00009-01 34 01
TRANSCRIPT
.00009-01 34 01 -
.
. 1.0 OpenSSL. .00009-01 34 01 79
. . .
. . . .
2006
openssl . . OpenSSL, c 1998-2004, The OpenSSL Project. .
.00009-01 34 01
3
1 OPENSSL 1.1 . . . 1.2 1.3 . . . . 1.4 . 1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 6 6 6 7 7 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 10 10 10 10 12 13 16 16 16 18 18 18 18 20 20 20 20 20 21 22 22 22 22 22 23
2 3 CA 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 . . . . . . . . . . . . . . . . . . . . . . . 3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 . . . . 3.3.2 (CRL) 3.3.3 . . . . . . . . . . . . . 3.4 . . . . . . . . . . . . . . . . . . . . . . 3.5 SPKAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.8 . . . . . . . . . . . . . . . . . . . . . . . . . . 3.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 CRL 4.1 . . . 4.2 4.3 . . . . 4.4 . . . . . . . 4.5 . . . . . . . . 5 CRL2PKCS7 5.1 . . . 5.2 5.3 . . . . 5.4 . . . . . . . . 5.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6 DGST 24 6.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 6.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
,
.00009-01 34 01
4
7 ENC 7.1 . . . . 7.2 . 7.3 . . . . . 7.4 . . . . . . . . 7.4.1 . . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
25 25 25 25 26 26 28 28 28 28 28 31 31 32 32 34 34 34 34 34 34 35 36 36 36 36 37 38 39 39 39 39 42 44 44 46 47 47 48 48 48 48 51
8 OCSP 8.1 . . . . . . . . . . . . . . . . . 8.2 . . . . . . . . . 8.3 . . . . . . . . . . . . . 8.3.1 oscp 8.3.2 ocsp 8.4 OCSP- . . . . . . . . . 8.5 . . . . . . . . . . . . . . . . 8.6 . . . . . . . . . . . . . . . . . 9 PKCS7 9.1 . . . 9.2 9.3 . . . . 9.4 . . . . . . . . 9.5 . . . . . . . 9.6 . . . . . . 10 PKCS8 10.1 . . . 10.2 10.3 . . . . 10.4 . . . . . . . 10.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11 REQ 11.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4 . . . . . . . . . . . . . . . . . . . . . . . 11.5 distinguished name attribute 11.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 SMIME 12.1 . . . 12.2 12.3 . . . . 12.4 . . . . . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
,
.00009-01 34 01
5
12.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 S_CLIENT 13.1 . . . . . . . . . . . . . . . . . . . . 13.2 . . . . . . . . . . . . . . . . . 13.3 . . . . . . . . . . . . . . . . . . . . . 13.4 , 13.5 . . . . . . . . . . . . . . . . . . . . . . . . 14 S_SERVER 14.1 . . . 14.2 14.3 . . . . 14.4 , 14.5 . . . . . . . 15 VERIFY 15.1 . . . 15.2 15.3 . . . . 15.4 . . 15.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
51 51 53 53 53 53 55 56 57 57 57 57 60 60 61 61 61 61 62 63 68 68 68 68 68 69 70 71 72 74 75 76 76
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
16 X509 16.1 . . . . . . . . . . . . . . . . . . 16.2 . . . . . . . . . . . . . . . 16.3 . . . . . . . . . . . . . . . . . . . 16.3.1 , 16.3.2 . . . . . . 16.3.3 . . . . . . . . . . . . . 16.3.4 . . . . . 16.3.5 . . . . . . . . . . . . . . 16.3.6 . . . . . . . . . . . . . . . . . 16.4 . . . . . . . . . . . . . . . . . . . . . . . 16.5 . . . . . . . . . . . . . . . . . . . . . . 16.6 . . . . . . . . . . . . .
,
.00009-01 34 01
6
11.1
OPENSSL
OpenSSL , Secure Sockets Layer (SSL v2/v3) Transport Layer Security (TLS v1) , . openssl - OpenSSL . : X.509, . -. . SSL/TLS . S/MIME.
1.2
openssl [ ] [ ] openssl [list-standard-commands] , openssl no-XXX [ ]
1.3
openssl (. ), (. ). list-standard-commands ( ) . no-XXX , ( XXX ). , no-XXX 0 () no-XXX; 1 XXX. stderr. - . no-XXX , quit, no-XXX.
,
.00009-01 34 01
7
1.4
ASN.1-, base64 - SSL/TLS (CRL) PKCS#7 CRL - . PKCS#12 PKCS#7 X.509 (CSR) SSL/TLS- , , SSL/TLS. , OpenSSL. SSL/TLS- , , SSL/TLS. , OpenSSL. , SSL, http-. SSL SSL- S/MIME X.509 OpenSSL X.509
asn1parse base64 ca ciphers crl crl2pkcs7 dgst enc errstr passwd pkcs12 pkcs7 rand req s_client
s_server
s_time sess_id smime speed verify version x509
1.5
, , -passin -passout. . , . , , : , ,
.00009-01 34 01
8
. - pass: . ( ps Unix- ), , . env:var var. (, ps Unix- ), . file:pathname pathname . -passin passout, , . : , , . fd:number , number. , , . stdin .
,
.00009-01 34 01
9
2
. : DGST (. 6) 34.11-94 -md_gost94; ENC (. 7) -gost89 28147-89; OCSP (. 8) -digest -md_gost94; REQ (. 11) , -gost2001: . SMIME (. 12) encrypt ; X509 (c. 16) 34.11-94 (fingerprint) . , 31 2007 34.10-94 .
,
.00009-01 34 01
10
33.1
CA
ca . (CRL). .
3.2
openssl ca [-verbose] [-config filename] [-name section] [-gencrl] [-revoke file] [-crl_reason reason] [-crl_hold instruction] [-crl_compromise time] [-crl_CA_compromise time] [-crldays days] [-crlhours hours] [-crlexts section] [-startdate date] [-enddate date] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-key arg] [-passin arg] [-cert file] [-selfsign] [-in file] [-out file] [-notext] [outdir dir] [-infiles] [-spkac file] [-ss_cert file] [-preserveDN] [-noemailDN] [-batch] [-msie_hack] [-extensions section] [-extfile section] [-engine id] [-subj arg] [-utf8] [-multivalue-rdn]
3.3
. 3.3.1 , . , ( , default_ca ca ). , , . , . , challenge Netscape , . . 3.5 . , , , . . . . . , , .pem. ,
-config filename -name section
-in filename
-ss_cert filename -spkac filename
-infiles
-out filename
-outdir directory
.00009-01 34 01
11
-cert file -keyfile filename -key password
-selfsign
-passin arg -verbose -notext -startdate date
-enddate date
-days arg -md alg
-policy arg
-msie_hack
-preserveDN
. , , . . ( Unix- ps), . . , , ( -keyfile). , , . -spkac, -ss_cert -gencrl, -selfsign . -selfsign (. configuration option database) , , , . , . arg . 1.5. . . ( ASN.1 UTCTime; ). . ( ASN.1 UTCTime; ). . . , -34.10 md_gost94, . , . , , . . 3.4. Microsoft Internet Explorer. IE , . Distinguished Name . , , . IE.
