PKCS#10 从 PKCS#11 请求对象密钥对

发布于 2024-07-23 20:57:24 字数 1096 浏览 8 评论 0原文

我有一个使用 PKCS#11 的标准调用生成的 RSA 1024 密钥对。我需要为公钥生成 PKCS#10 CSR。

MS 有 IEnroll4 dll，允许使用 createRequestWStr 引发 CSR。示例表明您需要生成一个新的密钥对（MS CAPI 中包含 2 个对象的容器），MS 会自动提供用于生成 csr 的公钥上下文。

就我而言，我已经使用 pkcs#11 生成了一个密钥对（作为 2 个对象，但没有密钥容器）。 MS dll 不允许我继续进行。查询 1：有人可以指出我如何解决这个问题吗？ --------------------------------------------------------- -----------------------------------------

或者，我正在考虑编写自己的代码，用于基于 RSA 标准的 CSR 生成。我有 ASN 1.0 格式认证请求的 ASN.1 语法为：

CertificationRequest ::= SEQUENCE {
   certificationRequestInfo CertificationRequestInfo,
   signatureAlgorithm       SignatureAlgorithmIdentifier,
   signature                Signature
}

SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
Signature ::= BIT STRING

CertificationRequestInfo ::= SEQUENCE {
   version                 Version,
   subject                 Name,
   subjectPublicKeyInfo    SubjectPublicKeyInfo,
   attributes [0] IMPLICIT Attributes
}    
Attributes ::= SET OF Attribute

QUERY 2: 如何使用上述语法？我对这种语法完全陌生？我应该查看哪些资源来编写自己的代码？

原文

I have a RSA 1024 key pair generated using standard call from PKCS#11.
I need to generate a PKCS#10 CSR for the public key.

MS has the IEnroll4 dll which will allow to raise a CSR using createRequestWStr. The samples indicate that you need to generate a new key pair(a container with 2 objects in MS CAPI) and MS automatically gives the the public key context for csr generation.

In my case, I already have a key pair generated using pkcs#11(as 2 objects but no key container). MS dll is not allowing me to proceed further.
QUERY 1:
Can some body point out how I can resolve this issue.
----------------------------------------------------------------------------

Alternatively, I was thinking to write my own code for CSR generation based on RSA standards. I am having the ASN 1.0 format
The ASN.1 syntax for a Certification Request is:

CertificationRequest ::= SEQUENCE {
   certificationRequestInfo CertificationRequestInfo,
   signatureAlgorithm       SignatureAlgorithmIdentifier,
   signature                Signature
}

SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
Signature ::= BIT STRING

CertificationRequestInfo ::= SEQUENCE {
   version                 Version,
   subject                 Name,
   subjectPublicKeyInfo    SubjectPublicKeyInfo,
   attributes [0] IMPLICIT Attributes
}    
Attributes ::= SET OF Attribute

QUERY 2:
How do I use the above syntaxes? I am totally new to this syntax? Which resources should I need to look at to write my own code?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

镜花水月 2024-07-30 20:57:24

如果您需要使用 PKCS#11 接口生成证书请求（即您不能使用 CSP 接口），您最好的选择是避免 IEnroll。

对于 C++，您的（免费和开源）选项似乎是研究 OpenSSL 或 Botan。我不太喜欢 OpenSSL 的 API，但它确实有效。我从来没有用过Botan，但看起来不错。如果你愿意花钱的话，还有很多不错的选择。

