openssl3.2 - 官方demo学习 - pkcs12 - pkwrite.c

概述

openssl3.2 - 官方demo学习 - 索引贴
上次PKCS12的官方实验还没做, 原因是没在官方demo中看到如何生成P12的证书, 因为P12是受密码保护的, 如果不知道密码, 随便拿来一个.P12证书, 用编程也操作不了.

整理了官方帮助文件(openssl3.2 - 帮助文档的整理)后, 很容易就找到了官方说明, 如何用openssl命令行去生成P12证书的全流程操作.

今天拿官方demo pkwrite.c + 自己做的服务器证书来做实验, 学到东西了.

学到的知识点

• 如果要操作的.PEM文件有密码保护, 在PEM_read_PrivateKey()调用时, 要给密码回调处理, 回调的返回值是密码长度.
• 并不是只有.P12证书才可以收密码保护, 私钥证书也可以受密码保护. 从PEM_read_PrivateKey()的函数定义就能看出来.

// 如果私钥证书受密码保护, 那么就要在参数3给出负责密码赋值的回调
EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,void *u)
{return PEM_read_PrivateKey_ex(fp, x, cb, u, NULL, NULL);
}

等后续再看看生成私钥时, 如何给密码保护.

笔记

PEM证书可以拼接

按照官方实验, 生成的证书和私钥是分开的.

pkwrite.c里面是从一个.pem中载入证书和私钥.
因为.PEM是文本格式的, openssl在一个文本文件(.PEM)中载入对应内容时, 是按照文本标签来载入的.
所以, 可以自己将证书和私钥贴在一起.

从newcert.pem拷贝一份pem, 命名为newcert_and_key.pem.
然后将newkey.pem的内容贴在 newcert_and_key.pem的后面, 这个PEM证书就可以用来做pkwrite.c的实验.
也可以将pkwrite.c改一下, 从2个.pem中, 分别载入cert和key. 看自己喜好.

