CSR generation code breaks after upgrading openssl

Problem description

We have existing code that generates a CSR, as shown below:

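#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>

/* RSA_SIZE and WriteToFile() are defined elsewhere in the project. */
void create_csr()
{
    /* Generate the RSA key pair and attach it to an EVP_PKEY. */
    EVP_PKEY * pk = EVP_PKEY_new();
    RSA * rsa = RSA_generate_key(RSA_SIZE, RSA_F4, NULL, NULL);
    EVP_PKEY_set1_RSA(pk, rsa);
    /* Create the request and set its public key. */
    X509_REQ * x = X509_REQ_new();
    X509_REQ_set_pubkey(x, pk);

    /* Serialise the request as PEM into a memory BIO. */
    BIO * outBio = BIO_new(BIO_s_mem());
    PEM_write_bio_X509_REQ(outBio, x);
    char * buf;
    size_t bufLen = BIO_get_mem_data(outBio, &buf);
    WriteToFile(buf, bufLen, "cert_req.csr"); // <== File IO details inside
}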

Running # openssl asn1parse -in cert_req.csr

OpenSSL 1.0.1e-fips 11 Feb 2013

    0:d=0  hl=4 l= 312 cons: SEQUENCE          
    4:d=1  hl=4 l= 300 cons: SEQUENCE          
    8:d=2  hl=2 l=   0 prim: INTEGER           :00
   10:d=2  hl=2 l=   0 cons: SEQUENCE          
   12:d=2  hl=4 l= 290 cons: SEQUENCE          
   16:d=3  hl=2 l=  13 cons: SEQUENCE          
   18:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   29:d=4  hl=2 l=   0 prim: NULL              
   31:d=3  hl=4 l= 271 prim: BIT STRING        
  306:d=2  hl=2 l=   0 cons: cont [ 0 ]        
  308:d=1  hl=2 l=   3 cons: SEQUENCE          
  310:d=2  hl=2 l=   1 prim: OBJECT            :itu-t
  313:d=1  hl=2 l=   1 prim: BIT STRING        

OpenSSL 1.1.1b 26 Feb 2019

    0:d=0  hl=4 l= 310 cons: SEQUENCE          
    4:d=1  hl=4 l= 301 cons: SEQUENCE          
    8:d=2  hl=2 l=   1 prim: INTEGER           :00
   11:d=2  hl=2 l=   0 cons: SEQUENCE          
   13:d=2  hl=4 l= 290 cons: SEQUENCE          
   17:d=3  hl=2 l=  13 cons: SEQUENCE          
   19:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   30:d=4  hl=2 l=   0 prim: NULL              
   32:d=3  hl=4 l= 271 prim: BIT STRING        
  307:d=2  hl=2 l=   0 cons: cont [ 0 ]        
  309:d=1  hl=2 l=   0 cons: SEQUENCE          
  311:d=1  hl=2 l=   1 prim: BIT STRING        

It seems that with OpenSSL 1.1.1b 26 Feb 2019, the prim: OBJECT :itu-t field is omitted.

Trying to read the CSR generated with OpenSSL 1.1.1b 26 Feb 2019 using the OpenSSL 1.0.1e-fips 11 Feb 2013 shell command fails, as shown below:

# openssl req -in cert_req.csr -pubkey -noout -outform pem 
unable to load X509 request
140324106245960:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:526:Field=algorithm, Type=X509_ALGOR
140324106245960:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:777:Field=sig_alg, Type=X509_REQ
140324106245960:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

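Our server running OpenSSL 1.0.1e-fips 11 Feb 2013 cannot parse the CSR and generate a certificate.

Follow-up question: when generating the CSR, is there a way to have OpenSSL 1.1.1b 26 Feb 2019 use itu-t as the signature algorithm and insert the prim: OBJECT :itu-t field and value into the ASN.1 encoding? How?

Many thanks!

Tags: c openssl upgrade signing csr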

Solution

