我正在尝试发送以64为基数编码的WSSE DSA公钥。我一直在尝试使用开放SSL库将公钥从证书文件中分离出来,但似乎OpenSSL使用我的整个证书文件,而不是提取公钥。
File.open("path/certificate.cer", 'rb') do |file|
cert_file = file.read()
cert = OpenSSL::X509::Certificate.new cert_file
end
cert_string = (cert.public_key.to_s+"").delete("n") #it was formatting itself with newlines
cert_string = cert_string[26..-25] #the start/end messages aren't sent
puts cert_string
下面是我用来从证书中提取公钥的代码。我将它用于公钥绑定,因此它使用来自连接的SSL*。
本质上,您调用len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL)一次获得长度,然后调用len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), buffer)第二次检索证书。您可以使用len1和len2作为基本的完整性检查,以确保您获得了预期的字节数。
int pin_peer_pubkey(SSL* ssl)
{
if(NULL == ssl) return FALSE;
X509* cert = NULL;
/* Scratch */
int len1 = 0, len2 = 0;
unsigned char *buff1 = NULL;
/* Result is returned to caller */
int ret = 0, result = FALSE;
do
{
/* http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html */
cert = SSL_get_peer_certificate(ssl);
if(!(cert != NULL))
break; /* failed */
/* Begin Gyrations to get the subjectPublicKeyInfo */
/* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
/* http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/d61858dae102c6c7 */
len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
if(!(len1 > 0))
break; /* failed */
/* scratch */
unsigned char* temp = NULL;
/* http://www.openssl.org/docs/crypto/buffer.html */
buff1 = temp = OPENSSL_malloc(len1);
if(!(buff1 != NULL))
break; /* failed */
/* http://www.openssl.org/docs/crypto/d2i_X509.html */
len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
/* These checks are verifying we got back the same values as when we sized the buffer. */
/* Its pretty weak since they should always be the same. But it gives us something to test. */
if(!((len1 == len2) && (temp != NULL) && ((temp - buff1) == len1)))
break; /* failed */
/* End Gyrations */
/* Do something with the public key */
...
ret = TRUE;
} while(0);
/* http://www.openssl.org/docs/crypto/buffer.html */
if(NULL != buff1)
OPENSSL_free(buff1);
/* http://www.openssl.org/docs/crypto/X509_new.html */
if(NULL != cert)
X509_free(cert);
return result;
}
在SOAP中使用WSSE发送以Base 64编码的Ruby公钥…
好吧,这是一个你可以解决的协议细节。你可以发送原始字节,Base64编码(RFC 4648,章节4)或Base64URL编码(RFC 4648,章节5)并发送它。