How to parse custom X509v3 extension in golang?

Question

I have a client.crt.pem.

I want to get the custom extension key-value pairs (e.g. 2.9.1.6.2.6.1.9.9.4.1 and G1, or 2.9.1.6.2.6.1.9.9.4.1 and 0C024731).

How can I parse them in golang?

Here is the certificate info.

Use openssl x509 -in client.crt.pem -noout -text to show it.

...
...
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Client Certificate
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
            2.9.1.6.2.6.1.9.9.4.1:
                ..G1
            2.9.1.6.2.6.1.9.9.4.2:
                ..R1
            2.9.1.6.2.6.1.9.9.4.3:
                ..3
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, DNS:localhost
...
...

Or use openssl asn1parse -i -in client.crt.pem

...
...
  998:d=4  hl=2 l=  18 cons:     SEQUENCE
 1000:d=5  hl=2 l=  10 prim:      OBJECT            :2.9.1.6.2.6.1.9.9.4.1
 1012:d=5  hl=2 l=   4 prim:      OCTET STRING      [HEX DUMP]:0C024731
 1018:d=4  hl=2 l=  18 cons:     SEQUENCE
 1020:d=5  hl=2 l=  10 prim:      OBJECT            :2.9.1.6.2.6.1.9.9.4.2
 1032:d=5  hl=2 l=   4 prim:      OCTET STRING      [HEX DUMP]:0C025231
 1038:d=4  hl=2 l=  17 cons:     SEQUENCE
 1040:d=5  hl=2 l=  10 prim:      OBJECT            :2.9.1.6.2.6.1.9.9.4.3
 1052:d=5  hl=2 l=   3 prim:      OCTET STRING      [HEX DUMP]:0C0133
...
...

Answer 1

Score: 1

Here is my solution, FYI.

package main

import (
    "crypto/x509"
    "crypto/x509/pkix"
    "encoding/pem"
    "os"
    "strings"
)

// getCustomExtensions reads a PEM certificate file and returns the extensions whose
// OID starts with customOIDPrefix. Each returned Value still holds the DER bytes that
// sit inside the extension's OCTET STRING (0C 02 47 31 for the first one above), not
// the decoded "G1".
func getCustomExtensions(serverCertFile string, customOIDPrefix string) ([]pkix.Extension, bool) {
    certBytes, err := os.ReadFile(serverCertFile)
    if err != nil {
        return nil, false
    }
    // pem.Decode returns a nil block when the input holds no PEM data; check it
    // before touching block.Type
    block, _ := pem.Decode(certBytes)
    if block == nil || block.Type != "CERTIFICATE" {
        return nil, false
    }
    certificate, err := x509.ParseCertificate(block.Bytes)
    if err != nil {
        return nil, false
    }
    var extensions []pkix.Extension
    for _, ext := range certificate.Extensions {
        // filter the custom extensions by OID prefix; HasPrefix rather than Contains so
        // the prefix has to match from the first arc
        if strings.HasPrefix(ext.Id.String(), customOIDPrefix) {
            extensions = append(extensions, ext)
        }
    }
    return extensions, true
}
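The hex dumps in the question already answer the second half of it: the OCTET STRING content 0C 02 47 31 is itself DER, a UTF8String (tag 0x0C) of length 2 holding "G1", which is why openssl x509 -text shows it as ..G1 with the two header bytes rendered as dots. pkix.Extension.Value holds exactly those bytes, so one more encoding/asn1 call is needed to turn them into the string. The following is an added, self-contained Go example and is not part of the answer above: it builds its own self-signed certificate carrying the question's three OIDs with the same UTF8String payloads (constructed input, since client.crt.pem is not on the page), then extracts and decodes them. The CustomExt type, the function names, the critical flag switch and the whole-arc prefix matching are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CustomExt is one private extension: OID, critical flag, raw DER from the OCTET STRING, decoded string.
type CustomExt struct {
	OID      string
	Critical bool
	Raw      []byte
	Value    string
}

// buildTestCertPEM makes a throwaway self-signed certificate carrying the question's three private
// OIDs (2.9.1.6.2.6.1.9.9.4.1 to .3) with UTF8String payloads "G1", "R1", "3". Constructed input.
func buildTestCertPEM(critical bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	base := asn1.ObjectIdentifier{2, 9, 1, 6, 2, 6, 1, 9, 9, 4}
	var exts []pkix.Extension
	for i, val := range []string{"G1", "R1", "3"} {
		// "utf8" makes encoding/asn1 emit a UTF8String (tag 0x0C): "G1" becomes 0C 02 47 31 as in the question.
		der, err := asn1.MarshalWithParams(val, "utf8")
		if err != nil {
			return nil, err
		}
		oid := append(append(asn1.ObjectIdentifier{}, base...), i+1)
		exts = append(exts, pkix.Extension{Id: oid, Critical: critical, Value: der})
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "client"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: exts, // written after the standard extensions, in this order
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// parseCustomExtensions returns every extension whose OID equals oidPrefix or lies below it,
// with the OCTET STRING payload decoded as an ASN.1 string when it is one.
func parseCustomExtensions(certPEM []byte, oidPrefix string) ([]CustomExt, error) {
	block, _ := pem.Decode(certPEM) // nil for non-PEM input, so check it before block.Type
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var out []CustomExt
	for _, ext := range cert.Extensions {
		id := ext.Id.String()
		// Compare whole arcs so a prefix of "...4.1" does not also pick up "...4.10".
		if id != oidPrefix && !strings.HasPrefix(id, oidPrefix+".") {
			continue
		}
		// Default to hex, as openssl asn1parse does, in case the payload is not a string.
		ce := CustomExt{OID: id, Critical: ext.Critical, Raw: ext.Value, Value: fmt.Sprintf("%X", ext.Value)}
		// ext.Value is DER; a Go string target accepts UTF8String, PrintableString, IA5String and friends.
		var s string
		if rest, err := asn1.Unmarshal(ext.Value, &s); err == nil && len(rest) == 0 {
			ce.Value = s
		}
		out = append(out, ce)
	}
	return out, nil
}

func main() {
	certPEM, err := buildTestCertPEM(false)
	if err != nil {
		panic(err)
	}
	exts, err := parseCustomExtensions(certPEM, "2.9.1.6.2.6.1.9.9.4")
	if err != nil {
		panic(err)
	}
	for _, e := range exts {
		fmt.Printf("%s: raw=%X value=%q critical=%v\n", e.OID, e.Raw, e.Value, e.Critical)
	}
}
```

Running it lists the three OIDs with raw 0C024731, 0C025231 and 0C0133 next to the decoded "G1", "R1" and "3". One caveat worth keeping in mind: a private extension marked critical still parses, but Go records it in cert.UnhandledCriticalExtensions and (*x509.Certificate).Verify then rejects the certificate, so such extensions should stay non-critical unless every relying party is known to process them.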

huangapple
  • This article was posted on 2021-10-18 14:43:58
  • When reposting, please keep the link to this article: https://go.coder-hub.com/69611757.html