英文:
Generating subject name from a x509 certificate in string format
问题
我正在尝试从x509.Certificate生成Distinguished Name。
我期望的格式是:
"CN=<common_name>,OU=<org_unit>,O=
,dnQualifier=+7He5GRZXim+LKEMb5FS98E+fPY="
(我用标签替换了一些值)
使用我的代码,我得到了预期的字符串,但没有dnQualifier部分,它是这样的:
CN=<common_name>,OU=<org_unit>,O=
,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d"
在这里,
2.5.4.46是"dnQualifier"的ASN.1对象标识符。参考:链接
该值看起来像一个十六进制字符串。
是否有一种标准的方法(或简单的解决方法)可以以预期的格式获取Distinguished Name?也就是说,文本"dnQualifier"应该出现,而不是它的ObjectIdentifier,并且实际的字符串值应该以十六进制形式存在。
我的代码如下:
package mainimport ("crypto/x509""encoding/pem""fmt""github.com/sirupsen/logrus")func main() {cert := "" // 在这里放入证书字符串block, rest := pem.Decode([]byte(cert))if len(rest) != 0 {logrus.Error("证书字符串未完全解码:", rest)}certificate, err := x509.ParseCertificate(block.Bytes)if err != nil {logrus.WithError(err).Error("解析证书时出错")}fmt.Println(certificate.Subject.String())}
从这段代码中,certificate.Subject.String()的输出类似于:
CN=<common_name>,OU=<org_unit>,O=<org>,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d
另外,
fmt.Printf("%+v\n", cert.Subject.ToRDNSequence())
和
var sub pkix.RDNSequenceasn1.Unmarshal(certificate.RawSubject, &sub)
都没有帮助。
英文:
I am trying to generate the Distinguished Name from a x509.Certificate.
The format I am expecting is:
> "CN=<common_name>,OU=<org_unit>,O=<org>,dnQualifier=+7He5GRZXim+LKEMb5FS98E+fPY="
(I've replaced some values with tags)
With my code, I get the expected string without the dnQualifier part, which is like:
> CN=<common_name>,OU=<org_unit>,O=<org>,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d"
Here,
2.5.4.46 is the ASN.1 object id for "dnQualifier" Reference: Link
The value looks like a hex string.
Is there a standard way(or an easy workaround) to get the Distinguished Name in expected format? ie., text 'dnQualifier' should appear instead of its ObjectIdentifier and the actual string value should be present instead of hex.
My code looks like this:
package mainimport ("crypto/x509""encoding/pem""fmt""github.com/sirupsen/logrus")func main() {cert := "" // certificate string hereblock, rest := pem.Decode([]byte(cert))if len(rest) != 0 {logrus.Error("certificate string not fully decoded : ", rest)}certificate, err := x509.ParseCertificate(block.Bytes)if err != nil {logrus.WithError(err).Error("error parsing certificate")}fmt.Println(certificate.Subject.String())}
From this code certificate.Subject.String() gave the output something like:
CN=<common_name>,OU=<org_unit>,O=<org>,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d"
Also,
fmt.Printf("%+v\n", cert.Subject.ToRDNSequence())
and
var sub pkix.RDNSequenceasn1.Unmarshal(certificate.RawSubject, &sub)
both did not help.
