如何从证书中获取主题密钥标识符

时间:2012-03-27 12:46:29

标签: c openssl x509

我创建了一个RSA证书,如下所示。

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 5 (0x5)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=DE, ST=NRW, L=Aachen, O=RWTH Aachen University, CN=Anupam Ashish Root CA/emailAddress=root_ca@gmail.com
    Validity
        Not Before: Mar  1 12:09:56 2012 GMT
        Not After : Nov 26 12:09:56 2014 GMT
    Subject: C=DE, ST=NRW, O=RWTH Aachen University, CN=Middle Box2/emailAddress=mb2@gmail.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (1024 bit)
            Modulus (1024 bit):
                00:c5:3f:ef:31:eb:93:48:ca:a9:43:10:a7:35:0f:
                c2:eb:d6:96:28:d1:14:be:0b:9e:f6:b1:c9:ee:6c:
                05:11:92:b3:ac:02:0a:b2:a9:e2:22:19:58:e9:ba:
                72:8d:ff:f4:3d:eb:a1:32:51:ee:02:bc:60:31:77:
                b4:f7:14:e0:04:7d:e4:5a:05:e7:03:6f:b4:76:2a:
                05:a1:d2:01:18:d8:a1:a0:b5:0f:85:88:96:94:84:
                78:26:69:36:3a:66:b0:28:27:ed:58:43:26:c4:00:
                5f:f1:b2:fb:79:38:a1:b3:96:f4:64:df:b1:15:9f:
                ba:1a:ac:56:17:0b:47:06:0b
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: 
            CA:FALSE
        X509v3 Subject Key Identifier: 
            5D:A1:F3:85:B3:FA:E2:81:9C:F6:C9:8E:E6:63:0F:B5:A3:7E:C3:B7
        X509v3 Authority Key Identifier: 
            keyid:2E:8B:78:D6:B0:52:F9:D8:EB:55:94:60:55:0D:B3:1A:20:50:93:CE
            DirName:/C=DE/ST=NRW/L=Aachen/O=RWTH Aachen University/CN=Anupam Ashish Root CA/emailAddress=root_ca@gmail.com
            serial:E2:08:67:9C:EF:A1:48:1C

