Placing a signature on an X509 certificate

Question   Votes: 3   Answers: 1

I am building an X509 with the openssl API... I want to sign this certificate with a third-party API that receives a char * with the data to be signed (plus some parameters to select which private key to use) and returns the signature.

What I want to ask is whether there is a function in openssl for placing the signature, because X509_sign() does a lot of things but needs the private key...

I have a way of doing it, but I would like to know whether I am missing something in the X509_INFO part, whether the signed data is set correctly, or whether something else is missing.

The certificate is generated correctly, but I don't know whether all the information is sent or whether the signature is correct.

This is how I create the certificate:

//Setting version
if(X509_set_version(certificate, X509_VERSION) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the version to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}


//Setting serial number
if(ASN1_INTEGER_set(X509_get_serialNumber(certificate), serialNumber) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the serial number to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}


//Setting the subject
if(X509_set_subject_name(certificate, subject) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the subject to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

//Setting the issuer
if(X509_set_issuer_name(certificate, issuer) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the issuer to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

//Setting the public key
if(X509_set_pubkey(certificate, subjectPubKey) != RETURN_OK)
{
    errorHandler->returnError(printer, "Unable to set the public key to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

//Setting the not before
if(!X509_gmtime_adj(X509_get_notBefore(certificate), X509_VALIDITY_NOT_BEFORE))
{
    errorHandler->returnError(printer, "Unable to set the not before to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

//Setting the not after
if(!X509_gmtime_adj(X509_get_notAfter(certificate), X509_VALIDITY_NOT_AFTER))
{
    errorHandler->returnError(printer, "Unable to set the not after to the certificate.", BUILDING_X509_CERTIFICATE);
    goto exitFailure;
}

This is how I retrieve the CERT_INFO in DER format (the data I send as a char * to the third-party API):

//Preparing the data to sign. The signature algorithm must be present inside the
//TBSCertificate (cert_info->signature) BEFORE it is DER-encoded: that encoding is
//exactly what gets signed and what a verifier re-encodes, so setting it afterwards
//produces a certificate that serialises fine but whose signature never verifies.
//sha256WithRSAEncryption carries an explicit NULL parameter.
if(!X509_ALGOR_set0(certificate->cert_info->signature, OBJ_nid2obj(DEFAULT_SIGNATURE_ALGORITHM), V_ASN1_NULL, NULL))
{
    errorHandler->returnError(printer, "Unable to set the signature algorithm in the certificate info.", SIGNING_X509_CERTIFICATE);
    goto exitFailure;
}
//certificateInfoToSign must be NULL here so that i2d allocates the buffer (free it with OPENSSL_free)
certificateInfoToSignLenght = i2d_X509_CINF(certificate->cert_info, &certificateInfoToSign);
if(certificateInfoToSignLenght <= 0 || !certificateInfoToSign)
{
    errorHandler->returnError(printer, "Unable to convert the certificate info in DER format.", SIGNING_X509_CERTIFICATE);
    goto exitFailure;
}

and send it to my third-party function, which returns the signature to me:

sign_binary(&keyID, certificateInfoToSign,
            (unsigned int*)&certificateInfoToSignLenght, signature, &signatureLenght,
            signaturePublicKey, &signaturePublicKeyLenght);

Finally, I set the signature and the algorithm (the third-party API only produces SHA256withRSA signatures):

//Adding the signing algorithm to the outer signatureAlgorithm field. It must be the
//same algorithm (and parameters) as the one inside cert_info, otherwise X509_verify()
//rejects the certificate. Setting sig_alg in place avoids leaking a separate X509_ALGOR;
//OBJ_nid2obj() returns a static object for built-in NIDs, so nothing extra is owned here.
signatureTypeObject = OBJ_nid2obj(DEFAULT_SIGNATURE_ALGORITHM);
if(!signatureTypeObject || !X509_ALGOR_set0(certificate->sig_alg, signatureTypeObject, V_ASN1_NULL, NULL))
{
    errorHandler->returnError(printer, "Unable to create signature algorithm.", SIGNING_X509_CERTIFICATE);
    goto exitFailure;
}

//Adding the signed data to the certificate. ASN1_BIT_STRING_set() copies the bytes into
//memory owned by OpenSSL (a buffer from new[] would later be released with OPENSSL_free),
//and the flags mark the BIT STRING as having zero unused bits, exactly as X509_sign() does.
if(!ASN1_BIT_STRING_set(certificate->signature, signature, (int)signatureLenght))
{
    errorHandler->returnError(printer, "Unable to append the signature to the certificate.", SIGNING_X509_CERTIFICATE);
    goto exitFailure;
}
certificate->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
certificate->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
Tags: openssl, x509