英文:
Create a Certificate Signing Request (CSR) with an email address in Go
问题
我尝试使用"crypto/x509"包生成CSR,但没有找到将"emailAddress"字段添加到其Subject中的方法。
根据文档CertificateRequest的结构中有一个"EmailAddresses []string"字段,但它被序列化为SAN扩展。这是我使用的测试代码:
http://play.golang.org/p/OtObaTyuTM
此外,我使用"openssl req"程序创建了一个CSR并比较了结果:
% openssl req -in openssl.csr -noout -textCertificate Request:Data:Version: 0 (0x0)Subject: C=AU, ST=Some-State, L=MyCity, O=Company Ltd, OU=IT, CN=domain.com/emailAddress=test@email.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (512 bit)Modulus:00:a3:05:e3:37:63:f9:8b:d0:37:46:2d:a8:d9:26:4e:be:83:1d:b9:30:88:2b:80:4b:53:cc:7c:01:86:b0:9b:1d:3b:0a:05:c4:56:47:4e:5d:90:f9:5a:29:8b:9a:7f:fa:4b:5e:e4:5d:dd:c6:8b:87:33:c4:b4:fa:6b:b4:67:bdExponent: 65537 (0x10001)Attributes:a0:00Signature Algorithm: sha1WithRSAEncryption0b:24:6e:0a:f9:bf:23:d7:41:5f:96:da:78:d1:99:18:fb:d6:71:7e:79:f0:02:e9:8a:50:a9:00:32:df:26:14:2f:f4:3e:c4:22:c9:5c:4e:79:c1:c2:22:1b:2a:da:79:6f:51:ba:8a:12:63:27:02:4a:b3:22:97:59:f7:6e:d6===============================================================% openssl req -in golang.csr -noout -textCertificate Request:Data:Version: 0 (0x0)Subject: C=AU, O=Company Ltd, OU=IT, L=MyCity, ST=Some-State, CN=domain.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (512 bit)Modulus:00:ac:b6:51:5b:53:44:44:20:91:da:01:45:72:49:95:83:78:74:7c:05:f9:a7:77:88:02:3a:23:5f:04:c3:69:45:b9:5a:bb:fd:e7:d3:24:5f:46:14:b8:7d:30:ce:a0:c6:ea:e3:3b:ec:4c:75:24:cc:ce:60:1d:e9:33:57:ae:21Exponent: 65537 (0x10001)Attributes:Requested Extensions:X509v3 Subject Alternative Name:email:test@email.comSignature Algorithm: sha256WithRSAEncryptiona1:c1:b7:80:a0:f0:c3:b6:44:06:f4:ad:12:3a:67:19:fa:84:34:22:2a:d9:56:d9:8b:c9:a4:d0:cf:8d:a1:36:87:fa:75:b7:05:40:0a:15:1f:72:61:85:a8:09:bc:f4:13:e6:24:5e:2e:b7:99:e3:93:53:4e:2d:d5:0c:22:fc
在我看来,我应该自己构建RawSubject字段,并使用emailAddress oid,但我没有找到任何代码示例。
更新:
我找到了解决方案。如我上面提到的,RawSubject字段必须手动准备:
subj := pkix.Name{CommonName: cn,Country: []string{c},Organization: []string{o},OrganizationalUnit: []string{ou},Locality: []string{l},Province: []string{s},}rawSubj := subj.ToRDNSequence()rawSubj = appendRDNs(rawSubj, []string{e}, oidEmailAddress)asn1Subj, err := asn1.Marshal(rawSubj)template := x509.CertificateRequest{RawSubject: asn1Subj,SignatureAlgorithm: x509.SHA1WithRSA,}
其中:
- var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
- appendRDNs()在crypto/x509/pkix中定义(因为它的名称不以大写字母开头,所以默认情况下不会导出)。你可以将其再次定义为自己的函数并进行复制粘贴。
英文:
I tried to generate a CSR using "crypto/x509" package and didn't find the way to add a "emailAddress" field into its Subject.
According to the documentation CertificateRequest structure has a "EmailAddresses []string" field but it's serialized into SAN extension.
