从字符串格式的x509证书中生成主题名称

huangapple go评论78阅读模式
英文:

Generating subject name from a x509 certificate in string format

问题

我正在尝试从x509.Certificate生成Distinguished Name。

我期望的格式是:

"CN=<common_name>,OU=<org_unit>,O=,dnQualifier=+7He5GRZXim+LKEMb5FS98E+fPY="

(我用标签替换了一些值)

使用我的代码,我得到了预期的字符串,但没有dnQualifier部分,它是这样的:

CN=<common_name>,OU=<org_unit>,O=,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d"

在这里,
2.5.4.46是"dnQualifier"的ASN.1对象标识符。参考:链接
该值看起来像一个十六进制字符串。

是否有一种标准的方法(或简单的解决方法)可以以预期的格式获取Distinguished Name?也就是说,文本"dnQualifier"应该出现,而不是它的ObjectIdentifier,并且实际的字符串值应该以十六进制形式存在。

我的代码如下:

package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"

	"github.com/sirupsen/logrus"
)

func main() {

	cert := "" // 在这里放入证书字符串
	block, rest := pem.Decode([]byte(cert))
	if len(rest) != 0 {
		logrus.Error("证书字符串未完全解码:", rest)
	}

	certificate, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		logrus.WithError(err).Error("解析证书时出错")
	}

	fmt.Println(certificate.Subject.String())
}

从这段代码中,certificate.Subject.String()的输出类似于:
CN=<common_name>,OU=<org_unit>,O=<org>,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d

另外,

fmt.Printf("%+v\n", cert.Subject.ToRDNSequence())

var sub pkix.RDNSequence
asn1.Unmarshal(certificate.RawSubject, &sub)

都没有帮助。

英文:

I am trying to generate the Distinguished Name from a x509.Certificate.

The format I am expecting is:
> "CN=<common_name>,OU=<org_unit>,O=<org>,dnQualifier=+7He5GRZXim+LKEMb5FS98E+fPY="

(I've replaced some values with tags)

With my code, I get the expected string without the dnQualifier part, which is like:
> CN=<common_name>,OU=<org_unit>,O=<org>,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d"

Here,
2.5.4.46 is the ASN.1 object id for "dnQualifier" Reference: Link
The value looks like a hex string.

Is there a standard way(or an easy workaround) to get the Distinguished Name in expected format? ie., text 'dnQualifier' should appear instead of its ObjectIdentifier and the actual string value should be present instead of hex.

My code looks like this:

package main

import (
	&quot;crypto/x509&quot;
	&quot;encoding/pem&quot;
	&quot;fmt&quot;

	&quot;github.com/sirupsen/logrus&quot;
)

func main() {

	cert := &quot;&quot; // certificate string here
	block, rest := pem.Decode([]byte(cert))
	if len(rest) != 0 {
		logrus.Error(&quot;certificate string not fully decoded : &quot;, rest)
	}

	certificate, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		logrus.WithError(err).Error(&quot;error parsing certificate&quot;)
	}

	fmt.Println(certificate.Subject.String())
}

From this code certificate.Subject.String() gave the output something like:
CN=&lt;common_name&gt;,OU=&lt;org_unit&gt;,O=&lt;org&gt;,2.5.4.46=#131c537771614a5531514c2449444e4846373755547a1f5749653955303d&quot;

Also,

fmt.Printf(&quot;%+v\n&quot;, cert.Subject.ToRDNSequence())

and

var sub pkix.RDNSequence
asn1.Unmarshal(certificate.RawSubject, &amp;sub)

both did not help.

答案1

得分: 0

标准库仅为有限的属性列表提供名称:

var attributeTypeNames = map[string]string{
	"2.5.4.6":  "C",
	"2.5.4.10": "O",
	"2.5.4.11": "OU",
	"2.5.4.3":  "CN",
	"2.5.4.5":  "SERIALNUMBER",
	"2.5.4.7":  "L",
	"2.5.4.8":  "ST",
	"2.5.4.9":  "STREET",
	"2.5.4.17": "POSTALCODE",
}

