在國密標準文件《GMT 0015-2012 基于SM2密碼算法的數字證書格式》里有對X.509數字證書格式的詳細描述。
數字證書的定義
由國家認可的,具有權威性、可信性和公正性的第三方證書認證機構(CA)進行數字簽名的一個可信的數字化文件。
數字證書的特性
1、任何能夠獲得和使用認證機構公鑰的用戶都可以恢復認證機構所認證的公鑰。
2、除了認證機構,沒有其他機構能夠更改證書,證書是不可偽造的。
由于證書是不可偽造的,所以可以通過將其放置在目錄中來發布,而不需要以后特意去保護它們。
數字證書的格式
采用GB/T 16262系列標準的特定編碼規則(DER)對下列證書項中的各項信息進行編碼,組成特定的證書數據結構。ASN.1 DER編碼是關于每個元素的標記、長度和值的編碼系統。
| 域 | 值 | 描述 |
|---|---|---|
| version | 2 | 整數2用于版本3證書 |
| serialNumber | INTEGER | |
| issuer | ||
| ? Name | 必須與Subject DN一致 | |
| ? ? RDNSequence | ||
| ? ? ? RelativeDistinguishedName | ||
| ? ? ? ? AttributeTypeAndValue | ||
| ? ? ? ? ? AttributeType | OID | |
| ? ? ? ? ? AttributeValue | 參考5.2.3.4 | |
| validity | ||
| ? NotBefore | ||
| ? ? Time | ||
| ? ? ? UtcTime | YYMMDDHHMMSSZ | 用于2049之前的年份(含2049) |
| ? ? ? generalTime | YYYYMMDDHHMMSSZ | 用于2049之后的年份 |
| ? NotAfter | ||
| ? ? Time | ||
| ? ? ? UtcTime | YYMMDDHHMMSSZ | 用于2049之前的年份(含2049) |
| ? ? ? generalTime | YYYYMMDDHHMMSSZ | 用于2049之后的年份 |
| subject | ||
| ? Name | 必須與Issuer DN一直 | |
| ? ? RDNSequence | ||
| ? ? ? RelativeDistinguishedName | ||
| ? ? ? ? ?AttributeTypeAndValue | ||
| ? ? ? ? ? ?AttributeType | OID | |
| ? ? ? ? ? ?AttributeValue | 參考5.2.3.4 | |
| subjectPublicKeyInfo | ||
| ? algorithm | ||
| ? ? AlgorithmIdentifier | 公鑰算法,可能是RSA公鑰或橢圓曲線公鑰 | |
| ? ? ? algorithm | 1.2.840.113549.1.1.1 | RSA |
| 1.2.156.10197.1.301 | SM2橢圓曲線公鑰密碼算法 | |
| ? ? ? parameters | NULL | RSA |
| ECPublicKeySpec | 當使用SM2密碼算法時,為SM2密碼算法曲線的OID |
數字證書的實踐
使用openssl生成證書
$ openssl req -newkey rsa:1024 -out req.pem -keyout sslclientkey.pem
$ openssl ca -in req.pem -out sslclientcert.pem查看證書內容
$ openssl x509 -in sslclientcert.pem -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number:f5:7d:2c:e9:8b:a7:72:a1Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=JS, L=NJ, O=JZ, OU=JZ, CN=XX/emailAddress=123@123.comValidityNot Before: May 27 02:42:27 2024 GMTNot After : May 27 02:42:27 2025 GMTSubject: C=CN, ST=JS, O=JZ, OU=JZ, CN=XX/emailAddress=123@123.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (1024 bit)Modulus:00:d5:0e:4a:f2:21:1a:25:e4:86:cd:21:2b:4d:b8:bd:21:05:a5:f0:ab:91:c1:1d:aa:ba:3d:91:a3:eb:00:ec:42:c7:38:c6:50:b4:2a:43:3f:d9:e2:94:13:23:a5:e7:74:2c:73:bf:e8:29:3a:72:41:6f:fc:be:2c:6b:eb:35:b4:9f:7d:e2:b6:b8:62:30:a8:a1:7a:b6:47:3b:a5:b9:92:94:df:af:7d:0c:ab:af:3b:eb:76:06:09:cf:0f:59:33:54:de:cf:b3:ba:aa:22:35:34:fb:a0:1a:3f:89:8e:ff:04:af:f0:85:67:64:b1:ea:34:ef:72:6e:f9:9a:1f:3bExponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:A5:70:4E:A8:2A:12:D1:93:9A:02:F2:81:54:68:11:67:0E:5C:97:3AX509v3 Authority Key Identifier:keyid:2E:5F:85:F6:02:29:A0:10:47:B8:DB:8F:0C:C6:2F:1D:80:AA:9C:7BSignature Algorithm: sha256WithRSAEncryption4f:ce:d5:16:ad:54:91:d4:72:ca:34:63:85:b7:3e:64:48:91:ab:a1:1e:7f:e1:be:f2:ef:7f:0a:e9:f7:54:e0:53:96:05:de:ec:fb:16:1d:e1:ce:34:c9:7f:fd:d5:d4:7f:83:84:b7:f6:5e:0a:bb:af:94:5a:0b:c7:8c:1f:25:dd:71:0e:6f:24:06:d7:8f:74:67:e9:9c:9a:c3:b6:ef:0a:b8:ea:1f:77:51:24:2c:3e:1e:99:06:c4:ed:89:bd:c7:67:14:70:16:e5:36:05:86:f6:bc:f8:73:7f:81:cc:54:a6:9e:96:eb:bb:b0:45:56:1c:f8:44:b0:34:e9:a2:c4:85:a0:56:84:7f:7e:da:f5:0c:cd:da:e3:e6:e7:fb:4d:c0:b9:5d:fc:9e:d9:f9:61:91:ef:9c:e6:09:08:1f:4f:28:e0:56:f0:d4:b4:09:e1:9a:ff:5c:5d:8f:31:61:7f:75:31:ba:91:17:70:48:71:6e:33:ec:5e:87:95:80:2e:7f:a9:7d:de:41:29:4f:85:df:7d:4e:c1:19:cd:68:90:69:ab:e1:dc:f5:50:d4:65:e9:8d:9f:d9:8a:c1:5e:9a:0b:55:f5:08:4e:43:88:9a:5b:ef:ba:ab:b9:a9:b5:71:ae:b2:33:69:45:c0:04:be:5d:18:5b:28:d7:28:fb
證書格式轉換:將PEM轉換為DER格式
$ openssl x509 -in sslclientcert.pem -outform der -out sslclientcert.der查看DER格式證書內容
$ openssl x509 -in sslclientcert.der -inform der -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number:f5:7d:2c:e9:8b:a7:72:a1Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=JS, L=NJ, O=JZ, OU=JZ, CN=XX/emailAddress=123@123.comValidityNot Before: May 27 02:42:27 2024 GMTNot After : May 27 02:42:27 2025 GMTSubject: C=CN, ST=JS, O=JZ, OU=JZ, CN=XX/emailAddress=123@123.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (1024 bit)Modulus:00:d5:0e:4a:f2:21:1a:25:e4:86:cd:21:2b:4d:b8:bd:21:05:a5:f0:ab:91:c1:1d:aa:ba:3d:91:a3:eb:00:ec:42:c7:38:c6:50:b4:2a:43:3f:d9:e2:94:13:23:a5:e7:74:2c:73:bf:e8:29:3a:72:41:6f:fc:be:2c:6b:eb:35:b4:9f:7d:e2:b6:b8:62:30:a8:a1:7a:b6:47:3b:a5:b9:92:94:df:af:7d:0c:ab:af:3b:eb:76:06:09:cf:0f:59:33:54:de:cf:b3:ba:aa:22:35:34:fb:a0:1a:3f:89:8e:ff:04:af:f0:85:67:64:b1:ea:34:ef:72:6e:f9:9a:1f:3bExponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:A5:70:4E:A8:2A:12:D1:93:9A:02:F2:81:54:68:11:67:0E:5C:97:3AX509v3 Authority Key Identifier:keyid:2E:5F:85:F6:02:29:A0:10:47:B8:DB:8F:0C:C6:2F:1D:80:AA:9C:7BSignature Algorithm: sha256WithRSAEncryption4f:ce:d5:16:ad:54:91:d4:72:ca:34:63:85:b7:3e:64:48:91:ab:a1:1e:7f:e1:be:f2:ef:7f:0a:e9:f7:54:e0:53:96:05:de:ec:fb:16:1d:e1:ce:34:c9:7f:fd:d5:d4:7f:83:84:b7:f6:5e:0a:bb:af:94:5a:0b:c7:8c:1f:25:dd:71:0e:6f:24:06:d7:8f:74:67:e9:9c:9a:c3:b6:ef:0a:b8:ea:1f:77:51:24:2c:3e:1e:99:06:c4:ed:89:bd:c7:67:14:70:16:e5:36:05:86:f6:bc:f8:73:7f:81:cc:54:a6:9e:96:eb:bb:b0:45:56:1c:f8:44:b0:34:e9:a2:c4:85:a0:56:84:7f:7e:da:f5:0c:cd:da:e3:e6:e7:fb:4d:c0:b9:5d:fc:9e:d9:f9:61:91:ef:9c:e6:09:08:1f:4f:28:e0:56:f0:d4:b4:09:e1:9a:ff:5c:5d:8f:31:61:7f:75:31:ba:91:17:70:48:71:6e:33:ec:5e:87:95:80:2e:7f:a9:7d:de:41:29:4f:85:df:7d:4e:c1:19:cd:68:90:69:ab:e1:dc:f5:50:d4:65:e9:8d:9f:d9:8a:c1:5e:9a:0b:55:f5:08:4e:43:88:9a:5b:ef:ba:ab:b9:a9:b5:71:ae:b2:33:69:45:c0:04:be:5d:18:5b:28:d7:28:fb
)
![[從零開發JS應用] 如何在VScode中配置Javascript環境,常見的調試方法有哪些?](http://pic.xiahunao.cn/[從零開發JS應用] 如何在VScode中配置Javascript環境,常見的調試方法有哪些?)
![頁面加載不出來,報錯[@umijs/runtime] load component failed](http://pic.xiahunao.cn/頁面加載不出來,報錯[@umijs/runtime] load component failed)
)
