将签名放在X509证书上

时间:2014-07-10 00:51:44

标签: openssl x509

我正在使用openssl API构建X509 ...我想使用第三方API签署此证书,该API接收带有要签名的数据的char *(还有一些参数可以查看要使用的私钥)并返回签名。

我想问的是,如果在openssl中存在一个放置签名的函数,因为X509_sign()做了很多事情但需要私钥...

我有办法做到这一点,但我想知道我是否遗漏了X509_INFO部分的内容,如果我正确设置签名数据或者我遗漏了什么。

证书生成正确,但我不知道是否发送了所有信息,或者我是否正确签名。

这就是我创建证书的方式:

 //Setting version
if(X509_set_version(certificate, X509_VERSION) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the version to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}


//Setting serial number
if(ASN1_INTEGER_set(X509_get_serialNumber(certificate), serialNumber) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the serial number to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}


//Setting the subject
if(X509_set_subject_name(certificate, subject) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the subject to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

//Setting the issuer
if(X509_set_issuer_name(certificate, issuer) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the issuer to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

//Setting the public key
if(X509_set_pubkey(certificate, subjectPubKey) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the public key to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

//Setting the not before
if(!X509_gmtime_adj(X509_get_notBefore(certificate), X509_VALIDITY_NOT_BEFORE))
{
    errorHandler->returnError(printer, "Unable to set the not before to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

//Setting the not after
if(!X509_gmtime_adj(X509_get_notAfter(certificate), X509_VALIDITY_NOT_AFTER))
{
    errorHandler->returnError(printer, "Unable to set the not after to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

这就是我以DER格式检索CERT_INFO的方式(我在char *中的第三方API中发送的数据):

//Preparin the data to sign
certificateInfoToSignLenght = i2d_X509_CINF(certificate->cert_info, &certificateInfoToSign);
if(!certificateInfoToSign)
{
    errorHandler->returnError(printer, "Unable to convert the certificate info in DER format.", SIGNING_X509_CERTIFICATE);
    goto exitFailure;
}

并将其发送给我的第三方函数,该函数返回签名:

sign_binary(&keyID, certificateInfoToSign,
                      (unsigned int*)&certificateInfoToSignLenght, signature, &signatureLenght,
                      signaturePublicKey, &signaturePublicKeyLenght);

最后,我正在设置签名和算法(第三方API仅在SHA256withRSA中生成签名):

//Adding signing algorithm
signatureType = X509_ALGOR_new();
signatureTypeObject = OBJ_nid2obj(DEFAULT_SIGNATURE_ALGORITHM);
if(!signatureTypeObject)
{
    errorHandler->returnError(printer, "Unable to create signature algorithm.", SIGNING_X509_CERTIFICATE);
    goto exitFailure;
}
signatureType->algorithm = signatureTypeObject;
certificate->sig_alg->algorithm = signatureType->algorithm;

//Adding the signed data to the certificate
certificate->signature->data = new unsigned char[signatureLenght];
memcpy(certificate->signature->data, signature, signatureLenght);
certificate->signature->length = signatureLenght;
if(!certificate->signature->data)
{
    errorHandler->returnError(printer, "Unable to append the signature to the certificate.", SIGNING_X509_CERTIFICATE);
    goto exitFailure;
}

0 个答案:

没有答案