Getting the ASN.1 issuer string from a PEM file?
I recently came across an issue with Windows 2003 (apparently it also exists in other versions too), where if an SSL/TLS server is requesting client certificate authentication and it has more than 16KB of trusted certificate DNs, Internet Explorer (or any other app that uses schannel.dll) is unable to complete the SSL handshake. (In a nutshell, the server breaks the message into chunks of 2^14 bytes, as per RFC 2246 sec. 6.2.1, but Schannel wasn't written to support that. I've gotten confirmation from Microsoft support that this is a flaw in Schannel and that they're considering fixing it in a future release.)
So I'm trying to find a way to easily parse through my trusted certificates (I use Apache as my server, so all of them are in PEM format) to get the total ASN.1-format length of the DNs (which is how they get sent over the wire during the handshake), and thereby see if I'm getting too close to the limit. I haven't yet been able to find a way to do this, though: the OpenSSL asn1parse function comes close, but it doesn't seem to provide a way to get the ASN.1 sequence for just the issuer name, which is what I need.
Any suggestions?
Since ASN.1 is self describing, it's fairly easy to write an ASN.1 parser. As you probably know, ASN.1 data contains a tree of values, where each value type is identified by a globally assigned OID (Object ID). You can find a free ASN.1 decoder with source code at: http://www.geocities.co.jp/SiliconValley-SanJose/3377/asn1JS.html. It's written in JavaScript so you can play with it directly in your browser.
As to your exact question - I would:
openssl asn1parse will do it, but you'll need to do some manual parsing to figure out where the issuer sequence begins. Per RFC 5280, it's the 4th item in the TBSCertificate sequence (potentially 3rd if it's a v1 certificate), immediately following the signature algorithm. In the following example:
the Issuer DN starts at offset 31 and has a header-length of two and a value length of 64, for a total length of 66 bytes. This isn't so easy to script, of course...
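The walk this answer describes (TBSCertificate, skip the explicit `[0]` version if present, then serialNumber, signature algorithm, issuer) can be scripted directly against the DER instead of post-processing `asn1parse` output, which also answers the question's original goal of summing the encoded DN lengths against the 16KB limit. The following is an added example and not code from the question or either answer. It is a minimal DER walker in Python (standard library only) that reads every CERTIFICATE block in a PEM string, locates the issuer Name the way the answer describes (4th field of TBSCertificate, 3rd for a v1 certificate), and totals the bytes those names would occupy in a TLS 1.0 CertificateRequest: per RFC 2246 sec. 7.4.4 the `certificate_authorities` vector has a 2-byte length and each DistinguishedName is a 2-byte length plus its DER. `TLS_MAX_FRAGMENT` is the 2^14 record limit from the question. The sample certificates (`SAMPLE_PEM`) are constructed in the block itself with dummy keys and signatures, since the parser never verifies them; point `pem_to_der` at your own CA file contents to get real numbers. The `issuer_tlv` result reports the same offset/header/value triple that `asn1parse` prints.

```python
import base64
import re
from collections import namedtuple

# Added example (not from the question or answers). Reads PEM CERTIFICATE
# blocks and builds its own toy certificates as sample input; no real CA data.

TLS_MAX_FRAGMENT = 2 ** 14  # RFC 2246 sec. 6.2.1: largest record fragment
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# One DER tag-length-value: its tag, where it starts, header size and value size
TLV = namedtuple("TLV", "tag pos hdr length")


def pem_to_der(pem_text):
    """Yield the DER bytes of every CERTIFICATE block in a PEM string."""
    for body in PEM_CERT_RE.findall(pem_text):
        yield base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode the DER header at buf[pos]; definite lengths only, as X.509 requires."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers do not occur in X.509 certificates")
    first = buf[pos + 1]
    if first < 0x80:                       # short form: one length byte
        hdr, length = 2, first
    else:                                  # long form: 0x80 | n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    if pos + hdr + length > len(buf):
        raise ValueError("TLV runs past the end of the buffer")
    return TLV(tag, pos, hdr, length)


def children(buf, node):
    """Yield the TLVs directly inside a constructed (SEQUENCE / SET / [n]) node."""
    if not node.tag & 0x20:
        raise ValueError("not a constructed type")
    p = node.pos + node.hdr
    end = p + node.length
    while p < end:
        child = read_tlv(buf, p)
        yield child
        p = child.pos + child.hdr + child.length


def issuer_tlv(cert):
    """Locate the issuer Name in a DER certificate (RFC 5280 sec. 4.1):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT DEFAULT v1, serialNumber,
                                  signature, issuer, validity, subject, ... }"""
    tbs = next(children(cert, read_tlv(cert, 0)))
    fields = list(children(cert, tbs))
    # v2/v3 carry the explicit [0] version, v1 starts at serialNumber, so the
    # issuer is the 4th or 3rd field respectively, right after the signature algorithm
    skip = 1 if fields[0].tag == 0xA0 else 0
    issuer = fields[skip + 2]
    if issuer.tag != 0x30:
        raise ValueError("issuer field is not a SEQUENCE")
    return issuer


def issuer_name(cert):
    """The complete DER encoding (header + value) of the issuer Name."""
    t = issuer_tlv(cert)
    return cert[t.pos:t.pos + t.hdr + t.length]


def issuer_lengths(pem_text):
    """Encoded issuer-Name length, in bytes, of every certificate in the PEM text."""
    return [len(issuer_name(c)) for c in pem_to_der(pem_text)]


def certificate_authorities_size(pem_text):
    """Bytes the certificate_authorities vector of a TLS 1.0 CertificateRequest occupies
    (RFC 2246 sec. 7.4.4): 2-byte vector length, then each DN as 2-byte length + DER."""
    return 2 + sum(2 + n for n in issuer_lengths(pem_text))


# --- constructed sample input: toy certificates with dummy keys and signatures ---
def _der(tag, content):
    """Encode one DER TLV, using the short or long length form as needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName 2.5.4.3, PrintableString }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))


def _toy_cert(issuer_cn, subject_cn, v3=True):
    sig_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    rsa_alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))  # rsaEncryption
    tbs = ((_der(0xA0, _der(0x02, b"\x02")) if v3 else b"")        # version [0] only for v3
           + _der(0x02, b"\x01") + sig_alg + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
           + _name(subject_cn) + _der(0x30, rsa_alg + _der(0x03, b"\x00" * 9)))  # dummy key bits
    cert = _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00" * 17))  # dummy signature
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = _toy_cert("Example Root CA", "Example Root CA") + _toy_cert("Legacy CA", "Legacy CA", v3=False)

if __name__ == "__main__":
    for n in issuer_lengths(SAMPLE_PEM):
        print("issuer DN: %d bytes" % n)
    total = certificate_authorities_size(SAMPLE_PEM)
    print("certificate_authorities vector: %d bytes (limit %d)" % (total, TLS_MAX_FRAGMENT))
```

For a real Apache CA bundle, replace `SAMPLE_PEM` with the contents of the file named by `SSLCACertificateFile`; the total is what to compare against `TLS_MAX_FRAGMENT`. The walker deliberately rejects indefinite lengths and high tag numbers, neither of which is valid in a DER-encoded certificate, so malformed input fails loudly instead of producing a wrong count.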