Parsing a PKCS #7 using go.mozilla.org/pkcs7 fails with "tags don't match"
Question
I'm trying to create a PKCS #7 as a test fixture using the following OpenSSL commands (adapted from https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/):
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=US/ST=CA/L=San Francisco/O=Acme Corporation/OU=Awesomeness Department/CN=Insanely Great Certificate"
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
However, if I try parsing it using the pkcs7 package,
package main

import (
	"os"

	"go.mozilla.org/pkcs7"
)

func main() {
	b, err := os.ReadFile("cert.p7b")
	if err != nil {
		panic(err)
	}
	if _, err := pkcs7.Parse(b); err != nil {
		panic(err)
	}
}
I get an error that the tags don't match,
> go run main.go
panic: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:77 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} contentInfo @2
Should this not be a valid PKCS #7?
Answer 1
Score: 1
It turns out that pkcs7.Parse expects its input to be in DER format whereas the output from OpenSSL is in PEM format by default. So either the program needs to be adapted to

package main

import (
	"encoding/pem"
	"os"

	"go.mozilla.org/pkcs7"
)

func main() {
	b, err := os.ReadFile("cert.p7b")
	if err != nil {
		panic(err)
	}
	block, _ := pem.Decode(b)
	if block == nil {
		panic("Input is not in PEM format.")
	}
	if _, err := pkcs7.Parse(block.Bytes); err != nil {
		panic(err)
	}
}

Or in the openssl crl2pkcs7 call one needs to specify the outform flag as der:
> openssl crl2pkcs7 --help
unknown option '--help'
usage: crl2p7 [-certfile file] [-in file] [-inform DER | PEM]
[-nocrl] [-out file] [-outform DER | PEM]
-certfile file Chain of PEM certificates to a trusted CA
-in file Input file (default stdin)
-inform format Input format (DER or PEM (default))
-nocrl Do not read CRL from input or include CRL in output
-out file Output file (default stdout)
-outform format Output format (DER or PEM (default))
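
Added example, not part of the original answer: a standard-library-only check that accepts either PEM or DER and returns DER suitable for pkcs7.Parse. It also shows where the error's "tag:13" comes from: the '-' that starts a PEM header is byte 0x2d, which reads as a constructed universal tag 13 where a DER SEQUENCE (0x30, tag 16) was expected. The names toDER, identifier and sampleDER are hypothetical, and sampleDER is a constructed stand-in rather than a real cert.p7b.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
)

// sampleDER is a constructed stand-in for cert.p7b in DER form: a SEQUENCE
// holding only the signedData OID (1.2.840.113549.1.7.2), not a full PKCS #7.
var sampleDER = []byte{0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}

// identifier splits a short-form ASN.1 identifier octet into its fields.
func identifier(b byte) (class, tag int, compound bool) {
	return int(b >> 6), int(b & 0x1f), b&0x20 != 0
}

// toDER (hypothetical helper) unwraps PEM-armored PKCS #7 or passes DER through.
func toDER(in []byte) ([]byte, error) {
	if bytes.HasPrefix(bytes.TrimSpace(in), []byte("-----BEGIN ")) {
		block, _ := pem.Decode(in)
		if block == nil {
			return nil, errors.New("malformed PEM")
		}
		if block.Type != "PKCS7" { // label OpenSSL writes for PKCS #7
			return nil, fmt.Errorf("unexpected PEM type %q", block.Type)
		}
		in = block.Bytes
	}
	var outer asn1.RawValue
	rest, err := asn1.Unmarshal(in, &outer)
	if err != nil {
		return nil, fmt.Errorf("not DER: %w", err)
	}
	if outer.Tag != asn1.TagSequence || !outer.IsCompound || len(rest) != 0 {
		return nil, errors.New("not a single DER SEQUENCE")
	}
	return in, nil
}

func main() {
	armored := pem.EncodeToMemory(&pem.Block{Type: "PKCS7", Bytes: sampleDER})
	fmt.Println(identifier(armored[0]))   // '-' (0x2d), first byte of the PEM header
	fmt.Println(identifier(sampleDER[0])) // 0x30, first byte of a DER SEQUENCE
	der, err := toDER(armored)
	fmt.Println(bytes.Equal(der, sampleDER), err)
}
```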