數字證書格式編碼
數字證書格式編碼
目錄ASN.1描述與例項
1.TBSCertificate 的 ASN.1描述與例項
TBSCertificate格式用ASN.1描述如下:
TBSCertificate :=SEQUENCE {
version
[0] EXPLICIT Version DEFAULT v1,
serialNumber
CertificateSerialNumber,
signature
Algorithmldentifier,
issuer
Name,
validity
Validity,
subject
Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID[1] IMPLICIT Uniqueldentifier OPTIONAL,
-- If present, version MUST be v2 or v3
subjectUniqueID [2] IMPLICIT Uniqueldentifier OPTIONAL,
-- If present, version MUST be v2 or v3
extensions[3]EXPLICIT Extensions OPTIONAL
-- If present, version MUST be v3
}
Extensions ::=SEQUENCE SIZE (1..MAX) OF ExtensionTBSCertificate 中各項內容具體值如表13-3所示。
TBSCertificate | 值 |
---|---|
version | 02 |
serialNumber | 04 96 |
signature | sha 1 WithRSAEncryption ( 1.2.840.113549.1.1.5) |
issuer | “CN=Virtual CA,C=CN” |
validity | notBefore=20200222000000、notAfter=20220222000000 |
subject | “CN=chenshaoqing,OU=Person,C=CN” |
subjectPublicKeyInfo | 空 |
issuerUniquelD subjectUniquelD | 空 |
extensions | 包含6個擴充套件項(Extension ): basicContraints、subjectKeyldentifier、keyUsage、extKeyUsage,netscapeCertType、authorityKeyIdentifier |
-
Extension的ASN.1描述與例項Extension格式用ASN.1描述如下:
Extension :=SEQUENCE {
extnID
OBJECT IDENTIFIER,
critical
BOOLEAN DEFAULT FALSE,
extnValue
OCTET STRING }
Extension各擴充套件項值如表13-4所示。 -
Certificate 的ASN.1描述與例項Certificate格式用ASN.1描述如下:
Certificate ::=SEQUENCE {
tbsCertificate
TBSCertificate,
signatureAlgorithm
AlgorithmIdentifier,
signature Value
BIT STRING }
Certificate中各項內容的具體值如表13-5所示。
DER編碼過程
1.對Extension進行DER編碼
各擴充套件項具體內容用ASN.1描述如下:
BasicConstraints ::=SEQUENCE{
cA
BOOLEAN DEFAULT FALSE,
pathLenConstraint
INTEGER (O..MAX)OPTIONAL}
SubjectKeyIdentifier ::= Keyldentifier
(KeyIdentifier ::= OCTET STRING)KeyUsage ::= BIT STRING
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX)OF KeyPurposeld
(KeyPurposeld ::= OBJECT IDENTIFIER)NetscapeCertType ::= BIT STRING
AuthorityKeyldentifier ::=SEQUENCE{
keyIdentifier
[O] KeyIdentifier
OPTIONAL,
authorityCertIssuer
[1]GeneralNames
OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }(KeyIdentifier ::= OCTET STRING)
Extension為 SEQUENCE結構型別,不同擴充套件項DER編碼值包含在OCTET STRING型別extnValue中,編碼規則採用結構型別定長模式。各擴充套件項DER編碼值用括號分隔。其中,對於BIT STRING型別,編碼後第1個位元組表示填充位數或未使用位數。
2.對TBSCertificate進行DER編碼
TBSCertificate內容編碼規則採用結構型別定長模式,具體編碼過程如表13-7所示。
1、序列號=1174(0x0496)
echo -n -e "\xA0\x03\x02\x01\x02\x02\x02\x04\x96\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00" > 20191227.der
2、證書籤發者 DN="CN=Virtual CA
echo -n -e "\x30\x22\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x56\x69\x72\x74\x75\x61\x6C\x20\x43\x41" >> 20191227.der
3、證書有效期=20200222000000-20220222000000
echo -n -e "\x17\x0D\x32\x30\x32\x30\x30\x32\x32\x32\x30\x30\x30\x30\x5A\x17\x0D\x32\x30\x32\x32\x30\x32\x32\x32\x30\x30\x30\x30\x5A" >> 20191227.der
4、證書持有者DN=CN=你的名字拼音, OU=Person
echo -n -e "\x30\x37\x31\x0b\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4e\x31\x11\x30\x0f\x06\x03\x55\x04\x0a\x13\x08\x32\x30\x31\x39\x31\x32\x32\x37\x31\x15\x30\x13\x06\x03\x55\x04\x03\x13\x0c\x47\x61\x6e\x4e\x69\x6e\x67\x79\x75\x20\x20\x20\x20" >> 20191227.der