,
.00009-01 34 01
12
-noemailDN
-batch -extensions section
-extfile file
-engine id
-subj arg
-utf8
-multivalue-rdn
Distinguished Name EMAIL, , altName. , EMAIL . email_in_dn . () . . , , ( X509_extensions, -extfile). , V1. ( ), V3. ( , -extensions). engine ( ) . subject name, . arg /type0=value0/type1=value1/type2=..., \( ), . , UTF8, ASCII. , , , UTF-8 . , -subj RDN. : /DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe -multi-rdn , UID 123456+CN=John Doe.
3.3.2
(CRL) . . nextUpdate . ,
-gencrl -crldays num
.00009-01 34 01
13
-crlhours num -revoke filename -crl_reason reason
. , , . , reason : unspecified ( ) keyCompromise ( ) CACompromise ( ) affiliationChanged ( ) superseded ( ) cessationOfOperation ( ) certificateHold ( ) removeFromCRL ( ) , , . V2. removeFromCRL ( ) , delta, . certificateHold ( ) instruction , OID. OID, holdInstructionNone ( RFC2459), holdInstructionCallIssuer holdInstructionReject. keyCompromise ( ), time. time GeneralizedTime, .. ( ). , -crl_compromise, , CACompromise. , , . , V1, ( ), V2. CRL, ( ). , ( Netscape) V2.
-crl_hold instruction
-crl_compromise time
-crl_CA_compromise time -crlexts section
3.3.3
, ca, : -name, . default_ca ,
.00009-01 34 01
14
ca ( ). default_ca, ca : RANDFILE, preserve, msie_hack. RANDFILE, , , . . . , , ( ). oid_file , OID (OBJECT IDENTIFIERS). : OID , , , , . , OID. : OID= OID. . , -outdir. , . . , -cert. , . . , -keyfile. , . . , . , -days. . , -startdate. . , . , -enddate. , default_days ( - ). , -crlhours -crldays. , . , . , , , (RSA). , ( ). .
oid_section
new_certs_dir certificate private_key RANDFILE default_days default_startdate
default_enddate
default_crl_hours default_crl_days
default_md
,
.00009-01 34 01
15
database unique_subject
serial
crlnumber
x509_extensions crl_extensions preserve email_in_dn
msie_hack policy name_opt, cert_opt
. . , . yes, subject. no, subject. yes ( 0.9.8) OpenSSL. no, selfsign. , . . . , . , . , . , -extensions. , -crlexts. , -preserveDN , -noemailDN. EMAIL distinguished name , no. , EMAIL distinguished name . , -msie_hack , -policy. . . 3.4 . . , -nameopt -certopt x509 (. 16), , no_signame no_sigdump ( , .. ). ca_default . , OpenSSL. , , , .
,
.00009-01 34 01
16
copy_extensions
, . none, , . copy, , , , . copyall, : , . . 3.10. , subjectAltName.
3.4
, distinguished name . match, . supplied, . optional, . , , , -preserveDN, .
3.5
SPKAC
-spkac challenge Netscape. KEYGEN html, . SPKAC spkac. , -spkac, SPKAC, SPKAC, DN "-". , .
3.6
: , . req, , . , demoCA, demoCA/private demoCA/newcerts. demoCA/cacert.pem, demoCA/private/cakey.pem. demoCA/serial, , , 01, demoCA/index.txt. ,
.00009-01 34 01
17
: openssl ca -in req.pem -out newcert.pem : openssl ca -in req.pem -extensions v3_ca -out newcert.pem : openssl ca -gencrl -out crl.pem : openssl ca -infiles req1.pem req2.pem req3.pem SPKAC Netscape: openssl ca -spkac spkac.txt SPKAC ( SPKAC ):SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5 CN=Steve Test [email protected] 0.OU=OpenSSL Group 1.OU=Another Group
ca:
[ ca ] default_ca [ CA_default ] dir database new_certs_dir certificate serial private_key RANDFILE
= CA_default
# The default ca section
= ./demoCA = $dir/index.txt = $dir/newcerts = = = =
# top dir # index file. # new certs dir The CA cert serial no file CA private key random number file
$dir/cacert.pem # $dir/serial # $dir/private/cakey.pem# $dir/private/.rand #
default_days = 365 default_crl_days= 30 default_md = md5 policy email_in_dn = policy_any = no
# how long to certify for # how long before next CRL # md to use # default policy # Dont add the email into cert DN # Subject name display option # Certificate display option # Dont copy extensions from request
name_opt = ca_default cert_opt = ca_default copy_extensions = none [ policy_any ] countryName stateOrProvinceName
= supplied = optional ,
.00009-01 34 01
18
organizationName organizationalUnitName commonName emailAddress
= = = =
optional optional supplied optional
3.7
: , , . . /usr/local/ssl/lib/openssl.cnf ./demoCA ./demoCA/cacert.pem ./demoCA/private/cakey.pem ./demoCA/serial ./demoCA/serial.old ./demoCA/index.txt ./demoCA/index.txt.old ./demoCA/certs ./demoCA/.rnd -
()
3.8
OPENSSL_CONF . -config .
3.9
, , . , . V2 , -, . , SPKAC .
3.10
ca . ca , . : .
,
.00009-01 34 01
19
ca : , ca . copy_extensions . . , basicConstraints CA:TRUE, copy_extensions copyall, , , . , copy_extensions copy basicConstraints CA:FALSE . , basicConstraints, . , keyUsage, . . , : basicConstraints = CA:TRUE, pathlen:0 CA:TRUE, .
,
.00009-01 34 01
20
44.1
CRL crl DER PEM.
4.2
openssl crl [-inform PEM|DER] [-outform PEM|DER][-text] [-in filename] [-out filename] [noout] [-hash] [-issuer] [-lastupdate] [-nextupdate] [-CAfile file] [-CApath dir]
4.3
. DER CRL DER. PEM () DER- base64 . . , -inform. . , . . , . . . - issuer. issuer name. . lastUpdate. nextUpdate. . : subject name ( x509 -hash).
