由于ASN1值,提交给IIS CA的CSR失败

时间:2015-04-21 07:11:45

标签: python unicode openssl csr pyopenssl

我已经从pyOpenSSL生成了一个私钥/ CSR - 下面的代码片段:

键:

key = crypto.PKey()
key.generate_key(type, bits)
if os.path.exists(_keyfile):
    print "Certificate file exists, aborting."
    print " ", _keyfile
    sys.exit(1)
else:
    f = open(_keyfile, "w")
    f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
    f.close()
return key

CSR:

req = crypto.X509Req()
# Return an X509Name object representing the subject of the certificate.
req.get_subject().countryName = country
req.get_subject().stateOrProvinceName = state
req.get_subject().localityName = location
req.get_subject().organizationName = organisation
req.get_subject().organizationalUnitName = organisational_unit
req.get_subject().CN = nodename
# Add in extensions
#base_constraints = ([
#    crypto.X509Extension("keyUsage", False, "Digital Signature, Non Repudiation, Key Encipherment"),
#    crypto.X509Extension("basicConstraints", False, "CA:FALSE"),
#])
#x509_extensions = ([])
x509_extensions = []
# If there are SAN entries, append the base_constraints to include them.
if ss:
    san_constraint = crypto.X509Extension("subjectAltName", False, ss)
    x509_extensions.append(san_constraint)
req.add_extensions(x509_extensions)
# Set the public key of the certificate to pkey.
req.set_pubkey(key)
# Sign the certificate, using the key pkey and the message digest algorithm identified by the string digest.
req.sign(key, "sha1")
# Dump the certificate request req into a buffer string encoded with the type type.
if os.path.exists(_csrfile):
    print "Certificate file exists, aborting."
    print " ", _csrfile
    sys.exit(1)
else:
    f = open(_csrfile, "w")
    f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
    f.close()

我从IIS CA返回的错误是:

  

符合ASN1错误标记值。 0x8009310b(ASN:267)

根据Microsoft,这是由:

引起的
  

当证书请求以Unicode编码存储在文件中时,会发生此行为。 Microsoft证书服务不支持Unicode编码的文件请求文件。仅支持ANSI编码。

我知道如果我在命令行上从openssl生成CSR,它将由IIS CA RESTful Web服务接受并发布,而不会出错。

我想知道是否有某种方法可以从pyOpenSSL生成'ANSI'编码文件 - 我不确定它是否是密钥文件或使用导致问题的密钥文件签名的CSR。

1 个答案:

答案 0 :(得分:1)

我已经在stackoverflow question的帮助下解决了这个问题,感谢@yodatg。

由于bug in pyOpenSSL已修复,会出现问题。

发出:

openssl asn1parse -in certificates/cert.csr

我可以看到ASN1值:

8:d=2  hl=2 l=   1 prim: INTEGER           :01

在工作中的CSR中,它看起来像这样:

8:d=2  hl=2 l=   1 prim: INTEGER           :00

然后我改变了我的代码,在签名之前在req对象上包含了一个set_version调用:

#set version - IIS CA required this
req.set_version(0)

# Set the public key of the certificate to pkey.
req.set_pubkey(priv_key)

现在已经解决了。