X.509证书
X.509证书以如下格式组织:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate, // 证书主体
signatureAlgorithm AlgorithmIdentifier, // 证书签名算法标识
signatureValue BIT STRING // 证书签名值,是使用signatureAlgorithm部分指定的签名算法对tbsCertificate证书主题部分签名后的值
}
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1, // 证书版本号
serialNumber CertificateSerialNumber, // 证书序列号
signature AlgorithmIdentifier, // 证书签名算法标识
issuer Name, // 证书发行者名称
validity Validity, // 证书有效期
subject Name, // 证书主体名称
subjectPublicKeyInfo SubjectPublicKeyInfo, // 证书公钥
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, // 证书发行者ID(可选),只在证书版本2、3中才有
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, // 证书主体ID(可选),只在证书版本2、3中才有
extensions [3] EXPLICIT Extensions OPTIONAL // 证书扩展段(可选),只在证书版本3中才有
}
Version ::= INTEGER { v1(0), v2(1), v3(2) }
CertificateSerialNumber ::= INTEGER
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
Name ::= CHOICE {
RDNSequence
}
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::=
SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue
}
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType
Validity ::= SEQUENCE {
notBefore Time, // 证书有效期起始时间
notAfter Time // 证书有效期终止时间
}
Time ::= CHOICE {
utcTime UTCTime, // 以UTC格式表示时间
generalTime GeneralizedTime // 以通用时间格式表示时间
}
UniqueIdentifier ::= BIT STRING
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier, // 公钥算法
subjectPublicKey BIT STRING // 公钥值
// algorithm.algorithm = OID_ec_public_key;
// algorithm.parameters = OID_sm2;
// subjectPublicKey = ECPoint
}
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension // 证书扩展,见“证书扩展”部分文档
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING
}
部分接口
int x509_cert_sign(
uint8_t *cert, size_t *certlen, size_t maxlen,
int version,
const uint8_t *serial, size_t serial_len,
int signature_algor,
const uint8_t *issuer, size_t issuer_len,
time_t not_before, time_t not_after,
const uint8_t *subject, size_t subject_len,
const SM2_KEY *subject_public_key,
const uint8_t *issuer_unique_id, size_t issuer_unique_id_len,
const uint8_t *subject_unique_id, size_t subject_unique_id_len,
const uint8_t *exts, size_t exts_len,
const SM2_KEY *sign_key,
const char *signer_id, size_t signer_id_len);
使用SM2签名算法,对待签名证书进行签名。函数的前三个参数用于保存最终生成整数的内容和长度信息,后三个参数为签名方信息,其余参数与X.509证书的各项参数一一对应。
int x509_cert_verify(const uint8_t *a, size_t alen, const SM2_KEY *pub_key, const char *signer_id, size_t signer_id_len);
以签名者的公钥pub_key和身份信息signer_id验证DER格式证书a的SM2签名。
int x509_cert_verify_by_ca_cert(const uint8_t *a, size_t alen, const uint8_t *cacert, size_t cacertlen, const char *signer_id, size_t signer_id_len);
通过CA证书cacert和身份信息signer_id验证DER格式证书a的SM2签名。
int x509_cert_get_details(const uint8_t *a, size_t alen,
int *version,
const uint8_t **serial_number, size_t *serial_number_len,
int *inner_signature_algor,
const uint8_t **issuer, size_t *issuer_len,
time_t *not_before, time_t *not_after,
const uint8_t **subject, size_t *subject_len,
SM2_KEY *subject_public_key,
const uint8_t **issuer_unique_id, size_t *issuer_unique_id_len,
const uint8_t **subject_unique_id, size_t *subject_unique_id_len,
const uint8_t **extensions, size_t *extensions_len,
int *signature_algor,
const uint8_t **signature, size_t *signature_len);
将证书a的各项信息存放在指定的数组中。
int x509_certs_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
调用vfprintf等系统函数,打印长为dlen的证书d的各项内容到输出流fp中。
注:头文件中所有x509_..._print格式的函数功能与此相同,依名称不同打印并输出证书的特定部分内容。