-inform DER|PEM
-outform DER|PEM -in filename -out filename -text -noout -hash
-issuer -lastupdate -nextupdate -CAfile file -CApath dir
4.4
PEM- : -----BEGIN X509 CRL---------END X509 CRL---- ,
.00009-01 34 01
21
4.5
PEM DER: crl.pem -outform DER -out crl.der of a DER encoded certificate: crl.der -text -noout
openssl crl -in Output the text form openssl crl -in
,
.00009-01 34 01
22
55.1
CRL2PKCS7
crl2pkcs7 () PKCS#7-, ( ).
5.2
openssl crl2pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [certfile filename] [-nocrl]
5.3
. DER CRL DER-. PEM () DER- base64 . PKCS#7-. DER CRL DER-. PEM () DER base64 . , . , . , PKCS#7-. , PKCS#7 . , PEM-. PKCS#7-. , . , . , .
-inform DER|PEM
-outform DER|PEM
-in filename
-out filename
-certfile filename
-nocrl
5.4
PKCS#7- : openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem PKCS#7- DER- , : openssl crl2pkcs7 -nocrl -certfile newcert.pem -certfile demoCA/cacert.pem -outform DER -out p7.der
,
.00009-01 34 01
23
5.5
PKCS#7- signed data, , . . MIME- application/x-x509-user-cert. PEM- Microsoft Internet Explorer Active-X Xenroll.
,
.00009-01 34 01
24
66.1
DGST
- . (). -md_gost94 .
6.2
openssl dgst -md_gost94 [-c][-d] [-hex] [-binary] [-out filename] [-sign filename] [-passin arg][verify filename] [-prverify filename] [-signature filename] [file...]
6.3
- , , . BIO. - . -, . - . , . 34.11-94 , , . . . 1.5. , . , . , . , . , , . , : ; MS-Windows, , OpenVMS : . , -. , .
-
-d -hex
-binary -out filename -md_gost94 -sign filename -passin arg -verify filename
-prverify filename -signature filename -rand file(s)
file...
. , . ,
.00009-01 34 01
25
77.1
ENC
, . base64, , .
7.2
openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e][-d] [-a] [-A] [-gost89] [-k password] [-kfile filename] [-K key] [-iv IV] [-p][-P] [-bufsize number] [-nopad] [-debug]
7.3
, , . arg . 1.5. . , , OpenSSL SSLeay. OpenSSL 0.9.5. . OpenSSL SSLeay. : . . base64- . , , base64. , base64. -a, base64- . . 28147-89 , . OpenSSL. , -pass. , , . OpenSSL. , -pass. ,
-in filename -out filename -pass arg -salt
-nosalt
-e -d -a
-A
-gost89 -k password
-kfile filename
.00009-01 34 01
26
-S salt -K key
-iv IV
-p -P
-bufsize number -nopad -debug
: , . : , . , -iv. , , -K, , . , , . : , . -K, . , . : , . I/O BIO, IO.
7.4
. -salt , , , OpenSSL. -salt , . , . : . 7.4.1
base64 : openssl base64 -in file.bin -out file.b64 : openssl base64 -d -in file.b64 -out file.bin , 28147-89: openssl enc -gost89 -salt -in file.txt -out file.enc , : openssl enc -gost89 -d -salt -in file.enc -out file.txt -k mypassword ,
.00009-01 34 01
27
, base64 (, ): openssl enc -gost89 -a -salt -in file.txt -out file.enc base64 : openssl enc -gost89 -d -salt -a -in file.enc -out file.txt , ( ): openssl enc -gost89 -d -in file.enc -out file.txt -K 0102030405...
,
.00009-01 34 01
28
88.1
OCSP
OCSP (- ) () (RFC 2560). oscp OSCP. , OCSP-, oscp-.
8.2
openssl ocsp [-out file] [-issuer file] [-cert file] [-serial n] [-signer file] [-signkey file] [-sign_other file] [-no_certs] [-req_text] [-resp_text] [-text] [-reqout file] [-respout file] [-reqin file] [-respin file] [-nonce] [-no_nonce] [-url URL ] [-host host:n] [-path] [-CApath dir] [-CAfile file] [-VAfile file] [-validity_period n] [-status_age n] [-noverify] [-verify_other file] [-trust_other] [-no_intern] [-no_signature_verify] [-no_cert_verify] [-no_chain] [-no_cert_checks] [-port num] [-index file] [CA file] [-rsigner file] [-rkey file] [-rother file] [-resp_no_certs] [-nmin n] [-ndays n] [-resp_key_id] [-nrequest n]
8.38.3.1
oscp
-out filename
. . -issuer filename , . . , , PEM. -cert filename , filename. issuer; , . -serial num , cert, , , num. , 0x. - num. -signer filename, - ocsp- , signkey filename signer, , signkey. signkey , , . , ocsp .
,
.00009-01 34 01
29
-sign_other filename -nonce, -no_nonce
, . OCSP- nonce . , OCSP- respin, nonce ; nonce nonce. OCSP- ( cert serial), nonce ; no_nonce nonce .
-req_text, -resp_text, -text -reqout file, -respout file -reqin file, -respin file
OCSP-, . DER- . OCSP- . , OCSP (, serial, cert host). -url responder_url URL . URL, HTTP, HTTPS (SSL/TLS). -host hostname:port, host , OCSP- -path pathname port hostname. path http- / . -CAfile file, -CApath , pathname . OCSP-. -verify_other file , , , OCSP-. ; , . -trust_other , verify_certs, , . , . -VAfile file , , . verify_certs -trust_other. -noverify OCSP- nonce. , , , . -no_intern , OCSP-, , . , , -verify_certs -VAfile.
,
.00009-01 34 01
30
no_signature_verify
OCSP-. , , , . -no_cert_verify , OCSP-. OCSP- , . -no_chain . -no_cert_checks , OCSP-. , ; . -validity_period , nsec, -status_age OCSP-. age notBefore notAfter. , . OCSP- . , -validity_period . 5 . notAfter, , . notBefore, , age . . -digest . SHA1. -md_gost94.
,
.00009-01 34 01
31
8.3.2
ocsp
-index indexfile
indexfile ca openssl (. 3), . index, ocsp (), . (), , ( issuer serial), ( respin) ocsp ( url). index, CA rsigner. -CA file , indexfile. -rsigner file , OCSP-. -rother file , OCSP. -resp_no_certs OCSP-. -resp_key_id ID , subject. , .. RFC 2560 . -rkey file OCSP-: , , rsigner. -port portnum , OCSP-. url. -nrequest number OCSP- number , . -nmin minutes, , -ndays days : nextUpdate. , nextUpdate , , .
