2025-2026-1 20231301 《信息安全设计》第七周学习总结
2025-2026-1 20231301 《信息安全设计》第七周学习总结
作业信息
| 作业 | 链接 |
|---|---|
| 作业课程 | <班级>(2025-2026-1 信息安全设计) |
| 作业要求 | <作业>(2025-2026-1 信息安全设计 预习作业要求) |
| 作业目标 | 《Windows C/C++ 加密解密实战》> 预习第十、十一章 |
| 作业正文 | <博客>(第七周学习总结) |
学习内容总结
第十章:身份认证和PKI理论基础
一、PKI体系架构深度解析
1. PKI核心组件关系图
graph LR
A[终端实体] --> B[数字证书]
B --> C[认证机构CA]
C --> D[注册机构RA]
D --> E[证书库]
E --> F[CRL/OCSP]
F --> A
C --> G[根CA]
G --> H[子CA]
H --> C
subgraph 信任体系
I[信任锚] --> J[证书链]
J --> K[路径验证]
end
2. X.509证书结构详解
// X.509证书的ASN.1主要结构
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING
}
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
extensions [3] EXPLICIT Extensions OPTIONAL
}
二、证书处理实战代码
1. OpenSSL证书解析与验证
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
// 解析X.509证书详细信息
void parse_certificate_details(X509* cert) {
BIO* out = BIO_new_fp(stdout, BIO_NOCLOSE);
// 显示证书主题
X509_NAME* subject = X509_get_subject_name(cert);
printf("证书主题:\n");
X509_NAME_print_ex(out, subject, 0, XN_FLAG_MULTILINE);
printf("\n\n");
// 显示证书颁发者
X509_NAME* issuer = X509_get_issuer_name(cert);
printf("证书颁发者:\n");
X509_NAME_print_ex(out, issuer, 0, XN_FLAG_MULTILINE);
printf("\n\n");
// 显示证书序列号
ASN1_INTEGER* serial = X509_get_serialNumber(cert);
BIGNUM* bn = ASN1_INTEGER_to_BN(serial, NULL);
char* serial_hex = BN_bn2hex(bn);
printf("证书序列号: %s\n", serial_hex);
OPENSSL_free(serial_hex);
BN_free(bn);
// 显示证书有效期
ASN1_TIME* not_before = X509_get_notBefore(cert);
ASN1_TIME* not_after = X509_get_notAfter(cert);
printf("有效期从: ");
ASN1_TIME_print(out, not_before);
printf("\n有效期至: ");
ASN1_TIME_print(out, not_after);
printf("\n\n");
// 显示公钥信息
EVP_PKEY* pkey = X509_get_pubkey(cert);
printf("公钥算法: ");
const char* key_type = OBJ_nid2ln(EVP_PKEY_id(pkey));
printf("%s\n", key_type);
// 显示证书扩展信息
printf("证书扩展:\n");
for (int i = 0; i < X509_get_ext_count(cert); i++) {
X509_EXTENSION* ext = X509_get_ext(cert, i);
ASN1_OBJECT* obj = X509_EXTENSION_get_object(ext);
char buffer[100];
OBJ_obj2txt(buffer, sizeof(buffer), obj, 1);
printf(" %s\n", buffer);
}
EVP_PKEY_free(pkey);
BIO_free(out);
}
// 完整的证书验证流程
int verify_certificate_chain(X509_STORE* store, X509* cert,
STACK_OF(X509)* chain) {
X509_STORE_CTX* ctx = X509_STORE_CTX_new();
if (!ctx) return -1;
// 初始化验证上下文
if (X509_STORE_CTX_init(ctx, store, cert, chain) != 1) {
X509_STORE_CTX_free(ctx);
return -1;
}
// 执行证书验证
int result = X509_verify_cert(ctx);
if (result == 1) {
printf("证书验证成功!\n");
} else {
printf("证书验证失败!\n");
int error = X509_STORE_CTX_get_error(ctx);
printf("错误代码: %d (%s)\n", error,
X509_verify_cert_error_string(error));
// 检查错误深度
int depth = X509_STORE_CTX_get_error_depth(ctx);
printf("错误深度: %d\n", depth);
}
X509_STORE_CTX_free(ctx);
return result;
}
2. 证书链构建与验证
// 构建证书链并验证
int build_and_verify_chain(const char* cert_file, const char* ca_file) {
X509_STORE* store = X509_STORE_new();
X509_STORE_CTX* ctx = NULL;
STACK_OF(X509)* certs = NULL;
X509* target_cert = NULL;
BIO* bio = NULL;
int ret = 0;
// 创建证书存储并添加信任的CA
X509_STORE_load_locations(store, ca_file, NULL);
X509_STORE_set_default_paths(store);
// 加载目标证书
bio = BIO_new_file(cert_file, "r");
if (!bio) goto cleanup;
target_cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
if (!target_cert) goto cleanup;
// 创建证书链(这里简化处理,实际应从证书中提取)
certs = sk_X509_new_null();
sk_X509_push(certs, target_cert);
// 创建验证上下文
ctx = X509_STORE_CTX_new();
if (!ctx) goto cleanup;
if (!X509_STORE_CTX_init(ctx, store, target_cert, certs)) {
goto cleanup;
}
// 设置验证参数
X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_X509_STRICT);
X509_STORE_CTX_set0_param(ctx, param);
// 执行验证
ret = X509_verify_cert(ctx);
if (ret == 1) {
printf("证书链验证成功!\n");
// 获取验证后的证书链
