证书/CRL目录的哈希算法 [英] Hash algorithm for certificate / CRL directory

问题描述

OpenSSL能够为CA证书和CRL使用特定的目录结构.如果您将目录名称作为第三个参数传递给 SSL_CTX_load_verify_locations (如此问题中所述)，它将在此目录中查找CA证书，以便验证客户端证书.它通过获取客户端证书颁发者的哈希值并附加一个整数(例如，整数)来找到正确的CA证书. 34bb8598.0.通常，这些名称是指向实际文件的符号链接，并且使用

OpenSSL is able to use a specific directory structure for CA certificates and CRLs. If you pass a directory name as the third argument to SSL_CTX_load_verify_locations (as described in this question), it will look for CA certificates in this directory in order to verify client certificates. It finds the correct CA certificate by taking the hash of the issuer of the client certificate and appending an integer, e.g. 34bb8598.0. Usually, those names are symlinks pointing to the real files, and the symlinks are created using the c_rehash tool.

同样，OpenSSL可以将证书吊销列表存储在此类目录中，如

Likewise, OpenSSL can store certificate revocation lists in such directories, as described in this question, and look up the correct revocation list by the hash of the certificate issuer.

现在，我需要使程序重用这样的CRL目录.该程序不使用OpenSSL，因此我需要以其他方式生成这些哈希.生成这些哈希文件名的算法是什么?

Now, I need to make a program reuse such a CRL directory. The program doesn't use OpenSSL, so I need to generate those hashes in some other way. What is the algorithm for generating those hashed filenames?

推荐答案

没有记录哈希格式，因此这很可能会更改-实际上，它已经更改过一次. x509命令支持选项-subject_hash和-issuer_hash以及-subject_hash_old和-issuer_hash_old.此说明适用于OpenSSL 1.0.1f以后的新"哈希格式.

The hash format is not documented, so this is likely to change — in fact, it has changed once already. The x509 command supports the options -subject_hash and -issuer_hash along with -subject_hash_old and -issuer_hash_old. This description is for the "new" hash format as of OpenSSL 1.0.1f.

X509_subject_name_hash和X509_issuer_name_hash功能，只需在相应的证书属性上调用X509_NAME_hash. 该功能采用SHA-1名称的规范编码"的哈希值，将其前四个字节视为32位小端整数，然后将其返回(有效地反转了哈希值的前四个字节).

The X509_subject_name_hash and X509_issuer_name_hash functions just call X509_NAME_hash on the corresponding certificate attribute. That function takes the SHA-1 hash of the "canonical encoding" of the name, treats its first four bytes as a little-endian 32-bit integer, and returns it (effectively reversing the first four bytes of the hash).

那么规范编码"是什么?它是发行人名称的DER表示形式的变体，由功能 x509_name_canon . DER是标签长度值编码.我们所代表的对象树如下所示:

So what is the "canonical encoding"? It is a mutation of the DER representation of the issuer name, generated by the function x509_name_canon. DER is a tag-length-value encoding. The object tree we're representing looks like this:

• rdnSequence，带有标签0x31(十进制49)
  • 一个或多个RelativeDistinguishedName项目，每个项目都带有标签0x30(十进制48)
    • 用标签0x06
    表示的OID类型
    • 一个字符串值-这就是有趣的地方
    • rdnSequence, with tag 0x31 (decimal 49)
      • One or more RelativeDistinguishedName items, each with tag 0x30 (decimal 48)
        • A type, represented as an OID, with tag 0x06
        • A string value — and this is where it gets interesting

        证书中给出的字符串值可以用多种不同的类型表示，例如带有标签0x13的可打印字符串"，带有标签0x16的"IA5字符串"或带有标签0x0c的UTF-8字符串.

        The string values, as given in the certificate, can be represented with a number of different types, e.g. a "printable string" with tag 0x13, an "IA5 string" with tag 0x16, or a UTF-8 string with tag 0x0c.

        在生成规范编码"时，RDNSequence中每个项目的值都将转换为UTF-8，并使用标签0x0c重新编码为UTF-8字符串.这发生在 asn1_string_canon函数中.此外，应用了以下转换:

        When generating the "canonical encoding", the value for each item in the RDNSequence gets converted to UTF-8, and reencoded as a UTF-8 string with the tag 0x0c. This happens in the asn1_string_canon function. Furthermore, the following transformations are applied:

        • 任何开头和结尾的空格都将被删除.任何设置了高位的字节都将被允许通过而不会发生变化，因此在此上下文中的空白"表示空格，换页，换行符，换行符，回车，水平制表符和垂直制表符.
        • 在字符串中，上面定义的一个或多个空格字符的任何运行都将替换为一个空格(0x20).
        • 字符将转换为小写.由于任何设置了高位的字节都会被忽略，因此这仅适用于ASCII字母A到Z.
        • Any leading and trailing whitespace is removed. Any byte with its high-order bit set is let through without change, so "whitespace" in this context means space, form-feed, newline, carriage return, horizontal tab and vertical tab.
        • Inside the string, any run of one or more whitespace characters as defined above gets replaced with a single space (0x20).
        • Characters are converted to lowercase. Since any byte with its high-order bit set is ignored, this only applies to the ASCII letters A to Z.

        这就是您需要做的所有事情.

        And that's all you need to do.

        请注意，某些相关字段的ASN.1定义不允许使用UTF-8字符串(例如，国家/地区代码仅限于可打印的字符串")，因此您可能无法使用ASN.直接使用1个编码库.

        Note that the ASN.1 definitions of some of the fields in question do not permit UTF-8 strings (for example, country codes are restricted to "printable strings"), so you may not be able to use your ASN.1 encoding library directly.

        这篇关于证书/CRL目录的哈希算法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！