How do I create a certificate signing request with extensions and attribute values in Go?

3
I want to create a certificate request (CSR) with the crypto/x509 package, but I can't figure out how to add the extension and attribute parameters.
In the CertificateRequest struct we can see that extensions are of type pkix.Extension. This is the structure of pkix.Extension:
type Extension struct {
        Id       asn1.ObjectIdentifier
        Critical bool `asn1:"optional"`
        Value    []byte
}

Searching the source, I found the following constants in https://golang.org/src/crypto/x509/x509.go:

var (
    oidExtKeyUsageAny                            = asn1.ObjectIdentifier{2, 5, 29, 37, 0}
    oidExtKeyUsageServerAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
    oidExtKeyUsageClientAuth                     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
    oidExtKeyUsageCodeSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 3}
    oidExtKeyUsageEmailProtection                = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 4}
    oidExtKeyUsageIPSECEndSystem                 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 5}
    oidExtKeyUsageIPSECTunnel                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 6}
    oidExtKeyUsageIPSECUser                      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 7}
    oidExtKeyUsageTimeStamping                   = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
    oidExtKeyUsageOCSPSigning                    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 9}
    oidExtKeyUsageMicrosoftServerGatedCrypto     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}
    oidExtKeyUsageNetscapeServerGatedCrypto      = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 4, 1}
    oidExtKeyUsageMicrosoftCommercialCodeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}
    oidExtKeyUsageMicrosoftKernelCodeSigning     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}
)

OK, so now I have the Id for the parameter. In my case I want to set the KeyUsage extension to serverAuth. I have the id, but what is the value?

I don't know if I'm doing this right. Can someone help me?

1 Answer

0

The Attributes field is considered obsolete and does not work properly.

When I needed to add attributes to a CSR, I copied the required functionality into an internal file, added my attribute in raw form, and patched CreateCertificateRequest before the tbsCSR field of the certificate request was marshaled. Note: the certificateRequest struct is not x509.CertificateRequest; that struct is used only for marshaling. Here is a code sample for passwordChallengeAttribute:

var oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}

// PKCS#9 challengePassword attribute: SEQUENCE { type OID, values SET OF value }.
type passwordChallengeAttribute struct {
    Type  asn1.ObjectIdentifier
    Value []string `asn1:"set"`
}

// `challenge` is the password string; `tbsCSR` is the copied internal
// certificateRequest value that is about to be marshaled.
passwordAttribute := passwordChallengeAttribute{
    Type:  oidChallengePassword,
    Value: []string{challenge},
}

b, err := asn1.Marshal(passwordAttribute)
if err != nil {
    return nil, err
}

// Re-read the DER as a RawValue so it can be appended unchanged to the attribute list.
var rawAttribute asn1.RawValue
if _, err := asn1.Unmarshal(b, &rawAttribute); err != nil {
    return nil, err
}
tbsCSR.RawAttributes = append(tbsCSR.RawAttributes, rawAttribute)

But using extensions is better and is supported, so you only need to implement a data structure representing the desired extension, marshal it and add it to the extension list. For example, adding a BasicConstraints extension:

// Mirrors the BasicConstraints SEQUENCE from RFC 5280 (the same struct the x509 package uses internally).
type basicConstraints struct {
    IsCA       bool `asn1:"optional"`
    MaxPathLen int  `asn1:"optional,default:-1"`
}

var oidExtensionBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19} // unexported in the x509 package, so redeclared here

var extensions []pkix.Extension
basicCon := basicConstraints{IsCA: true, MaxPathLen: -1}
bitstr, err := asn1.Marshal(basicCon)
if err != nil {
    return nil, err // propagate to the caller
}
bcExt := pkix.Extension{Id: oidExtensionBasicConstraints, Value: bitstr}
extensions = append(extensions, bcExt)
// CreateCertificateRequest only reads ExtraExtensions from the template;
// the Extensions field is filled by ParseCertificateRequest and ignored on creation.
csrTmpl := &x509.CertificateRequest{
    ExtraExtensions: extensions,
}
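As an added example (not code from the question or the answer above), this covers the serverAuth case the question asks about: the ExtendedKeyUsage value is marshaled from a slice of OIDs, placed in ExtraExtensions, and the CSR is then parsed back and its self-signature checked the way a CA would before trusting the requested purposes. The names buildCSR, requestedEKUs and the CommonName are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
)

// OIDs for the extension and the serverAuth purpose; the x509 package keeps them unexported.
var oidExtExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
var oidEKUServerAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
// buildCSR (assumed name) returns a DER CSR whose ExtendedKeyUsage lists purposes. The value is a
// SEQUENCE OF OBJECT IDENTIFIER, so a slice of OIDs marshals straight to it. It must go in
// ExtraExtensions: CreateCertificateRequest ignores the Extensions field, which is parse-only.
func buildCSR(cn string, purposes []asn1.ObjectIdentifier) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ekuDER, err := asn1.Marshal(purposes)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: cn},
		ExtraExtensions: []pkix.Extension{{Id: oidExtExtendedKeyUsage, Value: ekuDER}},
	}, key)
}
// requestedEKUs (assumed name) checks the CSR's self-signature (proof of key possession) and decodes
// the purposes asked for, which a CA compares against its policy instead of copying them blindly.
func requestedEKUs(der []byte) ([]asn1.ObjectIdentifier, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	var ekus []asn1.ObjectIdentifier
	for _, e := range csr.Extensions {
		if e.Id.Equal(oidExtExtendedKeyUsage) {
			if _, err := asn1.Unmarshal(e.Value, &ekus); err != nil {
				return nil, err
			}
		}
	}
	return ekus, nil
}
```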
