我正在创建一个 OpenSSL 配置,该配置应有助于生成 Hyperledger Fabric Identity 和 TLS 证书的证书签名请求(我们无法在组织中使用 Fabric CA)。我当前的配置生成如下 CSR:
openssl req -in ecdsa_ident_req.pem -text -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C=NL, L=RD, OU=ll, CN=33
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d2:5b:38:77:b4:8e:1d:97:ab:fa:82:8a:5b:5e:
8f:d5:f4:8f:5a:7e:fb:0b:c1:1e:15:31:cf:e6:47:
9c:91:ce:5d:2b:9d:6b:7c:91:a9:ba:35:3f:7c:5c:
d9:a4:5d:d9:51:6e:65:73:a0:b3:c9:79:af:85:90:
a6:19:4e:76:f5
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
Requested Extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation
1.2.3.4.5.6.7.8.1:
.l{"attrs":{"abac.init":"true","admin":"true","hf.Affiliation":"","hf.EnrollmentID":"Admin","hf.Type":"user"}}
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
...
意外的是属性.l值中的前缀1.2.3.4.5.6.7.8.1。
我需要在设置中进行哪些更改才能将值设置为不带该.l前缀的 JSON 字符串。
我正在使用 openssl 版本
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
我使用以下方式生成了 CSR
export ISHARE_ATTRS="{\"attrs\":{\"abac.init\":\"true\",\"admin\":\"true\",\"hf.Affiliation\":\"\",\"hf.EnrollmentID\":\"Admin\",\"hf.Type\":\"user\"}}"
openssl req -config ./openssl.cnf -new -newkey ec:ec_param.pem -section req_ecdsa_identity_admin -keyout ecdsa_ident_key.pem -out ecdsa_ident_req.pem
其内容为opensll.cnf:
# Barebones openssl configuration that can be used to generate CSRs for
# - iSHARE Satellite Identity/Enrollment certificates
# - iSHARE Satellite TLS certificates
# Resources/documentation
# - https://www.openssl.org/docs/man3.0/man5/config.html
openssl_conf = openssl_init
[ openssl_init ]
alg_section = evp_properties
engines = engines
oid_section = OID
providers = providers
random = random
ssl_conf = ssl_configuration
[ engines ]
[ evp_properties ]
[ OID ]
iShareAttributesExtension = 1.2.3.4.5.6.7.8.1
[ providers ]
[ random ]
[ ssl_configuration ]
server = tls_server_config
client = tls_client_config
system_default = tls_system_default
[ tls_client_config ]
# configuration for SSL/TLS clients
RSA.Certificate = client-rsa.pem
ECDSA.Certificate = client-ecdsa.pem
[ tls_server_config ]
# configuration for SSL/TLS servers
RSA.Certificate = server-rsa.pem
ECDSA.Certificate = server-ecdsa.pem
[ tls_system_default ]
MinProtocol = TLSv1.2
MinProtocol = DTLSv1.2
[ req_dn_identity ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
[ req_dn_tls ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, hostname)
commonName_max = 64
[ req_ecdsa_identity_admin ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_user ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_peer ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_orderer ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_tls ]
distinguished_name = req_dn_tls
req_extensions = x509v3_ecdsa_tls
[ req_rsa_tls ]
distinguished_name = req_dn_tls
default_bits = 4096
req_extensions = x509v3_rsa_tls
[ x509v3_identity ]
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature,nonRepudiation
iShareAttributesExtension = ASN1:UTF8String:$ENV::ISHARE_ATTRS
[ x509v3_ecdsa_tls ]
basicConstraints = critical, CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = clientAuth, serverAuth
[ x509v3_rsa_tls ]
basicConstraints = critical, CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = clientAuth, serverAuth
答案1
前缀是类型标签 – “ .” 实际上0x0C是UTF8String 类型的 ASN.1 DER 标签;l后面的“ ”是0x6C,它恰好对应于一个 ASCII 字母,但在这种情况下实际上意味着 108 – UTF8String 值的长度。
这是所有 X.509v3 和 CSR 扩展的标准 - 它们都封装了一个带标记的 DER 值,例如“keyUsage”值里面有一个 BitString 标记,“basicConstraints”值里面有一个 Sequence 标记,等等。
唯一的区别是该openssl req工具知道如何展示“标准”扩展的内容,而对于未知扩展,它会显示原始内容 - 如果有的话,包括它们的类型标签。
OpenSSL 配置语言允许您自定义此标签值(ASN1_generate_nconf(3)),但没有简单的选项可以彻底删除它,只是因为该值应该是有效的 DER(这就是您ASN1:首先使用它的原因 - 产生有效的 DER 值!)。
你能DER:$ENV::ISHARE_ATTRS_HEX使用说明符来实现这一点ASN1:(请注意,它需要一个十六进制编码字符串),但我非常怀疑这是否会导致有效的请求。如果有的话,我相信它会让请求较少的比您目前拥有的更有效。(或者,如果这对 iSHARE 来说在某种程度上是“有效的”,那么 iSHARE 正在做一些奇怪的事情。)