8.4
OCSP-
OCSP- , RFC2560. OCSP- OCSP- . OCSP- . , , CAfile CApath, OpenSSL. , OCSP . ,
.00009-01 34 01
32
CA OCSP-: , OCSP . , OCSP-, . OCSP- OCSPSigning extended key usage, OCSP . , OCSP-, , OCSP. , OCSP . , OCSP . , OCSP- , ( ), . OCSP- , , OCSP-. : openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem -VAfile.
8.5
, . , -CApath, -CAfile ( VA) -VAfile. OCSP- : OCSP-. HTTP- POST- OCSP. , , , . . ocsp CGI- respin respout.
8.6
OCSP- : tt openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der OCSP- URL- http://ocsp.myhost.com/, openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -url http://ocsp.myhost.com/ -resp_text -respout resp.der OCSP- : openssl ocsp -respin resp.der -text
,
.00009-01 34 01
33
OCSP- 8888 (. 3.6) . . openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -text -out log.txt , : openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -nrequest 1 : openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1 , , . openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der
,
.00009-01 34 01
34
99.1
PKCS7 pkcs7 PKCS#7 DER PEM.
9.2
openssl pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [print_certs] [-text] [-noout] [-engine id]
9.3
. DER PKCS#7 1.5 DER-. PEM () DER- base64 . . , -inform. . , . . . , . subject issuer . , subject issuer. PKCS#7- ( , -print_certs). engine ( ) .
-inform DER|PEM
-outform DER|PEM -in filename -out filename -print_certs
-text -noout -engine id
9.4
PKCS#7- PEM DER: openssl pkcs7 -in file.pem -outform DER -out file.der , : openssl pkcs7 -in file.pem -print_certs -out certs.pem
9.5
PEM- PKCS#7- : ,
.00009-01 34 01
35
-----BEGIN PKCS7---------END PKCS7---- : -----BEGIN CERTIFICATE---------END CERTIFICATE-----
9.6
, PKCS#7-. 1.5 PKCS#7, RFC2315.
,
.00009-01 34 01
36
1010.1
PKCS8
pkcs8 PKCS#8. PKCS#8 PrivateKeyInfo EncryptedPrivateKeyInfo format PKCS#5 ( 1.5 2.0) PKCS#12.
10.2
openssl pkcs8 [-topk8] [-inform PEM|DER] [-outform PEM|DER] [-in file- name] [-passin arg] [-out filename] [-passout arg] [-noiter] [-nocrypt] [-nooct] [-embed] [-nsdb] [-v2 alg] [-v1 alg] [-engine id]
10.3
, PKCS#8 . : PKCS#8. . PKCS#8, PEM DER-. PEM- DER . . , -inform. , . , . , . . arg . 1.5. , . , . - , . . . arg . 1.5.
-topk8
-inform DER|PEM
-outform DER|PEM -in filename
-passin arg -out filename
-passout arg
,
.00009-01 34 01
37
-nocrypt
-v2 alg
-v1 alg -engine id
, PKCS#8 PKCS#8 EncryptedPrivateKeyInfo, , . , PrivateKeyInfo. , . . 2.0. PKCS#5. , PKCS#8 pbeWithMD5AndDES-CBC, 56- DES, , 1.5 PKCS#8. 2.0, , , 168 DES 128- RC2, 2.0. OpenSSL, . arg , , des, des3 rc2. des3. , 1.5 PKCS#5 PKCS#12 . engine ( ) .
10.4
PKCS#8- PEM : -----BEGIN ENCRYPTED PRIVATE KEY---------END ENCRYPTED PRIVATE KEY---- : -----BEGIN PRIVATE KEY---------END PRIVATE KEY---- , PKCS#5 2.0 , , SSLeay- . , . 56-, PKCS#8. ,
.00009-01 34 01
38
PKCS#12- PKCS#8: , . DER- PKCS#8, ASN1, PEM.
10.5
PKCS#5 v2.0 DES: openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem PKCS#8, , 1.5 PKCS#5: openssl pkcs8 -in key.pem -topk8 -out enckey.pem PKCS#8, , PKCS#12 (3DES): openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES PKCS#8 DER-: openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem PKCS#8 : openssl pkcs8 -in pk8.pem -out key.pem
,
.00009-01 34 01
39
1111.1
REQ
req PKCS#10. , , , . . req openssl . , PKCS#8-. , (, ), mkkey . , mkkey, req openssl. , req YARROW : . mkkey .
11.2
openssl req [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-text] [-pubkey] [-noout] [-verify] [-modulus] [-new] [-rand file(s)] [-newkey rsa:bits] [-newkey dsa:file] [-nodes] [-key filename] [-keyform PEM|DER] [-keyout file- name] [-[md5|sha1|md2|mdc2]] [-config filename] [-subj arg] [-multi- value-rdn] [-x509] [-days n] [set_serial n] [-asn1-kludge] [-newhdr] [-extensions section] [-reqexts section] [-utf8] [-nameopt] [-batch] [-verbose] [-engine id]
11.3
. DER ASN.1 DER , PKCS#10. PEM : DER-, base64, . , , -inform. , . , . , (-new -newkey). . arg . 1.5. . . . arg . 1.5.
-inform DER|PEM
-outform DER|PEM -in filename
-passin arg -out filename -passout arg
,
.00009-01 34 01
40
-text -pubkey -noout -modulus -verify -new
-rand file(s)
-newkey arg
-key filename -keyform PEM|DER -keyout filename
-nodes -config filename
-subj arg
. . . , . . . . , , . -key , RSA, , . , , . , : ; MS-Windows, , OpenVMS : . . arg :. 34.10-2001 : A, B, C; XA, XB. -newkey , , : gost2001:A. , . , -key. PEM. , . , , . , , . . , , , OPENSSL_CONF. subject . arg /type0=value0/type1=value1/type2=..., \( ), .
,
.00009-01 34 01
41
-multivalue-rdn
-x509
-days n -set serial n
-extensions section -reqexts section
-utf8
-nameopt option
-asn1-kludge
, -subj RDN. : /DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe -multi-rdn , UID 123456+CN=John Doe. . . , ( ) . set_serial, 0. -x509, . 30 . . , 0x. , . ( -x509) . . , UTF8, ASCII. , , , UTF-8 . , subject issuer. , . -nameopt. . 16. req , , PKCS#10. , , . . PKCS#10 SET OF. , , , SET OF. SET OF, . , .
,
.00009-01 34 01
42
-newhdr
-batch -verbose -engine id
NEW PEM . ( Netscape) . . . engine ( ) .