答案1
得分: 0
标准库仅为有限的属性列表提供名称:
var attributeTypeNames = map[string]string{"2.5.4.6": "C","2.5.4.10": "O","2.5.4.11": "OU","2.5.4.3": "CN","2.5.4.5": "SERIALNUMBER","2.5.4.7": "L","2.5.4.8": "ST","2.5.4.9": "STREET","2.5.4.17": "POSTALCODE",}
对于其他属性,它只是使用对象标识符作为名称,并在可能的情况下将值编码为十六进制字符串(参见(RDNSequence).String):
oidString := tv.Type.String()typeName, ok := attributeTypeNames[oidString]if !ok {derBytes, err := asn1.Marshal(tv.Value)if err == nil {s += oidString + "=#" + hex.EncodeToString(derBytes)continue // No value escaping necessary.}typeName = oidString}valueString := fmt.Sprint(tv.Value)escaped := make([]rune, 0, len(valueString))
它不提供任何机制来获取自定义字符串。因此,我们必须自己处理。
我建议列出我们想要的属性,并将它们附加到certificate.Subject.ToRDNSequence().String()返回的字符串中。像这样:
package mainimport ("crypto/x509""crypto/x509/pkix""encoding/pem""fmt")func toString(name pkix.Name) string {s := name.ToRDNSequence().String()// 列出要添加的额外属性。attributeTypeNames := map[string]string{"2.5.4.43": "initials","2.5.4.46": "dnQualifier",}for typ, typeName := range attributeTypeNames {for _, atv := range name.Names {oidString := atv.Type.String()if oidString == typ {// 为了保持这个示例简单,我只是调用fmt.Sprint来获取字符串。// 也许你想转义一些字符。// 参见https://github.com/golang/go/blob/1db23771afc7b9b259e926db35602ecf5047ae23/src/crypto/x509/pkix/pkix.go#L67-L86s += "," + typeName + "=" + fmt.Sprint(atv.Value)break}}}return s}func main() {block, _ := pem.Decode([]byte(cert))certificate, err := x509.ParseCertificate(block.Bytes)if err != nil {panic(err)}fmt.Println(certificate.Subject.String())fmt.Println()fmt.Println(certificate.Subject.ToRDNSequence().String())fmt.Println()fmt.Println(toString(certificate.Subject))}var cert = `-----BEGIN CERTIFICATE-----MIIGvDCCBKSgAwIBAgIUPmInkYCv6nQgGfHrQ1sj/y/4gykwDQYJKoZIhvcNAQELBQAwgfsxGzAZBgNVBAMMEnNlY3VyZS5leGFtcGxlLmNvbTELMAkGA1UEBhMCWFgxETAPBgNVBAcMCEZ1biBMYW5kMSgwJgYDVQQKDB9NeUNvIExMQyBMVEQgSU5DIChkLmIuYS4gT3VyQ28pMRIwEAYDVQQLDAlTU0wgRGVwdC4xCzAJBgNVBAgMAllZMSQwIgYJKoZIhvcNAQkBFhVzc2wtYWRtaW5AZXhhbXBsZS5jb20xETAPBgNVBCkMCEpvaG4gRG9lMQwwCgYDVQQEDANEb2UxDTALBgNVBCoMBEpvaG4xDDAKBgNVBCsMA0pYRDENMAsGA1UELhMEc29tZTAeFw0yMzA2MTIxNDI2MzhaFw0yNDA2MTExNDI2MzhaMIH7MRswGQYDVQQDDBJzZWN1cmUuZXhhbXBsZS5jb20xCzAJBgNVBAYTAlhYMREwDwYDVQQHDAhGdW4gTGFuZDEoMCYGA1UECgwfTXlDbyBMTEMgTFREIElOQyAoZC5iLmEuIE91ckNvKTESMBAGA1UECwwJU1NMIERlcHQuMQswCQYDVQQIDAJZWTEkMCIGCSqGSIb3DQEJARYVc3NsLWFkbWluQGV4YW1wbGUuY29tMREwDwYDVQQpDAhKb2huIERvZTEMMAoGA1UEBAwDRG9lMQ0wCwYDVQQqDARKb2huMQwwCgYDVQQrDANKWEQxDTALBgNVBC4TBHNvbWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDLi0xuep6R94LF5yn0Lqni2QlJTF4yiUApwspH1g6jUTLDCr5F70BkaxagzNzKXssbrgu+zwvIPHu1KiLNX1yoUHfdzDx0ECmaYW22ZET4P8F88slNmhQuxIXjYpOPo+2BHZ8U1bY7ojDCcw94JHMHbug07wHIu8Y54wijgjV3xwNvGaOrJtXs3cSuBMldFKi7S9gFgvQpOkQpbbl+v37vbVkzgS3BW4LF7apYQe9Q63Q2HeLd8/aAbATUJhGn1bzStruvDa9FkKtDLVkN6furAecCDC+EaOnpsxwImP/D01wUkofOjywmBGbm7a/bpBY0uXYQwMKXzTQUxd8MdaEV89Oao4ijuo8Q50+9XeHtB/q4tDhZJjW5K6XxqFXatRQa/xmN8FmitVDDIRXqAz4TTVPDeQXnUdh3rETZbgOQzy4mqcGzv723TdbfZLgIQNiF1aTJUeOtmbl7JUj/1QuLrpb+/AYzGQrG0XLpjR3h1esseBN1ts8eLVK5Z6ekP5urrjLv3Z2QQ1vsN/NGNqKVIyepPwj1wGxkKmaZ3D6i3GixQpmklno2WdorWf/M+opuc5+bL8Nhpc0HIROdi8VnkBj5MIMQaZwFnFhq1vVeIhKZXfEUEE8y1r7Ju/MO5Qd1Z6WATO77VCQd2g1xgqdJy7hrZGvMx/M9rRHqe57GYQIDAQABozYwNDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU8wIFQBHUFEsMbDSbJClj4ZhCyNEwDQYJKoZIhvcNAQELBQADggIBAFx4qApmwKzD6juOfCDMdxyNJZLgYu0VtOSJAoR5vcK8Qk/rHpQMg/j+eoikjy+Xyh72wUovP25Z2c99gyeYX3VE2TtsqQ9uhz5EeoNvi4H5Em68s5hWpyWWo2U5fSvcoFmPbEFT/VTuvt+jczPXVrzZ3a9ZBwKAPIvOcLp5Y9iKsLzrkBVosAFAnFeffk/kyoOtrNoE/AhPEZUa8EfKrLh4GGp8NzzcJAMwwaoqkf3OHUFIZYaeNjA6sM37Id3EQwvsRtWKRrDkci6NQcpf0TpVxwAZiST2+tyImbuHACQ7qc1VHUl9OYAbHgjKgvhQsXxuYboBQAOxDvMjUEAPDzgzflJlpArI7AAO1VAMfT1/+4ULiO1p9egkqDtZuU4GrVBWo1PfTJ/alP2O/B/fNECeVLpHnlAst+FRldYmRnSZR3Uv47PzpUKA1+zIVmPkK0kWjCB1xdfiCPJ0t9Uc7BMUeYRxKf9zyTBf9IQzlfNl1lRxdOD7/TF/GjlWbtIeI8gWI38fiMhy6iAwl2EPK1GzQ3Wep0km/lx6OL5dGMrr2SBcZeCqhzvB7YA7K28IFf2Wma9TXl/NBdhw57/7bCLkbeVANiWGvuQROGGRmlXGZ1xP51mTHl8BL2ZN+Q4X7XjVFVXBeTFWxA8B9vLHo1QkdZCdrGzt5jEbpM5ZgJ5k-----END CERTIFICATE-----`
输出结果:
CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX,2.5.4.46=#1304736f6d65,2.5.4.43=#13034a5844,2.5.4.42=#13044a6f686e,2.5.4.4=#1303446f65,2.5.4.41=#13084a6f686e20446f65,1.2.840.113549.1.9.1=#0c1573736c2d61646d696e406578616d706c652e636f6dCN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XXCN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,initials=JXD,dnQualifier=some
英文:
The standard library only provides names for a limited list of attributes:
var attributeTypeNames = map[string]string{"2.5.4.6": "C","2.5.4.10": "O","2.5.4.11": "OU","2.5.4.3": "CN","2.5.4.5": "SERIALNUMBER","2.5.4.7": "L","2.5.4.8": "ST","2.5.4.9": "STREET","2.5.4.17": "POSTALCODE",}
For other attributes, it simply uses the object identifier as the name, and encodes the value as hex string if possible (see (RDNSequence).String):
oidString := tv.Type.String()typeName, ok := attributeTypeNames[oidString]if !ok {derBytes, err := asn1.Marshal(tv.Value)if err == nil {s += oidString + "=#" + hex.EncodeToString(derBytes)continue // No value escaping necessary.}typeName = oidString}valueString := fmt.Sprint(tv.Value)escaped := make([]rune, 0, len(valueString))
It does not provide any knob for us to get a customized string. So we have to do it ourselves.