Certificate:Data:Version: 3 (0x2)Serial Number:04:ac:e1:ce:5b:5f:48:56:2c:45:92:46:fb:ed:ca:dc:0e:f2:4f:47Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=SX, O=KRGY, OU=RD, CN=MY_CA/emailAddress=test@sina.comValidityNot Before: Jan 31 11:00:37 2024 GMTNot After : Jan 30 11:00:37 2025 GMTSubject: C=CN, ST=SX, L=TY, O=KRGY, OU=server_cert, CN=SERVER_CERT1/emailAddress=test@sina.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (2048 bit)Modulus:00:a3:9a:66:9e:cc:73:0b:b0:b8:ed:1f:20:84:43:74:8e:5b:cb:cf:e7:f2:ae:ed:fa:1f:47:23:39:58:74:64:1d:d9:28:10:33:61:36:a3:6e:13:9c:42:70:a2:90:37:2f:4a:e8:16:89:ec:d9:55:a5:70:04:9c:a6:a2:09:81:25:b6:f7:b6:c6:5c:8d:06:c8:8a:17:83:fa:c9:84:4f:67:6f:29:ef:50:a9:6f:cf:40:02:cc:9f:2e:21:5c:99:b0:b6:d2:37:f3:42:5f:7a:ec:b3:2c:d3:10:62:fa:32:b9:cc:94:23:b2:fa:bb:8c:03:b4:51:59:7c:5c:39:e2:11:68:3c:3d:a2:c6:c5:31:00:40:c9:10:46:47:fc:ef:0c:ec:39:f2:cc:29:de:13:66:07:ca:87:bf:bd:7a:43:0b:3a:91:09:f4:7d:e5:c4:fd:08:89:0b:7c:bd:81:69:0b:f6:17:ec:f9:bc:2c:23:62:01:b2:a9:90:bb:13:3e:84:b2:14:57:11:d3:04:97:8c:3b:99:b0:3d:ee:99:dd:a9:f1:a0:14:75:21:6e:9b:ae:01:fc:f3:3f:9b:70:89:1e:a8:d5:98:8a:9f:8d:6d:95:d7:93:6e:13:71:70:78:d4:e7:30:98:07:1e:de:fb:69:82:54:56:4d:7a:dc:91:8bExponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints: CA:FALSEX509v3 Subject Key Identifier: 1A:EC:FE:4B:00:EE:C3:3D:C0:CD:BD:D8:05:9B:BC:10:61:A0:27:8EX509v3 Authority Key Identifier: 55:39:9F:AA:3D:85:10:C2:72:E4:16:0E:7A:E4:E3:9E:69:37:8C:13Signature Algorithm: sha256WithRSAEncryptionSignature Value:d0:5b:40:d1:65:82:a1:13:ce:e1:b7:ab:76:f6:03:a3:e5:0c:b6:16:c4:d1:4f:24:81:99:99:ef:cb:e5:53:80:b3:fa:2b:fe:90:a7:9a:da:7a:bc:41:30:0c:fd:d2:c1:27:4c:39:15:aa:06:f7:f2:23:f8:2b:9c:55:47:87:48:f6:96:af:ef:5c:37:be:7d:60:15:48:87:41:b1:67:7f:7c:f6:66:c2:3a:3f:16:6d:59:57:1b:ea:63:ea:f8:74:d4:0d:bb:2a:89:a3:3c:16:57:6f:47:80:96:92:91:be:87:36:a9:c5:ca:00:db:55:3e:27:87:a6:fb:1b:b8:a1:30:fc:6a:4e:85:a9:56:45:40:4b:f4:c9:a5:99:a3:52:3e:e1:11:f2:0c:c3:e7:29:f0:f8:2e:14:c0:70:d0:b7:32:73:65:4a:40:50:5a:67:96:2b:4d:76:38:62:58:25:63:60:29:97:eb:d0:6d:8c:dd:0a:06:c2:9c:2d:45:d5:d1:67:51:e0:72:5a:e2:4f:a8:f1:6d:25:35:67:5c:c0:41:42:1e:61:86:68:e9:df:40:2d:c1:13:66:d0:7a:6c:33:8a:7d:1c:ac:1f:9b:3a:1a:67:75:51:90:ec:fb:74:af:fd:50:96:1d:9c:29:78:a2:47:29:2e:2b:5a:44:8e
-----BEGIN CERTIFICATE-----
MIIDwTCCAqmgAwIBAgIUBKzhzltfSFYsRZJG++3K3A7yT0cwDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNYMQ0wCwYDVQQKDARLUkdZMQsw
CQYDVQQLDAJSRDEOMAwGA1UEAwwFTVlfQ0ExHDAaBgkqhkiG9w0BCQEWDXRlc3RA
c2luYS5jb20wHhcNMjQwMTMxMTEwMDM3WhcNMjUwMTMwMTEwMDM3WjCBgTELMAkG
A1UEBhMCQ04xCzAJBgNVBAgMAlNYMQswCQYDVQQHDAJUWTENMAsGA1UECgwES1JH
WTEUMBIGA1UECwwLc2VydmVyX2NlcnQxFTATBgNVBAMMDFNFUlZFUl9DRVJUMTEc