Here is a test code i used:
http://play.golang.org/p/OtObaTyuTM
Also I created a CSR using "openssl req" program and compared results:
% openssl req -in openssl.csr -noout -textCertificate Request:Data:Version: 0 (0x0)Subject: C=AU, ST=Some-State, L=MyCity, O=Company Ltd, OU=IT, CN=domain.com/emailAddress=test@email.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (512 bit)Modulus:00:a3:05:e3:37:63:f9:8b:d0:37:46:2d:a8:d9:26:4e:be:83:1d:b9:30:88:2b:80:4b:53:cc:7c:01:86:b0:9b:1d:3b:0a:05:c4:56:47:4e:5d:90:f9:5a:29:8b:9a:7f:fa:4b:5e:e4:5d:dd:c6:8b:87:33:c4:b4:fa:6b:b4:67:bdExponent: 65537 (0x10001)Attributes:a0:00Signature Algorithm: sha1WithRSAEncryption0b:24:6e:0a:f9:bf:23:d7:41:5f:96:da:78:d1:99:18:fb:d6:71:7e:79:f0:02:e9:8a:50:a9:00:32:df:26:14:2f:f4:3e:c4:22:c9:5c:4e:79:c1:c2:22:1b:2a:da:79:6f:51:ba:8a:12:63:27:02:4a:b3:22:97:59:f7:6e:d6===============================================================% openssl req -in golang.csr -noout -textCertificate Request:Data:Version: 0 (0x0)Subject: C=AU, O=Company Ltd, OU=IT, L=MyCity, ST=Some-State, CN=domain.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (512 bit)Modulus:00:ac:b6:51:5b:53:44:44:20:91:da:01:45:72:49:95:83:78:74:7c:05:f9:a7:77:88:02:3a:23:5f:04:c3:69:45:b9:5a:bb:fd:e7:d3:24:5f:46:14:b8:7d:30:ce:a0:c6:ea:e3:3b:ec:4c:75:24:cc:ce:60:1d:e9:33:57:ae:21Exponent: 65537 (0x10001)Attributes:Requested Extensions:X509v3 Subject Alternative Name:email:test@email.comSignature Algorithm: sha256WithRSAEncryptiona1:c1:b7:80:a0:f0:c3:b6:44:06:f4:ad:12:3a:67:19:fa:84:34:22:2a:d9:56:d9:8b:c9:a4:d0:cf:8d:a1:36:87:fa:75:b7:05:40:0a:15:1f:72:61:85:a8:09:bc:f4:13:e6:24:5e:2e:b7:99:e3:93:53:4e:2d:d5:0c:22:fc
To my mind I should build RawSubject field myself with emainAddress oid but I didn't find any code samples.
UPD:
I've found the solution. As I mentioned above, the RawSubject field must be prepared manually:
subj := pkix.Name{CommonName: cn,Country: []string{c},Organization: []string{o},OrganizationalUnit: []string{ou},Locality: []string{l},Province: []string{s},}rawSubj := subj.ToRDNSequence()rawSubj = appendRDNs(rawSubj, []string{e}, oidEmailAddress)asn1Subj, err := asn1.Marshal(rawSubj)template := x509.CertificateRequest{RawSubject: asn1Subj,SignatureAlgorithm: x509.SHA1WithRSA,}
where:
- var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
- appendRDNs() is defined in crypto/x509/pkix (because its name doesn't start with an uppercase letter, it's not exported by default. You can just define it again as your own function with copy&paste).
答案1
得分: 27
这是对Jeremy的答案的一种变体,它利用了Go自他的答案以来的一些新功能,并修复了我认为存在的一个错误。(有关更多信息,请参见我在他的帖子上的评论。)
以下是下面代码的可运行的playground链接。
package mainimport ("crypto/rand""crypto/rsa""crypto/x509""crypto/x509/pkix""encoding/asn1""encoding/pem""os")var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}func main() {keyBytes, _ := rsa.GenerateKey(rand.Reader, 1024)emailAddress := "test@example.com"subj := pkix.Name{CommonName: "example.com",Country: []string{"AU"},Province: []string{"Some-State"},Locality: []string{"MyCity"},Organization: []string{"Company Ltd"},OrganizationalUnit: []string{"IT"},ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress,Value: asn1.RawValue{Tag: asn1.TagIA5String,Bytes: []byte(emailAddress),},},},}template := x509.CertificateRequest{Subject: subj,SignatureAlgorithm: x509.SHA256WithRSA,}csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, keyBytes)pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})}
主要的区别是:
- 不再序列化主题并使用
RawSubject字段,而是将电子邮件地址字段添加到pkix.Name ExtraNames切片中(在Go 1.5中添加)。 - 电子邮件地址需要编码为ASN.1的
IA5String,而不是PrintableString或UTF8String。这就是为什么我们需要使用asn1.RawValue的原因。 - 不要将电子邮件地址添加到
CertificateRequest的EmailAddresses字段中,该字段设置了一个SubjectAltName(SAN)。这些更适用于签名电子邮件之类的东西。在TLS证书的上下文中,SAN应该用于替代有效的主机名和IP地址。
(更新于2018-06-14:Value已从string更改为asn1.RawValue。否则,OpenSSL会拒绝生成的CSR,因为emailAddress的ASN.1序列化编码需要是IA5String,而不是PrintableString或UTF8String。)
英文:
This is a variation on Jeremy's answer which takes advantage of some new additions in Go since his answer, and also fixes what I believe to be a bug. (For more info on that, see my comments on his post.)