11.4
req . , (, req) . . input_password output_password ( ) ( ). passin passout , , . . , 512. , -new. -newkey . . , . -keyout . , OID (OBJECT IDENTIFIERS). : OID , , , , . , OID. : OID= OID. . , . 0, . -nodes.
default_bits
default_keyfile
oid_file
oid_section
RANDFILE encrypt_key
,
.00009-01 34 01
43
default_md
string_mask
req_extensions
x509_extensions
prompt
utf8
attributes
distinguished_name
, , , (RSA). , ( ). . . default ( ) PrintableStrings, T61Strings BMPStrings. pkix PrintableStrings and BMPStrings PKIX RFC2459. utf8only, UTF8Strings: PKIX RFC2459 2003 . , nombstr PrintableStrings T61Strings: BMPStrings and UTF8Strings, Netscape. pkix ( , , Active-X Xenroll Windows), utf8only , , . - -reqexts . , , , -x509. - extensions . no, . , distinguished_name attributes. , UTF8, ASCII. , , , UTF-8 . , : distinguished_name. , challengePassword unstructuredName. OpenSSL, , . , distinguished name, . 11.5. ,
.00009-01 34 01
44
11.5
distinguished name attribute
distinguished name attribute. prompt no, , CN=Ivanov Ivan Ivanovich OU=Company [email protected] (, ) - req. . , prompt no, . : fieldName="prompt" fieldName_default=" " fieldName_min= 2 fieldName_max= 4 fieldName , commonName CN. "prompt" . , . , . , , .. fieldName_min and fieldName_max: (, countryName PrintableString). ( organizationName) DN . , , . , fieldName , , . , , organizationName 1.organizationName. OID. OpenSSL , commonName, countryName, localityName, organizationName, organizationUnitName, stateOrProvinceName. emailAddress, name, surname, givenName initials dnQualifier. OID oid_file oid_section. DirectoryString.
11.6
: openssl req -in req.pem -text -verify -noout : ,
.00009-01 34 01
45
openssl req -new -key key.pem -out req.pem , : openssl req -newkey gost2001:A -keyout key.pem -out req.pem : openssl req -x509 -newkey gost2001:A -keyout key.pem -out req.pem , oid_file:1.2.3.4 1.2.3.6 shortName otherName A longer Name Other longer Name
, oid_section :testoid1=1.2.3.5 testoid2=${testoid1}.6
, :[ req ] default_bits default_keyfile distinguished_name attributes x509_extensions dirstring_type = nobmp [ req_distinguished_name ] countryName countryName_default countryName_min countryName_max localityName organizationalUnitName commonName commonName_max emailAddress emailAddress_max [ req_attributes ] challengePassword challengePassword_min challengePassword_max [ v3_ca ] subjectKeyIdentifier=hash ,
= = = = =
1024 privkey.pem req_distinguished_name req_attributes v3_ca
= = = =
Country Name (2 letter code) AU 2 2
= Locality Name (eg, city) = Organizational Unit Name (eg, section) = Common Name (eg, YOUR name) = 64 = Email Address = 40
= A challenge password = 4 = 20
.00009-01 34 01
46
authorityKeyIdentifier=keyid:always,issuer:always basicConstraints = CA:true
:RANDFILE [ req ] default_bits default_keyfile distinguished_name attributes prompt output_password = $ENV::HOME/.rnd
= = = = = =
1024 keyfile.pem req_distinguished_name req_attributes no mypass ] GB Test State or Province Test Locality Organization Name Organizational Unit Name Common Name [email protected]
[ req_distinguished_name C = ST = L = O = OU = CN = emailAddress = [ req_attributes ] challengePassword
= A challenge password
11.7
, PEM : -----BEGIN CERTIFICATE REQUEST---------END CERTIFICATE REQUEST---- ( Netscape) : -----BEGIN NEW CERTIFICATE REQUEST---------END NEW CERTIFICATE REQUEST---- -newhdr, . . , Microsoft IE Active-X Xenroll, , KeyUsage, ( ) OID, extendedKeyUsage.
,
.00009-01 34 01
47
11.8
: Using configuration from /some/path/openssl.cnf Unable to load config info : unable to find distinguished_name in config problems making Certificate Request : ! ( ) , . . . : Attributes: a0:00 , attributes , SET OF (DER- 0xa0 0x00). : Attributes: , SET OF ( ). . -asn1-kludge.
11.9
OPENSSL_CONF, , . -config . SSLEAY_CONF , .
,
.00009-01 34 01
48
1212.1
SMIME
smime S/MIME. , , .
12.2
openssl smime [-encrypt] [-decrypt] [-sign] [-verify] [-pk7out] [-gost89] [-in file] [-certfile file] [-signer file] [-recip file] [-inform SMIME|PEM|DER] [-passin arg] [-inkey file] [-out file] [outform SMIME|PEM|DER] [-content file] [-to addr] [-from ad] [-subject s] [-text] [-rand file(s)] [cert.pem]...
12.3
, . . -encrypt . . MIME. . MIME. . . , . MIME. . . , . PKCS#7- PEM-. , , MIME, . PKCS#7-. SMIME, S/MIME. PEM DER PKCS#7- . PKCS#7-, PKCS#7- ( -encrypt -sign), . ,
-decrypt
-sign
-verify
-pk7out -in filename
-inform SMIME|PEM|DER
.00009-01 34 01
49
-content filename
-text
-add
-CAfile file -CApath dir
-gost89
-nointern
-noverify -nochain
-nosigs -nocerts
, () , -verify. , PKCS#7- , . S/MIME; multipart/signed MIME content type. MIME- (text/plain) . : MIME- text/plain, . . PKCS#7- PEM DER. S/MIME . , . -verify. , . -verify. , - subject name. . -encrypt. . , , , ( ). , , -certfile. , , . . , , , . . , , . . , (, -certfile).
,
.00009-01 34 01
50
-binary
-nodetach
-certfile file
-signer file
-recip file
-inkey file
-passin arg -rand file(s)
cert.pem... -to, -from, -subject
-policy -purpose
-ignore_critical -crl_check
, , CR LF , S/MIME. . , MIME-. : , , S/MIME. , MIME multipart/signed. . . . PEM-. . , . . , . , . . , , -recip -signer. . arg . 1.5. , , . , : ; MS-Windows, , OpenVMS : . . . . , . , S/MIME, , , , . , openssl sslclient, sslserver, nssslserver, smimeencrypt, smimesign,crlsign, any. X509v3, . ,
.00009-01 34 01
51
-crl_check_all -policy_check -explicit_policy -x509_strict -policy_print
x509
12.4
MIME- . . sendmail . MIME, ( ). -text . , , . , (. 12.6). S/MIME, . ( -add) . , . , . -encrypt -decrypt . , enveloped data PKCS#7. PKCS#7 encrypted data .