对于其他属性,它只是使用对象标识符作为名称,并在可能的情况下将值编码为十六进制字符串(参见(RDNSequence).String):

oidString := tv.Type.String()
typeName, ok := attributeTypeNames[oidString]
if !ok {
	derBytes, err := asn1.Marshal(tv.Value)
	if err == nil {
		s += oidString + "=#" + hex.EncodeToString(derBytes)
		continue // No value escaping necessary.
	}

	typeName = oidString
}

valueString := fmt.Sprint(tv.Value)
escaped := make([]rune, 0, len(valueString))

它不提供任何机制来获取自定义字符串。因此,我们必须自己处理。

我建议列出我们想要的属性,并将它们附加到certificate.Subject.ToRDNSequence().String()返回的字符串中。像这样:

package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

func toString(name pkix.Name) string {
	s := name.ToRDNSequence().String()

	// 列出要添加的额外属性。
	attributeTypeNames := map[string]string{
		"2.5.4.43": "initials",
		"2.5.4.46": "dnQualifier",
	}

	for typ, typeName := range attributeTypeNames {
		for _, atv := range name.Names {
			oidString := atv.Type.String()
			if oidString == typ {
				// 为了保持这个示例简单,我只是调用fmt.Sprint来获取字符串。
				// 也许你想转义一些字符。
				// 参见https://github.com/golang/go/blob/1db23771afc7b9b259e926db35602ecf5047ae23/src/crypto/x509/pkix/pkix.go#L67-L86
				s += "," + typeName + "=" + fmt.Sprint(atv.Value)
				break
			}
		}
	}
	return s
}

func main() {
	block, _ := pem.Decode([]byte(cert))
	certificate, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic(err)
	}

	fmt.Println(certificate.Subject.String())
	fmt.Println()
	fmt.Println(certificate.Subject.ToRDNSequence().String())
	fmt.Println()
	fmt.Println(toString(certificate.Subject))
}