MBoGCSqGSIb3DQEJARYNdGVzdEBzaW5hLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAKOaZp7McwuwuO0fIIRDdI5by8/n8q7t+h9HIzlYdGQd2SgQ
M2E2o24TnEJwopA3L0roFons2VWlcAScpqIJgSW297bGXI0GyIoXg/rJhE9nbynv
UKlvz0ACzJ8uIVyZsLbSN/NCX3rssyzTEGL6MrnMlCOy+ruMA7RRWXxcOeIRaDw9
osbFMQBAyRBGR/zvDOw58swp3hNmB8qHv716Qws6kQn0feXE/QiJC3y9gWkL9hfs
+bwsI2IBsqmQuxM+hLIUVxHTBJeMO5mwPe6Z3anxoBR1IW6brgH88z+bcIkeqNWY
ip+NbZXXk24TcXB41OcwmAce3vtpglRWTXrckYsCAwEAAaNNMEswCQYDVR0TBAIw
ADAdBgNVHQ4EFgQUGuz+SwDuwz3Azb3YBZu8EGGgJ44wHwYDVR0jBBgwFoAUVTmf
qj2FEMJy5BYOeuTjnmk3jBMwDQYJKoZIhvcNAQELBQADggEBANBbQNFlgqETzuG3
q3b2A6PlDLYWxNFPJIGZme/L5VOAs/or/pCnmtp6vEEwDP3SwSdMORWqBvfyI/gr
nFVHh0j2lq/vXDe+fWAVSIdBsWd/fPZmwjo/Fm1ZVxvqY+r4dNQNuyqJozwWV29H
gJaSkb6HNqnFygDbVT4nh6b7G7ihMPxqToWpVkVAS/TJpZmjUj7hEfIMw+cp8Pgu
FMBw0Lcyc2VKQFBaZ5YrTXY4YlglY2Apl+vQbYzdCgbCnC1F1dFnUeByWuJPqPFt
JTVnXMBBQh5hhmjp30AtwRNm0HpsM4p9HKwfmzoaZ3VRkOz7dK/9UJYdnCl4okcp
LitaRI4=
-----END CERTIFICATE----------BEGIN ENCRYPTED PRIVATE KEY-----
MIIFJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQ1u8sSfODapF0mti+
EkjAsQICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIKM05Kcht6JkEggTI
RkbSmvYL7rcuTcXKRv5A6E3a7rXIbeu2/LJNH8Y4vwtoQBrq60E85fqs/m+AlQ1P
ONUu3B8FpiJXiqMKrLy1AG8NmIeat/xyMbsY3azlPuJmb6ZJ7GAII9SbQKsytPfh
02ZiJi8ATE1VwPf3psv9G0WigrsUy7y4NvKokAnZMyOy2qOPBPt6puPxf5BcxK8g
z8tt5on4ER6gaeKkUH+/ok5pKG78ilrmel92x3AkOt+04qN6pDKvpDz3z9azunSj
k7zA1wQ6HMggl8ohuwGNmdor56funvPpYxDJZ2+DMwsf+jYxuW5G4XYkbNA2685Q
Fx9Hscw27/jaYYP506VpCe9lHnYL7xb8nyXghxLMSd480SYYgdiiPasR0NCo7ZTo
PYWVFs3Beq8c9FNUEThtaWhuVtK0MGbQEl6vCu15lO6XIlT7JUgDIgPwR27VPYVV
ncyZsPbviGBMRfEQ2DUFSbBKOXtQhIVgbf7qbf/NXMLWvZyLo/iaROCGxRQF1zrB
XdvDvKAfHzWoKMHRT58sPGuplTURsDrzwcIO1Gd5UEpYQnMpEbYXigQHPICjKmvO
OXTR7vVlpbaq8+ZMmAtJtNQ7bOxAaKN/DNBd6vd7sq7wGfAd5dE5uC797BE+yymC
NNMyK49c9WEwrVvb0GS0RnxdGtchvf/zM+h/KwfA2SlPiGUs5dprb5wZt5kGGVeX
K5ti2agnKlAoKxBwJnsIgBgUdEHYR5/k9Ovdj9JhR/a5WwgoIi/ow8OQWXH5WGCv
Gpqnc0n3XE/rrGPjLEJo+C0+yxyKqGh6vpuiV66sKGvBF3U9fzLnxhObUh/ntrb2
JxtJmRbjCcYF2lZjJ8EfJOD+7L7aONY69yTNU3DhBWtRVYq5pfGoDx94zPBQ9PJ4
OlLX7wIh0CUdnHxIeL//t6RBonVtIu6iPkCDgIXLKHjlQ+YupKORjD8h+Qoy83Ki
MQzm8rcGRwXARiYCfp1s6JQZKxjs0lVkg7IzgPDyuF7Rp17hHQv97ERRU7Hn8VI+
QGPncdnG+VVLpXDqet1PNIZFRa12D/a4gVkHdNA4IoFlzMiEfwzPEXuDov3J/Uo3
MQBKPRpCtpXLGFFeIoFRuhZUgC3+OJTHt38CFmRMphrH+DHgQ3HzIfU9+VQZZUHU
xLS1MsVZNq7XN/c7fL2yU6axiI7XwQbn01P2c26j2FWX+u82BrJ+7BrCkZ9RDkRW
kW0uGV8KrAb/22WKv5sBn2OGPajsrHBS3MqJBYi40y4xUZVmZF4XKxvYRcXtOmBW
otITMS0UGhYjFvuxffYOC557trMLz+zDyBTv99b6/ePWa5wPs5eGbsahwfDoYYN0
3sjghAbjB1LH9e+mLpA/tQ110d4PPVC2XT8hPXqBPM7392WQShRw4Rmb3h0US0iI
1NU9rbymfECZIYNoRsyD4a9jbAo+f9cbW3Y7G0mCNOjjO2VoSJb54FC+xFGTftj3
9E6xniWeM/6+A8feP3BuA2qBJ1CP3l2857Ops1MNU/clnHdgaxqnq/CP5TPcaQJ/
Fw5y/oPHo5KMZ3HNGm/PXP+w167dbfkwQFv90GkIxFg4z355JErINsYUhycUqX+7
TgJRTgKxK7Ni23H86DDpywMzFP4zovMX
-----END ENCRYPTED PRIVATE KEY-----

