我正在使用openssl API构建X509 ...我想使用第三方API签署此证书,该API接收带有要签名的数据的char *(还有一些参数可以查看要使用的私钥)并返回签名。
我想问的是,如果在openssl中存在一个放置签名的函数,因为X509_sign()做了很多事情但需要私钥...
我有办法做到这一点,但我想知道我是否遗漏了X509_INFO部分的内容,如果我正确设置签名数据或者我遗漏了什么。
证书生成正确,但我不知道是否发送了所有信息,或者我是否正确签名。
这就是我创建证书的方式:
//Setting version
if(X509_set_version(certificate, X509_VERSION) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the version to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting serial number
if(ASN1_INTEGER_set(X509_get_serialNumber(certificate), serialNumber) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the serial number to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the subject
if(X509_set_subject_name(certificate, subject) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the subject to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the issuer
if(X509_set_issuer_name(certificate, issuer) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the issuer to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the public key
if(X509_set_pubkey(certificate, subjectPubKey) != RETURN_OK)
{
errorHandler->returnError(printer, "Unable to set the public key to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the not before
if(!X509_gmtime_adj(X509_get_notBefore(certificate), X509_VALIDITY_NOT_BEFORE))
{
errorHandler->returnError(printer, "Unable to set the not before to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
//Setting the not after
if(!X509_gmtime_adj(X509_get_notAfter(certificate), X509_VALIDITY_NOT_AFTER))
{
errorHandler->returnError(printer, "Unable to set the not after to the certificate.", BUILDING_X509_CERTIFICATE);
goto exitFailure;
}
这就是我以DER格式检索CERT_INFO的方式(我在char *中的第三方API中发送的数据):
//Preparin the data to sign
certificateInfoToSignLenght = i2d_X509_CINF(certificate->cert_info, &certificateInfoToSign);
if(!certificateInfoToSign)
{
errorHandler->returnError(printer, "Unable to convert the certificate info in DER format.", SIGNING_X509_CERTIFICATE);
goto exitFailure;
}
并将其发送给我的第三方函数,该函数返回签名:
sign_binary(&keyID, certificateInfoToSign,
(unsigned int*)&certificateInfoToSignLenght, signature, &signatureLenght,
signaturePublicKey, &signaturePublicKeyLenght);
最后,我正在设置签名和算法(第三方API仅在SHA256withRSA中生成签名):
//Adding signing algorithm
signatureType = X509_ALGOR_new();
signatureTypeObject = OBJ_nid2obj(DEFAULT_SIGNATURE_ALGORITHM);
if(!signatureTypeObject)
{
errorHandler->returnError(printer, "Unable to create signature algorithm.", SIGNING_X509_CERTIFICATE);
goto exitFailure;
}
signatureType->algorithm = signatureTypeObject;
certificate->sig_alg->algorithm = signatureType->algorithm;
//Adding the signed data to the certificate
certificate->signature->data = new unsigned char[signatureLenght];
memcpy(certificate->signature->data, signature, signatureLenght);
certificate->signature->length = signatureLenght;
if(!certificate->signature->data)
{
errorHandler->returnError(printer, "Unable to append the signature to the certificate.", SIGNING_X509_CERTIFICATE);
goto exitFailure;
}