CSR失败:错误解析请求ASN1错误标记值已满足(ASN:267 CRYPT_E_ASN1_BADTAG)

时间:2016-06-16 20:13:02

标签: ruby-on-rails ruby ruby-on-rails-3 openssl rsa

我正在尝试以下列方式提交CSR请求:

require 'openssl'
require 'json'

def public_key_info
  key_info = private_key.public_key.to_pem
  key_info = key_info.sub! '-----BEGIN PUBLIC KEY-----', '-----BEGIN CERTIFICATE REQUEST-----'
  key_info = key_info.sub! '-----END PUBLIC KEY-----', '-----END CERTIFICATE REQUEST-----'
  key_info
end

# "Creating a new 2048bit RSA Keypair..."
def private_key
  @private_key = OpenSSL::PKey::RSA.new 2048
end

payload = { 
  "CsrData" => public_key_info,
  "certTemplate" => "MyTemplate"
}

encoded = JSON.generate(payload)    
p "Payload is #{encoded}"

response = RestClient::Resource.new(
  'http://myURL/GenerateCertificateUsingCsr',
).post encoded, :content_type => 'application/json', :accept => 'text/plain'

response_json = JSON.parse(response.body)
p response_json

请求失败并显示错误提交失败:错误解析请求。遇到ASN1错误标记值。 0x8009310b(ASN:267 CRYPT_E_ASN1_BADTAG)

{
    "certTemplate":"MyTemplate",
    "CsrData":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuWeK196VcjZZFbKyEjpj\n8I6DjHbwiMi9I10tV41OEt9Ozp+M0V6TYOKNlJTXGxNUHD0lXFJBlS2z/PLQbW/3\n6C9xRkIclve5Uq8J2NmubnR9+NOt/cjPb4EJtMlxySq5cWOqEyq4UirUEfch9HMC\nkLwJ0MPdrDatZqfIv1IvhBiKfyqWV2jds3X60NlmvyGxnrd54dO8/OqNJNmw2BP9\n3aa21asRqB7oPW2H49o2gwDxF6ZEwymAFvU4jvO+BQLRDYTm8GslHyX9kCXWnYHg\nX7gqvek/mu7KqyIB44YyOjGYkVX76El32B08ruKlc+xZ8kFWC1bMzwZNoFEBKO6D\n9QIDAQAB\n-----END CERTIFICATE REQUEST-----"
}

{"ErrorCode"=>1005, "ErrorMessage"=>"The submission failed: Error Parsing Request  ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)", "Return"=>false, "p12Data"=>nil, "certexpdate"=>nil, "serialNo"=>nil}
=> true

但是如果我从命令行创建CSR请求:

  

openssl req -out mytest.csr -new -newkey rsa:2048 -nodes -keyout   mytest.key

然后转换了CSR,所以用\n字符串替换新行。

然后准备一个Json有效载荷:

{
  "certTemplate":"MyTemplate",
  "CsrData":"-----BEGIN CERTIFICATE REQUEST-----\nMIIC8zCCAdsCAQAwgZUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNRDEWMBQGA1UE\nBwwNU2lsdmVyIFNwcmluZzELMAkGA1UECgwCRVMxCzAJBgNVBAsMAk1MMSAwHgYD\nVQQDDBcgbXNjbGllbnQ1MS5zYW10ZXN0LmNvbTElMCMGCSqGSIb3DQEJARYWbXNj\nbGllbnQ1MUBzYW10ZXN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAL+X4YJ041JDVfYZr2IXHEAsBc9cbtYxuLa4FkXz+enZYj+9J4qK7zl9OJ7P\nfW29jf82oyQ83RH6XrYcFJKO9cuXgkkQaNV8X6J7sbn87hHUn8xZ1SORd+OPV/ws\nHdOuuv/kQi0S1Rz9Qn7RJiEnQqC14bp50fjJDxxYBVcU/bevlMuFzf8pKQbNfWD5\nbpHHPKpN6uKAXQa2vCqRPAHMvlxCqVHf1Lmy6xojsHGDdqYcYgwG2JB140nOpKtA\nwO9jR5wF7HmqUs/u/fV+p86IaHt6rAxo8WX0Ymu+48DanMdlBqjQ222OthnTbgmD\nbW9j16kNesriu8APSpxW6f7InhsCAwEAAaAYMBYGCSqGSIb3DQEJAjEJDAdNTF9U\nVjJHMA0GCSqGSIb3DQEBCwUAA4IBAQCOxISJbXXQqFmHTwcIP+jaYM1souuptE5l\nhrG/5T1Irz357DABfQpaZkon8dIF8QRpjCY2+b44srGtbKBbnUDAgM5e+qqZjx6X\ng7Yp7LLVW9EplvMYT83M62K9UyNFqjizgXbNIxJRsApLutLBpTpB3vIpQcZYhygf\nfJx/zmN3rD3K47SdaDd9JyD7W3tnAQ1rHEG1uS+Pm9Cq5+Wi8k+nEeGHtQnY5eps\nYqA/g86m4VR5RP0+oTvq3FC57PFqrbv+lwD9brCzjAK/c/QcyBnoxnMNbFVzwhcf\nKAF82Vl9kvwOwyD8sPN19V9ldmZpMhQ/2hsuHxRLAnlwHYhqfl/9\n-----END CERTIFICATE REQUEST-----"
}

上述CSR请求正常。

上面的ruby代码我做错了什么?

1 个答案:

答案 0 :(得分:2)

这是因为CSR请求不是pem格式的公钥。与公钥相比,CSR具有不同的ASN1表示法。这就是为什么你得到ASN1相关的错误。

关于如何使用Ruby包装器为OpenSSL创建CSR,您可以看到this gist。如您所见,您还需要指定专有名称。

def csr(key)
  options = { 
    :country      => 'PL',
    :state        => 'M',
    :city         => 'Cracow',
    :organization => 'OSPL',
    :department   => '', 
    :common_name  => 'OSPL',
    :email        => ''
  }

  request = OpenSSL::X509::Request.new
  request.version = 0 
  request.subject = OpenSSL::X509::Name.new([
    ['C',             options[:country], OpenSSL::ASN1::PRINTABLESTRING],
    ['ST',            options[:state],        OpenSSL::ASN1::PRINTABLESTRING],
    ['L',             options[:city],         OpenSSL::ASN1::PRINTABLESTRING],
    ['O',             options[:organization], OpenSSL::ASN1::UTF8STRING],
    ['OU',            options[:department],   OpenSSL::ASN1::UTF8STRING],
    ['CN',            options[:common_name],  OpenSSL::ASN1::UTF8STRING],
    ['emailAddress',  options[:email],        OpenSSL::ASN1::UTF8STRING]
  ])
  request.public_key = key.public_key
  request.sign(key, OpenSSL::Digest::SHA1.new)
end