或者，如果您想自己编写 ASN.1，您可能需要阅读外行指南ASN.1、BER 和 DER 的子集。正式规范在 X.208 和 X.209 中，但这些很难读。

您想要生成 ASN.1 的 DER 编码（如链接中所述）。

这是一个示例编码：

308201493081b3020100300e310c300a06035504031303666f6f30819d300d06092a864886f70d01
0101050003818b00308187028181009c921beeef551bcb051518f0c48bfe72cb1d5609a64a005e0c
008580bb81b3a43cea280d5bffa4e777733845fc2f485f1c8ccc0b2914f30d1e41369fd4a6758a3c
c887834c4d6177bd96b9f341232b00d453f28f2ae5ad5e3b0324d0b5b440a0901968fd556470dd4d
2ea2e99dd99c580703c042853265374cd3622f6c3369e5020103300d06092a864886f70d01010505
000381810068c0266a16117b37fb15ad143e2941ff8b8f082daf4ec02789db01636f51c739f199fb
19c56228cc12b9e482b966f8650fa3fdb24e31e97eef15f61aabc91dc194aeba4ebce5eab0c5e3db
36cc090a0e4b2c7d3ac27eeb0d3900d73bd88172464b890a8f9a58a0d34c0f5e226b6173cc92a316
4bbbf1d12f29d1e2ad3f36c977

或使用优秀的 dumpasn1 实用程序进行翻译：

   0 30  329: SEQUENCE {
   4 30  179:   SEQUENCE {
   7 02    1:     INTEGER 0
  10 30   14:     SEQUENCE {
  12 31   12:       SET {
  14 30   10:         SEQUENCE {
  16 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  21 13    3:           PrintableString 'foo'
            :           }
            :         }
            :       }
  26 30  157:     SEQUENCE {
  29 30   13:       SEQUENCE {
  31 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
  42 05    0:         NULL
            :         }
  44 03  139:       BIT STRING 0 unused bits, encapsulates {
  48 30  135:           SEQUENCE {
  51 02  129:             INTEGER
            :               00 9C 92 1B EE EF 55 1B CB 05 15 18 F0 C4 8B FE
            :               72 CB 1D 56 09 A6 4A 00 5E 0C 00 85 80 BB 81 B3
            :               A4 3C EA 28 0D 5B FF A4 E7 77 73 38 45 FC 2F 48
            :               5F 1C 8C CC 0B 29 14 F3 0D 1E 41 36 9F D4 A6 75
            :               8A 3C C8 87 83 4C 4D 61 77 BD 96 B9 F3 41 23 2B
            :               00 D4 53 F2 8F 2A E5 AD 5E 3B 03 24 D0 B5 B4 40
            :               A0 90 19 68 FD 55 64 70 DD 4D 2E A2 E9 9D D9 9C
            :               58 07 03 C0 42 85 32 65 37 4C D3 62 2F 6C 33 69
            :                       [ Another 1 bytes skipped ]
 183 02    1:             INTEGER 3
            :             }
            :           }
            :       }
            :     }
 186 30   13:   SEQUENCE {
 188 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 199 05    0:     NULL
            :     }
 201 03  129:   BIT STRING 0 unused bits
            :     68 C0 26 6A 16 11 7B 37 FB 15 AD 14 3E 29 41 FF
            :     8B 8F 08 2D AF 4E C0 27 89 DB 01 63 6F 51 C7 39
            :     F1 99 FB 19 C5 62 28 CC 12 B9 E4 82 B9 66 F8 65
            :     0F A3 FD B2 4E 31 E9 7E EF 15 F6 1A AB C9 1D C1
            :     94 AE BA 4E BC E5 EA B0 C5 E3 DB 36 CC 09 0A 0E
            :     4B 2C 7D 3A C2 7E EB 0D 39 00 D7 3B D8 81 72 46
            :     4B 89 0A 8F 9A 58 A0 D3 4C 0F 5E 22 6B 61 73 CC
            :     92 A3 16 4B BB F1 D1 2F 29 D1 E2 AD 3F 36 C9 77
            :   }

If you need to generate your certificate-request with the PKCS#11-interface (i.e. you cannot use a CSP-interface instead) your best bet is to avoid IEnroll.

For C++ your (free and open source) options seems to be to look into OpenSSL or Botan. I am not terribly fond of OpenSSL's API, but it works. I have never used Botan, but it seems pretty nice. There are also many excellent choices if you are willing to pay for them.

Alternatively, if you want to write the ASN.1 yourself you probably want to read A Layman's Guide to a Subset of ASN.1, BER, and DER. The formal specifications are in X.208 and X.209, but those are hard reading.

