PKCS#10 request for an object key pair from PKCS#11


Problem description


I have a RSA 1024 key pair generated using standard call from PKCS#11. I need to generate a PKCS#10 CSR for the public key.

MS has the IEnroll4 DLL, which will allow raising a CSR using createRequestWStr. The samples indicate that you need to generate a new key pair (a container with 2 objects in MS CAPI) and MS automatically gives the public key context for CSR generation.

In my case, I already have a key pair generated using PKCS#11 (as 2 objects but no key container). The MS DLL is not allowing me to proceed further.

QUERY 1: Can somebody point out how I can resolve this issue?

Alternatively, I was thinking to write my own code for CSR generation based on RSA standards. I am having the ASN 1.0 format. The ASN.1 syntax for a Certification Request is:

CertificationRequest ::= SEQUENCE {
   certificationRequestInfo CertificationRequestInfo,
   signatureAlgorithm       SignatureAlgorithmIdentifier,
   signature                Signature
}

SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
Signature ::= BIT STRING

CertificationRequestInfo ::= SEQUENCE {
   version                 Version,
   subject                 Name,
   subjectPublicKeyInfo    SubjectPublicKeyInfo,
   attributes [0] IMPLICIT Attributes
}    
Attributes ::= SET OF Attribute

QUERY 2: How do I use the above syntaxes? I am totally new to this syntax. Which resources should I look at to write my own code?

Solution

If you need to generate your certificate-request with the PKCS#11-interface (i.e. you cannot use a CSP-interface instead) your best bet is to avoid IEnroll.

For C++ your (free and open source) options seem to be to look into OpenSSL or Botan. I am not terribly fond of OpenSSL's API, but it works. I have never used Botan, but it seems pretty nice. There are also many excellent choices if you are willing to pay for them.

Alternatively, if you want to write the ASN.1 yourself you probably want to read A Layman's Guide to a Subset of ASN.1, BER, and DER. The formal specifications are in X.208 and X.209, but those are hard reading.

You want to generate a DER encoding of the ASN.1 (that is described in the link).

Here is an example encoding:

308201493081b3020100300e310c300a06035504031303666f6f30819d300d06092a864886f70d01
0101050003818b00308187028181009c921beeef551bcb051518f0c48bfe72cb1d5609a64a005e0c
008580bb81b3a43cea280d5bffa4e777733845fc2f485f1c8ccc0b2914f30d1e41369fd4a6758a3c
c887834c4d6177bd96b9f341232b00d453f28f2ae5ad5e3b0324d0b5b440a0901968fd556470dd4d
2ea2e99dd99c580703c042853265374cd3622f6c3369e5020103300d06092a864886f70d01010505
000381810068c0266a16117b37fb15ad143e2941ff8b8f082daf4ec02789db01636f51c739f199fb
19c56228cc12b9e482b966f8650fa3fdb24e31e97eef15f61aabc91dc194aeba4ebce5eab0c5e3db
36cc090a0e4b2c7d3ac27eeb0d3900d73bd88172464b890a8f9a58a0d34c0f5e226b6173cc92a316
4bbbf1d12f29d1e2ad3f36c977

or translated with the excellent dumpasn1 utility:

   0 30  329: SEQUENCE {
   4 30  179:   SEQUENCE {
   7 02    1:     INTEGER 0
  10 30   14:     SEQUENCE {
  12 31   12:       SET {
  14 30   10:         SEQUENCE {
  16 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  21 13    3:           PrintableString 'foo'
            :           }
            :         }
            :       }
  26 30  157:     SEQUENCE {
  29 30   13:       SEQUENCE {
  31 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
  42 05    0:         NULL
            :         }
  44 03  139:       BIT STRING 0 unused bits, encapsulates {
  48 30  135:           SEQUENCE {
  51 02  129:             INTEGER
            :               00 9C 92 1B EE EF 55 1B CB 05 15 18 F0 C4 8B FE
            :               72 CB 1D 56 09 A6 4A 00 5E 0C 00 85 80 BB 81 B3
            :               A4 3C EA 28 0D 5B FF A4 E7 77 73 38 45 FC 2F 48
            :               5F 1C 8C CC 0B 29 14 F3 0D 1E 41 36 9F D4 A6 75
            :               8A 3C C8 87 83 4C 4D 61 77 BD 96 B9 F3 41 23 2B
            :               00 D4 53 F2 8F 2A E5 AD 5E 3B 03 24 D0 B5 B4 40
            :               A0 90 19 68 FD 55 64 70 DD 4D 2E A2 E9 9D D9 9C
            :               58 07 03 C0 42 85 32 65 37 4C D3 62 2F 6C 33 69
            :                       [ Another 1 bytes skipped ]
 183 02    1:             INTEGER 3
            :             }
            :           }
            :       }
            :     }
 186 30   13:   SEQUENCE {
 188 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 199 05    0:     NULL
            :     }
 201 03  129:   BIT STRING 0 unused bits
            :     68 C0 26 6A 16 11 7B 37 FB 15 AD 14 3E 29 41 FF
            :     8B 8F 08 2D AF 4E C0 27 89 DB 01 63 6F 51 C7 39
            :     F1 99 FB 19 C5 62 28 CC 12 B9 E4 82 B9 66 F8 65
            :     0F A3 FD B2 4E 31 E9 7E EF 15 F6 1A AB C9 1D C1
            :     94 AE BA 4E BC E5 EA B0 C5 E3 DB 36 CC 09 0A 0E
            :     4B 2C 7D 3A C2 7E EB 0D 39 00 D7 3B D8 81 72 46
            :     4B 89 0A 8F 9A 58 A0 D3 4C 0F 5E 22 6B 61 73 CC
            :     92 A3 16 4B BB F1 D1 2F 29 D1 E2 AD 3F 36 C9 77
            :   }
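
A hand-written DER encoder for the structure above, as an added example that is not part of the original answer: it rebuilds the CertificationRequestInfo for CN=foo and reproduces the tag and length bytes of the example encoding, including the long-form lengths and the 0x00 in front of the modulus. All function names and the 128-byte modulus are constructed for illustration; the real modulus, exponent and signature would come from the PKCS#11 token, with the signature computed over the CertificationRequestInfo bytes.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
// DER length: one byte below 128, else 0x80|count followed by the big-endian length.
Bytes der_len(std::size_t n) {
    if (n < 0x80) return {static_cast<uint8_t>(n)};
    Bytes be;
    for (; n > 0; n >>= 8) be.insert(be.begin(), static_cast<uint8_t>(n & 0xff));
    be.insert(be.begin(), static_cast<uint8_t>(0x80 | be.size()));
    return be;
}
Bytes tlv(uint8_t tag, std::initializer_list<Bytes> parts) {  // tag, length, content
    Bytes body, out{tag};
    for (const Bytes& p : parts) body.insert(body.end(), p.begin(), p.end());
    const Bytes len = der_len(body.size());
    out.insert(out.end(), len.begin(), len.end());
    out.insert(out.end(), body.begin(), body.end());
    return out;
}
// Unsigned big-endian magnitude as INTEGER: minimal, 0x00-prefixed when the top bit is set.
Bytes der_uint(Bytes mag) {
    while (mag.size() > 1 && mag[0] == 0) mag.erase(mag.begin());
    if (mag.empty() || (mag[0] & 0x80)) mag.insert(mag.begin(), 0x00);
    return tlv(0x02, {mag});
}
Bytes bit_string(const Bytes& v) { return tlv(0x03, {Bytes{0x00}, v}); }  // 0 unused bits
// CertificationRequestInfo for subject CN=<cn> (PrintableString) and an RSA public key.
// strict=false omits attributes as the page's example does; strict=true adds an empty [0].
Bytes cert_request_info(const std::string& cn, const Bytes& n, const Bytes& e, bool strict) {
    const Bytes rsa{0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00};
    const Bytes atv = tlv(0x30, {Bytes{0x06,0x03,0x55,0x04,0x03}, tlv(0x13, {Bytes(cn.begin(), cn.end())})});
    const Bytes spki = tlv(0x30, {rsa, bit_string(tlv(0x30, {der_uint(n), der_uint(e)}))});
    return tlv(0x30, {der_uint(Bytes{0x00}), tlv(0x30, {tlv(0x31, {atv})}), spki, strict ? Bytes{0xa0, 0x00} : Bytes{}});
}
// Outer request; sig is the token's sha1withRSAEncryption signature over the CRI bytes.
Bytes cert_request(const Bytes& cri, const Bytes& sig) {
    const Bytes alg{0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00};
    return tlv(0x30, {cri, alg, bit_string(sig)});
}
Bytes sample_modulus() { Bytes n(128, 0x11); n[0] = 0x9c; return n; }  // constructed key
std::string to_hex(const Bytes& b) {
    std::string s;
    for (uint8_t c : b) { s += "0123456789abcdef"[c >> 4]; s += "0123456789abcdef"[c & 15]; }
    return s;
}
int main() {  // prints the strict-form CertificationRequestInfo for the constructed key
    std::printf("%s\n", to_hex(cert_request_info("foo", sample_modulus(), Bytes{3}, true)).c_str());
}
```

The example encoding on this page carries no attributes element, which is why `strict=false` matches its 179-byte length; `strict=true` emits the empty `A0 00` that the `attributes [0] IMPLICIT Attributes` field in the ASN.1 calls for.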
