I am building an OpenSSL configuration that should help generate certificate signing requests for Hyperledger Fabric identity and TLS certificates (we cannot use Fabric CA in our organisation). My current configuration produces the following CSR:
openssl req -in ecdsa_ident_req.pem -text -noout
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C=NL, L=RD, OU=ll, CN=33
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d2:5b:38:77:b4:8e:1d:97:ab:fa:82:8a:5b:5e:
                    8f:d5:f4:8f:5a:7e:fb:0b:c1:1e:15:31:cf:e6:47:
                    9c:91:ce:5d:2b:9d:6b:7c:91:a9:ba:35:3f:7c:5c:
                    d9:a4:5d:d9:51:6e:65:73:a0:b3:c9:79:af:85:90:
                    a6:19:4e:76:f5
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            Requested Extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation
                1.2.3.4.5.6.7.8.1:
                    .l{"attrs":{"abac.init":"true","admin":"true","hf.Affiliation":"","hf.EnrollmentID":"Admin","hf.Type":"user"}}
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        ...
What I did not expect is the ".l" prefix in the value of the 1.2.3.4.5.6.7.8.1 attribute.
What do I need to change in my setup so that the value is set to the JSON string without that ".l" prefix?
The openssl version I am using is:
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
I generated the CSR with:
export ISHARE_ATTRS="{\"attrs\":{\"abac.init\":\"true\",\"admin\":\"true\",\"hf.Affiliation\":\"\",\"hf.EnrollmentID\":\"Admin\",\"hf.Type\":\"user\"}}"
openssl req -config ./openssl.cnf -new -newkey ec:ec_param.pem -section req_ecdsa_identity_admin -keyout ecdsa_ident_key.pem -out ecdsa_ident_req.pem
The contents of openssl.cnf are:
# Barebones openssl configuration that can be used to generate CSRs for
# - iSHARE Satellite Identity/Enrollment certificates
# - iSHARE Satellite TLS certificates
# Resources/documentation
# - https://www.openssl.org/docs/man3.0/man5/config.html
openssl_conf = openssl_init
[ openssl_init ]
alg_section = evp_properties
engines = engines
oid_section = OID
providers = providers
random = random
ssl_conf = ssl_configuration
[ engines ]
[ evp_properties ]
[ OID ]
iShareAttributesExtension = 1.2.3.4.5.6.7.8.1
[ providers ]
[ random ]
[ ssl_configuration ]
server = tls_server_config
client = tls_client_config
system_default = tls_system_default
[ tls_client_config ]
# configuration for SSL/TLS clients
RSA.Certificate = client-rsa.pem
ECDSA.Certificate = client-ecdsa.pem
[ tls_server_config ]
# configuration for SSL/TLS servers
RSA.Certificate = server-rsa.pem
ECDSA.Certificate = server-ecdsa.pem
[ tls_system_default ]
MinProtocol = TLSv1.2
MinProtocol = DTLSv1.2
[ req_dn_identity ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
[ req_dn_tls ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, hostname)
commonName_max = 64
[ req_ecdsa_identity_admin ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_user ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_peer ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_orderer ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_tls ]
distinguished_name = req_dn_tls
req_extensions = x509v3_ecdsa_tls
[ req_rsa_tls ]
distinguished_name = req_dn_tls
default_bits = 4096
req_extensions = x509v3_rsa_tls
[ x509v3_identity ]
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature,nonRepudiation
iShareAttributesExtension = ASN1:UTF8String:$ENV::ISHARE_ATTRS
[ x509v3_ecdsa_tls ]
basicConstraints = critical, CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = clientAuth, serverAuth
[ x509v3_rsa_tls ]
basicConstraints = critical, CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = clientAuth, serverAuth
The prefix is the type tag: the "." is actually 0x0C, the ASN.1 DER tag for a UTF8String, and the "l" after it is 0x6C, which happens to be an ASCII letter but here actually means 108, the length of the UTF8String value. This is standard for all X.509v3 and CSR extensions: each of them wraps a tagged DER value, e.g. the "keyUsage" value has a BitString tag inside, the "basicConstraints" value has a Sequence tag, and so on.
The only difference is that the openssl req tool knows how to display the contents of "standard" extensions, whereas for unknown extensions it shows the raw contents, including their type tag (if any). The OpenSSL configuration language lets you customise this tag value (ASN1_generate_nconf(3)), but there is no simple option to remove it altogether, simply because the value is expected to be valid DER (that is why the ASN1: is there in the first place: to produce a valid DER value!). You can use the DER:$ENV::ISHARE_ATTRS_HEX specifier instead of ASN1: for this purpose (note that it requires a hex-encoded string), but I strongly doubt this would result in a valid request. If anything, I believe it would make the request less valid than your current one. (Or, if this is "valid" for iSHARE, then iSHARE is doing something strange.)
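A worked illustration of the answer, added here and not part of the question or the answer: it encodes the ISHARE_ATTRS JSON the way ASN1:UTF8String: does and parses the resulting TLV back, showing that the two leading bytes are the 0x0C tag and the 0x6C (108) length that openssl req -text prints as ".l". It also covers values longer than 127 bytes, where DER switches to the long-form length and the prefix no longer looks like a single letter; the helper names are my own.

```python
"""Added example, not from the question or answer: build the DER UTF8String
that `ASN1:UTF8String:$ENV::ISHARE_ATTRS` produces and parse it back."""
import json

UTF8STRING_TAG = 0x0C  # ASN.1 universal tag for UTF8String

# The same JSON the question exports in ISHARE_ATTRS (copied from the CSR dump).
ISHARE_ATTRS = json.dumps(
    {"attrs": {"abac.init": "true", "admin": "true", "hf.Affiliation": "",
               "hf.EnrollmentID": "Admin", "hf.Type": "user"}},
    separators=(",", ":"),
)


def der_length(n: int) -> bytes:
    """DER length octets: one byte below 128, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_utf8string(text: str) -> bytes:
    """The extension value OpenSSL stores for ASN1:UTF8String:<text>."""
    payload = text.encode("utf-8")
    return bytes([UTF8STRING_TAG]) + der_length(len(payload)) + payload


def decode_tlv(der: bytes) -> tuple:
    """Parse one DER TLV into (tag, contents); reject truncated or trailing bytes."""
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    contents = der[offset:offset + length]
    if len(contents) != length or offset + length != len(der):
        raise ValueError("truncated or trailing data in extension value")
    return tag, contents


def explain(der: bytes) -> dict:
    """Describe the header bytes the way `openssl req -text` prints an unknown extension."""
    tag, contents = decode_tlv(der)
    header = der[:len(der) - len(contents)]
    shown = "".join(chr(b) if 32 <= b < 127 else "." for b in header)
    return {"tag": tag, "length": len(contents), "prefix_shown": shown,
            "json": json.loads(contents.decode("utf-8"))}


if __name__ == "__main__":
    print(explain(encode_utf8string(ISHARE_ATTRS)))  # tag 12, length 108, prefix ".l"
```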