做实验之前, 要知道受保护的私钥的口令, 否则载入私钥会失败.

实验 pkcs12 - pkwrite.c

在VS2019中调试时, 参数为 newcert_and_key.pem pwd_my_server my_server my_server.p12

做实验的私钥newcert_and_key.pem(受密码保护)的导入口令为 pwd_my_server

/*!
\file pkwrite.c
\note openssl3.2 - 官方demo学习 - pkcs12 - pkwrite.c*//** Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.** Licensed under the Apache License 2.0 (the "License").  You may not use* this file except in compliance with the License.  You can obtain a copy* in the file LICENSE in the source distribution or at* https://www.openssl.org/source/license.html*/#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>#include "my_openSSL_lib.h"
#include <assert.h> // for assert()/* Simple PKCS#12 file creator */// 如果要操作的PEM证书有密码, 就让密码回调函数告诉openssl操作, PEM证书的密码是啥?
int my_pem_password_cb(char* buf, int size, int rwflag, void* userdata)
{int i_pwd_len = 0; // 在openssl的函数中, 返回0是失败, 返回1是成功. 函数返回默认是失败int i_user_data = 0;do {// buf is "T"if (NULL == buf){break;}if (NULL != userdata){// 如果是面向对象变成, 这里的userdata传递的就是结构指针i_user_data = *((int*)userdata);assert(2024 == i_user_data);}// size = 1024// 从回调buffer入参的size可以看出, openssl中密码的最大长度为1024个字节.if (size < 6){break;}// 我这个证书制作出来的时候, 密码是333333strcpy(buf, "333333");i_pwd_len = 6; // 密码"333333" 的长度为6} while (0);assert(6 == i_pwd_len);// 返回值为密码长度return i_pwd_len;
}int main(int argc, char** argv)
{FILE* fp;EVP_PKEY* pkey;X509* cert;PKCS12* p12;int i_user_data = 0;const char* psz_infile = NULL;const char* psz_passwd = NULL;const char* psz_name = NULL;const char* psz_p12file = NULL;if (argc != 5) {// argv[0]  argv[1]           argv[2]  argv[3]    argv[4]// pkwrite  infile              pwd    name       p12file// this_EXE newcert_and_key.pem 333333 my_server  my_server.p12// 在VS2019中调试时, 参数为 newcert_and_key.pem pwd_my_server my_server  my_server.p12fprintf(stderr, "Usage: pkwrite infile password name p12file\n");exit(EXIT_FAILURE);}psz_infile = argv[1];psz_passwd = argv[2];psz_name = argv[3];psz_p12file = argv[4];OpenSSL_add_all_algorithms();ERR_load_crypto_strings();if ((fp = fopen(psz_infile, "r")) == NULL) {fprintf(stderr, "Error opening file %s\n", argv[1]);exit(EXIT_FAILURE);}cert = PEM_read_X509(fp, NULL, NULL, NULL);rewind(fp);// 如果给的就是带密码保护的证书, 调用PEM_read_PrivateKey时, 就会弹出密码输入提示// 得再研究一下, 不通过界面输入密码的方法// PEM_read_PrivateKey的参数3是密码信息的回调, 调用函数前, 传递参数3, 将密码填好再调用.// 我做的这个证书, 密码是333333// 如果PEM证书有密码, 就要提供密码信息填写的回调. my_pem_password_cb// 如果是面向对象编程, 就要提供用户data(参数4), 方便传递类指针, 进行面向对象变成i_user_data = 2024; // 用户自己的数据, openssl不用, 传啥都行, 看openssl库用户自己情况pkey = PEM_read_PrivateKey(fp, NULL, my_pem_password_cb, &i_user_data);assert(NULL != pkey);fclose(fp);p12 = PKCS12_create(psz_passwd, psz_name, pkey, cert, NULL, 0, 0, 0, 0, 0);if (!p12) {fprintf(stderr, "Error creating PKCS#12 structure\n");ERR_print_errors_fp(stderr);exit(EXIT_FAILURE);}if ((fp = fopen(psz_p12file, "wb")) == NULL) {fprintf(stderr, "Error opening file %s\n", psz_p12file);ERR_print_errors_fp(stderr);exit(EXIT_FAILURE);}i2d_PKCS12_fp(fp, p12);PKCS12_free(p12);fclose(fp);return EXIT_SUCCESS;
}

程序跑过之后, 生成了P12证书.

用win10的证书管理器安装P12证书是成功的

.P12证书受密码保护, 如果密码输入错误或不知道乱输入, 会报错, 无法导入证书.
这个口令就是产生证书时, 所谓的导出口令.





证书安装完, 可能是安装位置的缘故, 只能在管理计算机证书界面的个人/证书中看到新安装的证书.
在用户账户/管理用户证书的界面看不到新安装的证书.

打开新安装的证书后, 可以看到东西.


看证书使用者信息, 可以看到是自己签发的证书.
用官方脚本生成的证书默认是RSA2048, 如果需要其他非对加密称算法和密钥长度, 可以自己以后试试用openssl命令行来直接做.
官方脚本例子中, 有签发证书时, 选择不同的非对称加密算法和密钥长度的例子.

END