我正在创建一个 OpenSSL 配置,该配置应有助于生成 Hyperledger Fabric Identity 和 TLS 证书的证书签名请求(我们不能在我们的组织中使用 Fabric CA)。我当前的配置生成如下 CSR:
openssl req -in ecdsa_ident_req.pem -text -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C=NL, L=RD, OU=ll, CN=33
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d2:5b:38:77:b4:8e:1d:97:ab:fa:82:8a:5b:5e:
8f:d5:f4:8f:5a:7e:fb:0b:c1:1e:15:31:cf:e6:47:
9c:91:ce:5d:2b:9d:6b:7c:91:a9:ba:35:3f:7c:5c:
d9:a4:5d:d9:51:6e:65:73:a0:b3:c9:79:af:85:90:
a6:19:4e:76:f5
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
Requested Extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation
1.2.3.4.5.6.7.8.1:
.l{"attrs":{"abac.init":"true","admin":"true","hf.Affiliation":"","hf.EnrollmentID":"Admin","hf.Type":"user"}}
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
...
令人意想不到的是.l属性值中的前缀1.2.3.4.5.6.7.8.1。
我需要在设置中进行哪些更改才能将值设置为不带该.l前缀的 JSON 字符串。
我使用的是openssl版本
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
我使用生成的 CSR
export ISHARE_ATTRS="{\"attrs\":{\"abac.init\":\"true\",\"admin\":\"true\",\"hf.Affiliation\":\"\",\"hf.EnrollmentID\":\"Admin\",\"hf.Type\":\"user\"}}"
openssl req -config ./openssl.cnf -new -newkey ec:ec_param.pem -section req_ecdsa_identity_admin -keyout ecdsa_ident_key.pem -out ecdsa_ident_req.pem
其内容opensll.cnf是:
# Barebones openssl configuration that can be used to generate CSRs for
# - iSHARE Satellite Identity/Enrollment certificates
# - iSHARE Satellite TLS certificates
# Resources/documentation
# - https://www.openssl.org/docs/man3.0/man5/config.html
openssl_conf = openssl_init
[ openssl_init ]
alg_section = evp_properties
engines = engines
oid_section = OID
providers = providers
random = random
ssl_conf = ssl_configuration
[ engines ]
[ evp_properties ]
[ OID ]
iShareAttributesExtension = 1.2.3.4.5.6.7.8.1
[ providers ]
[ random ]
[ ssl_configuration ]
server = tls_server_config
client = tls_client_config
system_default = tls_system_default
[ tls_client_config ]
# configuration for SSL/TLS clients
RSA.Certificate = client-rsa.pem
ECDSA.Certificate = client-ecdsa.pem
[ tls_server_config ]
# configuration for SSL/TLS servers
RSA.Certificate = server-rsa.pem
ECDSA.Certificate = server-ecdsa.pem
[ tls_system_default ]
MinProtocol = TLSv1.2
MinProtocol = DTLSv1.2
[ req_dn_identity ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
[ req_dn_tls ]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, hostname)
commonName_max = 64
[ req_ecdsa_identity_admin ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_user ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_peer ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_identity_orderer ]
distinguished_name = req_dn_identity
req_extensions = x509v3_identity
[ req_ecdsa_tls ]
distinguished_name = req_dn_tls
req_extensions = x509v3_ecdsa_tls
[ req_rsa_tls ]
distinguished_name = req_dn_tls
default_bits = 4096
req_extensions = x509v3_rsa_tls
[ x509v3_identity ]
basicConstraints = critical, CA:FALSE
keyUsage = digitalSignature,nonRepudiation
iShareAttributesExtension = ASN1:UTF8String:$ENV::ISHARE_ATTRS
[ x509v3_ecdsa_tls ]
basicConstraints = critical, CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = clientAuth, serverAuth
[ x509v3_rsa_tls ]
basicConstraints = critical, CA:FALSE
keyUsage = keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage = clientAuth, serverAuth