12.51 2 3 4 5
. . . PKCS#7- MIME-. , .
12.6
:
,
.00009-01 34 01
52
openssl smime -sign -in message.txt -text -out mail.msg -signer mycert.pem : openssl smime -sign -in message.txt -text -out mail.msg -nodetach -signer mycert.pem , : openssl smime -sign -in in.txt -text -out mail.msg -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem Unix- sendmail, : openssl smime -sign -in in.txt -text -signer mycert.pem -from [email protected] -to someone@somewhere -subject Signed message | sendmail someone@somewhere : openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt , gost89: openssl smime -encrypt -in in.txt -from [email protected] -to someone@somewhere -subject -gost89 user.pem -out mail.msg : openssl smime -sign -in ml.txt -signer my.pem -text | openssl smime -encrypt -out mail.msg -from [email protected] -to someone@somewhere -subject Signed and Encrypted message -gost89 user.pem : -text, MIME-. : openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem Netscape PKCS#7- . , , base64, : -----BEGIN PKCS7---------END PKCS7---- openssl smime -verify -inform PEM -in signature.pem -content content.txt base64 openssl smime -verify -inform DER -in signature.der -content content.txt
,
.00009-01 34 01
53
1313.1
S_CLIENT
s_client SSL/TLS- , SSL/TLS-. SSL-.
13.2
openssl s_client [-connect host:port] [-verify depth] [-cert filename] [-certform DER|PEM] [-key filename] [-keyform DER|PEM] [-pass arg] [-CApath directory] [-CAfile filename] [-reconnect] [-pause] [-showcerts] [-debug] [-msg] [-nbio_test] [-state] [-nbio] [-crlf] [-ign_eof] [-quiet] [ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3] [-no_tls1] [-bugs] [-cipher cipherlist] [-starttls protocol] [-engine id] [-rand file(s)]
13.3
, , . , , 4433. . , -connect , . , -connect , , . . : DER PEM. PEM. . , . , . : DER PEM. PEM. . arg . 1.5. . . , . , . ,
-connect host:port
-host -port -cert certname
-certform format -crl_check -crl_check_all -key keyfile -keyform format -pass arg -verify depth
.00009-01 34 01
54
-CApath directory
-CAfile file
-reconnect
-pause -showcerts -prexit
-state -debug -msg -nbio_test -nbio -crlf -ign_eof -quiet
, . -, . 15 . . , , . , 5 ID. . read write. , . , . . , . , - - , URL. : , , , . SSL-. , . . - - CR+LF, . . . , -ign_eof.
,
.00009-01 34 01
55
-ssl2, -ssl3, -tls1, - SSL- TLSno_ssl2, -no_ssl3, - . no_tls1 , SSL v3, SSL v2 TLS . , , . TLS -no_tls, SSL, -ssl2. -bugs SSL TLS . . -cipher cipherlist , . , - , - . . ciphers. -starttls protocol - () TLS . protocol - . smtp, pop3, imap, and ftp. -engine id engine ( ) . -rand file(s) , , . , : ; MS-Windows, , OpenVMS : . -mtu TCP . -serverpref ( SSLv2)
13.4
,
SSL-, , , . ( , -quiet, -ign_eof) , R, Q, , .
,
.00009-01 34 01
56
13.5
s_client SSL-. SSL HTTP- openssl s_client -connect servername:443 ( https 443). , http-, GET / -. , , , , -bugs, -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 , . - OpenSSL. - , , . , , , , . s_client . URL. , -prexit http- . -cert, , . , , . , -showcerts, .
,
.00009-01 34 01
57
1414.1
S_SERVER
s_server SSL/TLS- , SSL/TLS.
14.2
openssl s_server [-accept port] [-context id] [-verify depth] [-Verify depth] [-cert filename] [certform DER|PEM] [-key keyfile] [-keyform DER|PEM] [-pass arg] [-dcert filename] [-dcertform DER|PEM] [-dkey key- file] [-dkeyform DER|PEM] [-dpass arg] [-dhparam filename] [-nbio] [nbio_test] [-crlf] [-debug] [-msg] [-state] [-CApath directory] [-CAfile filename] [-nocert] [-cipher cipherlist] [-quiet] [-no_tmp_rsa] [-ssl2] [-ssl3] [-tls1] [-no_ssl2] [-no_ssl3] [-no_tls1] [-no_dhe] [-bugs] [-hack] [-www] [-WWW] [-HTTP] [-engine id] [-id_pre- fix arg] [-rand file(s)]
14.3
TCP-, . , 4433. SSL. . , . , . - , . , server.pem. : DER PEM. PEM. , . , . : DER PEM. PEM. . arg . 1.5. - , , , -cert -key, , , . , - , . , .
-accept port -context id
-cert certname
-certform format -key keyfile -keyform format -pass arg -dcert filename, dkey keyname
,
.00009-01 34 01
58
-dcertform format, - , dkeyform format, - . dpassarg -nocert , . ( DH). -dhparam filename DH, . DH- , DH-. , . , , s_server. -no_dhe , DH- , DH-. -verify depth, -Verify . depth . -verify , , -Verify , . -CApath directory , . -, . 15 . . -CAfile file , , . , . -state SSL-. -debug , . -msg . -nbio_test - -nbio - -crlf CR+LF, . -ign_eof . -quiet . , -ign_eof.
,
.00009-01 34 01
59
-ssl2, -ssl3, -tls1, - SSL- TLSno_ssl2, -no_ssl3, - . no_tls1 , SSL v3, SSL v2 TLS . -bugs SSL TLS . . -hack SSL Netscape. -cipher cipherlist , . -, - , . - , . . ciphers. -www . - . HTML-, , , -. -WWW -. , URL https://myhost/page.html, ./page.html. -HTTP -. , URL https://myhost/page.html, ./page.html. , HTML- (, HTTP, CRLF). -starttls protocol - () TLS . protocol - . smtp, pop3, imap, and ftp. -engine id engine ( ) . -id_prefix arg SSL/TLS , arg. SSL/TLS- ( ), , (range) (, ).
,
.00009-01 34 01
60
-rand file(s)
, , . , : ; MS-Windows, , OpenVMS : .
14.4
,
SSL- -www -WWW, , , , , . , . : q SSL-, . Q SSL- . r SSL-. R SSL- . P underlying TCP-: - . S .
