公众号是真的好久没更新了,实在抱歉,过年之后到现在终于觉得开始清闲了一下,最近一直在整理在日本时候的照片,主要最后一个月末赶上了樱花季,得以观赏了樱花盛开的画面。
这两天遇到了一个问题,就是在查看一个设备证书的时候,证书文件中包含了三个证书,分别是一个根证书和两个子证书,也就形成了一个从根到子证书再到孙证书的证书链:
1
2
3
4
5
6
7
8
[coreuser@HK-CentOS ca]$ cat ca.crt | grep -w "CERTIFICATE"
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[coreuser@HK-CentOS ca]$
通过openssl命令来查看一下证书的x509标准输出:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[coreuser@HK-CentOS ca]$ openssl x509 -in ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
76:29:aa:20:fa:8a:8e:76:24:a2:19:36:f4:ad:1a:aa
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Validity
Not Before: Sep 17 00:00:00 2015 GMT
Not After : Aug 31 23:59:59 2016 GMT
Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd., OU=service operation department, CN=baidu.com
Subject Public Key Info:
..............
e1:44:28:42:c5:dd:13:a4:51:a8:bf:fe:30:da:93:36:c5:1e:
76:e0:c6:cd
[coreuser@HK-CentOS ca]$
得到的结果永远都是一个证书的x509标准,如果对此文件熟悉的操作员可以知道此文件中是有三个证书的,但是如果第一次接触就可能被openssl的输出误导。
所以基于openssl的基础上写了一个mulca的脚本来查看这种一个文件中包含多个证书的情况,当然一文件一证书的情况也是可以的。
理论上就是通过判断将各个证书分批调用openssl来进行解析,具体代码如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#!/bin/sh
sub_ca_file="certificatexx.crt"
ca_number=1
if [ -f $sub_ca_file ];then
rm -rf $sub_ca_file
fi
if [ -z $1 ];then
echo "ERROR: missing the file name";exit
fi
if [ -f $1 ];then
ca_total_number=`cat $1 | grep -w "\-----BEGIN\ CERTIFICATE-----" -c`
if [ $ca_total_number != "0" ];then
echo "Total Certificate found: $ca_total_number";echo
while read line || [ -n "$line" ]
do
if [[ $line == "-----END CERTIFICATE-----" ]];then
echo $line >> $sub_ca_file 2>&1
echo "########Certificate $ca_number#######"
openssl x509 -in $sub_ca_file -text -noout
rm -rf $sub_ca_file 2>&1
echo;echo;ca_number=$(($ca_number+1))
else
echo $line >> $sub_ca_file 2>&1
fi
done < $1
else
echo;echo "An incorrecte certificate file.";echo;echo
fi
else
echo "File \"$1\" is not existed!"
fi
脚本运行结果如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
[coreuser@HK-CentOS ca]$ ./mulca ca.crt
Total Certificate found: 3
########Certificate 1#######
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
76:29:aa:20:fa:8a:8e:76:24:a2:19:36:f4:ad:1a:aa
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Validity
Not Before: Sep 17 00:00:00 2015 GMT
Not After : Aug 31 23:59:59 2016 GMT
Subject: C=CN, ST=Beijing, L=Beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd., OU=service operation department, CN=baidu.com
Subject Public Key Info:
...............
Signature Algorithm: sha1WithRSAEncryption
...............
76:e0:c6:cd
########Certificate 2#######
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
64:1b:e8:20:ce:02:08:13:f3:2d:4d:2d:95:d6:7e:67
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject Public Key Info:
...............
Signature Algorithm: sha1WithRSAEncryption
...............
78:43:99:a8
########Certificate 3#######
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Jul 16 23:59:59 2036 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject Public Key Info:
...............
Signature Algorithm: sha1WithRSAEncryption
...............
a8:ed:63:6a
[coreuser@HK-CentOS ca]$
如果想修改输出内容,可以通过修改脚本中的openssl命令参数来进行控制:
1
openssl x509 -in $sub_ca_file -text -noout
后续有时间可能会修改成继承openssl的参数从而通过参数传递来控制输出。
代码已经更新到Github mulca: https://github.com/MinpuKang/mulca,欢迎使用,如果有兴趣的朋友可以同步完善,在此谢过!
另外在openssl的提问中开发人员提到了在新的1.1.1版本中,将会有一个新的叫做STORE的功能来解决这个问题并给了输出示例,感觉非常完美,敬请期待:Multi-CAs in one file cannot be listed out #5962
欢迎关注公众号:七禾页话(qiheyehk),旅行、摄影。。。