CSP:使用CryptoAPI解析X509证书基本项
来源:互联网 发布:mmd打斗动作数据 编辑:程序博客网 时间:2024/05/20 04:49
from http://blog.csdn.net/yyfzy/article/details/46790043
在之前的文章“CSP:使用CryptoAPI解码X509证书内容”里,讲述了如何使用CryptoAPI将证书文件解码,得到证书上下文句柄PCCERT_CONTEXT的方法。下面我们接着讲述如何通过证书上下文句柄,获得想要的证书项。本文先讲述如何获取证书的基本项,后面还有文章介绍如何获取证书的扩展项。
下面的代码,都是假定已经通过解码证书文件、得到了证书上下文句柄m_pCertContext。至于如何解码证书文件、得到证书上下文句柄m_pCertContext,请阅读之前的文章。
首先,我们看看关于证书上下文的结构定义:
- typedef struct _CERT_CONTEXT {
- DWORD dwCertEncodingType;
- BYTE *pbCertEncoded;
- DWORD cbCertEncoded;
- PCERT_INFO pCertInfo;
- HCERTSTORE hCertStore;
- } CERT_CONTEXT, *PCERT_CONTEXT;
- typedef const CERT_CONTEXT *PCCERT_CONTEXT;
-
- typedef struct _CERT_INFO {
- DWORD dwVersion;
- CRYPT_INTEGER_BLOB SerialNumber;
- CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
- CERT_NAME_BLOB Issuer;
- FILETIME NotBefore;
- FILETIME NotAfter;
- CERT_NAME_BLOB Subject;
- CERT_PUBLIC_KEY_INFO SubjectPublicKeyInfo;
- CRYPT_BIT_BLOB IssuerUniqueId;
- CRYPT_BIT_BLOB SubjectUniqueId;
- DWORD cExtension;
- PCERT_EXTENSION rgExtension;
- } CERT_INFO, *PCERT_INFO;
我们想要获取的证书基本项,有些就直接存在于这两个结构体中。
一、版本号结构体CERT_INFO中的字段dwVersion即为证书版本,可以直接通过下面的代码获得:
- DWORD dwCertVer = m_pCertContext->pCertInfo->dwVersion;
版本值的定义如下:- #define CERT_V1 0
- #define CERT_V2 1
- #define CERT_V3 2
也就是说,V1的值为0;V3的值为2,目前绝大多是证书都是V3版本。二、序列号
序列号对应结构体CERT_INFO中的字段SerialNumber,不过该字段为ASN.1编码的大数对象,需要解码才能转化为我们平时看到的十六进制序列号。获取序列号的函数如下:
- ULONG CCSPCertificate::get_SN(LPSTR lptcSN,ULONG *pulLen)
- {
- CHAR scSN[512] = {0};
-
- if (!m_pCertContext)
- {
- return CERT_ERR_INVILIDCALL;
- }
- if (!pulLen)
- {
- return CERT_ERR_INVALIDPARAM;
- }
-
- PCRYPT_INTEGER_BLOB pSn = &(m_pCertContext->pCertInfo->SerialNumber);
- for (int n = (int)(pSn->cbData - 1); n >= 0; n--)
- {
- CHAR szHex[5] = {0};
- sprintf_s(szHex, "%02X", (pSn->pbData)[n]);
- strcat_s(scSN, 512, szHex);
- }
-
- if (!lptcSN)
- {
- *pulLen = strlen(scSN) + 1;
- return CERT_ERR_OK;
- }
-
- if (*pulLen <= strlen(scSN) + 1)
- {
- return CERT_ERR_BUFFER_TOO_SMALL;
- }
- strcpy_s(lptcSN, *pulLen, scSN);
- *pulLen = strlen(scSN);
-
- return CERT_ERR_OK;
- }
三、公钥算法(证书算法)
证书中的公钥算法,需要通过CERT_INFO中字段SubjectPublicKeyInfo来获取。具体函数如下:
- ULONG CCSPCertificate::get_KeyType(ULONG* pulType)
- {
- if (!m_pCertContext)
- {
- return CERT_ERR_INVILIDCALL;
- }
- if (!pulType)
- {
- return CERT_ERR_INVALIDPARAM;
- }
-
- PCERT_PUBLIC_KEY_INFO pPubKey = &(m_pCertContext->pCertInfo->SubjectPublicKeyInfo);
