卓越飞翔博客
php小编草莓从字符串格式的 x509 证书生成主题名称是一项重要的操作,它可以帮助开发人员从证书中提取出关键信息。通过解析字符串格式的 x509 证书,我们可以获取证书的主题名称,包括证书的颁发者、有效期、公钥等信息。这个过程对于构建安全的网络通信、验证证书的合法性以及保护用户隐私具有重要意义。在 PHP 中,我们可以借助 OpenSSL 扩展提供的函数来实现这个功能,简单、高效地处理 x509 证书。
问题内容
我正在尝试从 x509.certificate 生成可分辨名称。
我期望的格式是:
"cn=<common_name>,ou=<org_unit>,o=,dnqualifier=+7he5grzxim+lkemb5fs98e+fpy="
(我用标签替换了一些值)
通过我的代码,我得到了没有 dnqualifier 部分的预期字符串,如下所示:
cn=<common_name>,ou=<org_unit>,o=,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d"
在这里, 2.5.4.46 是“dnqualifier”的 asn.1 对象 id 参考:链接 该值看起来像一个十六进制字符串。
是否有标准方法(或简单的解决方法)来获取预期格式的专有名称?即,应该出现文本“dnqualifier”而不是其 objectidentifier,并且应该出现实际的字符串值而不是十六进制。
我的代码如下所示:
package main
import (
"crypto/x509"
"encoding/pem"
"fmt"
"github.com/sirupsen/logrus"
)
func main() {
cert := "" // certificate string here
block, rest := pem.decode([]byte(cert))
if len(rest) != 0 {
logrus.error("certificate string not fully decoded : ", rest)
}
certificate, err := x509.parsecertificate(block.bytes)
if err != nil {
logrus.witherror(err).error("error parsing certificate")
}
fmt.println(certificate.subject.string())
}
从此代码 certificate.subject.string() 给出的输出如下:
cn=
另外,
fmt.printf("%+vn", cert.subject.tordnsequence())和
var sub pkix.RDNSequence
asn1.Unmarshal(certificate.RawSubject, &sub)
两者都没有帮助。
解决方法
标准库仅提供 有限的属性列表:
var attributetypenames = map[string]string{
"2.5.4.6": "c",
"2.5.4.10": "o",
"2.5.4.11": "ou",
"2.5.4.3": "cn",
"2.5.4.5": "serialnumber",
"2.5.4.7": "l",
"2.5.4.8": "st",
"2.5.4.9": "street",
"2.5.4.17": "postalcode",
}
对于其他属性,它只是使用对象标识符作为名称,并在可能的情况下将值编码为十六进制字符串(请参阅(rdnsequence).string):
oidstring := tv.type.string()
typename, ok := attributetypenames[oidstring]
if !ok {
derbytes, err := asn1.marshal(tv.value)
if err == nil {
s += oidstring + "=#" + hex.encodetostring(derbytes)
continue // no value escaping necessary.
}
typename = oidstring
}
valuestring := fmt.sprint(tv.value)
escaped := make([]rune, 0, len(valuestring))
它没有提供任何旋钮让我们获得定制的琴弦。所以我们必须自己做。
我建议列出我们想要的属性,并将它们附加到从 certificate.subject.tordnsequence().string() 返回的字符串中。像这样:
package main
import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
)
func tostring(name pkix.name) string {
s := name.tordnsequence().string()
// list the extra attributes that should be added.
attributetypenames := map[string]string{
"2.5.4.43": "initials",
"2.5.4.46": "dnqualifier",
}
for typ, typename := range attributetypenames {
for _, atv := range name.names {
oidstring := atv.type.string()
if oidstring == typ {
// to keep this demo simple, i just call fmt.sprint to get the string.
// maybe you want to escape some of the characters.