        Netscape CA Revocation Url: 
            https://www.example.com/example-ca-crl.pem
Signature Algorithm: sha1WithRSAEncryption
    62:1b:d4:37:45:62:12:54:b1:75:db:dd:fa:21:c6:73:a4:8b:
    08:e0:28:b7:5c:d2:c5:d4:8c:71:97:7b:97:a4:d3:fc:87:d5:
    ea:b2:ba:77:73:61:bf:d5:a5:04:18:f1:3a:a5:eb:bf:68:e0:
    9b:e1:c8:2b:a5:c0:5c:11:48:9f:27:42:e9:d2:fd:0c:ac:1b:
    c8:fa:47:fc:03:d2:cc:52:b2:67:1a:a5:96:47:9c:10:d4:5f:
    67:58:fa:06:b1:12:16:fd:1a:32:e6:77:24:ae:3d:f6:f6:b3:
    a4:ee:58:18:bb:54:d2:57:4e:60:8f:be:89:bb:ad:57:a6:fe:
    31:2a
-----BEGIN CERTIFICATE-----
MIIDqDCCAxGgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMCREUx
DDAKBgNVBAgTA05SVzEPMA0GA1UEBxMGQWFjaGVuMR8wHQYDVQQKExZSV1RIIEFh
Y2hlbiBVbml2ZXJzaXR5MR4wHAYDVQQDExVBbnVwYW0gQXNoaXNoIFJvb3QgQ0Ex
IDAeBgkqhkiG9w0BCQEWEXJvb3RfY2FAZ21haWwuY29tMB4XDTEyMDMwMTEyMDk1
NloXDTE0MTEyNjEyMDk1NlowcDELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzEf
MB0GA1UEChMWUldUSCBBYWNoZW4gVW5pdmVyc2l0eTEUMBIGA1UEAxMLTWlkZGxl
IEJveDIxHDAaBgkqhkiG9w0BCQEWDW1iMkBnbWFpbC5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAMU/7zHrk0jKqUMQpzUPwuvWlijRFL4Lnvaxye5sBRGS
s6wCCrKp4iIZWOm6co3/9D3roTJR7gK8YDF3tPcU4AR95FoF5wNvtHYqBaHSARjY
oaC1D4WIlpSEeCZpNjpmsCgn7VhDJsQAX/Gy+3k4obOW9GTfsRWfuhqsVhcLRwYL
AgMBAAGjggEwMIIBLDAJBgNVHRMEAjAAMB0GA1UdDgQWBBRdofOFs/rigZz2yY7m
Yw+1o37DtzCBxAYDVR0jBIG8MIG5gBQui3jWsFL52OtVlGBVDbMaIFCTzqGBlaSB
kjCBjzELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzEPMA0GA1UEBxMGQWFjaGVu
MR8wHQYDVQQKExZSV1RIIEFhY2hlbiBVbml2ZXJzaXR5MR4wHAYDVQQDExVBbnVw
YW0gQXNoaXNoIFJvb3QgQ0ExIDAeBgkqhkiG9w0BCQEWEXJvb3RfY2FAZ21haWwu
Y29tggkA4ghnnO+hSBwwOQYJYIZIAYb4QgEEBCwWKmh0dHBzOi8vd3d3LmV4YW1w    
bGUuY29tL2V4YW1wbGUtY2EtY3JsLnBlbTANBgkqhkiG9w0BAQUFAAOBgQBiG9Q3
RWISVLF12936IcZzpIsI4Ci3XNLF1Ixxl3uXpNP8h9Xqsrp3c2G/1aUEGPE6peu/
aOCb4cgrpcBcEUifJ0Lp0v0MrBvI+kf8A9LMUrJnGqWWR5wQ1F9nWPoGsRIW/Roy
5nckrj329rOk7lgYu1TSV05gj76Ju61Xpv4xKg==
-----END CERTIFICATE-----

我能够从文件中读取证书,并在x509结构中将证书保存在内存中。 但是,对于我的项目,我需要存储在x509v3扩展组件中的主题密钥标识符(SKID)中的公钥的哈希值。我无法找到一个明确的方法,如何使用C语言中的openssl函数检索它。

请帮忙

由于 阿努邦

2 个答案:

答案 0 :(得分:1)

查看X509_get_ext_by_NID()

示例:

    int loc = X509_get_ext_by_NID(cert, NID_subject_key_identifier,-1);
    X509_EXTENSION *ext = X509_get_ext(cert, loc);
    if (ext) {
          /* your code here, data is in ext->value->data */
    }

过时的文档,但仍然有效:

http://www.umich.edu/~x509/ssleay/x509_exts.html

答案 1 :(得分:0)

在@dwalter的答案后面加上以下代码,将为您提供主题密钥ID,共享完整的代码,因为这不是获得SKID的直接方法。

//Gives the subject key id for the certificate.
string get_certificate_skid(const string& certificate_path)
{
    X509* cert = X509_new();
    BIO* bio_cert = BIO_new_file(certificate_path.c_str(), "rb");
    PEM_read_bio_X509(bio_cert, &cert, NULL, NULL);

    string certificate_skid("-");

    int loc = X509_get_ext_by_NID(cert, NID_subject_key_identifier,-1);
    X509_EXTENSION *ext = X509_get_ext(cert, loc);
    if (ext) {
        const unsigned char* octet_str_data = ext->value->data;
        long xlen;
        int tag, xclass;
        int ret = ASN1_get_object(&octet_str_data, &xlen, &tag, &xclass, ext->value->length);
        char* skid = hex_to_string(octet_str_data, xlen);
        if(skid != nullptr)
        {   
            certificate_skid.assign(skid);
            free(skid);
        }   
    }   

    BIO_free(bio_cert); 
    X509_free(cert);

    return certificate_skid;
}