- if (pPubKey)
- {
- if (_stricmp(pPubKey->Algorithm.pszObjId, szOID_RSA_RSA) == 0)
- {
- *pulType = CERT_KEY_ALG_RSA;
- }
- else if (_stricmp(pPubKey->Algorithm.pszObjId, szOID_ECC_PUBLIC_KEY) == 0)
- {
- *pulType = CERT_KEY_ALG_ECC;
- }
- else
- {
- *pulType = 0;
- return CERT_ERR_ALG_UNKNOWN;
- }
- }
- else
- {
- return GetLastError();
- }
-
- return CERT_ERR_OK;
- }
四、证书用途
证书从用途来分,分为“签名证书”和“加密证书”两大类。“签名证书”的公钥用来验证签名,而“加密证书”的公钥则用来加密数据。我们需要通过调用函数CertGetIntendedKeyUsage()来获取证书的用途,具体函数实现如下:
- ULONG CCSPCertificate::get_KeyUsage(ULONG* lpUsage)
- {
- BYTE btUsage[2] = {0};
-
- if (!m_pCertContext)
- {
- return CERT_ERR_INVILIDCALL;
- }
- if (!lpUsage)
- {
- return CERT_ERR_INVALIDPARAM;
- }
-
- if (CertGetIntendedKeyUsage(GLOBAL_ENCODING_TYPE, m_pCertContext->pCertInfo, btUsage, 2))
- {
- if (btUsage[0] & CERT_DIGITAL_SIGNATURE_KEY_USAGE)
- {
- *lpUsage = CERT_USAGE_SIGN;
- }
- else if (btUsage[0] & CERT_DATA_ENCIPHERMENT_KEY_USAGE)
- {
- *lpUsage = CERT_USAGE_EXCH;
- }
- else
- {
- *lpUsage = 0;
- return CERT_ERR_USAGE_UNKNOWN;
- }
- }
- else
- {
- return GetLastError();
- }
-
- return CERT_ERR_OK;
- }
五、签名算法
证书的签名算法,是指证书用来签名时使用的算法(包含HASH算法)。签名算法用结构体CERT_INFO中SignatureAlgorithm字段来表示,可以通过SignatureAlgorithm的子字段pszObjId返回签名算法的Oid,这样对比Oid就可以知道签名算法的具体含义了。pszObjId常见得定义如下:
- #define CERT_SIGNATURE_ALG_RSA_RSA "1.2.840.113549.1.1.1" //RSA直接签名
- #define CERT_SIGNATURE_ALG_MD2RSA "1.2.840.113549.1.1.2" //MD2作Hash、然后RSA签名
- #define CERT_SIGNATURE_ALG_MD4RSA "1.2.840.113549.1.1.3" //MD4作Hash、然后RSA签名
- #define CERT_SIGNATURE_ALG_MD5RSA "1.2.840.113549.1.1.4" //MD5作Hash、然后RSA签名
- #define CERT_SIGNATURE_ALG_SHA1RSA "1.2.840.113549.1.1.5" //SHA1作Hash、然后RSA签名
- #define CERT_SIGNATURE_ALG_SM3SM2 "1.2.156.10197.1.501" //SM3作Hash、然后SM2签名
由于Windows对SM2/SM3算法还没有定义,所以对于ECC证书,Windows直接显示签名算法的Oid:“1.2.156.10197.1.501”,如下图所示:
六、颁发者
关于颁发者,我们可以通过CERT_NAME_ISSUER_FLAG获取属性。具体通过下面两个函数实现:
- ULONG CCSPCertificate::get_Issuer(LPSTR lpValue, ULONG *pulLen)
- {
- ULONG hr = CERT_ERR_OK;
- ULONG ulIssuerLen = 0;
- LPTSTR lpszIssuer = NULL;
-
- if (!m_pCertContext)
- {
- return CERT_ERR_INVILIDCALL;
- }
- if (!pulLen)
- {
- return CERT_ERR_INVALIDPARAM;
- }
-
- hr = _GetPropertyValue(szOID_COMMON_NAME, CERT_NAME_ISSUER_FLAG, NULL, ulIssuerLen);
- if (0 != hr || ulIssuerLen == 0)
- {
- return hr;
- }
-
- if (!lpValue)
- {
- *pulLen = ulIssuerLen;
- return CERT_ERR_OK;