Here's a runnable playground link for the code below.
package mainimport ("crypto/rand""crypto/rsa""crypto/x509""crypto/x509/pkix""encoding/asn1""encoding/pem""os")var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}func main() {keyBytes, _ := rsa.GenerateKey(rand.Reader, 1024)emailAddress := "test@example.com"subj := pkix.Name{CommonName: "example.com",Country: []string{"AU"},Province: []string{"Some-State"},Locality: []string{"MyCity"},Organization: []string{"Company Ltd"},OrganizationalUnit: []string{"IT"},ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress,Value: asn1.RawValue{Tag: asn1.TagIA5String,Bytes: []byte(emailAddress),},},},}template := x509.CertificateRequest{Subject: subj,SignatureAlgorithm: x509.SHA256WithRSA,}csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, keyBytes)pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})}
The main differences are:
- Rather than serializing the subject and using the
RawSubjectfield, add the email address field to thepkix.Name ExtraNamesslice (added in Go 1.5). - The email address needs to be encoded as an ASN.1
IA5String, not as aPrintableStringorUTF8String. This is why we need to useasn1.RawValue. - Don't add email addresses to the
CertificateRequestEmailAddressesfield, which sets a SubjectAltName (SAN). Those are designed more for things like signed emails. In the context of TLS certificates, SANs should be used for alternatively valid hostnames and IP addresses.
(Update 2018-06-14: The Value has been changed from a string to an asn1.RawValue. OpenSSL rejects CSRs generated otherwise because the ASN.1 serialized encoding of emailAddress needs to be IA5String rather than PrintableString or UTF8String.)
答案2
得分: 22
我知道mephist回答了他自己的问题,但他留下了一些需要拼凑在一起的东西。为了完整起见(也因为我在过去两年中已经两次降落在这里...),这是一个完整的工作示例:https://play.golang.org/p/YL_qfPe4Zz
package mainimport ("crypto/rand""crypto/rsa""crypto/x509""crypto/x509/pkix""encoding/asn1""encoding/pem""os")var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}func main() {keyBytes, _ := rsa.GenerateKey(rand.Reader, 1024)emailAddress := "test@example.com"subj := pkix.Name{CommonName: "example.com",Country: []string{"AU"},Province: []string{"Some-State"},Locality: []string{"MyCity"},Organization: []string{"Company Ltd"},OrganizationalUnit: []string{"IT"},}rawSubj := subj.ToRDNSequence()rawSubj = append(rawSubj, []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: emailAddress},})asn1Subj, _ := asn1.Marshal(rawSubj)template := x509.CertificateRequest{RawSubject: asn1Subj,EmailAddresses: []string{emailAddress},SignatureAlgorithm: x509.SHA256WithRSA,}csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, keyBytes)pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})}
英文:
I know mephist answered his own question, but he left a few things to piece together. So, for the sake of completeness (and because I've landed here twice in the past 2 years...) Here's a complete working example: https://play.golang.org/p/YL_qfPe4Zz
package mainimport ("crypto/rand""crypto/rsa""crypto/x509""crypto/x509/pkix""encoding/asn1""encoding/pem""os")var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}func main() {keyBytes, _ := rsa.GenerateKey(rand.Reader, 1024)emailAddress := "test@example.com"subj := pkix.Name{CommonName: "example.com",Country: []string{"AU"},Province: []string{"Some-State"},Locality: []string{"MyCity"},Organization: []string{"Company Ltd"},OrganizationalUnit: []string{"IT"},}rawSubj := subj.ToRDNSequence()rawSubj = append(rawSubj, []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: emailAddress},})asn1Subj, _ := asn1.Marshal(rawSubj)template := x509.CertificateRequest{RawSubject: asn1Subj,EmailAddresses: []string{emailAddress},SignatureAlgorithm: x509.SHA256WithRSA,}csrBytes, _ := x509.CreateCertificateRequest(rand.Reader, &template, keyBytes)pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})}
答案3
得分: 0
只需将其放在CommonName中即可。
CommonName: "domain.com/emailAddress=test@email.com",
主题:C=AU,O=Company Ltd,OU=IT,L=MyCity,ST=Some-State,CN=domain.com/emailAddress=test@email.com
英文:
Just put it in the CommonName?
CommonName: "domain.com/emailAddress=test@email.com",
>Subject: C=AU, O=Company Ltd, OU=IT, L=MyCity, ST=Some-State, CN=domain.com/emailAddress=test@email.com
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论