Articles in the OpenSSL category

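"OpenSSL is an open-source software library package that applications can use to communicate securely, avoid eavesdropping, and confirm the identity of the party at the other end of the connection. The package is widely used on Internet web servers. Its main library is written in C and implements basic cryptographic functions as well as the SSL and TLS protocols."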

openssl - How can i know the CA subject name list which loaded in SSL context - Stack Overflow
The sample code shows you how to extract the Common Name (CN) and Subject Alternate Names (SAN) from the certificate in print_cn_name and print_san_name.

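/* Headers needed by this excerpt */
#include <stdio.h>
#include <string.h>
#include <openssl/x509v3.h>

void print_san_name(const char* label, X509* const cert)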
{
    int success = 0;
    GENERAL_NAMES* names = NULL;
    unsigned char* utf8 = NULL;

    do
    {
        if(!cert) break; /* failed */

        names = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0 );
        if(!names) break;

        int i = 0, count = sk_GENERAL_NAME_num(names);
        if(!count) break; /* failed */

        for( i = 0; i < count; ++i )
        {
            GENERAL_NAME* entry = sk_GENERAL_NAME_value(names, i);
            if(!entry) continue;

            if(GEN_DNS == entry->type)
            {
                int len1 = 0, len2 = -1;

                len1 = ASN1_STRING_to_UTF8(&utf8, entry->d.dNSName);
                if(utf8) {
                    len2 = (int)strlen((const char*)utf8);
                }

                if(len1 != len2) {
                    fprintf(stderr, "  Strlen and ASN1_STRING size do not match (embedded null?): %d vs %d\n", len2, len1);
                }

                /* If there's a problem with string lengths, then     */
                /* we skip the candidate and move on to the next.     */
                /* Another policy would be to fail since it probably  */
                /* indicates the client is under attack.              */
                if(utf8 && len1 && len2 && (len1 == len2)) {
                    fprintf(stdout, "  %s: %s\n", label, utf8);
                    success = 1;
                }

                if(utf8) {
                    OPENSSL_free(utf8), utf8 = NULL;
                }
            }
            else
            {
                fprintf(stderr, "  Unknown GENERAL_NAME type: %d\n", entry->type);
            }
        }

    } while (0);

    if(names)
        GENERAL_NAMES_free(names);

    if(utf8)
        OPENSSL_free(utf8);

    if(!success)
        fprintf(stdout, "  %s: <not available>\n", label);    
}

Referenced from:https://stackoverflow.com/questions/38368710/how-can-i-know-the-ca-subject-name-list-which-loaded-in-ssl-context

The DNS entry in a certificate refers to the X509v3 Subject Alternative Name in the X509v3 extensions.

It can be viewed with the following command:

openssl x509 -text -noout -in 1.crt

The output is as follows:

X509v3 extensions:

X509v3 Subject Alternative Name: 
    DNS: test.com

The code is as follows:

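#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>

int main(int argc, char **argv)
{
    BIO *bio = NULL;

    if (argc < 2) {
        fprintf(stderr, "usage: %s cert.pem\n", argv[0]);
        return 1;
    }

    bio = BIO_new_file(argv[1], "r");
    assert(bio);

    X509 *x = NULL;
    x = PEM_read_bio_X509(bio, NULL, NULL, NULL);
    assert(x);

    /* NULL when the certificate has no subjectAltName extension */
    GENERAL_NAMES* subjectAltNames = (GENERAL_NAMES*)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);

    int cnt = subjectAltNames ? sk_GENERAL_NAME_num(subjectAltNames) : 0;
    int i;

    for (i = 0; i < cnt; i++) {
        int type = 0;
        GENERAL_NAME* generalName = sk_GENERAL_NAME_value(subjectAltNames, i);
        ASN1_STRING* value = GENERAL_NAME_get0_value(generalName, &type);

        /* Only these name types carry an ASN1_STRING; skip the rest */
        if (type != GEN_DNS && type != GEN_EMAIL && type != GEN_URI)
            continue;

        /* Print by explicit length instead of relying on a terminating NUL. */
        /* ASN1_STRING_get0_data() replaces the deprecated ASN1_STRING_data() (OpenSSL 1.1.0+). */
        printf("%.*s\n", ASN1_STRING_length(value), (const char *)ASN1_STRING_get0_data(value));
    }

    GENERAL_NAMES_free(subjectAltNames);
    X509_free(x);
    BIO_free(bio);
    return 0;
}

gcc a.c -lssl -lcrypto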
./a.out 1.crt

Referenced from:https://blog.csdn.net/propro1314/article/details/72571807?locationNum=6&fps=1

certificates - Provide subjectAltName to openssl directly on the command line
Example of giving the most common attributes (subject and extensions)
on the command line:

 openssl req -new -subj "/C=GB/CN=foo" \
                  -addext "subjectAltName = DNS:foo.co.uk" \
                  -addext "certificatePolicies = 1.2.3.4" \
                  -newkey rsa:2048 -keyout key.pem -out req.pem

Referenced from:https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line

openssl x509 -in mosquitto-client.crt  -dates -noout 

notBefore=Jul 16 01:46:39 2021 GMT
notAfter=Oct 14 01:46:39 2021 GMT

openssl x509 -in mosquitto-client.crt  -enddate -noout

notAfter=Oct 14 01:46:39 2021 GMT

openssl x509 -in mosquitto-client.crt  -startdate -noout

notBefore=Jul 16 01:46:39 2021 GMT

openssl x509 -in mosquitto-client.crt  -dates

notBefore=Jul 16 01:46:39 2021 GMT
notAfter=Oct 14 01:46:39 2021 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

View the help for openssl x509:

openssl x509 -help

View all of the certificate information:

openssl x509 -in mosquitto-client.crt  -text

Certificate:

Data:
    Version: 3 (0x2)
    Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = GB, ST = United Kingdom, L = Derby, O = Mosquitto, OU = CA, CN = mosquitto.org, emailAddress = roger@atchoo.org
    Validity
        Not Before: Jul 16 01:46:39 2021 GMT
        Not After : Oct 14 01:46:39 2021 GMT
    Subject: C = CN, ST = GD, L = GZ, O = GV, OU = RD, CN = const.net.cn, emailAddress = admin@const.net.cn
    Subject Public Key Info:

RSA sign and verify using OpenSSL
Create the file to be signed and the public/private key pair:

$ echo abcdefghijklmnopqrstuvwxyz > myfile.txt

Generate a 512-bit private key. This is rather short; 2048-bit private keys are the default nowadays.

$ openssl genrsa -out myprivate.pem 512

Derive the public key from the private key:

$ openssl rsa -in myprivate.pem -pubout > mypublic.pem

View the private key contents:

$ cat myprivate.pem


Sign using the openssl command
Message digest algorithm : SHA1
Padding scheme : PKCS#1 v1.5
Sign using a SHA-1 digest with PKCS#1 padding:

$ openssl dgst -sha1 -sign myprivate.pem -out sha1.sign myfile.txt

View the binary signature file:

$ hexdump sha1.sign

0000000 91 39 be 98 f1 6c f5 3d 22 da 63 cb 55 9b b0 6a
0000010 93 33 8d a6 a3 44 e2 8a 42 85 c2 da 33 fa cb 70
0000020 80 d2 6e 7a 09 48 37 79 a0 16 ee bc 20 76 02 fc
0000030 3f 90 49 2c 2f 2f b8 14 3f 0f e3 0f d8 55 59 3d
0000040
Verify the signature using openssl
OpenSSL decrypts the signature to recover the hash and compares it to the hash of the input file.

$ openssl dgst -sha1 -verify mypublic.pem -signature sha1.sign myfile.txt

Verified OK
Referenced from:https://medium.com/@bn121rajesh/rsa-sign-and-verify-using-openssl-behind-the-scene-bf3cac0aade2
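
The comparison described above ("decrypts the signature to recover the hash and compares it to the hash of the input file") can be reproduced by hand. This is an added example, not part of the referenced article; it assumes a 2048-bit key and SHA-256 instead of the 512-bit key and SHA-1 used above, and the file name sha256.sign and the function names are illustrative.

```shell
#!/bin/sh
# Added example: redo by hand the digest comparison behind `openssl dgst -verify`.
# The key pair and message are constructed here; nothing comes from a real system.

# Create a throwaway 2048-bit key pair, a sample file and its SHA-256 signature.
make_inputs() {
    dir=$1
    printf 'abcdefghijklmnopqrstuvwxyz\n' > "$dir/myfile.txt"
    openssl genrsa -out "$dir/myprivate.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/myprivate.pem" -pubout -out "$dir/mypublic.pem" 2>/dev/null
    openssl dgst -sha256 -sign "$dir/myprivate.pem" -out "$dir/sha256.sign" "$dir/myfile.txt"
}

# Binary on stdin -> lowercase hex on stdout.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# usage: recovered_digest PUBKEY SIGNATURE
# The RSA public-key operation strips the PKCS#1 v1.5 padding and leaves the
# DER-encoded DigestInfo; its last 32 bytes are the SHA-256 hash that was signed.
recovered_digest() {
    openssl pkeyutl -verifyrecover -pubin -inkey "$1" -in "$2" 2>/dev/null |
        tail -c 32 | to_hex
}

# usage: file_digest FILE  (SHA-256 computed directly over the file)
file_digest() { openssl dgst -sha256 -binary "$1" | to_hex; }

# usage: manual_verify PUBKEY SIGNATURE FILE
# Returns 0 when both digests are equal. Illustration only: it skips the
# DigestInfo prefix check, so use `openssl dgst -verify` for real decisions.
manual_verify() {
    [ "$(recovered_digest "$1" "$2")" = "$(file_digest "$3")" ]
}

demo=$(mktemp -d)
make_inputs "$demo"
if manual_verify "$demo/mypublic.pem" "$demo/sha256.sign" "$demo/myfile.txt"; then
    echo "recovered digest matches file digest"
else
    echo "digest mismatch"
fi
rm -rf "$demo"
```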