14.5
s_server SSL-. -, , , openssl s_server -accept 443 -www , , , SSL , . . sess_id.
,
.00009-01 34 01
61
1515.1
VERIFY verify .
15.2
openssl verify [-CApath directory] [-CAfile file] [-purpose purpose] [-untrusted file] [-help] [issuer_checks] [-verbose] [-] [certifi- cates]
15.3
. : hash.0 ( hash subject name; . 16.) Unix- c_rehash . . PEM-, . . . . : sslserver, nssslserver, smimesign, smimeencrypt. . 15.4. . . , , . , . , . . , , . , -. , . , . PEM. , openssl sslclient, sslserver, nssslserver, smimeencrypt, smimesign,crlsign, any. ,
-CApath directory
-CAfile file -untrusted file -purpose purpose
-help -verbose -issuer_checks
-
certificates
-policy -purpose
.00009-01 34 01
62
-ignore_critical -crl_check -crl_check_all -policy_check -explicit_policy -x509_strict -policy_print
X509v3, . x509
15.4
verify , internal SSL and S/MIME verification, . , verify, : , , , . . . . , . , . , . , . OpenSSL 0.9.5a , subject name issuer , . OpenSSL 0.9.6. , subject name issuer , . ( ) , , keyUsage ( ) . , , . ; , , , . . -purpose , . (leaf) , , . , 16.6. ,
.00009-01 34 01
63
. . SSLeay OpenSSL . . notBefore notAfter . . , . - , .
15.5
, , . : server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) error 24 at 1 depth lookup:invalid CA certificate , subject name . . , , 0, , - 1 . . . , x509_vfy.h. , ; . 0 X509_V_OK 2
ok
X509_V_ERR_UNABLE_TO_GET unable to get issuer _ISSUER_CERT certificate
3
X509_V_ERR_UNABLE_TO_GET unable to get certificate _CRL CRL X509_V_ERR_UNABLE_TO_ DECRYPT_CRL_SIGNATURE unable to decrypt CRLs signature
5
6
X509_V_ERR_UNABLE_TO_ DECODE_ISSUER_PUBLIC_KEY
unable to decode issuer public key
, : , , . . . . . SubjectPublicKeyInfo .
,
.00009-01 34 01
64
7 X509_V_ERR_CERT_ SIGNATURE_FAILURE 8 X509_V_ERR_CRL_ SIGNATURE_FAILURE 9 X509_V_ERR_CERT_NOT_YET_ VALID X509_V_ERR_CERT_HAS_ EXPIRED X509_V_ERR_CRL_NOT_YET_ VALID X509_V_ERR_CRL_HAS_ EXPIRED
certificate signature failure CRL signature failure
certificate is not yet valid certificate has expired
10
11
CRL is not yet valid
12
CRL has expired
13
14
15
X509_V_ERR_ERROR_IN_CERT_ format error in NOT_BEFORE_FIELD certificates notBefore field X509_V_ERR_ERROR_IN_CERT_ format error in NOT_AFTER_FIELD certificates notAfter field X509_V_ERR_ERROR_IN_CRL format error in CRLs _LAST_UPDATE_FIELD lastUpdate field
16
X509_V_ERR_ERROR_IN_CRL _NEXT_UPDATE_FIELD
format error in CRLs nextUpdate field
17
X509_V_ERR_OUT_OF_MEM
out of memory
18
X509_V_ERR_DEPTH_ZERO _SELF_SIGNED_CERT
self signed certificate
19
X509_V_ERR_SELF_SIGNED _CERT_IN_CHAIN
self signed certificate in certificate chain
. : notBefore . : notAfter . . . notBefore notAfter lastUpdate . nextUpdate . . . . , .
,
.00009-01 34 01
65
20 X509_V_ERR_UNABLE_TO_GET unable to get _ISSUER_CERT_LOCALLY issuer certificate
local
21
X509_V_ERR_UNABLE_TO_ VERIFY_LEAF_SIGNATURE
unable to verify the first certificate
22
X509_V_ERR_CERT_CHAIN_ TOO_LONG
certificate long
chain
too
23 24
X509_V_ERR_CERT_REVOKED X509_V_ERR_INVALID_CA
certificate revoked invalid CA certificate
25
X509_V_ERR_PATH_LENGTH_ EXCEEDED X509_V_ERR_INVALID_ PURPOSE X509_V_ERR_CERT_ UNTRUSTED
path length constraint exceeded unsupported certificate purpose certificate not trusted
26
27
28
X509_V_ERR_CERT_REJECTED
certificate rejected
, , , . , . , , . . . . . , . the basicConstraints pathlength . . . .
,
.00009-01 34 01
66
29 X509_V_ERR_SUBJECT_ISSUER subject issuer mismatch _MISMATCH
30
X509_V_ERR_AKID_SKID_ MISMATCH
authority and subject key identifier mismatch
31
X509_V_ERR_AKID_ISSUER _SERIAL_MISMATCH
authority and issuer serial number mismatch
32
X509_V_ERR_KEYUSAGE_ NO_CERTSIGN
key usage include signing
does not certificate
, , , subject name issuer name . , -issuer_checks. , , , subject key authority key identifier . , -issuer_checks. , , , issuer name serial number authority key identifier of the current certificate. , -issuer_checks. , , , keyUsage .
,
.00009-01 34 01
67
50 X509_V_ERR_APPLICATION_ VERIFICATION
application verification failure
, . .
,
.00009-01 34 01
68
1616.1
X509
x509 . , , - .
16.2
openssl x509 [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform DER|PEM] [CAform DER|PEM] [-CAkeyform DER|PEM] [-in filename] [-out filename] [-serial] [-hash] [subject_hash] [-issuer_hash] [-subject] [-issuer] [-nameopt option] [-email] [-startdate] [-enddate] [-purpose] [-dates] [-modulus] [-fingerprint] [-alias] [-noout] [-trustout] [-clrtrust] [-clrreject] [-addtrust arg] [-addreject arg] [-setalias arg] [-days arg] [-set_serial n] [-signkey filename] [-x509toreq] [-req] [-CA filename] [-CAkey filename] [-CAcreateserial] [-CAserial filename] [text] [-C] [-md2|-md5|-sha1|-mdc2|-md_gost94] [-clrext] [-extfile filename] [-extensions section] [-engine id]
16.3
, . 16.3.1 , . , X509, , , -req. DER DER- , PEM DER- base64 c . NET Netscape, . , -inform. , . , . . , . MD5 (fingerprint) -signkey ( , ) ,
-inform DER|PEM|NET
-outform DER|PEM|NET -in filename
-out filename
-md5
.00009-01 34 01
69
-sha1
-md_gost94 -engine id
SHA1 (fingerprint) -signkey ( , ) 34.11-94 (fingerprint) . engine ( ) .