- }
- if (*pulLen <ulIssuerLen)
- {
- return CERT_ERR_BUFFER_TOO_SMALL;
- }
-
- hr = _GetPropertyValue(szOID_COMMON_NAME, CERT_NAME_ISSUER_FLAG, lpValue, *pulLen);
- if (0 != hr)
- {
- return hr;
- }
-
- return hr;
- }
-
- ULONG CCSPCertificate::_GetPropertyValue(LPCSTR szOId, DWORD dwSourceId, LPSTR lpValue, DWORD &dwValLen)
- {
- if (!m_pCertContext)
- {
- return CERT_ERR_INVILIDCALL;
- }
-
- dwValLen = CertGetNameStringA(m_pCertContext, CERT_NAME_ATTR_TYPE,
- dwSourceId == CERT_NAME_ISSUER_FLAG ? 1 : 0, (void*)szOId, NULL, 0);
- if (dwValLen <= 1)
- {
- return GetLastError();
- }
-
- if (!lpValue)
- {
- return CERT_ERR_OK;
- }
-
- dwValLen = CertGetNameStringA(m_pCertContext, CERT_NAME_ATTR_TYPE,
- dwSourceId == CERT_NAME_ISSUER_FLAG ? 1 : 0, (void*)szOId, lpValue, dwValLen);
- if (dwValLen <= 1)
- {
- return GetLastError();
- }
-
- return CERT_ERR_OK;
- }
七、使用者
证书使用者用结构体CERT_INFO中Subject字段表示,不过是NAME_BLOB类型,需要调用CertNameToStr()转化为最终的字符串。具体实现函数如下:
- ULONG CCSPCertificate::get_SubjectName(LPSTR lpValue, ULONG *pulLen)
- {
- DWORD dwSubjectLen = 0;
- CERT_NAME_BLOB certSubject;
-
- if (!m_pCertContext)
- {
- return CERT_ERR_INVILIDCALL;
- }
- if (!pulLen)
- {
- return CERT_ERR_INVALIDPARAM;
- }
-
- certSubject = m_pCertContext->pCertInfo->Subject;
- dwSubjectLen = CertNameToStr(GLOBAL_ENCODING_TYPE, &certSubject, CERT_X500_NAME_STR, NULL, 0);
- if (dwSubjectLen <= 1)
- {
- return E_FAIL;
- }
-
- if (!lpValue)
- {
- *pulLen = dwSubjectLen;
- return CERT_ERR_OK;
- }
- if (*pulLen < dwSubjectLen)
- {
- return CERT_ERR_BUFFER_TOO_SMALL;
- }
-
- *pulLen = CertNameToStrA(GLOBAL_ENCODING_TYPE, &certSubject, CERT_X500_NAME_STR, lpValue, *pulLen);
- if (*pulLen <= 1)
- {
- return GetLastError();
- }
-
- return CERT_ERR_OK;
- }
八、有效期限
证书的有效期,在结构体CERT_INFO中,对应于字段NotBefore和NotAfter,两者都是FILETIME类型。可以使用下面的函数,将其转化为SYSTEMTIME类型:
- ULONG CCSPCertificate::get_ValidDate(SYSTEMTIME *ptmStart, SYSTEMTIME *ptmEnd)
- {
- FILETIME ftStart;
- FILETIME ftEnd;
-
- if (!m_pCertContext)
- {
- return CERT_ERR_INVILIDCALL;
- }
-
- if (ptmStart)
- {
- memcpy(&ftStart, &m_pCertContext->pCertInfo->NotBefore, sizeof(FILETIME));
- FileTimeToSystemTime(&ftStart, ptmStart);
- }
- if (ptmEnd)
- {
- memcpy(&ftEnd, &m_pCertContext->pCertInfo->NotAfter, sizeof(FILETIME));
- FileTimeToSystemTime(&ftEnd, ptmEnd);
- }
-
- return CERT_ERR_OK;
- }
至此,X509证书的基本项均已解析完毕!如需获取证书的扩展项或者公钥等数据,请关注后续博文。
0 0