var cert = `-----BEGIN CERTIFICATE-----
MIIGvDCCBKSgAwIBAgIUPmInkYCv6nQgGfHrQ1sj/y/4gykwDQYJKoZIhvcNAQEL
BQAwgfsxGzAZBgNVBAMMEnNlY3VyZS5leGFtcGxlLmNvbTELMAkGA1UEBhMCWFgx
ETAPBgNVBAcMCEZ1biBMYW5kMSgwJgYDVQQKDB9NeUNvIExMQyBMVEQgSU5DIChk
LmIuYS4gT3VyQ28pMRIwEAYDVQQLDAlTU0wgRGVwdC4xCzAJBgNVBAgMAllZMSQw
IgYJKoZIhvcNAQkBFhVzc2wtYWRtaW5AZXhhbXBsZS5jb20xETAPBgNVBCkMCEpv
aG4gRG9lMQwwCgYDVQQEDANEb2UxDTALBgNVBCoMBEpvaG4xDDAKBgNVBCsMA0pY
RDENMAsGA1UELhMEc29tZTAeFw0yMzA2MTIxNDI2MzhaFw0yNDA2MTExNDI2Mzha
MIH7MRswGQYDVQQDDBJzZWN1cmUuZXhhbXBsZS5jb20xCzAJBgNVBAYTAlhYMREw
DwYDVQQHDAhGdW4gTGFuZDEoMCYGA1UECgwfTXlDbyBMTEMgTFREIElOQyAoZC5i
LmEuIE91ckNvKTESMBAGA1UECwwJU1NMIERlcHQuMQswCQYDVQQIDAJZWTEkMCIG
CSqGSIb3DQEJARYVc3NsLWFkbWluQGV4YW1wbGUuY29tMREwDwYDVQQpDAhKb2hu
IERvZTEMMAoGA1UEBAwDRG9lMQ0wCwYDVQQqDARKb2huMQwwCgYDVQQrDANKWEQx
DTALBgNVBC4TBHNvbWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDL
i0xuep6R94LF5yn0Lqni2QlJTF4yiUApwspH1g6jUTLDCr5F70BkaxagzNzKXssb
rgu+zwvIPHu1KiLNX1yoUHfdzDx0ECmaYW22ZET4P8F88slNmhQuxIXjYpOPo+2B
HZ8U1bY7ojDCcw94JHMHbug07wHIu8Y54wijgjV3xwNvGaOrJtXs3cSuBMldFKi7
S9gFgvQpOkQpbbl+v37vbVkzgS3BW4LF7apYQe9Q63Q2HeLd8/aAbATUJhGn1bzS
truvDa9FkKtDLVkN6furAecCDC+EaOnpsxwImP/D01wUkofOjywmBGbm7a/bpBY0
uXYQwMKXzTQUxd8MdaEV89Oao4ijuo8Q50+9XeHtB/q4tDhZJjW5K6XxqFXatRQa
/xmN8FmitVDDIRXqAz4TTVPDeQXnUdh3rETZbgOQzy4mqcGzv723TdbfZLgIQNiF
1aTJUeOtmbl7JUj/1QuLrpb+/AYzGQrG0XLpjR3h1esseBN1ts8eLVK5Z6ekP5ur
rjLv3Z2QQ1vsN/NGNqKVIyepPwj1wGxkKmaZ3D6i3GixQpmklno2WdorWf/M+opu
c5+bL8Nhpc0HIROdi8VnkBj5MIMQaZwFnFhq1vVeIhKZXfEUEE8y1r7Ju/MO5Qd1
Z6WATO77VCQd2g1xgqdJy7hrZGvMx/M9rRHqe57GYQIDAQABozYwNDATBgNVHSUE
DDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU8wIFQBHUFEsMbDSbJClj4ZhCyNEwDQYJ
KoZIhvcNAQELBQADggIBAFx4qApmwKzD6juOfCDMdxyNJZLgYu0VtOSJAoR5vcK8
Qk/rHpQMg/j+eoikjy+Xyh72wUovP25Z2c99gyeYX3VE2TtsqQ9uhz5EeoNvi4H5
Em68s5hWpyWWo2U5fSvcoFmPbEFT/VTuvt+jczPXVrzZ3a9ZBwKAPIvOcLp5Y9iK
sLzrkBVosAFAnFeffk/kyoOtrNoE/AhPEZUa8EfKrLh4GGp8NzzcJAMwwaoqkf3O
HUFIZYaeNjA6sM37Id3EQwvsRtWKRrDkci6NQcpf0TpVxwAZiST2+tyImbuHACQ7
qc1VHUl9OYAbHgjKgvhQsXxuYboBQAOxDvMjUEAPDzgzflJlpArI7AAO1VAMfT1/
+4ULiO1p9egkqDtZuU4GrVBWo1PfTJ/alP2O/B/fNECeVLpHnlAst+FRldYmRnSZ
R3Uv47PzpUKA1+zIVmPkK0kWjCB1xdfiCPJ0t9Uc7BMUeYRxKf9zyTBf9IQzlfNl
1lRxdOD7/TF/GjlWbtIeI8gWI38fiMhy6iAwl2EPK1GzQ3Wep0km/lx6OL5dGMrr
2SBcZeCqhzvB7YA7K28IFf2Wma9TXl/NBdhw57/7bCLkbeVANiWGvuQROGGRmlXG
Z1xP51mTHl8BL2ZN+Q4X7XjVFVXBeTFWxA8B9vLHo1QkdZCdrGzt5jEbpM5ZgJ5k
-----END CERTIFICATE-----`

输出结果:

CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX,2.5.4.46=#1304736f6d65,2.5.4.43=#13034a5844,2.5.4.42=#13044a6f686e,2.5.4.4=#1303446f65,2.5.4.41=#13084a6f686e20446f65,1.2.840.113549.1.9.1=#0c1573736c2d61646d696e406578616d706c652e636f6d

CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX

CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,initials=JXD,dnQualifier=some
英文:

The standard library only provides names for a limited list of attributes:

var attributeTypeNames = map[string]string{
	&quot;2.5.4.6&quot;:  &quot;C&quot;,
	&quot;2.5.4.10&quot;: &quot;O&quot;,
	&quot;2.5.4.11&quot;: &quot;OU&quot;,
	&quot;2.5.4.3&quot;:  &quot;CN&quot;,
	&quot;2.5.4.5&quot;:  &quot;SERIALNUMBER&quot;,
	&quot;2.5.4.7&quot;:  &quot;L&quot;,
	&quot;2.5.4.8&quot;:  &quot;ST&quot;,
	&quot;2.5.4.9&quot;:  &quot;STREET&quot;,
	&quot;2.5.4.17&quot;: &quot;POSTALCODE&quot;,
}

