x509 v3证书结构
version number //版本号
serial number //序列号
signature algorithm ID //签名算法id
issuer name //发行者名称
validity period //有效时间
not before //xx时间之前
not after //xx时间之后
subject name //证书所属者名称
subject public key info //公钥信息
public key algorithm //公钥算法
subject public key //公钥
issuer unique identifier(可选) //发布者唯一标识符
subject unique identifier(可选) //所属着唯一标识符
extensions(可选) //扩展信息
...
certificate signature algorithm //证书签名算法
certificate signature //证书签名
CERL extension扩展
x509证书处理流程(基础流程)
1.检查基本的证书信息,包含以下内容
a.使用working_public_key_algorithm 和working_public_key、working_public_key_parameters检查在证书中的签名
b.检查证书的有效时间
c.证书是否被吊销
d.证书的颁布者是否正在使用
2.如果证书是自颁布的并且不是路径中的最后一个证书,跳过这一步。否则,检查证书所属者的名字,判断是否在x500的允许的permitted_subtrees中;同时,检查在subjectAltName扩展中的每一个备选名称(alternative names).
3.同上,检查的是subject name(证书所有者的名称)
4.证书存在策略拓展(policies extension) 并且valid_policy_tree不为空,用以下的步骤来处理策略(policy)信息
a.对于每一个不在证书拓展(certificate policies extension)中的策略(policy)P,使用P-OID表示p的policy同时用P-Q表示对于P的policy集合,之后经过下面几个步骤的处理
a1.对于每一个P-OID在valid_policy_tree深度为i-1的expected_policy_set集合,使用这样的方式创建树的子节点:设置P-OID的valid_policy,设置P-Q的qualifier_set同时设置{P-OID}的expected_policy_set集合
a2.如果a1中没有匹配的,并且valid_policy_tree包含了深度为i-1的anypolicy节点(兼容所有的),生成满足以下条件的节点:设置P-OID的valid_policy,设置P-Q的qualifier_set,并且设置{P-OID}的expected_policy_set集合
5.如果证书的policy拓展不存在,将valid_policy_tree置为空
6.检查explicit_policy是否大于0或者valid_policy_tree是否为空
证书样例:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3409819322 (0xcb3db6ba)
Signature Algorithm: sm2sign-with-sm3
Issuer: C=cn, ST=bj, L=bj, O=tsinghua, OU=general, CN=hubert/emailAddress=chf@tsinghua.org.cn
Validity
Not Before: Apr 2 07:47:56 2022 GMT
Not After : Apr 2 07:47:56 2023 GMT
Subject: C=cn, ST=bj, O=tsinghua, OU=general, CN=hubert/emailAddress=chf@tsinghua.org.cn
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:f2:7e:86:67:89:b2:52:70:d0:07:f8:07:3c:b7:
33:50:34:cb:2a:e0:66:b6:11:b3:56:3b:40:72:ee:
a5:5b:1b:95:aa:d5:97:25:57:25:53:3e:61:2b:8c:
a7:28:d3:60:0d:d7:c8:01:3a:af:28:32:fd:a4:b7:
3d:ed:ab:aa:4a
ASN1 OID: sm2p256v1
NIST CURVE: SM2
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Key Encipherment
Netscape Comment:
GmSSL Generated Certificate
X509v3 Subject Key Identifier:
0A:50:52:06:A9:1B:09:D5:0E:18:74:DC:5D:47:D6:72:6D:8C:43:DE
X509v3 Authority Key Identifier:
keyid:55:CA:9E:61:61:81:72:7F:26:7A:85:95:9A:1D:C5:8B:B3:C7:B8:6A
Signature Algorithm: sm2sign-with-sm3
30:44:02:20:4c:7b:c8:e2:ab:e5:4d:86:09:f8:af:de:ba:82:
d8:dc:b9:9e:37:7d:d4:b5:de:d6:72:27:04:d2:2f:39:87:1b:
02:20:77:82:33:0b:b3:67:a9:a6:34:31:3d:d8:c8:3d:75:13:
21:ae:6d:56:2d:77:ce:23:bc:b2:00:83:e7:2a:36:db
-----BEGIN CERTIFICATE-----
MIICgjCCAimgAwIBAgIFAMs9trowCgYIKoEcz1UBg3UwgYoxCzAJBgNVBAYTAmNu
MQswCQYDVQQIDAJiajELMAkGA1UEBwwCYmoxETAPBgNVBAoMCGxvb25nc29uMRAw
DgYDVQQLDAdnZW5lcmFsMRQwEgYDVQQDDAtjaGVuaGFpZmVuZzEmMCQGCSqGSIb3
DQEJARYXY2hlbmhhaWZlbmdAbG9vbmdzb24uY24wHhcNMjIwNDAyMDc0NzU2WhcN
MjMwNDAyMDc0NzU2WjB9MQswCQYDVQQGEwJjbjELMAkGA1UECAwCYmoxETAPBgNV
BAoMCGxvb25nc29uMRAwDgYDVQQLDAdnZW5lcmFsMRQwEgYDVQQDDAtjaGVuaGFp
ZmVuZzEmMCQGCSqGSIb3DQEJARYXY2hlbmhhaWZlbmdAbG9vbmdzb24uY24wWTAT
BgcqhkjOPQIBBggqgRzPVQGCLQNCAATyfoZnibJScNAH+Ac8tzNQNMsq4Ga2EbNW
O0By7qVbG5Wq1ZclVyVTPmErjKco02AN18gBOq8oMv2ktz3tq6pKo4GHMIGEMAkG
A1UdEwQCMAAwCwYDVR0PBAQDAgUgMCoGCWCGSAGG+EIBDQQdFhtHbVNTTCBHZW5l
cmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFApQUgapGwnVDhh03F1H1nJtjEPe
MB8GA1UdIwQYMBaAFFXKnmFhgXJ/JnqFlZodxYuzx7hqMAoGCCqBHM9VAYN1A0cA
MEQCIEx7yOKr5U2GCfiv3rqC2Ny5njd91LXe1nInBNIvOYcbAiB3gjMLs2eppjQx
PdjIPXUTIa5tVi13ziO8sgCD5yo22w==
-----END CERTIFICATE-----
阅读(3169) | 评论(0) | 转发(0) |