded cert "blob" the way pkcs12 output does, use openssl x509 -in infile -subject -issuer -out outfile. This does one cert, so if you have a chain in a PEM file you need to split it apart, do each cert separately, and possibly combine them again afterwards; for example, something like:

# split into files cert_1, cert_2, etc.
$ awk <chain.pem -va="openssl x509 -subject -issuer >cert_" \
  '/^-----BEGIN/{b=a (++n);x=1}x{print|b}/^-----END/{close(b);x=0}'

# output entire "bag" to stdout (with blank lines between certs)
$ awk <chain.pem -va="openssl x509 -subject -issuer" \
  '/^-----BEGIN/{b=a;x=1}x{print|b}/^-----END/{close(b);x=0;print""}'

As a comparison, openssl s_client -showcerts does something very similar: it outputs the subject and issuer with each cert blob from the received chain, labelling them with a level number, "s:" and "i:".
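The split-annotate-recombine step above, written out as an added example (not code from the original answer) that also uses the extracted subject/issuer pairs to check that the chain file is in leaf-to-root order; it assumes bash, awk and an openssl binary on PATH, and the function name annotate_chain is my own.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer. Splits a PEM chain file into its
# certificates, prepends the subject=/issuer= lines the way "openssl pkcs12" and
# "openssl x509 -subject -issuer" do, and checks that each cert's issuer equals
# the subject of the cert that follows it (a mis-ordered chain file is a common
# cause of TLS handshake failures).
set -euo pipefail
shopt -s nullglob

# annotate_chain CHAINFILE OUTFILE
# Writes the annotated chain to OUTFILE. Returns 0 when the chain is in
# leaf-to-root order, 1 when some issuer does not match the next subject.
annotate_chain() {
  local chain="$1" out="$2" tmp cert subject issuer prev_issuer="" n=0 rc=0
  tmp=$(mktemp -d)
  : >"$out"
  # Split on the BEGIN/END markers into tmp/cert_001, tmp/cert_002, ...
  # (zero-padded so the shell glob below keeps the file order).
  awk -v dir="$tmp" '
    /^-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert_%03d", dir, ++n) }
    f { print > f }
    /^-----END CERTIFICATE-----/   { close(f); f = "" }' "$chain"
  for cert in "$tmp"/cert_*; do
    n=$((n + 1))
    # RFC 2253 formatting gives a canonical DN string, so two DNs can be compared as text.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
      echo "warning: cert $((n - 1)) is issued by '$prev_issuer' but cert $n is '$subject'" >&2
      rc=1
    fi
    # Same layout as pkcs12 output: subject=, issuer=, PEM blob, blank separator line.
    { printf 'subject=%s\nissuer=%s\n' "$subject" "$issuer"; cat "$cert"; echo; } >>"$out"
    prev_issuer=$issuer
  done
  rm -rf "$tmp"
  return "$rc"
}
```

Run it as `annotate_chain chain.pem annotated.pem`; a non-zero exit means the certificates in chain.pem are not in the order a TLS server should send them.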
