从 PEM 文件获取 ASN.1 颁发者字符串?

发布于 2024-07-04 02:13:19 字数 509 浏览 11 评论 0原文

我最近遇到了 Windows 2003 的一个问题(显然它也存在于其他版本中),如果 SSL/TLS 服务器正在请求客户端证书身份验证并且它具有超过 16KB 的受信任证书 DN,则 Internet Explorer(或任何其他应用程序)使用 schannel.dll)无法完成 SSL 握手。 (简而言之,服务器将消息分成 2^14 字节的块,根据 RFC 2246 秒 6.2.1,但 Schannel 并不是为了支持这一点而编写的。我已从 Microsoft 支持部门得到确认,这是一个Schannel 中的缺陷,他们正在考虑在未来的版本中修复它。)

所以我试图找到一种方法来轻松解析我的可信证书(我使用 Apache 作为我的服务器,所以它们都是 PEM 格式)获取 DN 的 ASN.1 格式总长度(这是它们在握手期间通过线路发送的方式),从而查看是否太接近限制。 不过,我还没有找到一种方法来做到这一点:OpenSSL asn1parse 函数很接近,但它似乎没有提供一种方法来获取仅颁发者名称的 ASN.1 序列,这就是我需要。

有什么建议么?

I recently came across an issue with Windows 2003 (apparently it also exists in other versions too), where if an SSL/TLS server is requesting client certificate authentication and it has more than 16KB of trusted certificate DNs, Internet Explorer (or any other app that uses schannel.dll) is unable to complete the SSL handshake. (In a nutshell, the server breaks the message into chunks of 2^14 bytes, as per RFC 2246 sec. 6.2.1, but Schannel wasn't written to support that. I've gotten confirmation from Microsoft support that this is a flaw in Schannel and that they're considering fixing it in a future release.)

So I'm trying to find a way to easily parse through my trusted certificates (I use Apache as my server, so all of them are in PEM format) to get the total ASN.1-format length of the DNs (which is how they get sent over the wire during the handshake), and thereby see if I'm getting too close to the limit. I haven't yet been able to find a way to do this, though: the OpenSSL asn1parse function comes close, but it doesn't seem to provide a way to get the ASN.1 sequence for just the issuer name, which is what I need.

Any suggestions?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

秋心╮凉 2024-07-11 02:13:19

由于 ASN.1 是自描述的,因此编写 ASN.1 解析器相当容易。 您可能知道,ASN.1 数据包含一棵值树,其中每个值类型都由全局分配的 OID(对象 ID)来标识。 您可以在以下位置找到带有源代码的免费 ASN.1 解码器:http://www.geocities.co.jp/SiliconValley-圣何塞/3377/asn1JS.html。 它是用 JavaScript 编写的,因此您可以直接在浏览器中使用它。

至于你的具体问题 - 我会:

  1. 使用提供的解析器,找到另一个解析器或编写我自己的解析器
  2. 查找可信 DN 的 OID(检查规范或简单地使用提供的 ASN.1 解码器页面解码证书)
  3. 将以上两者结合起来提取证书内可信 DN 的大小。

Since ASN.1 is self describing, it's fairly easy to write an ASN.1 parser. As you probably know, ASN.1 data contains a tree of values, where each value type is identified by a globally assigned OID (Object ID). You can find a free ASN.1 decoder with source code at: http://www.geocities.co.jp/SiliconValley-SanJose/3377/asn1JS.html. It;'s written in javascript so you can play with it directly in your browser.

As to your exact question - I would:

  1. Use the supplied parser, find another one or write my own
  2. Find the OID of trusted DNs (check the specification or simply decode a certificate using the supplied ASN.1 decoder page)
  3. Combine the two above to extract the size of trusted DNs inside a certificate.
节枝 2024-07-11 02:13:19

openssl asn1parse 可以做到这一点,但您需要进行一些手动解析来找出颁发者序列的开始位置。 根据 RFC 5280,它是 TBSCertificate 序列中的第四项(如果是 v1 证书,则可能是第三项),紧随签名算法之后。 在以下示例中:

    0:d=0  hl=4 l= 621 cons: SEQUENCE
    4:d=1  hl=4 l= 470 cons:  SEQUENCE
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
   13:d=2  hl=2 l=   1 prim:   INTEGER           :02
   16:d=2  hl=2 l=  13 cons:   SEQUENCE
   18:d=3  hl=2 l=   9 prim:    OBJECT            :sha1WithRSAEncryption
   29:d=3  hl=2 l=   0 prim:    NULL
   31:d=2  hl=2 l=  64 cons:   SEQUENCE
   33:d=3  hl=2 l=  11 cons:    SET
   35:d=4  hl=2 l=   9 cons:     SEQUENCE
   37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
   46:d=3  hl=2 l=  26 cons:    SET
   48:d=4  hl=2 l=  24 cons:     SEQUENCE
   50:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
   55:d=5  hl=2 l=  17 prim:      PRINTABLESTRING   :Test Certificates
   74:d=3  hl=2 l=  21 cons:    SET
   76:d=4  hl=2 l=  19 cons:     SEQUENCE
   78:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   83:d=5  hl=2 l=  12 prim:      PRINTABLESTRING   :Trust Anchor
   97:d=2  hl=2 l=  30 cons:   SEQUENCE
   99:d=3  hl=2 l=  13 prim:    UTCTIME           :010419145720Z
  114:d=3  hl=2 l=  13 prim:    UTCTIME           :110419145720Z
  129:d=2  hl=2 l=  59 cons:   SEQUENCE

颁发者 DN 从偏移量 31 开始,标头长度为 2,值长度为 64,总长度为 66 字节。 当然,编写脚本并不那么容易......

openssl asn1parse will do it, but you'll need to do some manual parsing to figure out where the issuer sequence begins. Per RFC 5280, it's the 4th item in the TBSCertificate sequence (potentially 3rd if it's a v1 certificate), immediately following the signature algorithm. In the following example:

    0:d=0  hl=4 l= 621 cons: SEQUENCE
    4:d=1  hl=4 l= 470 cons:  SEQUENCE
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
   13:d=2  hl=2 l=   1 prim:   INTEGER           :02
   16:d=2  hl=2 l=  13 cons:   SEQUENCE
   18:d=3  hl=2 l=   9 prim:    OBJECT            :sha1WithRSAEncryption
   29:d=3  hl=2 l=   0 prim:    NULL
   31:d=2  hl=2 l=  64 cons:   SEQUENCE
   33:d=3  hl=2 l=  11 cons:    SET
   35:d=4  hl=2 l=   9 cons:     SEQUENCE
   37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
   46:d=3  hl=2 l=  26 cons:    SET
   48:d=4  hl=2 l=  24 cons:     SEQUENCE
   50:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
   55:d=5  hl=2 l=  17 prim:      PRINTABLESTRING   :Test Certificates
   74:d=3  hl=2 l=  21 cons:    SET
   76:d=4  hl=2 l=  19 cons:     SEQUENCE
   78:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   83:d=5  hl=2 l=  12 prim:      PRINTABLESTRING   :Trust Anchor
   97:d=2  hl=2 l=  30 cons:   SEQUENCE
   99:d=3  hl=2 l=  13 prim:    UTCTIME           :010419145720Z
  114:d=3  hl=2 l=  13 prim:    UTCTIME           :110419145720Z
  129:d=2  hl=2 l=  59 cons:   SEQUENCE

the Issuer DN starts at offset 31 and has a header-length of two and a value length of 64, for a total length of 66 bytes. This isn't so easy to script, of course...

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文