16.3.2
: -alias -purpose , 16.3.3. -text . , , subject name issuer name, , . -text. option , . certopt . . , . subject name . OpenSSL , subject name. issuer name . -hash . subject name. issuer name. , subject issuer. , . -nameopt. . 16.3.5. () , . notBefore. notAfter. . - DER- (. 16.5). ,
-certopt option
-noout -modulus -serial -subject_hash
-issuer_hash -hash -subject -issuer -nameopt option
-email -startdate -enddate -dates -fingerprint
.00009-01 34 01
70
- 16.3.3
.
, , . , , . . . , , . . . , SSL-, SSL-. . 15 . OpenSSL , . -trustout x509 . , , , . . , - . . , . , . . . . , clientAuth ( SSL-), serverAuth ( SSL-) emailProtection ( S/MIME). OpenSSL- . . , -addtrust.
-setalias arg -alias -clrtrust -clrreject -addtrust arg
-addreject arg
,
.00009-01 34 01
71
-purpose
. . 16.6.
16.3.4
x509 ; , -. -signkey filename . , issuer name subject name (.. ), . , , -days. , -clrext. , , subject name . . , ( -signkey -CA). , . (DER PEM) , -signkey. . 30 . . -signkey . . , . . -signkey -CA. -CA, ( CAserial -CAcreateserial) . ( 0x). , .
-clrext
-keyform PEM|DER -days arg -x509toreq -req
-set_serial n
,
.00009-01 34 01
72
-CA filename
-CAkey filename
-CAserial filename
-CAcreateserial
-extfile filename
-extensions section
, . , x509 -. , issuer name subject name , , . , , -req. -req , . , , . , , . , . -CA , , . , . . ( ) .srl. , mycacert.pem, mycacert.srl. , , . 02, 1. , -CA , . , , . , . , . , () , extensions, .
16.3.5
- nameopt , subject name issuer name. nameopt , , OpenSSL. , - . , ,
.00009-01 34 01
73
. compat RFC2253 . . , RFC2253 esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_unknown, dump_der, sep_comma_plus, dn_rev sname. , , RFC2253. esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq sname. . esc_ctrl, esc_msb, sep_multiline, space_eq, lname align. , RFC2253 , ,+ >;. , # , . , .. ASCII, 0x20 (), (0x7f). RFC2253 \XX notation ( XX , ). (most significant) , , ASCII- 127. , , \. UTF-. RFC2253. UTF-8- , ( esc_msb) () . , , 0xff, \UXXXX \WXXXXXXXX . , , UTF-8- . . , . , . ASN.1. . BMPSTRING: Hello World.
oneline
multiline esc_2253
esc_ctrl
esc_msb
use_quote
utf8
no_type
show_type
,
.00009-01 34 01
74
dump_der
, , , DER-. , . RFC2253 #XXXX... dump_nostr ( OCTET STRING). , , . dump_all . dump_der DER- . dump_unknown , OID OpenSSL. sep_comma_plus, . - sep_comma_plus_space, RDN AVA ( sep_semi_plus_space, AVA , sep_multiline ). , space, . sep_multiline LF RDN + AVA. , . dn_rev DN . RFC2253. AVA, . nofname, sname, . nofname lname, oid . sname ( CN commonName). lname . oid OID . align . sep_multiline. space_eq =, . 16.3.6
, , certopt, text. . compatible no_header no_version no_serial no_signame
. . , .. Certificate Data. ,
.00009-01 34 01
75
no_validity no_subject no_issuer no_pubkey no_sigdump no_aux no_extensions ext_default ext_error ext_parse ext_dump ca_default
, .. notBefore notAfter. subject name. issuer name. . . . 3 X509. ; . . ASN.1-. . , ca, no_issuer, no_pubkey, no_header, no_version, no_sigdump no_signame.
16.4
: openssl x509 -in cert.pem -noout -text : openssl x509 -in cert.pem -noout -serial subject name : openssl x509 -in cert.pem -noout -subject subject name RFC2253-: openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 subject name , UTF-8: openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb MD5- : openssl x509 -in cert.pem -noout -fingerprint SHA1- : openssl x509 -sha1 -in cert.pem -noout -fingerprint PEM- DER-: openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER : openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem , : openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca -signkey key.pem -out cacert.pem , , : openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr -CA cacert.pem -CAkey key.pem -CAcreateserial ,
.00009-01 34 01
76
SSL- Steves Class 1 CA: openssl x509 -in cert.pem -addtrust clientAuth -setalias "Steves Class 1 CAout trust.pem
16.5
PEM- : -----BEGIN CERTIFICATE---------END CERTIFICATE---- , , : -----BEGIN X509 CERTIFICATE---------END X509 CERTIFICATE---- : -----BEGIN TRUSTED CERTIFICATE---------END TRUSTED CERTIFICATE---- UTF-8, , , T61Strings ISO8859-1. , Netscape Microsoft IE, . , . -fingerprint - DER- . - . - , . Netscape MD5, Microsoft IE SHA1. -email subject name subject alternative name. : .
16.6
-purpose , . . , , -verify. basicConstraints , . true, , false, . true. ,
.00009-01 34 01
77
V1 ( ) , , . Verisign, V1. keyUsage, . keyCertSign, . extended key usage . ( ), . . basicConstraints, keyUsage 1 . SSL Client extended key usage OID web client authentication. keyUsage digitalSignature. Netscape SSL client. SSL Client CA extended key usage OID web client authentication. Netscape SSL CA, , basicConstraints. SSL Server extended key usage OID web server authentication / SGC OID. keyUsage digitalSignature keyEncipherment ( ). Netscape SSL server. SSL Server CA extended key usage OID web server authentication / SGC OID. Netscape SSL CA, , basicConstraints. Netscape SSL Server Netscape SSL- SSL-, keyEncipherment keyUsage. , - . , SSL-. Common S/MIME extended key usage Client Tests OID email protection. Netscape S/MIME. S/MIME Netscape, SSL client, ; , Verisign S/MIME. ,
.00009-01 34 01
78
S/MIME Signing
S/MIME- digitalSignature, keyUsage. S/MIME Encryption S/MIME- keyEncipherment, keyUsage. S/MIME CA extended key usage OID email protection. Netscape S/MIME CA, , basicConstraints. CRL Signing keyUsage CRL signing. CRL Signing CA . basicConstraints.
,
.00009-01 34 01
79
() . - - () . .
,