STACK_OF(X509)* verified_chain = X509_STORE_CTX_get1_chain(ctx);
printf("验证后的证书链包含 %d 个证书\n", sk_X509_num(verified_chain));
sk_X509_pop_free(verified_chain, X509_free);
} else {
int error = X509_STORE_CTX_get_error(ctx);
printf("证书链验证失败: %s\n", X509_verify_cert_error_string(error));
}
cleanup:
if (ctx) X509_STORE_CTX_free(ctx);
if (bio) BIO_free(bio);
if (target_cert) X509_free(target_cert);
if (certs) sk_X509_pop_free(certs, X509_free);
if (store) X509_STORE_free(store);
return ret;
}
第十一章:实战PKI
一、OpenSSL CA搭建完整实战
1. 创建私有CA的完整脚本
#!/bin/bash
# create_ca.sh - 创建完整的PKI CA环境
CA_DIR="./my_ca"
mkdir -p $CA_DIR/{certs,crl,newcerts,private,requests}
touch $CA_DIR/index.txt
echo 1000 > $CA_DIR/serial
echo 1000 > $CA_DIR/crlnumber
# 生成根CA私钥
openssl genrsa -aes256 -out $CA_DIR/private/ca.key.pem 4096
chmod 400 $CA_DIR/private/ca.key.pem
# 生成根CA证书
openssl req -config openssl.cnf \
-key $CA_DIR/private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out $CA_DIR/certs/ca.cert.pem
# 生成中间CA私钥
openssl genrsa -aes256 -out $CA_DIR/private/intermediate.key.pem 4096
chmod 400 $CA_DIR/private/intermediate.key.pem
# 生成中间CA证书请求
openssl req -config openssl.cnf -new -sha256 \
-key $CA_DIR/private/intermediate.key.pem \
-out $CA_DIR/requests/intermediate.csr.pem
# 根CA签署中间CA证书
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
-days 3650 -notext -md sha256 \
-in $CA_DIR/requests/intermediate.csr.pem \
-out $CA_DIR/certs/intermediate.cert.pem
# 创建证书链文件
cat $CA_DIR/certs/intermediate.cert.pem $CA_DIR/certs/ca.cert.pem > \
$CA_DIR/certs/ca-chain.cert.pem
echo "CA环境创建完成!"
2. OpenSSL配置文件示例(openssl.cnf)
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./my_ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_cert ]
basicConstraints = CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
二、证书编程高级实战
1. 证书签发完整流程代码
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
// 创建并签发证书
X509* create_and_sign_certificate(EVP_PKEY* ca_key, X509* ca_cert,
EVP_PKEY* subject_key,
const X509_NAME* subject_name,
int days_valid) {
X509* cert = X509_new();
if (!cert) return NULL;
// 设置证书版本
X509_set_version(cert, 2); // X509v3
// 设置序列号
ASN1_INTEGER_set(X509_get_serialNumber(cert), rand());
// 设置主题名称
X509_set_subject_name(cert, subject_name);
// 设置颁发者名称(使用CA的主题)
X509_set_issuer_name(cert, X509_get_subject_name(ca_cert));
// 设置有效期
X509_gmtime_adj(X509_get_notBefore(cert), 0);
X509_gmtime_adj(X509_get_notAfter(cert), days_valid * 24 * 60 * 60);
// 设置公钥
X509_set_pubkey(cert, subject_key);
// 添加扩展
add_certificate_extensions(cert, ca_cert);
// 使用CA私钥签名
if (X509_sign(cert, ca_key, EVP_sha256()) == 0) {
X509_free(cert);
return NULL;
}
return cert;
}
// 添加证书扩展
int add_certificate_extensions(X509* cert, X509* issuer) {
X509V3_CTX ctx;
X509V3_set_ctx(&ctx, issuer, cert, NULL, NULL, 0);
// 添加基本约束
X509_EXTENSION* ext = X509V3_EXT_conf_nid(NULL, &ctx,
NID_basic_constraints, "critical,CA:FALSE");
if (ext) {
X509_add_ext(cert, ext, -1);
X509_EXTENSION_free(ext);
}
// 添加密钥用法
ext = X509V3_EXT_conf_nid(NULL, &ctx,
NID_key_usage, "critical,digitalSignature,keyEncipherment");
if (ext) {
X509_add_ext(cert, ext, -1);
X509_EXTENSION_free(ext);
}
// 添加扩展密钥用法
ext = X509V3_EXT_conf_nid(NULL, &ctx,
NID_ext_key_usage, "serverAuth,clientAuth");
if (ext) {
X509_add_ext(cert, ext, -1);
X509_EXTENSION_free(ext);
}
// 添加主题密钥标识符
ext = X509V3_EXT_conf_nid(NULL, &ctx,
NID_subject_key_identifier, "hash");
if (ext) {
X509_add_ext(cert, ext, -1);
X509_EXTENSION_free(ext);
}
// 添加颁发者密钥标识符
ext = X509V3_EXT_conf_nid(NULL, &ctx,
NID_authority_key_identifier, "keyid:always");
if (ext) {
X509_add_ext(cert, ext, -1);
X509_EXTENSION_free(ext);
}
return 1;
}
posted on 2025-09-30 21:26 20231301周子昂 阅读(8) 评论(0) 收藏 举报
浙公网安备 33010602011771号