You want to generate a DER encoding of the ASN.1 (that is described in the link).

Here is an example encoding:

308201493081b3020100300e310c300a06035504031303666f6f30819d300d06092a864886f70d01
0101050003818b00308187028181009c921beeef551bcb051518f0c48bfe72cb1d5609a64a005e0c
008580bb81b3a43cea280d5bffa4e777733845fc2f485f1c8ccc0b2914f30d1e41369fd4a6758a3c
c887834c4d6177bd96b9f341232b00d453f28f2ae5ad5e3b0324d0b5b440a0901968fd556470dd4d
2ea2e99dd99c580703c042853265374cd3622f6c3369e5020103300d06092a864886f70d01010505
000381810068c0266a16117b37fb15ad143e2941ff8b8f082daf4ec02789db01636f51c739f199fb
19c56228cc12b9e482b966f8650fa3fdb24e31e97eef15f61aabc91dc194aeba4ebce5eab0c5e3db
36cc090a0e4b2c7d3ac27eeb0d3900d73bd88172464b890a8f9a58a0d34c0f5e226b6173cc92a316
4bbbf1d12f29d1e2ad3f36c977

or translated with the excellent dumpasn1 utility:

   0 30  329: SEQUENCE {
   4 30  179:   SEQUENCE {
   7 02    1:     INTEGER 0
  10 30   14:     SEQUENCE {
  12 31   12:       SET {
  14 30   10:         SEQUENCE {
  16 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  21 13    3:           PrintableString 'foo'
            :           }
            :         }
            :       }
  26 30  157:     SEQUENCE {
  29 30   13:       SEQUENCE {
  31 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
  42 05    0:         NULL
            :         }
  44 03  139:       BIT STRING 0 unused bits, encapsulates {
  48 30  135:           SEQUENCE {
  51 02  129:             INTEGER
            :               00 9C 92 1B EE EF 55 1B CB 05 15 18 F0 C4 8B FE
            :               72 CB 1D 56 09 A6 4A 00 5E 0C 00 85 80 BB 81 B3
            :               A4 3C EA 28 0D 5B FF A4 E7 77 73 38 45 FC 2F 48
            :               5F 1C 8C CC 0B 29 14 F3 0D 1E 41 36 9F D4 A6 75
            :               8A 3C C8 87 83 4C 4D 61 77 BD 96 B9 F3 41 23 2B
            :               00 D4 53 F2 8F 2A E5 AD 5E 3B 03 24 D0 B5 B4 40
            :               A0 90 19 68 FD 55 64 70 DD 4D 2E A2 E9 9D D9 9C
            :               58 07 03 C0 42 85 32 65 37 4C D3 62 2F 6C 33 69
            :                       [ Another 1 bytes skipped ]
 183 02    1:             INTEGER 3
            :             }
            :           }
            :       }
            :     }
 186 30   13:   SEQUENCE {
 188 06    9:     OBJECT IDENTIFIER
            :       sha1withRSAEncryption (1 2 840 113549 1 1 5)
 199 05    0:     NULL
            :     }
 201 03  129:   BIT STRING 0 unused bits
            :     68 C0 26 6A 16 11 7B 37 FB 15 AD 14 3E 29 41 FF
            :     8B 8F 08 2D AF 4E C0 27 89 DB 01 63 6F 51 C7 39
            :     F1 99 FB 19 C5 62 28 CC 12 B9 E4 82 B9 66 F8 65
            :     0F A3 FD B2 4E 31 E9 7E EF 15 F6 1A AB C9 1D C1
            :     94 AE BA 4E BC E5 EA B0 C5 E3 DB 36 CC 09 0A 0E
            :     4B 2C 7D 3A C2 7E EB 0D 39 00 D7 3B D8 81 72 46
            :     4B 89 0A 8F 9A 58 A0 D3 4C 0F 5E 22 6B 61 73 CC
            :     92 A3 16 4B BB F1 D1 2F 29 D1 E2 AD 3F 36 C9 77
            :   }

回复收藏 0 原文

~没有更多了~