I would recommend to list the attributes we want, and append them to the string returned from certificate.Subject.ToRDNSequence().String(). Like this:
package mainimport ("crypto/x509""crypto/x509/pkix""encoding/pem""fmt")func toString(name pkix.Name) string {s := name.ToRDNSequence().String()// List the extra attributes that should be added.attributeTypeNames := map[string]string{"2.5.4.43": "initials","2.5.4.46": "dnQualifier",}for typ, typeName := range attributeTypeNames {for _, atv := range name.Names {oidString := atv.Type.String()if oidString == typ {// To keep this demo simple, I just call fmt.Sprint to get the string.// Maybe you want to escape some of the characters.// See https://github.com/golang/go/blob/1db23771afc7b9b259e926db35602ecf5047ae23/src/crypto/x509/pkix/pkix.go#L67-L86s += "," + typeName + "=" + fmt.Sprint(atv.Value)break}}}return s}func main() {block, _ := pem.Decode([]byte(cert))certificate, err := x509.ParseCertificate(block.Bytes)if err != nil {panic(err)}fmt.Println(certificate.Subject.String())fmt.Println()fmt.Println(certificate.Subject.ToRDNSequence().String())fmt.Println()fmt.Println(toString(certificate.Subject))}var cert = `-----BEGIN CERTIFICATE-----MIIGvDCCBKSgAwIBAgIUPmInkYCv6nQgGfHrQ1sj/y/4gykwDQYJKoZIhvcNAQELBQAwgfsxGzAZBgNVBAMMEnNlY3VyZS5leGFtcGxlLmNvbTELMAkGA1UEBhMCWFgxETAPBgNVBAcMCEZ1biBMYW5kMSgwJgYDVQQKDB9NeUNvIExMQyBMVEQgSU5DIChkLmIuYS4gT3VyQ28pMRIwEAYDVQQLDAlTU0wgRGVwdC4xCzAJBgNVBAgMAllZMSQwIgYJKoZIhvcNAQkBFhVzc2wtYWRtaW5AZXhhbXBsZS5jb20xETAPBgNVBCkMCEpvaG4gRG9lMQwwCgYDVQQEDANEb2UxDTALBgNVBCoMBEpvaG4xDDAKBgNVBCsMA0pYRDENMAsGA1UELhMEc29tZTAeFw0yMzA2MTIxNDI2MzhaFw0yNDA2MTExNDI2MzhaMIH7MRswGQYDVQQDDBJzZWN1cmUuZXhhbXBsZS5jb20xCzAJBgNVBAYTAlhYMREwDwYDVQQHDAhGdW4gTGFuZDEoMCYGA1UECgwfTXlDbyBMTEMgTFREIElOQyAoZC5iLmEuIE91ckNvKTESMBAGA1UECwwJU1NMIERlcHQuMQswCQYDVQQIDAJZWTEkMCIGCSqGSIb3DQEJARYVc3NsLWFkbWluQGV4YW1wbGUuY29tMREwDwYDVQQpDAhKb2huIERvZTEMMAoGA1UEBAwDRG9lMQ0wCwYDVQQqDARKb2huMQwwCgYDVQQrDANKWEQxDTALBgNVBC4TBHNvbWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDLi0xuep6R94LF5yn0Lqni2QlJTF4yiUApwspH1g6jUTLDCr5F70BkaxagzNzKXssbrgu+zwvIPHu1KiLNX1yoUHfdzDx0ECmaYW22ZET4P8F88slNmhQuxIXjYpOPo+2BHZ8U1bY7ojDCcw94JHMHbug07wHIu8Y54wijgjV3xwNvGaOrJtXs3cSuBMldFKi7S9gFgvQpOkQpbbl+v37vbVkzgS3BW4LF7apYQe9Q63Q2HeLd8/aAbATUJhGn1bzStruvDa9FkKtDLVkN6furAecCDC+EaOnpsxwImP/D01wUkofOjywmBGbm7a/bpBY0uXYQwMKXzTQUxd8MdaEV89Oao4ijuo8Q50+9XeHtB/q4tDhZJjW5K6XxqFXatRQa/xmN8FmitVDDIRXqAz4TTVPDeQXnUdh3rETZbgOQzy4mqcGzv723TdbfZLgIQNiF1aTJUeOtmbl7JUj/1QuLrpb+/AYzGQrG0XLpjR3h1esseBN1ts8eLVK5Z6ekP5urrjLv3Z2QQ1vsN/NGNqKVIyepPwj1wGxkKmaZ3D6i3GixQpmklno2WdorWf/M+opuc5+bL8Nhpc0HIROdi8VnkBj5MIMQaZwFnFhq1vVeIhKZXfEUEE8y1r7Ju/MO5Qd1Z6WATO77VCQd2g1xgqdJy7hrZGvMx/M9rRHqe57GYQIDAQABozYwNDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU8wIFQBHUFEsMbDSbJClj4ZhCyNEwDQYJKoZIhvcNAQELBQADggIBAFx4qApmwKzD6juOfCDMdxyNJZLgYu0VtOSJAoR5vcK8Qk/rHpQMg/j+eoikjy+Xyh72wUovP25Z2c99gyeYX3VE2TtsqQ9uhz5EeoNvi4H5Em68s5hWpyWWo2U5fSvcoFmPbEFT/VTuvt+jczPXVrzZ3a9ZBwKAPIvOcLp5Y9iKsLzrkBVosAFAnFeffk/kyoOtrNoE/AhPEZUa8EfKrLh4GGp8NzzcJAMwwaoqkf3OHUFIZYaeNjA6sM37Id3EQwvsRtWKRrDkci6NQcpf0TpVxwAZiST2+tyImbuHACQ7qc1VHUl9OYAbHgjKgvhQsXxuYboBQAOxDvMjUEAPDzgzflJlpArI7AAO1VAMfT1/+4ULiO1p9egkqDtZuU4GrVBWo1PfTJ/alP2O/B/fNECeVLpHnlAst+FRldYmRnSZR3Uv47PzpUKA1+zIVmPkK0kWjCB1xdfiCPJ0t9Uc7BMUeYRxKf9zyTBf9IQzlfNl1lRxdOD7/TF/GjlWbtIeI8gWI38fiMhy6iAwl2EPK1GzQ3Wep0km/lx6OL5dGMrr2SBcZeCqhzvB7YA7K28IFf2Wma9TXl/NBdhw57/7bCLkbeVANiWGvuQROGGRmlXGZ1xP51mTHl8BL2ZN+Q4X7XjVFVXBeTFWxA8B9vLHo1QkdZCdrGzt5jEbpM5ZgJ5k-----END CERTIFICATE-----`
The output:
CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX,2.5.4.46=#1304736f6d65,2.5.4.43=#13034a5844,2.5.4.42=#13044a6f686e,2.5.4.4=#1303446f65,2.5.4.41=#13084a6f686e20446f65,1.2.840.113549.1.9.1=#0c1573736c2d61646d696e406578616d706c652e636f6dCN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XXCN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX,initials=JXD,dnQualifier=some
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论