For other attributes, it simply uses the object identifier as the name, and encodes the value as hex string if possible (see (RDNSequence).String):

oidString := tv.Type.String()
typeName, ok := attributeTypeNames[oidString]
if !ok {
	derBytes, err := asn1.Marshal(tv.Value)
	if err == nil {
		s += oidString + &quot;=#&quot; + hex.EncodeToString(derBytes)
		continue // No value escaping necessary.
	}

	typeName = oidString
}

valueString := fmt.Sprint(tv.Value)
escaped := make([]rune, 0, len(valueString))

It does not provide any knob for us to get a customized string. So we have to do it ourselves.

I would recommend to list the attributes we want, and append them to the string returned from certificate.Subject.ToRDNSequence().String(). Like this:

package main

import (
	&quot;crypto/x509&quot;
	&quot;crypto/x509/pkix&quot;
	&quot;encoding/pem&quot;
	&quot;fmt&quot;
)

func toString(name pkix.Name) string {
	s := name.ToRDNSequence().String()

	// List the extra attributes that should be added.
	attributeTypeNames := map[string]string{
		&quot;2.5.4.43&quot;: &quot;initials&quot;,
		&quot;2.5.4.46&quot;: &quot;dnQualifier&quot;,
	}

	for typ, typeName := range attributeTypeNames {
		for _, atv := range name.Names {
			oidString := atv.Type.String()
			if oidString == typ {
				// To keep this demo simple, I just call fmt.Sprint to get the string.
				// Maybe you want to escape some of the characters.
				// See https://github.com/golang/go/blob/1db23771afc7b9b259e926db35602ecf5047ae23/src/crypto/x509/pkix/pkix.go#L67-L86
				s += &quot;,&quot; + typeName + &quot;=&quot; + fmt.Sprint(atv.Value)
				break
			}
		}
	}
	return s
}

func main() {
	block, _ := pem.Decode([]byte(cert))
	certificate, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		panic(err)
	}

	fmt.Println(certificate.Subject.String())
	fmt.Println()
	fmt.Println(certificate.Subject.ToRDNSequence().String())
	fmt.Println()
	fmt.Println(toString(certificate.Subject))
}