// see https://github.com/golang/go/blob/1db23771afc7b9b259e926db35602ecf5047ae23/src/crypto/x509/pkix/pkix.go#l67-l86
s += "," + typename + "=" + fmt.sprint(atv.value)
break
}
}
}
return s
}
func main() {
block, _ := pem.decode([]byte(cert))
certificate, err := x509.parsecertificate(block.bytes)
if err != nil {
panic(err)
}
fmt.println(certificate.subject.string())
fmt.println()
fmt.println(certificate.subject.tordnsequence().string())
fmt.println()
fmt.println(tostring(certificate.subject))
}
var cert = `-----begin certificate-----
miigvdccbksgawibagiupminkycv6nqggfhrq1sj/y/4gykwdqyjkozihvcnaqel
bqawgfsxgzazbgnvbammennly3vyzs5legftcgxllmnvbtelmakga1uebhmcwfgx
etapbgnvbacmcez1bibmyw5kmsgwjgydvqqkdb9neunviexmqybmveqgsu5dichk
lmiuys4gt3vyq28pmriweaydvqqldaltu0wgrgvwdc4xczajbgnvbagmallzmsqw
igyjkozihvcnaqkbfhvzc2wtywrtaw5azxhhbxbszs5jb20xetapbgnvbckmcepv
ag4grg9lmqwwcgydvqqedaneb2uxdtalbgnvbcombepvag4xddakbgnvbcsma0py
rdenmasga1uelhmec29tztaefw0ymza2mtixndi2mzhafw0ynda2mtexndi2mzha
mih7mrswgqydvqqddbjzzwn1cmuuzxhhbxbszs5jb20xczajbgnvbaytalhymrew
dwydvqqhdahgdw4gtgfuzdeomcyga1uecgwftxldbybmtemgtfreieloqyaozc5i
lmeuie91cknvktesmbaga1uecwwju1nmierlchqumqswcqydvqqidajzwtekmcig
csqgsib3dqejaryvc3nslwfkbwluqgv4yw1wbguuy29tmrewdwydvqqpdahkb2hu
iervztemmaoga1uebawdrg9lmq0wcwydvqqqdarkb2humqwwcgydvqqrdankweqx
dtalbgnvbc4tbhnvbwuwggiima0gcsqgsib3dqebaquaa4icdwawggikaoicaqdl
i0xuep6r94lf5yn0lqni2qljtf4yiuapwsph1g6jutldcr5f70bkaxagznzkxssb
rgu+zwviphu1kilnx1youhfdzdx0ecmayw22zet4p8f88slnmhquxixjypopo+2b
hz8u1by7ojdccw94jhmhbug07whiu8y54wijgjv3xwnvgaorjtxs3csubmldfki7
s9gfgvqpokqpbbl+v37vbvkzgs3bw4lf7apyqe9q63q2held8/aabatujhgn1bzs
truvda9fkktdlvkn6furaeccdc+eaonpsxwimp/d01wukofojywmbgbm7a/bpby0
uxyqwmkxztquxd8mdaev89oao4ijuo8q50+9xehtb/q4tdhzjjw5k6xxqfxatrqa
/xmn8fmitvddirxqaz4ttvpdeqxnudh3retzbgoqzy4mqcgzv723tdbfzlgiqnif
1atjueotmbl7juj/1qulrpb+/ayzgqrg0xlpjr3h1essebn1ts8elvk5z6ekp5ur
rjlv3z2qq1vsn/ngnqkviyeppwj1wgxkkmaz3d6i3gixqpmklno2wdorwf/m+opu
c5+bl8nhpc0hirodi8vnkbj5mimqazwfnfhq1vveihkzxfeuee8y1r7ju/mo5qd1
z6wato77vcqd2g1xgqdjy7hrzgvmx/m9rrhqe57gyqidaqabozywndatbgnvhsue
ddakbggrbgefbqcdatadbgnvhq4efgqu8wifqbhufesmbdsbjclj4zhcynewdqyj
kozihvcnaqelbqadggibafx4qapmwkzd6juofcdmdxynjzlgyu0vtosjaor5vck8
qk/rhpqmg/j+eoikjy+xyh72wuovp25z2c99gyeyx3ve2ttsqq9uhz5eeonvi4h5
em68s5hwpywwo2u5fsvcofmpbeft/vtuvt+jczpxvrzz3a9zbwkapivoclp5y9ik
slzrkbvosafanfeffk/kyootrnoe/ahpezua8efkrlh4ggp8nzzcjamwwaoqkf3o
hufizyaenja6sm37id3eqwvsrtwkrrdkci6nqcpf0tpvxwazist2+tyimbuhacq7
qc1vhul9oyabhgjkgvhqsxxuybobqaoxdvmjueapdzgzfljlpari7aao1vamft1/
+4ulio1p9egkqdtzuu4grvbwo1pftj/alp2o/b/fnecevlphnlast+frldymrnsz
r3uv47pzpuka1+zivmpkk0kwjcb1xdficpj0t9uc7bmueyrxkf9zytbf9iqzlfnl
1lrxdod7/tf/gjlwbtiei8gwi38fimhy6iawl2epk1gzq3wep0km/lx6ol5dgmrr
2sbczecqhzvb7ya7k28iff2wma9txl/nbdhw57/7bclkbevaniwgvuqroggrmlxg
z1xp51mthl8bl2zn+q4x7xjvfvxbetfwxa8b9vlho1qkdzcdrgzt5jebpm5zgj5k
-----end certificate-----`
输出:
CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX,2.5.4.46=#1304736f6d65,2.5.4.43=#13034a5844,2.5.4.42=#13044a6f686e,2.5.4.4=#1303446f65,2.5.4.41=#13084a6f686e20446f65,1.2.840.113549.1.9.1=#0c1573736c2d61646d696e406578616d706c652e636f6d
CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX
CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX,initials=JXD,dnQualifier=some
