我的程序使用 OpenSSL,需要根据需要创建自签名证书。它运行的系统无法访问“openssl”CLI 命令,所以我不能使用它。相反,我需要使用 OpenSSL X509 API 来实现这一点。
请注意,我不需要创建证书文件,只需创建证书;OpenSSL 称之为“X509”结构。
我找不到任何有关如何执行此操作的文档。
我怎样才能做到这一点?
谢谢。
我的程序使用 OpenSSL,需要根据需要创建自签名证书。它运行的系统无法访问“openssl”CLI 命令,所以我不能使用它。相反,我需要使用 OpenSSL X509 API 来实现这一点。
请注意,我不需要创建证书文件,只需创建证书;OpenSSL 称之为“X509”结构。
我找不到任何有关如何执行此操作的文档。
我怎样才能做到这一点?
谢谢。
这是一个示例代码,可能会有所帮助
X509 *certificate = NULL;
EVP_PKEY *pkey = NULL;
int ASN1_INTEGER *serialNumber = NULL;
int i = 0;
RSA *rsaKeyPair = NULL;
BIGNUM *e = NULL;
X509_NAME *name = NULL;
time_t currentTime;
certificate = X509_new();
rsaKeyPair = RSA_new();
e = BN_new();
BN_set_word(e, 65537);
if (!RSA_generate_key_ex(rsaKeyPair, 1024, e, NULL))
{
ret = error;
}
/* the big number is no longer used */
BN_free(e);
e = NULL;
EVP_PKEY_assign_RSA(pkey,rsaKeyPair))
/* no more use for rsaKeyPair */
rsaKeyPair = NULL;
(void)X509_set_version(certificate,2);
/*Allocate and create serial number*/
serialNumber = M_ASN1_INTEGER_new();
/*implement serial number algorithm here*/
CreateSerialNumber(serialNumber);
/* set the serial number */
(void)X509_set_serialNumber(certificate,serialNumber);
/*Serial number set to certificate, free it now*/
M_ASN1_INTEGER_free(serialNumber);
serialNumber = NULL;
/* set the validity */
currentTime = time(0);
X509_gmtime_adj(X509_get_notBefore(certificate), 0);
X509_gmtime_adj(X509_get_notAfter(certificate), 1000);
/* set the public key from the privateKey structure into the certificate structure */
X509_set_pubkey(certificate,pkey);
/* get the subject name pointer */
name = X509_get_subject_name(certificate);}
/* country */
X509_NAME_add_entry_by_txt(
name,"C",MBSTRING_ASC, (unsigned char *)creationParams->Country, -1, -1, 0);
!X509_NAME_add_entry_by_txt(name,"O", MBSTRING_ASC, (unsigned char*) "sample", -1, -1, 0);
X509_NAME_add_entry_by_txt(
name,"CN",MBSTRING_ASC, (unsigned char*) creationParams->CommonName, -1, -1, 0);
/* its self signed: set issuer name = subject */
X509_set_issuer_name(certificate,name);
/* sign the certificate using sha-1 */
X509_sign(certificate,pkey,EVP_sha1());
我将@Sreekanth 的代码与我在 OpenSSL 发行版中找到的代码(在 demos/selfsign.c 中)结合起来。这是我能想到的最简单的:
X509 *CreateCertificate (char *Country, char *OrganizationName, char *CommonName, char *DNSName, int Serial, int DaysValid)
{ X509 *Cert = NULL;
EVP_PKEY *PrivateKey = NULL;
X509_NAME *Name = NULL;
RSA *KeyPair = NULL;
BIGNUM *BigNumber = NULL;
int Success = 0;
// Faux loop...
do {
// Create the certificate object
Cert = X509_new();
if (!Cert)
break;
// Set version 2, and get version 3
X509_set_version (Cert, 2);
// Set the certificate's properties
ASN1_INTEGER_set (X509_get_serialNumber (Cert), Serial);
X509_gmtime_adj (X509_get_notBefore (Cert), 0);
X509_gmtime_adj (X509_get_notAfter (Cert), (long)(60 * 60 * 24 * (DaysValid ? DaysValid : 1)));
Name = X509_get_subject_name (Cert);
if (Country && *Country)
X509_NAME_add_entry_by_txt (Name, "C", MBSTRING_ASC, Country, -1, -1, 0);
if (CommonName && *CommonName)
X509_NAME_add_entry_by_txt (Name, "CN", MBSTRING_ASC, CommonName, -1, -1, 0);
if (OrganizationName && *OrganizationName)
X509_NAME_add_entry_by_txt (Name, "O", MBSTRING_ASC, OrganizationName, -1, -1, 0);
X509_set_issuer_name (Cert, Name);
// Set the DNS name
if (DNSName && *DNSName)
{ X509_EXTENSION *Extension;
char Buffer[512];
// Format the value
sprintf (Buffer, "DNS:%s", DNSName);
Extension = X509V3_EXT_conf_nid (NULL, NULL, NID_subject_alt_name, Buffer);
if (Extension)
{
X509_add_ext (DynamicCert->Certificate, Extension, -1);
X509_EXTENSION_free (Extension);
}
}
// Create the RSA key pair object
KeyPair = RSA_new();
if (!KeyPair)
break;
// Create the big number object
BigNumber = BN_new();
if (!BigNumber)
break;
// Set the word
if (!BN_set_word (BigNumber, 65537))
break;
// Generate the key pair; lots of computes here
if (!RSA_generate_key_ex (KeyPair, 1024, BigNumber, NULL))
break;
// Now we need a private key object
PrivateKey = EVP_PKEY_new();
if (!PrivateKey)
break;
// Assign the key pair to the private key object
if (!EVP_PKEY_assign_RSA (PrivateKey, KeyPair))
break;
// KeyPair now belongs to PrivateKey, so don't clean it up separately
KeyPair = NULL;
// Set the certificate's public key from the private key object
if (!X509_set_pubkey (Cert, PrivateKey))
break;
// PrivateKey now belongs to Cert, so don't clean it up separately
PrivateKey = NULL;
// Sign it with SHA-1
if (!X509_sign (Cert, PrivateKey, EVP_sha1()))
break;
// Success
Success = 1;
} while (0);
// Things we always clean up
if (BigNumber)
BN_free (BigNumber);
if (PrivateKey)
EVP_PKEY_free (PrivateKey);
// Things we clean up only on failure
if (!Success)
{
if (Cert)
X509_free (Cert);
if (PrivateKey)
EVP_PKEY_free (PrivateKey);
if (KeyPair)
RSA_free (KeyPair);
Cert = NULL;
}
// Return the certificate (or NULL)
return (Cert);
}