var cert = `-----BEGIN CERTIFICATE-----
MIIGvDCCBKSgAwIBAgIUPmInkYCv6nQgGfHrQ1sj/y/4gykwDQYJKoZIhvcNAQEL
BQAwgfsxGzAZBgNVBAMMEnNlY3VyZS5leGFtcGxlLmNvbTELMAkGA1UEBhMCWFgx
ETAPBgNVBAcMCEZ1biBMYW5kMSgwJgYDVQQKDB9NeUNvIExMQyBMVEQgSU5DIChk
LmIuYS4gT3VyQ28pMRIwEAYDVQQLDAlTU0wgRGVwdC4xCzAJBgNVBAgMAllZMSQw
IgYJKoZIhvcNAQkBFhVzc2wtYWRtaW5AZXhhbXBsZS5jb20xETAPBgNVBCkMCEpv
aG4gRG9lMQwwCgYDVQQEDANEb2UxDTALBgNVBCoMBEpvaG4xDDAKBgNVBCsMA0pY
RDENMAsGA1UELhMEc29tZTAeFw0yMzA2MTIxNDI2MzhaFw0yNDA2MTExNDI2Mzha
MIH7MRswGQYDVQQDDBJzZWN1cmUuZXhhbXBsZS5jb20xCzAJBgNVBAYTAlhYMREw
DwYDVQQHDAhGdW4gTGFuZDEoMCYGA1UECgwfTXlDbyBMTEMgTFREIElOQyAoZC5i
LmEuIE91ckNvKTESMBAGA1UECwwJU1NMIERlcHQuMQswCQYDVQQIDAJZWTEkMCIG
CSqGSIb3DQEJARYVc3NsLWFkbWluQGV4YW1wbGUuY29tMREwDwYDVQQpDAhKb2hu
IERvZTEMMAoGA1UEBAwDRG9lMQ0wCwYDVQQqDARKb2huMQwwCgYDVQQrDANKWEQx
DTALBgNVBC4TBHNvbWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDL
i0xuep6R94LF5yn0Lqni2QlJTF4yiUApwspH1g6jUTLDCr5F70BkaxagzNzKXssb
rgu+zwvIPHu1KiLNX1yoUHfdzDx0ECmaYW22ZET4P8F88slNmhQuxIXjYpOPo+2B
HZ8U1bY7ojDCcw94JHMHbug07wHIu8Y54wijgjV3xwNvGaOrJtXs3cSuBMldFKi7
S9gFgvQpOkQpbbl+v37vbVkzgS3BW4LF7apYQe9Q63Q2HeLd8/aAbATUJhGn1bzS
truvDa9FkKtDLVkN6furAecCDC+EaOnpsxwImP/D01wUkofOjywmBGbm7a/bpBY0
uXYQwMKXzTQUxd8MdaEV89Oao4ijuo8Q50+9XeHtB/q4tDhZJjW5K6XxqFXatRQa
/xmN8FmitVDDIRXqAz4TTVPDeQXnUdh3rETZbgOQzy4mqcGzv723TdbfZLgIQNiF
1aTJUeOtmbl7JUj/1QuLrpb+/AYzGQrG0XLpjR3h1esseBN1ts8eLVK5Z6ekP5ur
rjLv3Z2QQ1vsN/NGNqKVIyepPwj1wGxkKmaZ3D6i3GixQpmklno2WdorWf/M+opu
c5+bL8Nhpc0HIROdi8VnkBj5MIMQaZwFnFhq1vVeIhKZXfEUEE8y1r7Ju/MO5Qd1
Z6WATO77VCQd2g1xgqdJy7hrZGvMx/M9rRHqe57GYQIDAQABozYwNDATBgNVHSUE
DDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU8wIFQBHUFEsMbDSbJClj4ZhCyNEwDQYJ
KoZIhvcNAQELBQADggIBAFx4qApmwKzD6juOfCDMdxyNJZLgYu0VtOSJAoR5vcK8
Qk/rHpQMg/j+eoikjy+Xyh72wUovP25Z2c99gyeYX3VE2TtsqQ9uhz5EeoNvi4H5
Em68s5hWpyWWo2U5fSvcoFmPbEFT/VTuvt+jczPXVrzZ3a9ZBwKAPIvOcLp5Y9iK
sLzrkBVosAFAnFeffk/kyoOtrNoE/AhPEZUa8EfKrLh4GGp8NzzcJAMwwaoqkf3O
HUFIZYaeNjA6sM37Id3EQwvsRtWKRrDkci6NQcpf0TpVxwAZiST2+tyImbuHACQ7
qc1VHUl9OYAbHgjKgvhQsXxuYboBQAOxDvMjUEAPDzgzflJlpArI7AAO1VAMfT1/
+4ULiO1p9egkqDtZuU4GrVBWo1PfTJ/alP2O/B/fNECeVLpHnlAst+FRldYmRnSZ
R3Uv47PzpUKA1+zIVmPkK0kWjCB1xdfiCPJ0t9Uc7BMUeYRxKf9zyTBf9IQzlfNl
1lRxdOD7/TF/GjlWbtIeI8gWI38fiMhy6iAwl2EPK1GzQ3Wep0km/lx6OL5dGMrr
2SBcZeCqhzvB7YA7K28IFf2Wma9TXl/NBdhw57/7bCLkbeVANiWGvuQROGGRmlXG
Z1xP51mTHl8BL2ZN+Q4X7XjVFVXBeTFWxA8B9vLHo1QkdZCdrGzt5jEbpM5ZgJ5k
-----END CERTIFICATE-----`

The output:

CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX,2.5.4.46=#1304736f6d65,2.5.4.43=#13034a5844,2.5.4.42=#13044a6f686e,2.5.4.4=#1303446f65,2.5.4.41=#13084a6f686e20446f65,1.2.840.113549.1.9.1=#0c1573736c2d61646d696e406578616d706c652e636f6d
CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX
CN=secure.example.com,OU=SSL Dept.,O=MyCo LLC LTD INC (d.b.a. OurCo),L=Fun Land,ST=YY,C=XX,initials=JXD,dnQualifier=some

huangapple
  • 本文由 发表于 2023年6月12日 17:55:23
  • 转载请务必保留本文链接:https://go.coder-hub.com/76455500.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定